VPN using wrong local-address

Hi everyone,

I’m running VyOS 1.1.7.

I’m trying to configure an IPSEC VPN with AWS.

My WAN (physical interface) has more than one public IP configured.

I have other VPNs working perfectly (also with AWS) that are using the first IP address configured on the physical interface as local-address.

This last VPN I’m trying to configure uses another IP address configured on the interface (instead of ending with 210, as for the other VPNs, it ends with 212).
To do that, I’ve specified in my VPN config to use that specific local address.

The VPN doesn’t work, and between many tests, I’ve tried to run tcpdump on the public interface, looking for any activity.

I discovered that AWS is not replying (that’s what I suppose) because VyOS is still sending out packets using the 210 IP address, instead of the 212 I’ve set.

Here is my site-to-site VPN config (IPs and secrets anonymized):

show vpn ipsec ike-group aws-ci
 dead-peer-detection {
     action restart
     interval 15
     timeout 30
 }
 ikev2-reauth no
 key-exchange ikev1
 lifetime 28800
 proposal 1 {
     dh-group 2
     encryption aes128
     hash sha1
 }

show vpn ipsec esp-group aws-ci
 compression disable
 lifetime 3600
 mode tunnel
 pfs enable
 proposal 1 {
     encryption aes128
     hash sha1
 }

show vpn ipsec site-to-site peer AWS_PEER_IP
 authentication {
     mode pre-shared-secret
     pre-shared-secret my_secret
 }
 connection-type initiate
 description "AWS-CI 1"
 ike-group aws-ci
 ikev2-reauth inherit
 local-address *.*.*.212
 vti {
     bind vti6
     esp-group aws-ci
 }

Here is an extract of the log (IPs and secrets anonymized):

sudo tcpdump -i eth1 host AWS_PEER_IP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
00:49:30.096175 IP *.*.*.210.isakmp > ec2.********.amazonaws.com.isakmp: isakmp: phase 1 I ident

Of course, if you believe there’s any other error besides this, please let me know.

Any help would be really appreciated.

Thank you,

-Luca
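The mismatch Luca spotted by eye (configured local-address vs. the source of the outgoing ISAKMP packets) can be checked mechanically. The script below is an added example, not part of the original post or of VyOS; it parses a peer config block and tcpdump lines modelled on the ones above (addresses are constructed RFC 5737 placeholders, not the poster's real IPs) and reports any IKE source address that differs from the configured local-address.

```python
import re

# Constructed sample input modelled on the post: peer config block and
# tcpdump output; 203.0.113.x addresses are documentation placeholders.
CONFIG = """\
peer AWS_PEER_IP {
    connection-type initiate
    ike-group aws-ci
    local-address 203.0.113.212
    vti {
        bind vti6
        esp-group aws-ci
    }
}
"""
CAPTURE = """\
00:49:30.096175 IP 203.0.113.210.isakmp > ec2-peer.amazonaws.com.isakmp: isakmp: phase 1 I ident
00:49:40.101237 IP 203.0.113.210.isakmp > ec2-peer.amazonaws.com.isakmp: isakmp: phase 1 I ident
"""

# "local-address <addr>" line in the site-to-site peer block.
LOCAL_ADDR_RE = re.compile(r"^\s*local-address\s+(\S+)", re.MULTILINE)
# tcpdump prints "IP <src>.isakmp > <dst>.isakmp:"; capture the source host.
ISAKMP_RE = re.compile(r"\bIP\s+(\S+?)\.isakmp\s+>\s+\S+\.isakmp:")


def configured_local_address(config_text):
    """Return the local-address set on the peer, or None if absent."""
    m = LOCAL_ADDR_RE.search(config_text)
    return m.group(1) if m else None


def isakmp_sources(capture_text):
    """Return the source address of every ISAKMP packet in the capture."""
    return [m.group(1) for m in ISAKMP_RE.finditer(capture_text)]


def check_ike_source(config_text, capture_text):
    """Return (expected_local_address, sorted list of differing sources)."""
    expected = configured_local_address(config_text)
    mismatches = sorted({s for s in isakmp_sources(capture_text) if s != expected})
    return expected, mismatches


if __name__ == "__main__":
    expected, bad = check_ike_source(CONFIG, CAPTURE)
    print("configured local-address:", expected)
    print("IKE sent from other addresses:", bad or "none")
```

An empty mismatch list means IKE is leaving from the configured address; a non-empty one reproduces exactly the symptom in the post.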