VyOS 1.2.0 IPSec server setup not working

I copied the code from the VyOS Support portal at https://support.vyos.io/en/guides/vyos-user-guide/user-guide/l2tp-over-ipsec to try to set up an IPsec VPN server to use with Windows and Linux.

When I get to the section of the code to do:

set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
set firewall name OUTSIDE-LOCAL rule 40 destination port '50'

I have been entering one line at a time and doing a commit to make sure my configuration is accurate and valid.

I am attaching my configuration -Redacted- and the exact error message I am getting:

Connection timed out

Welcome to VyOS

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
vyos@vyos:~$ show confg

Invalid command: show [confg]

vyos@vyos:~$ show configuration
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name OUTSIDE-LOCAL {
        default-action drop
        rule 41 {
            action accept
            destination {
                port 500
            }
            protocol udp
        }
        rule 42 {
            action accept
            destination {
                port 4500
            }
            protocol udp
        }
        rule 43 {
            action accept
            destination {
                port 1701
            }
            ipsec {
                match-ipsec
            }
            protocol udp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    ethernet eth2 {
        address MyPublicIP/23
        description Outside
        duplex auto
        hw-id 00:50:56:85:e7:4d
        smp-affinity auto
        speed auto
    }
    ethernet eth3 {
        address MyInternalIP/22
        description Inside
        duplex auto
        hw-id 00:50:56:85:00:5e
        smp-affinity auto
        speed auto
    }
    loopback lo {
    }
}
nat {
    source {
        rule 110 {
            outbound-interface eth2
            source {
                address MyInternalIPSubnet/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop MyPublicIPGateway {
                distance 1
            }
        }
    }
}
service {
    dns {
        forwarding {
            cache-size 0
            listen-address MyInternalIP
            name-server MyInternalDNS1
            name-server MyInternalDNS2
        }
    }
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
    }
    domain-name MyFQDN
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    name-server 172.21.12.1
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone US/Central
}
vpn {
    ipsec {
        ipsec-interfaces {
            interface eth2
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username MyUsername {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 172.21.62.231
                stop 172.21.62.239
            }
            dns-servers {
                server-1 MyInternalDNS1
                server-2 MyInternalDNS2
            }
            idle 1800
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 3600
                lifetime 3600
            }
            outside-address MyPublicIP
        }
    }
}
vyos@vyos:~$
vyos@vyos:~$ configure
[edit]
vyos@vyos# set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# set firewall name OUTSIDE-LOCAL rule 40 destination port '50'
[edit]
vyos@vyos# commit
[ firewall name OUTSIDE-LOCAL ]
Firewall configuration error: ports can only be specified when protocol is "tcp" or "udp" (currently "esp")

[[firewall name OUTSIDE-LOCAL]] failed
Commit failed
[edit]
vyos@vyos:~$ show system image
The system currently has the following image(s) installed:

1: 1.2.0-epa3 (default boot)

I just realized that I am not using final build…

Do I have to wipe and re-enter my entire configuration to use production distribution?
I have 1.2.0-amd64.iso, but must have used the EPA3 copy mistakenly…

Your help is appreciated,
Howard

99% sure it's not related, but I had encountered a problem today, which I'll report in a new post.

Looks like QM was failing.

The voodoo spell I used to get IPsec working:

set vpn ipsec logging log-level

Hi HMJares,

when you have access to the 1.2.0-amd64.iso you can update; the saved config is migrated during the update.

I haven't verified it yet, but don't set the port when you accept ESP.

Please see this blogpost here.
The documentation is in a migration process. Maybe the example is outdated.

I will take a closer look at this in next days.

cheers

I did upgrade to the 1.2.0-amd64 version.
No change in the problem.
CLI still gives error on:

set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 destination port '50'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'

during commit. It says you can't define a firewall rule for a port unless the protocol is TCP or UDP.

Hi HMJares,

sorry for the delay.

Don't set the destination port on the example rule 40; then the commit succeeds.

The ESP protocol doesn't have port numbers.

The example is outdated and I have it on my list to rewrite it correctly. It also doesn't mention that you have to attach the firewall ruleset to your WAN interface.

Please see this location for the latest User guide:
https://vyos.readthedocs.io/en/latest/index.html
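For reference, here is the ruleset as the reply above describes it, written out as an added example (it is not part of the thread and not the VyOS documentation's own text). ESP is IP protocol 50, not UDP/TCP port 50, so rule 40 matches on protocol alone; UDP/1701 is accepted only when the packet arrived inside the IPsec tunnel (the `match-ipsec` the posted config already has), so a plaintext L2TP packet from the internet is dropped; and the ruleset is attached to eth2 (the "Outside" interface from the posted config) in the local direction, which the documentation example omitted. Rule 10 and the rule numbering are my additions.

```text
configure

# Allow replies to the router's own outbound traffic (NTP, DNS forwarding);
# with default-action drop these would otherwise be dropped.
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'

# ESP: protocol only, no port (ESP has none; "50" is its IP protocol number).
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'

# IKE (UDP/500) and NAT-T (UDP/4500).
set firewall name OUTSIDE-LOCAL rule 41 action 'accept'
set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 41 destination port '500'
set firewall name OUTSIDE-LOCAL rule 42 action 'accept'
set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 42 destination port '4500'

# L2TP (UDP/1701) only from inside the IPsec SA; unencrypted L2TP is dropped.
set firewall name OUTSIDE-LOCAL rule 43 action 'accept'
set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 43 destination port '1701'
set firewall name OUTSIDE-LOCAL rule 43 ipsec match-ipsec

# Attach the ruleset to the WAN interface; until this line it filters nothing.
set interfaces ethernet eth2 firewall local name 'OUTSIDE-LOCAL'

commit
save
```

Two things to check after the commit: `show firewall name OUTSIDE-LOCAL` should show the packet counters on rules 40 to 43 increasing while a client connects, and because the ruleset now really applies to eth2 with `default-action drop`, anything not listed (including SSH on port 22 from the posted config) is dropped on the outside interface, so add a rule for it if the router is managed from outside.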

Ok. That helped me get the configuration saved and committed.
I tried to connect to vyos server configured as described and now receive:

“The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.”

I have uploaded my configuration, if you have time to see what I did wrong.

Thank you for your support and patience.

Howard
vyos_IPSEC_Config.txt (5.4 KB)