VyOS 1.5-rolling-202408050022 | IPsec VPN up but pinging the remote IP returns Destination Host Unreachable (both directions)

Hi Team,

  1. I’m trying to set up an IPsec VPN between two VyOS 1.5-rolling-202408050022 routers; both the local and the remote router sit behind a firewall/NAT (each one's IKE local-id is its public address, not the address on eth0).
  2. The IPsec tunnel is now established, but pinging the remote IP returns DESTINATION HOST UNREACHABLE, and the same happens in the other direction.

VYOS A Configuration

# NOTE(review): VyOS "set" listing for router A. The '#' lines are reviewer notes on
# the security-relevant settings; they do not change the configuration.
#
# Firewall: every chain below uses default-action 'accept' plus one accept-all rule
# (source/destination '.../0' matches any address, protocol 'all'), and no input
# filter chain appears in this listing, so nothing is filtered on this router.
# That is acceptable while isolating the routing problem, but before production
# restrict input to IKE (UDP/500, UDP/4500 for NAT-T) and ESP from the peer address,
# limit forward to the tunnel prefixes, and restrict SSH to management sources.
# PERMET_ALL is defined but no line in this listing attaches it to an interface
# or zone, so it currently has no effect.
set firewall global-options all-ping 'enable'
set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 5 action 'accept'
set firewall ipv4 forward filter rule 5 destination address 'xxx.xxx.0.0/0'
set firewall ipv4 forward filter rule 5 protocol 'all'
set firewall ipv4 forward filter rule 5 source address 'xxx.xxx.0.0/0'
set firewall ipv4 name PERMET_ALL default-action 'accept'
set firewall ipv4 name PERMET_ALL rule 100 action 'accept'
set firewall ipv4 name PERMET_ALL rule 100 destination address 'xxx.xxx.0.0/0'
set firewall ipv4 name PERMET_ALL rule 100 protocol 'all'
set firewall ipv4 name PERMET_ALL rule 100 source address 'xxx.xxx.0.0/0'
set firewall ipv4 output filter default-action 'accept'
set firewall ipv4 output filter rule 105 action 'accept'
set firewall ipv4 output filter rule 105 destination address 'xxx.xxx.0.0/0'
set firewall ipv4 output filter rule 105 protocol 'all'
set firewall ipv4 output filter rule 105 source address 'xxx.xxx.0.0/0'
# dum0 is the local test network that is routed across the tunnel from the peer.
set interfaces dummy dum0 address 'xxx.xxx.11.1/24'
set interfaces ethernet eth0 address 'xxx.xxx.100.94/16'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:05'
# NOTE(review): proxy ARP on the uplink makes this router answer ARP on eth0 for
# any address it can route out another interface, which includes the remote /16
# routed via vti1 below. On a shared segment that can pull other hosts' traffic
# towards this router; confirm it is needed, otherwise remove it.
set interfaces ethernet eth0 ip enable-proxy-arp
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload sg
set interfaces ethernet eth0 offload tso
set interfaces loopback lo
# NOTE(review): this end's VTI address is xxx.xxx.3.1/31 while the peer's (router B)
# is xxx.xxx.2.1/31; if the redacted octets match, the two ends are not in a common
# /31. That is harmless only because every tunnel route below uses 'interface vti1'
# rather than a next-hop -- do not switch them to next-hop routes without fixing it.
set interfaces vti vti1 address 'xxx.xxx.3.1/31'
set interfaces vti vti1 ip adjust-mss '1350'
set protocols static route xxx.xxx.0.0/0 next-hop xxx.xxx.153.253
set protocols static route xxx.xxx.12.0/24 interface vti1
# NOTE(review): a whole /16 is routed into the tunnel while eth0 also carries a /16.
# If these are the same or overlapping prefixes (cannot tell with the redaction),
# the connected eth0 route wins and that traffic never enters the tunnel -- verify
# with 'show ip route'.
set protocols static route xxx.xxx.0.0/16 interface vti1
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/8'
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/16'
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/8'
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/12'
