VTI on IKEv2 issue on 999.201802130337


#1

I tested IPsec using VTI and IKEv2 between VyOS and a Cisco router.

It seems IPsec was complete (P1 and P2 were OK), but ping's behavior looks strange.

The tunnel interface's address is in 172.16.20.0/24.

PING from VyOS to Cisco:

a) ping 172.16.20.1 interface vti1 -> Success.
b) ping 172.16.20.1 interface 172.16.20.2 -> Failed.

PING from Cisco to VyOS:

c) ping 172.16.20.2 source tunnel 1 -> Failed.
d) ping 172.16.20.2 source 172.16.20.1 -> Failed.

IPSec Status:

[code]vyos@VPN1:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
Global_IP1                              10.200.10.73

    Tunnel  State  Bytes Out/In   Encrypt  Hash        NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----------  -----  ------  ------  -----
    vti     up     252.0/5.7K     aes256   sha256_128  no     2160    3600    all

Cisco#sh crypto session
Crypto session current status

Interface: Tunnel1
Profile: IKEv2_Profile_VyOS
Session status: UP-ACTIVE
Peer: Global_IP2 port 1024
Session ID: 1627
IKEv2 SA: local 192.168.1.2/4500 remote Global_IP2/1024 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map[/code]

Ping Results:

[code]- Pattern a
vyos@VPN1:~$ ping 172.16.20.1 interface vti1
PING 172.16.20.1 (172.16.20.1) from 172.16.20.2 vti1: 56(84) bytes of data.
64 bytes from 172.16.20.1: icmp_seq=1 ttl=255 time=6.23 ms
64 bytes from 172.16.20.1: icmp_seq=2 ttl=255 time=6.42 ms
^C
--- 172.16.20.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 6.235/6.331/6.427/0.096 ms

- Pattern b
vyos@VPN1:~$ ping 172.16.20.1 interface 172.16.20.2
PING 172.16.20.1 (172.16.20.1) from 172.16.20.2 : 56(84) bytes of data.

^C
--- 172.16.20.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4005ms

- Pattern c
Cisco#ping 172.16.20.2 source tunnel 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.20.1

Success rate is 0 percent (0/5)

- Pattern d
Cisco#ping 172.16.20.2 source 172.16.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.20.1

Success rate is 0 percent (0/5)[/code]

VyOS Configuration:

[code]set interfaces vti vti1 address '172.16.20.2/24'

set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '3600'
set vpn ipsec esp-group ESP mode 'tunnel'
set vpn ipsec esp-group ESP pfs 'dh-group14'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev2'
set vpn ipsec ike-group IKE lifetime '3600'
set vpn ipsec ike-group IKE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer Global_IP1 authentication id '10.200.10.73'
set vpn ipsec site-to-site peer Global_IP1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer Global_IP1 authentication pre-shared-secret 'password'
set vpn ipsec site-to-site peer Global_IP1 authentication remote-id '192.168.1.2'
set vpn ipsec site-to-site peer Global_IP1 connection-type 'initiate'
set vpn ipsec site-to-site peer Global_IP1 default-esp-group 'ESP'
set vpn ipsec site-to-site peer Global_IP1 ike-group 'IKE'
set vpn ipsec site-to-site peer Global_IP1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer Global_IP1 local-address '10.200.10.73'
set vpn ipsec site-to-site peer Global_IP1 vti bind 'vti1'
set vpn ipsec site-to-site peer Global_IP1 vti esp-group 'ESP'[/code]