VTI interfaces admin down - IPSEC up

Hi,

I’m trying to connect a few tunnels to AWS and I’m having issues with the v6 ones. As the title says, the IPsec and SAs seem up, yet the VTI interfaces stay down. I have 4 tunnels total (2 v4 and 2 v6).

I can see the following in the logs:

Apr 25 16:27:58 vti-up-down[14206]: Interface vti2 up-client-v6 AWS_DC_V6_1-vti
Apr 25 16:27:59 vti-up-down[14209]: Interface vti0 up-client AWS_DC_V4_1-vti
Apr 25 16:28:01 vti-up-down[14247]: Interface vti3 up-client-v6 AWS_DC_V6_2-vti
Apr 25 16:28:01 vti-up-down[14250]: Interface vti1 up-client AWS_DC_V4_2-vti
Apr 25 16:27:58 charon-systemd[14182]: CHILD_SA AWS_DC_V6_1-vti{2} established with SPIs c0ffb2d7_i c54cc8c9_o and TS ::/0 === ::/0
Apr 25 16:27:58 charon[14182]: 15[IKE] <AWS_DC_V6_1|3> CHILD_SA AWS_DC_V6_1-vti{2} established with SPIs c0ffb2d7_i c54cc8c9_o and TS ::/0 === ::/0
Apr 25 16:27:59 charon[14182]: 10[IKE] <AWS_DC_V4_1|1> CHILD_SA AWS_DC_V4_1-vti{3} established with SPIs c9715c3f_i c1533dab_o and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 25 16:27:59 charon-systemd[14182]: CHILD_SA AWS_DC_V4_1-vti{3} established with SPIs c9715c3f_i c1533dab_o and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 25 16:28:00 charon[14182]: 03[IKE] <AWS_DC_V6_2|4> CHILD_SA AWS_DC_V6_2-vti{4} established with SPIs c4b32c3c_i cda20d93_o and TS ::/0 === ::/0
Apr 25 16:28:00 charon-systemd[14182]: CHILD_SA AWS_DC_V6_2-vti{4} established with SPIs c4b32c3c_i cda20d93_o and TS ::/0 === ::/0
Apr 25 16:28:01 charon[14182]: 11[IKE] <AWS_DC_V4_2|2> CHILD_SA AWS_DC_V4_2-vti{1} established with SPIs cc4dd31a_i c5536589_o and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 25 16:28:01 charon-systemd[14182]: CHILD_SA AWS_DC_V4_2-vti{1} established with SPIs cc4dd31a_i c5536589_o and TS 0.0.0.0/0 === 0.0.0.0/0

And then I have the following output:

@vyos01.lab:~$ show vpn ipsec connections
Connection        State    Type    Remote address    Local TS    Remote TS    Local id     Remote id       Proposal
----------------  -------  ------  ----------------  ----------  -----------  -----------  --------------  ----------------------------------
AWS_DC_V4_1      up       IKEv2   x.x.x.x    -           -            x.x.x.x  x.x.x.x  AES_CBC/128/HMAC_SHA1_96/MODP_1024
AWS_DC_V4_1-vti  up       IPsec   x.x.x.x    0.0.0.0/0   0.0.0.0/0    x.x.x.x  x.x.x.x  AES_CBC/128/HMAC_SHA1_96/None
                                                     ::/0        ::/0
AWS_DC_V4_2      up       IKEv2   x.x.x.x     -           -            x.x.x.x  x.x.x.x   AES_CBC/128/HMAC_SHA1_96/MODP_1024
AWS_DC_V4_2-vti  up       IPsec   x.x.x.x     0.0.0.0/0   0.0.0.0/0    x.x.x.x  x.x.x.x   AES_CBC/128/HMAC_SHA1_96/None
                                                     ::/0        ::/0
AWS_DC_V6_1      up       IKEv2   x.x.x.x        -           -            x.x.x.x  x.x.x.x      AES_CBC/128/HMAC_SHA1_96/MODP_1024
AWS_DC_V6_1-vti  up       IPsec   x.x.x.x        0.0.0.0/0   0.0.0.0/0    x.x.x.x  x.x.x.x      AES_CBC/128/HMAC_SHA1_96/None
                                                     ::/0        ::/0
AWS_DC_V6_2      up       IKEv2   x.x.x.x     -           -            x.x.x.x  x.x.x.x   AES_CBC/128/HMAC_SHA1_96/MODP_1024
AWS_DC_V6_2-vti  up       IPsec   x.x.x.x     0.0.0.0/0   0.0.0.0/0    x.x.x.x  x.x.x.x   AES_CBC/128/HMAC_SHA1_96/None
                                                     ::/0        ::/0
@vyos01.lab:~$ show int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                                  MAC                VRF        MTU  S/L    Description
-----------  ------------------------------------------  -----------------  -------  -----  -----  -------------
vti0         169.254.250.126/30                          n/a                default   1436  u/u    AWS_DC_V4_1
vti1         169.254.212.98/30                           n/a                default   1436  u/u    AWS_DC_V4_2
vti2         169.254.227.14/30                           n/a                default   1436  A/D    AWS_DC_V6_1
             fd4d:2975:3b8:ee11:29cb:255c:4e27:83b6/126
vti3         169.254.234.114/30                          n/a                default   1436  A/D    AWS_DC_V6_2
             fd1c:c003:18da:7b2e:2b33:e73e:b7a:3402/126

I’ve tried looking at past posts on this, but no matter how many times I restart the IPsec service or the VM, I get no joy. The config is the same across the board with just the IP addresses and PSK changing. I’m running version 1.5.

Any help would be appreciated.

So there are a couple of caveats that I’ve since discovered. The first is that AWS (despite giving you a v4 and a v6 address on the v6 tunnels) won’t DS, so the vti2 int should only have a v6 address.

The second is that, despite this not being in any docs and not being needed for v4, you need to set the TS on the v6 int. I set local to the fd4d:2975:3b8:ee11:29cb:255c:4e27:83b4/126 subnet and remote to ::/0. That sorted the issue I was seeing.

I hope this can help someone in the future.
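To turn the correlation Adam did by eye into a repeatable check, here is an added Python example (not from the thread and not VyOS code) that parses the vti-up-down and charon log lines together with the "show int" table and flags tunnels whose CHILD_SA is established while the VTI is admin down, plus v6 tunnels whose VTI still carries an IPv4 address (the first caveat above). The embedded sample lines are a subset copied from this thread; the parsing assumes the column layout shown in the post.

```python
import re
from ipaddress import ip_interface
# Constructed sample: the thread's own vti-up-down/charon lines and two "show int" rows.
LOG = """\
Apr 25 16:27:58 vti-up-down[14206]: Interface vti2 up-client-v6 AWS_DC_V6_1-vti
Apr 25 16:27:59 vti-up-down[14209]: Interface vti0 up-client AWS_DC_V4_1-vti
Apr 25 16:27:58 charon[14182]: 15[IKE] <AWS_DC_V6_1|3> CHILD_SA AWS_DC_V6_1-vti{2} established with SPIs c0ffb2d7_i c54cc8c9_o and TS ::/0 === ::/0
Apr 25 16:27:59 charon[14182]: 10[IKE] <AWS_DC_V4_1|1> CHILD_SA AWS_DC_V4_1-vti{3} established with SPIs c9715c3f_i c1533dab_o and TS 0.0.0.0/0 === 0.0.0.0/0
"""
SHOW_INT = """\
vti0         169.254.250.126/30                          n/a                default   1436  u/u    AWS_DC_V4_1
vti2         169.254.227.14/30                           n/a                default   1436  A/D    AWS_DC_V6_1
             fd4d:2975:3b8:ee11:29cb:255c:4e27:83b6/126
"""
UPDOWN = re.compile(r"Interface (vti\d+) up-client(-v6)? (\S+)")
CHILD = re.compile(r"CHILD_SA (\S+)\{\d+\} established .* TS (\S+) === (\S+)")

def parse_log(text):
    """Map child-SA name -> {'iface', 'v6', 'ts'} from vti-up-down and charon lines."""
    sas = {}
    for line in text.splitlines():
        if m := UPDOWN.search(line):
            sas.setdefault(m[3], {}).update(iface=m[1], v6=m[2] is not None)
        elif m := CHILD.search(line):
            sas.setdefault(m[1], {})["ts"] = (m[2], m[3])
    return sas

def parse_show_int(text):
    """Map VTI name -> {'state', 'addrs'}; indented rows carry extra addresses."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if line.startswith("vti"):
            f = line.split()  # name, address, MAC, VRF, MTU, S/L, description
            cur = f[0]
            ifaces[cur] = {"state": f[5], "addrs": [f[1]]}
        elif cur and line.strip():
            ifaces[cur]["addrs"].append(line.strip())
    return ifaces

def audit(log, show_int):
    """Flag SAs that are up while the VTI is not u/u, and IPv4 addresses on v6-only VTIs."""
    findings, ifaces = [], parse_show_int(show_int)
    for name, sa in parse_log(log).items():
        if (i := ifaces.get(sa.get("iface"))) is None or "ts" not in sa:
            continue  # no interface row or no established SA for this name
        if i["state"] != "u/u":
            findings.append(f"{name}: CHILD_SA up but {sa['iface']} is {i['state']}")
        if sa.get("v6") and any(ip_interface(a).version == 4 for a in i["addrs"]):
            findings.append(f"{name}: IPv4 address on v6-only VTI {sa['iface']}")
    return findings
```

Run against the full output of a box with four tunnels, it reports only the v6 tunnels, matching what the thread observed.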


Thanks for sharing the experience with DS, Adam. I was talking with you on Reddit, but it’s good to know that it was solved.


Thanks @Adam.phillips!!

Not sure if I’m unlucky, but I had the same issue only using IPv4!

I’ll share the config I added to make it work with my vti1:

Before:

show vpn ipsec connections

Connection  State    Type    Remote address               Local TS    Remote TS    Local id          Remote id          Proposal
----------  -------  ------  ---------------------------  ----------  -----------  ----------------  -----------------  ---------------------------------------
MyPeer      up       IKEv2   remote_domain.com,180.x.x.x  -           -            local_domain.com  remote_domain.com  AES_CBC/256/HMAC_SHA2_512_256/MODP_2048
MyPeer-vti  up       IPsec   remote_domain.com,180.x.x.x  0.0.0.0/0   0.0.0.0/0    local_domain.com  remote_domain.com  AES_CBC/256/HMAC_SHA2_512_256/None
                                                          ::/0        ::/0

Site-to-site config:
set vpn ipsec site-to-site peer MyPeer authentication local-id 'local_domain.com'
set vpn ipsec site-to-site peer MyPeer authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer MyPeer authentication remote-id 'remote_domain.com'
set vpn ipsec site-to-site peer MyPeer connection-type 'initiate'
set vpn ipsec site-to-site peer MyPeer default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer MyPeer ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer MyPeer ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer MyPeer local-address '192.168.1.13'
set vpn ipsec site-to-site peer MyPeer remote-address 'remote_domain.com'
set vpn ipsec site-to-site peer MyPeer remote-address '180.x.x.x'
set vpn ipsec site-to-site peer MyPeer vti bind 'vti1'
set vpn ipsec site-to-site peer MyPeer vti esp-group 'MyESPGroup'

After:

set vpn ipsec site-to-site peer MyPeer authentication local-id 'local_domain.com'
set vpn ipsec site-to-site peer MyPeer authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer MyPeer authentication remote-id 'remote_domain.com'
set vpn ipsec site-to-site peer MyPeer connection-type 'initiate'
set vpn ipsec site-to-site peer MyPeer default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer MyPeer ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer MyPeer ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer MyPeer local-address '192.168.1.13'
set vpn ipsec site-to-site peer MyPeer remote-address 'remote_domain.com'
set vpn ipsec site-to-site peer MyPeer remote-address '180.x.x.x'
set vpn ipsec site-to-site peer MyPeer tunnel 0 local prefix '0.0.0.0/0'
set vpn ipsec site-to-site peer MyPeer tunnel 0 remote prefix '0.0.0.0/0'
set vpn ipsec site-to-site peer MyPeer vti bind 'vti1'
set vpn ipsec site-to-site peer MyPeer vti esp-group 'MyESPGroup'

show vpn ipsec connections

Connection                   State    Type    Remote address               Local TS    Remote TS    Local id          Remote id          Proposal
---------------------------  -------  ------  ---------------------------  ----------  -----------  ----------------  -----------------  ---------------------------------------
MyPeer                       up       IKEv2   remote_domain.com,180.x.x.x  -           -            local_domain.com  remote_domain.com  AES_CBC/256/HMAC_SHA2_512_256/MODP_2048
MyPeer-tunnel-0              up       IPsec   remote_domain.com,180.x.x.x  0.0.0.0/0   0.0.0.0/0    local_domain.com  remote_domain.com  AES_CBC/256/HMAC_SHA2_512_256/None
MyPeer-tunnel-0-passthrough  down     IPsec   remote_domain.com,180.x.x.x  0.0.0.0/0   0.0.0.0/0    local_domain.com  remote_domain.com  -


vyos@local_domain.com:~$ show version
Version: VyOS 1.5-rolling-202405101513
Release train: current

Built by: [email protected]
Built on: Fri 10 May 2024 17:38 UTC
Build UUID: e4bff2cd-f42d-44dc-ae80-48a95d61c38e
Build commit ID: f4d26782632777

Architecture: x86_64
Boot via: installed image
System type: VMware guest

Hardware vendor: VMware, Inc.
Hardware model: VMware Virtual Platform
Hardware S/N: VMware-56 4d c7 62 3a b5 bb 1d-b9 5d 75 20 89 82 c2 63
Hardware UUID: 62c74d56-b53a-1dbb-b95d-75208982c263

Copyright: VyOS maintainers and contributors