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/16'
set service ntp allow-client xxxxxx '::1/128'
set service ntp allow-client xxxxxx 'fe80::/10'
set service ntp allow-client xxxxxx 'fc00::/7'
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
# NOTE(review): with no input filter chain, SSH on port 22 is reachable from any
# source that can reach the listen address; restrict it by firewall or move it
# to a management address before exposing eth0.
set service ssh listen-address 'xxx.xxx.0.0'
set service ssh port '22'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
# NOTE(review): both encrypted-password and plaintext-password are present for the
# same user. VyOS is expected to hash plaintext-password into encrypted-password on
# commit; confirm the plaintext line is gone from the saved config, and never keep a
# plaintext password in a config that is shared or stored in version control.
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
# PSK id is this router's public (NAT) address, matching the local-id below.
set vpn ipsec authentication psk vyospfsense id 'xxx.xxx.185.147'
set vpn ipsec authentication psk vyospfsense secret xxxxxx
set vpn ipsec esp-group to-pfsense-esp lifetime '3600'
set vpn ipsec esp-group to-pfsense-esp mode 'tunnel'
# NOTE(review): dh-group2 is 1024-bit MODP, which is below current guidance for
# both PFS and IKE. Move both peers to dh-group 14 or higher (or an ECP group) in
# the same maintenance window -- the groups must match on both ends or IKE fails.
set vpn ipsec esp-group to-pfsense-esp pfs 'dh-group2'
set vpn ipsec esp-group to-pfsense-esp proposal 2 encryption 'aes256'
set vpn ipsec esp-group to-pfsense-esp proposal 2 hash 'sha256'
set vpn ipsec ike-group to-pfsense-ike close-action 'none'
set vpn ipsec ike-group to-pfsense-ike ikev2-reauth
set vpn ipsec ike-group to-pfsense-ike key-exchange 'ikev2'
set vpn ipsec ike-group to-pfsense-ike lifetime '28800'
# NOTE(review): 'mode main' is an IKEv1 phase-1 setting; with key-exchange ikev2
# it is presumably ignored -- harmless, but it can be dropped.
set vpn ipsec ike-group to-pfsense-ike mode 'main'
# NOTE(review): same 1024-bit group as the ESP PFS setting above; raise it together.
set vpn ipsec ike-group to-pfsense-ike proposal 2 dh-group '2'
set vpn ipsec ike-group to-pfsense-ike proposal 2 encryption 'aes256'
set vpn ipsec ike-group to-pfsense-ike proposal 2 hash 'sha256'
set vpn ipsec interface 'eth0'
# Correct for a VTI design: tunnel routes are the static 'interface vti1' routes
# above, so the IKE daemon must not install selector-based routes as well.
set vpn ipsec options disable-route-autoinstall
# local-id is the public address seen by the peer, not eth0's private address --
# consistent with this router being behind NAT. The peer's remote-id must match it.
set vpn ipsec site-to-site peer to_pfsense authentication local-id 'xxx.xxx.185.147'
set vpn ipsec site-to-site peer to_pfsense authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer to_pfsense authentication remote-id 'xxx.xxx.192.183'
set vpn ipsec site-to-site peer to_pfsense connection-type 'initiate'
set vpn ipsec site-to-site peer to_pfsense ike-group 'to-pfsense-ike'
set vpn ipsec site-to-site peer to_pfsense ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer to_pfsense local-address 'any'
set vpn ipsec site-to-site peer to_pfsense remote-address 'xxx.xxx.192.183'
# NOTE(review): explicit tunnel selectors (local/remote prefix, both a /16) are
# combined with 'vti bind'. A bound VTI normally carries 0.0.0.0/0 selectors; check
# what was actually negotiated with 'show vpn ipsec sa', and make sure the two /16s
# are not the same prefix on both sides (the redaction hides this).
set vpn ipsec site-to-site peer to_pfsense tunnel 0 esp-group 'to-pfsense-esp'
set vpn ipsec site-to-site peer to_pfsense tunnel 0 local prefix 'xxx.xxx.0.0/16'
set vpn ipsec site-to-site peer to_pfsense tunnel 0 protocol 'esp'
set vpn ipsec site-to-site peer to_pfsense tunnel 0 remote prefix 'xxx.xxx.0.0/16'
set vpn ipsec site-to-site peer to_pfsense vti bind 'vti1'
set vpn ipsec site-to-site peer to_pfsense vti esp-group 'to-pfsense-esp'

