VyOS crashes after configuring site-to-site commands


#1

Hi all:

We have a VyOS router running version 1.1.6. We want to configure an IPsec tunnel (as we already have on other routers). As I'm a new user I can't upload the configuration file to this topic, so I'm pasting it here:

set interfaces ethernet eth0 address '1.1.240.17/24'
set interfaces ethernet eth0 address '1.1.240.254/24'
set interfaces ethernet eth0 address '1.1.240.138/24'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 smp_affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '10.100.200.1/24'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 smp_affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 address '10.100.201.1/24'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 smp_affinity 'auto'
set interfaces ethernet eth2 speed 'auto'
set interfaces ethernet eth3 address '1.1.70.10/24'
set interfaces ethernet eth3 duplex 'auto'
set interfaces ethernet eth3 'policy'
set interfaces ethernet eth3 smp_affinity 'auto'
set interfaces ethernet eth3 speed 'auto'
set interfaces ethernet eth6 address '10.100.203.1/24'
set interfaces ethernet eth6 duplex 'auto'
set interfaces ethernet eth6 smp_affinity 'auto'
set interfaces ethernet eth6 speed 'auto'
set interfaces loopback 'lo'
set nat destination rule 40 destination address '1.1.70.10'
set nat destination rule 40 destination port 'http,https'
set nat destination rule 40 inbound-interface 'eth3'
set nat destination rule 40 protocol 'tcp'
set nat destination rule 40 translation address '10.100.201.30'
set nat destination rule 50 destination address '1.1.240.254'
set nat destination rule 50 inbound-interface 'eth0'
set nat destination rule 50 translation address '10.100.201.2'
set nat destination rule 60 destination address '1.1.240.138'
set nat destination rule 60 inbound-interface 'eth0'
set nat destination rule 60 translation address '10.100.201.17'
set nat source rule 2 outbound-interface 'eth3'
set nat source rule 2 source address '10.100.201.30'
set nat source rule 2 translation address '1.1.70.10'
set nat source rule 3 outbound-interface 'eth0'
set nat source rule 3 source address '10.100.201.17'
set nat source rule 3 translation address '1.1.240.138'
set nat source rule 4 outbound-interface 'eth0'
set nat source rule 4 source address '10.100.201.2'
set nat source rule 4 translation address '1.1.240.254'
set nat source rule 5 outbound-interface 'eth0'
set nat source rule 5 source address '10.100.201.0/24'
set nat source rule 5 translation address 'masquerade'
set nat source rule 50 outbound-interface 'eth0'
set nat source rule 50 source address '10.100.201.2'
set nat source rule 50 translation address '1.1.240.254'
set protocols 'static'
set service snmp community monitorizacion authorization 'ro'
set service ssh 'allow-root'
set service ssh port '22'
set system config-management commit-revisions '20'
set system console device ttyS0 speed '9600'
set system gateway-address '1.1.240.1'
set system host-name 'vyos-Centro'
set system login user config authentication encrypted-password '$'
set system login user config authentication plaintext-password ''
set system login user config authentication public-keys dm@dm-OptiPlex-960 key ''
set system login user config authentication public-keys dm@dm-OptiPlex-960 type 'ssh-rsa'
set system login user config level 'admin'
set system login user vyos authentication encrypted-password '$'
set system login user vyos authentication plaintext-password ''
set system login user vyos authentication public-keys backup@seguridad-utilidades key '
set system login user vyos authentication public-keys backup@seguridad-utilidades type 'ssh-rsa'
set system login user vyos level 'admin'
set system login user vyos-lectura authentication encrypted-password '$'
set system login user vyos-lectura authentication plaintext-password ''
set system login user vyos-lectura level 'operator'
set system ntp server '0.pool.ntp.org'
set system package auto-sync '1'
set system package repository community components 'main'
set system package repository community distribution 'helium'
set system package repository community password ''
set system package repository community url 'http://packages.vyos.net/vyos'
set system package repository community username ''
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set system time-zone 'Europe/Madrid'
set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '1800'
set vpn ipsec esp-group ESP mode 'tunnel'
set vpn ipsec esp-group ESP pfs 'enable'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP proposal 1 hash 'sha1'
set vpn ipsec esp-group IKE compression 'disable'
set vpn ipsec esp-group IKE lifetime '3600'
set vpn ipsec esp-group IKE mode 'tunnel'
set vpn ipsec esp-group IKE pfs 'enable'
set vpn ipsec esp-group IKE proposal 1 encryption 'aes128'
set vpn ipsec esp-group IKE proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '3600'
set vpn ipsec ike-group IKE proposal 1 dh-group '2'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'

Now we want to add the site-to-site configuration; these are the commands we enter:

set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret 'password'
set vpn ipsec site-to-site peer 2.2.2.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 2.2.2.2 default-esp-group 'ESP'
set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'IKE'
set vpn ipsec site-to-site peer 2.2.2.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 2.2.2.2 local-address '20.20.20.20'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 local prefix '10.100.200.0/23'
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 remote prefix '1.1.1.1/24'

So far, everything is fine. If we run `compare saved`, it shows the new commands marked with a + symbol, as expected. The problem appears when we run `commit`: at that moment the router stops responding and freezes completely, and the only way to recover it is to restart it.

Regards


#2

Hello, @seguridad_tic!
Does the router stop responding only to network requests, or on the local console as well?


#3

Hi:

Thanks for your response. The problem was the remote prefix of the tunnel; it was our mistake.

Problem fixed.
Regards

