Hi everyone,
I’m running VyOS 1.1.7.
I’m trying to configure an IPSEC VPN with AWS.
My WAN (physical interface) has more than one public IP configured.
I have other VPNs working perfectly (also with AWS) that are using the first IP address configured on the physical interface as local-address.
This last VPN I’m trying to configure uses another IP address configured on that interface (instead of ending with 210 -as for the other VPNs- it ends with 212).
To do that, I’ve specified in my VPN config to use that specific local address.
The VPN doesn’t work, and among many tests, I’ve tried running tcpdump on the public interface, looking for any activity.
I discovered that AWS is not replying (that’s what I suppose) because VyOS is still sending out packets using the 210 IP address, instead of the 212 I’ve set.
Here is my site-to-site VPN config (IPs and secrets anonymized):
show vpn ipsec ike-group aws-ci
 dead-peer-detection {
     action restart
     interval 15
     timeout 30
 }
 ikev2-reauth no
 key-exchange ikev1
 lifetime 28800
 proposal 1 {
     dh-group 2
     encryption aes128
     hash sha1
 }

show vpn ipsec esp-group aws-ci
 compression disable
 lifetime 3600
 mode tunnel
 pfs enable
 proposal 1 {
     encryption aes128
     hash sha1
 }

show vpn ipsec site-to-site peer AWS_PEER_IP
 authentication {
     mode pre-shared-secret
     pre-shared-secret my_secret
 }
 connection-type initiate
 description "AWS-CI 1"
 ike-group aws-ci
 ikev2-reauth inherit
 local-address *.*.*.212
 vti {
     bind vti6
     esp-group aws-ci
 }
Here is an extract of the tcpdump output (IPs and secrets anonymized):
sudo tcpdump -i eth1 host AWS_PEER_IP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
00:49:30.096175 IP *.*.*.210.isakmp > ec2.********.amazonaws.com.isakmp: isakmp: phase 1 I ident
Of course, if you believe there’s any other error besides this, please let me know.
Any help would be really appreciated.
Thank you,
-Luca
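The check Luca performed by eye above (does the source address of the ISAKMP packets leaving eth1 match the configured local-address?) can be automated. The script below is an added example, not part of the original post or of VyOS: it parses tcpdump's default one-line ISAKMP output, keeps only the packets addressed to the given peer, and reports every source address the box used, flagging any that differ from the expected local-address. The sample capture lines and the RFC 5737 addresses (203.0.113.210/.212 as the two local IPs, 198.51.100.5/.7 as two AWS peers) are constructed for the example and stand in for the anonymized values in the post.

```python
import re
import sys
from collections import Counter

# Constructed sample of `tcpdump -i eth1 host <peer>` output (not from the original
# post). Two tunnels: one to 198.51.100.5 that wrongly leaves from .210, and one to
# 198.51.100.7 that correctly leaves from .212 and gets an answer.
SAMPLE_CAPTURE = """\
00:49:30.096175 IP 203.0.113.210.isakmp > 198.51.100.5.isakmp: isakmp: phase 1 I ident
00:49:40.101220 IP 203.0.113.210.isakmp > 198.51.100.5.isakmp: isakmp: phase 1 I ident
00:50:01.338412 IP 203.0.113.212.isakmp > 198.51.100.7.isakmp: isakmp: phase 1 I ident
00:50:01.402913 IP 198.51.100.7.isakmp > 203.0.113.212.isakmp: isakmp: phase 1 R ident
"""

# Default (non -n) tcpdump prints "<src>.isakmp > <dst>.isakmp:"; src/dst may be an
# IP or a resolved hostname such as ec2-...amazonaws.com, so match lazily up to ".isakmp".
ISAKMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.isakmp > (?P<dst>\S+?)\.isakmp: isakmp:"
)


def check_initiator_source(capture: str, peer: str, expected_local: str) -> dict:
    """Count the source addresses of ISAKMP packets sent to `peer`.

    Packets whose destination is the peer are the ones this router originated, so
    their source is the address IKE actually bound to, regardless of what the
    site-to-site `local-address` setting says.
    """
    sources: Counter = Counter()
    for line in capture.splitlines():
        m = ISAKMP_RE.match(line)
        if not m or m["dst"] != peer:
            continue  # replies from the peer, non-ISAKMP lines, other peers
        sources[m["src"]] += 1

    unexpected = {src: n for src, n in sources.items() if src != expected_local}
    return {
        "sources": dict(sources),       # every source address seen toward the peer
        "unexpected": unexpected,       # those that differ from the configured local-address
        "ok": bool(sources) and not unexpected,
    }


def report(result: dict, peer: str, expected_local: str) -> str:
    """Render the check result as a short human-readable verdict."""
    if not result["sources"]:
        return f"no ISAKMP packets toward {peer} seen"
    if result["ok"]:
        return f"OK: all ISAKMP packets toward {peer} left from {expected_local}"
    bad = ", ".join(f"{src} ({n} pkts)" for src, n in result["unexpected"].items())
    return f"MISMATCH: packets toward {peer} left from {bad}, expected {expected_local}"


if __name__ == "__main__":
    # Usage: sudo tcpdump -l -i eth1 host <peer> | python3 check_ike_src.py <peer> <local-address>
    # With no arguments the constructed sample above is analysed instead.
    if len(sys.argv) == 3:
        peer_ip, local_ip = sys.argv[1], sys.argv[2]
        data = sys.stdin.read()
    else:
        peer_ip, local_ip, data = "198.51.100.5", "203.0.113.212", SAMPLE_CAPTURE
    print(report(check_initiator_source(data, peer_ip, local_ip), peer_ip, local_ip))
```

Run against the post's situation (peer AWS_PEER_IP, expected local .212) the script would print a MISMATCH listing the .210 address, which is exactly the symptom shown in the capture above; run against a healthy tunnel it prints OK. Use `tcpdump -l` when piping so lines are flushed as they arrive, and `-n` if you want the regex to see raw peer IPs rather than resolved EC2 hostnames.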