VYOS B Configuration

# NOTE(review): VyOS "set" listing for router B (the responder). The '#' lines are
# reviewer notes on the security-relevant settings; they do not change the config.
#
# Firewall: as on the other router, every chain is default-action 'accept' with a
# single accept-all rule ('.../0' = any address, protocol 'all') and there is no
# input filter chain in this listing, so IKE, SSH and NTP are reachable from any
# source that can reach eth0/eth1. Restrict input to IKE (UDP/500, UDP/4500) and ESP
# from the peer, limit forward to the tunnel prefixes, and restrict SSH before
# production. PERMET_ALL is defined but never attached to an interface or zone here.
set firewall global-options all-ping 'enable'
set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 5 action 'accept'
set firewall ipv4 forward filter rule 5 destination address 'xxx.xxx.0.0/0'
set firewall ipv4 forward filter rule 5 protocol 'all'
set firewall ipv4 forward filter rule 5 source address 'xxx.xxx.0.0/0'
set firewall ipv4 name PERMET_ALL default-action 'accept'
set firewall ipv4 name PERMET_ALL rule 100 action 'accept'
set firewall ipv4 name PERMET_ALL rule 100 destination address 'xxx.xxx.0.0/0'
set firewall ipv4 name PERMET_ALL rule 100 protocol 'all'
set firewall ipv4 name PERMET_ALL rule 100 source address 'xxx.xxx.0.0/0'
set firewall ipv4 output filter default-action 'accept'
set firewall ipv4 output filter rule 105 action 'accept'
set firewall ipv4 output filter rule 105 destination address 'xxx.xxx.0.0/0'
set firewall ipv4 output filter rule 105 protocol 'all'
set firewall ipv4 output filter rule 105 source address 'xxx.xxx.0.0/0'
# dum0 is the local test network the peer routes across the tunnel.
set interfaces dummy dum0 address 'xxx.xxx.12.1/24'
set interfaces ethernet eth0 address 'xxx.xxx.181.102/16'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:dd'
# NOTE(review): proxy ARP on the uplink lets this router answer ARP on eth0 for
# any destination it routes elsewhere, including the /16 sent into vti1 below;
# on a shared segment that can divert other hosts' traffic. Confirm it is needed.
set interfaces ethernet eth0 ip enable-proxy-arp
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload sg
set interfaces ethernet eth0 offload tso
set interfaces ethernet eth1 address 'xxx.xxx.207.16/24'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:93'
set interfaces ethernet eth1 offload gro
set interfaces ethernet eth1 offload gso
set interfaces ethernet eth1 offload sg
set interfaces ethernet eth1 offload tso
set interfaces loopback lo
# NOTE(review): this VTI address (xxx.xxx.2.1/31) is the likely source of the
# "Destination Host Unreachable" seen from 10.10.2.1, i.e. this router received the
# packet over the tunnel and could not forward it. It is also not in the same /31 as
# the other end (xxx.xxx.3.1/31); that only works because the tunnel routes below
# use 'interface vti1' rather than a next-hop.
set interfaces vti vti1 address 'xxx.xxx.2.1/31'
set interfaces vti vti1 ip adjust-mss '1350'
set protocols static route xxx.xxx.0.0/0 next-hop xxx.xxx.0.1
set protocols static route xxx.xxx.11.0/24 interface vti1
set protocols static route xxx.xxx.62.252/32 next-hop xxx.xxx.0.1
# NOTE(review): a full /16 is routed into the tunnel while eth0 is also a /16. If
# these overlap (the redaction hides it), the connected route on eth0 wins and the
# reply to the pinging host never takes the tunnel -- check 'show ip route' for the
# exact address being pinged.
set protocols static route xxx.xxx.0.0/16 interface vti1
# Host route for the peer's public address via the uplink gateway; keeps IKE/ESP
# off the tunnel route above even if the /16 were to cover it.
set protocols static route xxx.xxx.185.147/32 next-hop xxx.xxx.0.1
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/8'
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/16'
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/8'
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/12'
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/16'
set service ntp allow-client xxxxxx '::1/128'
set service ntp allow-client xxxxxx 'fe80::/10'
set service ntp allow-client xxxxxx 'fc00::/7'
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
# NOTE(review): SSH on port 22 with no input filter chain is reachable from any
# source that reaches the listen address; restrict it before exposing the uplink.
set service ssh listen-address 'xxx.xxx.0.0'
