VyOS firewall IP-SEC tunnel dropping every 50 min

mihirjmodi · July 14, 2020, 1:59pm

Hell Eveyone,
I have setup IP-SEC tunnel from our cloud enviornment to AZURE platform and keep dropping every 50 min then reconnect itself, but it disturb data replication job at our end.
I have setup multiple proposal on phase1 as not sure which one is going to work with Azure platform
vpn {
ipsec {
auto-update 60
esp-group ESP-group {
compression disable
lifetime 3600
mode tunnel
pfs dh-group2
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group IKE-group {
close-action restart
dead-peer-detection {
action restart
interval 15
timeout 30
}
ikev2-reauth no
key-exchange ikev1
lifetime 3600
proposal 1 {
dh-group 2
encryption aes256
hash sha1
}
proposal 2 {
dh-group 2
encryption 3des
hash sha1
}
proposal 3 {
dh-group 2
encryption aes128
hash sha1
}
proposal 4 {
dh-group 2
encryption aes256
hash sha256
}
}
ipsec-interfaces {
interface eth0
}
site-to-site {
peer 4.4.4.4 {
authentication {
mode pre-shared-secret
pre-shared-secret ~~~~~~~
}
connection-type initiate
default-esp-group ESP-group
description AzureTest
ike-group IKE-group
ikev2-reauth inherit
local-address x.x.x.x
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group ESP-group
local {
prefix 172.20.130.0/27
}
remote {
prefix 10.0.0.0/16
}
}

please provide any suggestion/sollution or debug commnand which much appriciated.

Viacheslav · July 14, 2020, 4:41pm

Hi @mihirjmodi
Is it possible to use ikev2 version?

c-po · July 14, 2020, 8:05pm

I’m using the described setup for my Azure connection: Route-Based Redundant Site-to-Site VPN to Azure (BGP over IKEv2/IPsec) — VyOS 1.4.x (sagitta) documentation

mihirjmodi · July 15, 2020, 10:31am

Yes I did applied earlier on but Tunnel went down as soon as start using IKEv2.

mihirjmodi · July 15, 2020, 10:32am

In this document setup I have seen its using IKEv2 but then after made change to IKEv2 tunnel went down.

howardt · July 17, 2020, 3:37am

You may try to disable PFS, connection-type set to responds, and use vti interface.

mihirjmodi · July 25, 2020, 12:20pm

Apologies for late reply to but I have tried this and still no luck with stable IP-SEC tunnel its stay 6 to 7 hours stable and then gone down reconnect itself and get connected another 6 to 7 hours.

howardt · July 27, 2020, 8:43am

The ike lifetime should set to 28800 and ESP lifetime should set to 3600(ikev1) or 27000 (ikev2)

mihirjmodi · July 27, 2020, 12:28pm

Thanks for your reply, I have made change to lifetime set to 28800 as only setup 3600 on IKE and ESP is 3600 as I am using IKEv1.
still the same issue as tunnel got disconnected nearly 7hours and reconnect it.