Hi,
I’m trying to connect a few tunnels to AWS, and I’m having issues with the v6 ones. As the title says, the IPsec and SAs seem up, yet the VTI interfaces stay down. I have 4 tunnels total (2 v4 and 2 v6).
I can see the following in the logs:
Apr 25 16:27:58 vti-up-down[14206]: Interface vti2 up-client-v6 AWS_DC_V6_1-vti
Apr 25 16:27:59 vti-up-down[14209]: Interface vti0 up-client AWS_DC_V4_1-vti
Apr 25 16:28:01 vti-up-down[14247]: Interface vti3 up-client-v6 AWS_DC_V6_2-vti
Apr 25 16:28:01 vti-up-down[14250]: Interface vti1 up-client AWS_DC_V4_2-vti
Apr 25 16:27:58 charon-systemd[14182]: CHILD_SA AWS_DC_V6_1-vti{2} established with SPIs c0ffb2d7_i c54cc8c9_o and TS ::/0 === ::/0
Apr 25 16:27:58 charon[14182]: 15[IKE] <AWS_DC_V6_1|3> CHILD_SA AWS_DC_V6_1-vti{2} established with SPIs c0ffb2d7_i c54cc8c9_o and TS ::/0 === ::/0
Apr 25 16:27:59 charon[14182]: 10[IKE] <AWS_DC_V4_1|1> CHILD_SA AWS_DC_V4_1-vti{3} established with SPIs c9715c3f_i c1533dab_o and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 25 16:27:59 charon-systemd[14182]: CHILD_SA AWS_DC_V4_1-vti{3} established with SPIs c9715c3f_i c1533dab_o and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 25 16:28:00 charon[14182]: 03[IKE] <AWS_DC_V6_2|4> CHILD_SA AWS_DC_V6_2-vti{4} established with SPIs c4b32c3c_i cda20d93_o and TS ::/0 === ::/0
Apr 25 16:28:00 charon-systemd[14182]: CHILD_SA AWS_DC_V6_2-vti{4} established with SPIs c4b32c3c_i cda20d93_o and TS ::/0 === ::/0
Apr 25 16:28:01 charon[14182]: 11[IKE] <AWS_DC_V4_2|2> CHILD_SA AWS_DC_V4_2-vti{1} established with SPIs cc4dd31a_i c5536589_o and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 25 16:28:01 charon-systemd[14182]: CHILD_SA AWS_DC_V4_2-vti{1} established with SPIs cc4dd31a_i c5536589_o and TS 0.0.0.0/0 === 0.0.0.0/0
And then I have the following output:
@vyos01.lab:~$ show vpn ipsec connections
Connection       State  Type   Remote address  Local TS   Remote TS  Local id  Remote id  Proposal
---------------  -----  -----  --------------  ---------  ---------  --------  ---------  ----------------------------------
AWS_DC_V4_1      up     IKEv2  x.x.x.x         -          -          x.x.x.x   x.x.x.x    AES_CBC/128/HMAC_SHA1_96/MODP_1024
AWS_DC_V4_1-vti  up     IPsec  x.x.x.x         0.0.0.0/0  0.0.0.0/0  x.x.x.x   x.x.x.x    AES_CBC/128/HMAC_SHA1_96/None
                                               ::/0       ::/0
AWS_DC_V4_2      up     IKEv2  x.x.x.x         -          -          x.x.x.x   x.x.x.x    AES_CBC/128/HMAC_SHA1_96/MODP_1024
AWS_DC_V4_2-vti  up     IPsec  x.x.x.x         0.0.0.0/0  0.0.0.0/0  x.x.x.x   x.x.x.x    AES_CBC/128/HMAC_SHA1_96/None
                                               ::/0       ::/0
AWS_DC_V6_1      up     IKEv2  x.x.x.x         -          -          x.x.x.x   x.x.x.x    AES_CBC/128/HMAC_SHA1_96/MODP_1024
AWS_DC_V6_1-vti  up     IPsec  x.x.x.x         0.0.0.0/0  0.0.0.0/0  x.x.x.x   x.x.x.x    AES_CBC/128/HMAC_SHA1_96/None
                                               ::/0       ::/0
AWS_DC_V6_2      up     IKEv2  x.x.x.x         -          -          x.x.x.x   x.x.x.x    AES_CBC/128/HMAC_SHA1_96/MODP_1024
AWS_DC_V6_2-vti  up     IPsec  x.x.x.x         0.0.0.0/0  0.0.0.0/0  x.x.x.x   x.x.x.x    AES_CBC/128/HMAC_SHA1_96/None
                                               ::/0       ::/0
@vyos01.lab:~$ show int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface  IP Address                                  MAC  VRF      MTU   S/L  Description
---------  ------------------------------------------  ---  -------  ----  ---  -----------
vti0       169.254.250.126/30                          n/a  default  1436  u/u  AWS_DC_V4_1
vti1       169.254.212.98/30                           n/a  default  1436  u/u  AWS_DC_V4_2
vti2       169.254.227.14/30                           n/a  default  1436  A/D  AWS_DC_V6_1
           fd4d:2975:3b8:ee11:29cb:255c:4e27:83b6/126
vti3       169.254.234.114/30                          n/a  default  1436  A/D  AWS_DC_V6_2
           fd1c:c003:18da:7b2e:2b33:e73e:b7a:3402/126
I’ve tried looking at past posts on this, but no matter how many times I restart the IPsec service or the VM, I get no joy. The config is the same across the board, with just IP addresses and PSK changing. I’m running version 1.5.
Any help would be appreciated.
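As an added triage example (not part of the original post, and not VyOS or strongSwan code), the script below correlates the three things pasted above: the `vti-up-down` hook lines, the charon `CHILD_SA ... established` lines, and the `show interfaces` table. The detail worth pulling out is in the codes line of `show interfaces`: `A` means Admin Down. So vti2 and vti3 are not link-down, they were never brought up administratively, even though their CHILD_SAs are established and the hook fired for them, with the verb `up-client-v6` where the working v4 tunnels got `up-client`. The sample text is copied from the post; the regexes, the `Vti` record and the `stuck_vtis` check are assumptions of this example.

```python
"""Correlate strongSwan CHILD_SA events, the VyOS vti-up-down hook log and
`show interfaces` output to find VTIs whose SA is up but whose interface is
still administratively down. Added example; sample text copied from the post."""
import re
from dataclasses import dataclass

# Sample input: the hook / charon lines and the `show interfaces` rows from
# the post above (one charon copy per CHILD_SA is enough for the correlation).
LOG = """\
Apr 25 16:27:58 vti-up-down[14206]: Interface vti2 up-client-v6 AWS_DC_V6_1-vti
Apr 25 16:27:59 vti-up-down[14209]: Interface vti0 up-client AWS_DC_V4_1-vti
Apr 25 16:28:01 vti-up-down[14247]: Interface vti3 up-client-v6 AWS_DC_V6_2-vti
Apr 25 16:28:01 vti-up-down[14250]: Interface vti1 up-client AWS_DC_V4_2-vti
Apr 25 16:27:58 charon[14182]: 15[IKE] <AWS_DC_V6_1|3> CHILD_SA AWS_DC_V6_1-vti{2} established with SPIs c0ffb2d7_i c54cc8c9_o and TS ::/0 === ::/0
Apr 25 16:27:59 charon[14182]: 10[IKE] <AWS_DC_V4_1|1> CHILD_SA AWS_DC_V4_1-vti{3} established with SPIs c9715c3f_i c1533dab_o and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 25 16:28:00 charon[14182]: 03[IKE] <AWS_DC_V6_2|4> CHILD_SA AWS_DC_V6_2-vti{4} established with SPIs c4b32c3c_i cda20d93_o and TS ::/0 === ::/0
Apr 25 16:28:01 charon[14182]: 11[IKE] <AWS_DC_V4_2|2> CHILD_SA AWS_DC_V4_2-vti{1} established with SPIs cc4dd31a_i c5536589_o and TS 0.0.0.0/0 === 0.0.0.0/0
"""

SHOW_INT = """\
vti0  169.254.250.126/30  n/a  default  1436  u/u  AWS_DC_V4_1
vti1  169.254.212.98/30   n/a  default  1436  u/u  AWS_DC_V4_2
vti2  169.254.227.14/30   n/a  default  1436  A/D  AWS_DC_V6_1
      fd4d:2975:3b8:ee11:29cb:255c:4e27:83b6/126
vti3  169.254.234.114/30  n/a  default  1436  A/D  AWS_DC_V6_2
      fd1c:c003:18da:7b2e:2b33:e73e:b7a:3402/126
"""

# Hook line: which interface, which updown verb, which connection.
UPDOWN_RE = re.compile(r"vti-up-down\[\d+\]: Interface (vti\d+) (\S+) (\S+)")
# charon line: connection name, SPIs and the negotiated traffic selectors.
CHILD_SA_RE = re.compile(
    r"CHILD_SA (\S+)\{\d+\} established with SPIs (\w+)_i (\w+)_o and TS (\S+) === (\S+)")
# Interface row: name, then IP, MAC, VRF, MTU, the S/L codes and the description.
IFACE_RE = re.compile(r"^(vti\d+)\s+\S+\s+\S+\s+\S+\s+\d+\s+([uDA])/([uD])\s+(\S+)")


@dataclass
class Vti:
    iface: str
    conn: str = ""        # CHILD_SA name the hook was called for
    verb: str = ""        # updown verb, e.g. up-client or up-client-v6
    sa_up: bool = False   # a CHILD_SA for conn was seen established
    ts_family: str = ""   # v4 or v6, from the negotiated traffic selector
    state: str = ""       # S code: u (up), D (down), A (admin down)
    link: str = ""        # L code: u or D


def triage(log_text, show_int_text):
    """Return {iface: Vti} built from the hook log, charon log and interface rows."""
    report = {}
    sa_ts = {}  # conn -> local traffic selector of the established CHILD_SA
    for line in log_text.splitlines():
        m = UPDOWN_RE.search(line)
        if m:
            iface, verb, conn = m.groups()
            v = report.setdefault(iface, Vti(iface))
            v.conn, v.verb = conn, verb
            continue
        m = CHILD_SA_RE.search(line)
        if m:
            conn, _spi_in, _spi_out, local_ts, _remote_ts = m.groups()
            sa_ts[conn] = local_ts
    for line in show_int_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface, state, link, _desc = m.groups()
            v = report.setdefault(iface, Vti(iface))
            v.state, v.link = state, link
    for v in report.values():
        if v.conn in sa_ts:
            v.sa_up = True
            v.ts_family = "v6" if ":" in sa_ts[v.conn] else "v4"
    return report


def stuck_vtis(report):
    """VTIs whose CHILD_SA is established but whose interface is still admin down."""
    return sorted(i for i, v in report.items() if v.sa_up and v.state == "A")


if __name__ == "__main__":
    rep = triage(LOG, SHOW_INT)
    for v in rep.values():
        flag = "  <-- SA up but interface admin down" if v.iface in stuck_vtis(rep) else ""
        print(f"{v.iface}: {v.conn} verb={v.verb} sa_up={v.sa_up} "
              f"ts={v.ts_family} S/L={v.state}/{v.link}{flag}")
```

On the router the same correlation is done by hand with `sudo swanctl --list-sas` (is the CHILD_SA really installed?) and `sudo ip -d link show vti2` (is the interface missing only the UP flag?). If the SA is there and the interface is merely not UP, `sudo ip link set vti2 up` is a quick test of whether traffic flows once it is up; if it does, the hook that logged the `up-client-v6` lines is the place to check that the IPv6 verb is handled the same way as `up-client`, since that is the one observable difference between the two tunnels that came up and the two that did not.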