set service ssh port '22'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
# NOTE(review): encrypted-password and plaintext-password are both set for the same
# user. VyOS is expected to hash the plaintext form on commit; verify the plaintext
# line does not persist in the saved config, and keep plaintext credentials out of
# any shared or version-controlled config.
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
# PSK ids: this router's eth0 address and its public (NAT) address, the latter
# being the local-id presented to the peer.
set vpn ipsec authentication psk vyospfsense id 'xxx.xxx.181.102'
set vpn ipsec authentication psk vyospfsense id 'xxx.xxx.192.183'
set vpn ipsec authentication psk vyospfsense secret xxxxxx
set vpn ipsec esp-group to-pfsense-esp lifetime '3600'
set vpn ipsec esp-group to-pfsense-esp mode 'tunnel'
# NOTE(review): dh-group2 is 1024-bit MODP, below current guidance for PFS and IKE.
# Raise both peers to dh-group 14 or higher (or an ECP group) at the same time; a
# mismatch between the ends breaks IKE.
set vpn ipsec esp-group to-pfsense-esp pfs 'dh-group2'
set vpn ipsec esp-group to-pfsense-esp proposal 2 encryption 'aes256'
set vpn ipsec esp-group to-pfsense-esp proposal 2 hash 'sha256'
set vpn ipsec ike-group to-pfsense-ike close-action 'none'
set vpn ipsec ike-group to-pfsense-ike ikev2-reauth
set vpn ipsec ike-group to-pfsense-ike key-exchange 'ikev2'
set vpn ipsec ike-group to-pfsense-ike lifetime '28800'
# NOTE(review): 'mode main' belongs to IKEv1 phase 1 and is presumably ignored
# under key-exchange ikev2; it can be removed.
set vpn ipsec ike-group to-pfsense-ike mode 'main'
# NOTE(review): same 1024-bit group as the PFS setting above; raise both together.
set vpn ipsec ike-group to-pfsense-ike proposal 2 dh-group '2'
set vpn ipsec ike-group to-pfsense-ike proposal 2 encryption 'aes256'
set vpn ipsec ike-group to-pfsense-ike proposal 2 hash 'sha256'
set vpn ipsec interface 'eth0'
# Correct for a VTI design: routing into the tunnel is done by the static
# 'interface vti1' routes above, not by IKE-installed selector routes.
set vpn ipsec options disable-route-autoinstall
# local-id is this router's public address rather than eth0's private one, consistent
# with it being behind NAT; the peer's remote-id must match it exactly.
set vpn ipsec site-to-site peer to_pfsense authentication local-id 'xxx.xxx.192.183'
set vpn ipsec site-to-site peer to_pfsense authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer to_pfsense authentication remote-id 'xxx.xxx.185.147'
set vpn ipsec site-to-site peer to_pfsense connection-type 'respond'
set vpn ipsec site-to-site peer to_pfsense ike-group 'to-pfsense-ike'
set vpn ipsec site-to-site peer to_pfsense ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer to_pfsense local-address 'any'
set vpn ipsec site-to-site peer to_pfsense remote-address 'xxx.xxx.185.147'
# NOTE(review): explicit /16 selectors on tunnel 0 are combined with 'vti bind'. A
# bound VTI is normally 0.0.0.0/0 selectors; confirm the negotiated selectors with
# 'show vpn ipsec sa' and that local and remote prefix are not the same /16.
set vpn ipsec site-to-site peer to_pfsense tunnel 0 esp-group 'to-pfsense-esp'
set vpn ipsec site-to-site peer to_pfsense tunnel 0 local prefix 'xxx.xxx.0.0/16'
set vpn ipsec site-to-site peer to_pfsense tunnel 0 protocol 'esp'
set vpn ipsec site-to-site peer to_pfsense tunnel 0 remote prefix 'xxx.xxx.0.0/16'
set vpn ipsec site-to-site peer to_pfsense vti bind 'vti1'
set vpn ipsec site-to-site peer to_pfsense vti esp-group 'to-pfsense-esp'

IPSec VPN status snapshot

The unreachable message originates from 10.10.2.1, which most likely is the vti1 address on your peer (router B configures vti1 as xxx.xxx.2.1/31). An ICMP host-unreachable sourced from the far end's tunnel address means the packet crossed the IPsec tunnel and the peer then could not forward it, so the problem is in the peer's routing rather than in the IPsec negotiation. Check its route table (`show ip route`) for the exact destination you are pinging; in particular the /16 that router B routes via `interface vti1` sits next to a /16 on its eth0, and if those overlap the connected route wins and the reply never enters the tunnel. Note also that the two VTI addresses (xxx.xxx.3.1/31 and xxx.xxx.2.1/31) are not in a common /31, which is harmless only as long as every tunnel route uses `interface vti1` rather than a next-hop.
