Hi there,
I have been trying to solve this annoying issue for a few days now, basically we have a few servers in different data centres, which handle all of our internal network routing. They’re all interconnected by IPSec Site-to-Site VPNs so that one data centre private network can talk to another.
We have found this to be fairly unreliable, so we’re moving to VyOS. The problem is, we need to do this in stages, so replace one server with VyOS, have it connect to the other servers, replace the next one, etc.
Our current OpenSwan servers run CentOS 5.11 with OpenSwan 2.6.32.
For some strange reason, I cannot get our VyOS installation to connect to the OpenSwan servers over IPSec, we continually get the following messages:
==VYOS==
Jan 21 19:02:22 vyos pluto[10356]: packet from :500: ignoring Vendor ID payload [4f4568794c64414365636661]
Jan 21 19:02:22 vyos pluto[10356]: packet from :500: received Vendor ID payload [Dead Peer Detection]
Jan 21 19:02:22 vyos pluto[10356]: packet from :500: ignoring Vendor ID payload [RFC 3947]
Jan 21 19:02:22 vyos pluto[10356]: packet from :500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jan 21 19:02:22 vyos pluto[10356]: packet from :500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jan 21 19:02:22 vyos pluto[10356]: packet from :500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jan 21 19:02:22 vyos pluto[10356]: packet from :500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 21 19:02:22 vyos pluto[10356]: "peer--tunnel-1" #4630: responding to Main Mode
Jan 21 19:02:22 vyos pluto[10356]: "peer--tunnel-1" #4630: Oakley Transform [AES_CBC (128), HMAC_SHA1, MODP_1536] refused due to strict flag
Jan 21 19:02:22 vyos pluto[10356]: "peer--tunnel-1" #4630: Oakley Transform [AES_CBC (128), HMAC_SHA1, MODP_1024] refused due to strict flag
Jan 21 19:02:22 vyos pluto[10356]: "peer--tunnel-1" #4630: no acceptable Oakley Transform
Jan 21 19:02:22 vyos pluto[10356]: "peer--tunnel-1" #4630: sending notification NO_PROPOSAL_CHOSEN to :500
Jan 21 19:02:37 vyos pluto[10356]: "peer--tunnel-1" #4628: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 21 19:02:37 vyos pluto[10356]: "peer--tunnel-1" #4628: starting keying attempt 5 of an unlimited number
Jan 21 19:02:37 vyos pluto[10356]: "peer--tunnel-1" #4631: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #4628 {using isakmp#4619}
Jan 21 19:02:37 vyos pluto[10356]: "peer--tunnel-1" #4619: ignoring informational payload, type INVALID_ID_INFORMATION
==OPENSWAN==
Jan 21 10:50:50 openswan pluto[5179]: "vyos/1x1" #59: sending encrypted notification INVALID_ID_INFORMATION to :500
Jan 21 10:50:55 openswan pluto[5179]: "vyos/1x1" #4: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Jan 21 10:50:55 openswan pluto[5179]: "vyos/1x1" #4: received and ignored informational message
Jan 21 10:51:00 openswan pluto[5179]: "vyos/1x1" #59: the peer proposed: 10.10.8.0/24:0/0 -> 172.16.1.0/24:0/0
Jan 21 10:51:00 openswan pluto[5179]: "vyos/1x1" #59: cannot respond to IPsec SA request because no connection is known for 10.10.8.0/24===<>[+S=C]…<>[+S=C]===172.16.1.0/24
So phase 1 comes up fine, it’s only phase 2 / ESP that won’t come up.
All of my searching online has led me to believe there is a configuration mismatch between the two based on the errors we’re receiving, but I have tried heaps of different combinations, none of which have worked, plus the fact that the settings look almost identical.
Our configs for both are:
==VYOS==
set vpn ipsec esp-group ESP-1W lifetime '1800'
set vpn ipsec esp-group ESP-1W pfs 'disable'
set vpn ipsec esp-group ESP-1W proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-1W proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-1W lifetime '3600'
set vpn ipsec ike-group IKE-1W proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-1W proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-1W proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer authentication pre-shared-secret ''
set vpn ipsec site-to-site peer connection-type 'initiate'
set vpn ipsec site-to-site peer default-esp-group 'ESP-1W'
set vpn ipsec site-to-site peer ike-group 'IKE-1W'
set vpn ipsec site-to-site peer local-address ''
set vpn ipsec site-to-site peer tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer tunnel 1 esp-group 'ESP-1W'
set vpn ipsec site-to-site peer tunnel 1 local prefix '172.16.1.0/24'
set vpn ipsec site-to-site peer tunnel 1 remote prefix '10.10.8.0/24'
==OPENSWAN==
conn vyos
#ADDRESSING
left=
right=
leftsourceip=
leftsubnets={172.16.10.0/24}
rightsubnets={10.10.8.0/24}
#PHASE 1
ikelifetime=1h
ike=aes128-sha1
#PHASE 2
phase2=esp
phase2alg=aes128-sha1;modp2048
authby=secret
type=tunnel
auto=start
pfs=no
forceencaps=yes
Obviously public IPs have been replaced with and above.
Any help / suggestions anyone can give would be greatly appreciated.
Thanks in advance.
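As an added troubleshooting aid (not part of the original post or of VyOS/Openswan), the script below reads pluto log lines of the two kinds quoted above: it pulls the traffic selectors out of the responder's "the peer proposed: A -> B" line and compares them with the subnets configured on that side, and it maps the MODP groups in "refused due to strict flag" lines to the IKE DH group numbers VyOS uses in dh-group. The sample log is constructed from the lines in the post; the subnet lists passed in are the ones from the two configs.

```python
import re
from ipaddress import ip_network

# Constructed sample lines modelled on the pluto output quoted in the post (no public IPs).
SAMPLE_LOG = """\
Jan 21 19:02:22 vyos pluto[10356]: "peer--tunnel-1" #4630: Oakley Transform [AES_CBC (128), HMAC_SHA1, MODP_1536] refused due to strict flag
Jan 21 19:02:22 vyos pluto[10356]: "peer--tunnel-1" #4630: Oakley Transform [AES_CBC (128), HMAC_SHA1, MODP_1024] refused due to strict flag
Jan 21 10:51:00 openswan pluto[5179]: "vyos/1x1" #59: the peer proposed: 10.10.8.0/24:0/0 -> 172.16.1.0/24:0/0
"""

# Responder logs "peer_net:proto/port -> our_net:proto/port" for a Quick Mode proposal.
PROPOSED_RE = re.compile(r"the peer proposed: (\S+?):\d+/\d+ -> (\S+?):\d+/\d+")
REFUSED_RE = re.compile(r"Oakley Transform \[(.+?)\] refused due to strict flag")
# Pluto's MODP names mapped to the IKE DH group numbers used in VyOS 'dh-group'.
MODP_TO_DH = {"MODP_1024": 2, "MODP_1536": 5, "MODP_2048": 14}


def proposed_selectors(log):
    """(peer_net, our_net) pairs taken from 'the peer proposed' lines."""
    return [(ip_network(a), ip_network(b)) for a, b in PROPOSED_RE.findall(log)]


def selector_mismatches(log, our_subnets, peer_subnets):
    """Describe every proposed selector that the responder has no matching subnet for.

    An empty list means each proposed pair is covered by the configuration, so a
    'no connection is known' failure must come from something other than subnets.
    """
    ours = {ip_network(s) for s in our_subnets}
    peers = {ip_network(s) for s in peer_subnets}
    problems = []
    for peer_net, our_net in proposed_selectors(log):
        if our_net not in ours:
            problems.append(f"local side {our_net} not in configured {sorted(map(str, ours))}")
        if peer_net not in peers:
            problems.append(f"peer side {peer_net} not in configured {sorted(map(str, peers))}")
    return problems


def refused_dh_groups(log):
    """DH group numbers (VyOS numbering) that the strict responder refused."""
    groups = []
    for transform in REFUSED_RE.findall(log):
        modp = transform.split(",")[-1].strip()      # last element is the MODP group
        groups.append(MODP_TO_DH.get(modp, modp))    # unknown names are passed through
    return groups


if __name__ == "__main__":
    print(selector_mismatches(SAMPLE_LOG, ["172.16.10.0/24"], ["10.10.8.0/24"]))
    print(refused_dh_groups(SAMPLE_LOG))
```

Running it with each side's configured subnets shows which of the two log messages (selector mismatch or refused DH group) actually applies to a given responder, so the fix can be aimed at phase 1 or phase 2 rather than at both.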