VyOS 1.2.0 IPSec server setup not working


I copied the coped from the VyOS Support portal at https://support.vyos.io/en/guides/vyos-user-guide/user-guide/l2tp-over-ipsec to try to setup a IPsec VPN server to use with Windows and Linux.

When I get to the section of the code to do:

set firewall name OUTSIDE-LOCAL rule 40 action ‘accept’
set firewall name OUTSIDE-LOCAL rule 40 protocol ‘esp’
set firewall name OUTSIDE-LOCAL rule 40 destination port ‘50’

I have been entering one line at a time and doing a commit to make sure my configuration is accurate and valid.

I am attaching my configuration -Redacted- and the exact errror message I am getting:

Connection timed out

Welcome to VyOS

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
vyos@vyos:~$ show confg

Invalid command: show [confg]

vyos@vyos:~ show configuration firewall { all-ping enable broadcast-ping disable config-trap disable ipv6-receive-redirects disable ipv6-src-route disable ip-src-route disable log-martians enable name OUTSIDE-LOCAL { default-action drop rule 41 { action accept destination { port 500 } protocol udp } rule 42 { action accept destination { port 4500 } protocol udp } rule 43 { action accept destination { port 1701 } ipsec { match-ipsec } protocol udp } } receive-redirects disable send-redirects enable source-validation disable syn-cookies enable twa-hazards-protection disable } interfaces { ethernet eth2 { address MyPublicIP/23 description Outside duplex auto hw-id 00:50:56:85:e7:4d smp-affinity auto speed auto } ethernet eth3 { address MyInternalIP/22 description Inside duplex auto hw-id 00:50:56:85:00:5e smp-affinity auto speed auto } loopback lo { } } nat { source { rule 110 { outbound-interface eth2 source { address MyInternalIPSubnet/24 } translation { address masquerade } } } } protocols { static { route { next-hop MyPublicIPGateway { distance 1 } } } } service { dns { forwarding { cache-size 0 listen-address MyInternalIP name-server MyIntrnalDNS1 name-server MyInternalDNS2 } } ssh { port 22 } } system { config-management { commit-revisions 100 } console { } domain-name MyFQDN host-name vyos login { user vyos { authentication { encrypted-password **************** plaintext-password **************** } level admin } } name-server ntp { server 0.pool.ntp.org { } server 1.pool.ntp.org { } server 2.pool.ntp.org { } } syslog { global { facility all { level info } facility protocols { level debug } } } time-zone US/Central } vpn { ipsec { ipsec-interfaces { interface eth2 } nat-networks { allowed-network { } } nat-traversal enable } l2tp { remote-access { authentication { local-users { username MyUsername{ password **************** } } mode local } client-ip-pool { start stop } dns-servers { server-1 MyInternalDNS1 server-2 MyInternalDNS2 } idle 1800 ipsec-settings { authentication { mode pre-shared-secret pre-shared-secret **************** } ike-lifetime 3600 lifetime 3600 } outside-address MyPublicIP } } } vyos@vyos:~
vyos@vyos:~$ configure
vyos@vyos# set firewall name OUTSIDE-LOCAL rule 40 action ‘accept’
vyos@vyos# commit
vyos@vyos# set firewall name OUTSIDE-LOCAL rule 40 protocol ‘esp’
vyos@vyos# commit
vyos@vyos# set firewall name OUTSIDE-LOCAL rule 40 destination port ‘50’
vyos@vyos# commit
[ firewall name OUTSIDE-LOCAL ]
Firewall configuration error: ports can only be specified when protocol is “tcp” or “udp” (currently “esp”)

[[firewall name OUTSIDE-LOCAL]] failed
Commit failed
vyos@vyos# ~$ show system image
The system currently has the following image(s) installed:

1: 1.2.0-epa3 (default boot)

I just realized that I am not using final build…

Do I have to wipe and re-enter my entire configuration to use production distribution?
I have 1.2.0-amd64.iso, but must have used the EPA3 copy mistakenly…

You help is appreciated,


99% sure its not related, but I had encountered a problem today, which I’ll report on a new post.

Looks like QM was failing.

The voodo spell i used to get IPSEC working:

set vpn ipsec logging log-level


Hi HMJares,

wenn you have access to the 1.2.0-amd64.iso you can update, the saved config is migrated during update.

I haven’t verified it yet, but don’t set the port wenn you accept ESP.

Please see this blogpost here.
The documentation is in a migration process. Maybe the example is outdated.

I will take a closer look at this in next days.



I did upgrade to the 1.2.0-amd64 version.
No change in the problem.
CLI still gives error on:

set firewall name OUTSIDE-LOCAL rule 40 action ‘accept’
set firewall name OUTSIDE-LOCAL rule 40 destination port ‘50’
set firewall name OUTSIDE-LOCAL rule 40 protocol ‘esp’

during commit. Says you can’t define firewall rule for a port unless protocol is TCP or UDP.


Hi HMJares,

sorry for the delay.

don’t set the destination port on the example rule 40. than the commit success.

The ESP protocoll don’t have portnumbers.

The Example is outdated and i have it on my list to rewrite it correctly. It also don’t include that you have include the firewall ruleset to you WAN interface.

Please see this location for the latest User guide:


Ok. Taht helped me get the configuration saved and committed.
I tried to connect to vyos server configured as described and now receive:

“The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.”

I have uploaded my configuration, if you have time to see what I did wrong.

Thank you for your support and patience.

vyos_IPSEC_Config.txt (5.4 KB)