VyOS on AWS as VPN Server (L2TP/IPsec and IPsec only)

Hi,

I’m trying to set up VyOS on AWS as a VPN server for L2TP/IPsec clients (Windows / iOS) and for an IPsec-only connection for my EdgeRouter.

I followed the manual and various tutorials on the internet for the few commands necessary to set up the L2TP/IPsec part. But when trying to connect from a Windows or iOS client, I get the following:

[code]Dec 13 03:26:28 VyOS-AMI pluto[2615]: packet from 444.333.222.111:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Dec 13 03:26:28 VyOS-AMI pluto[2615]: packet from 444.333.222.111:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Dec 13 03:26:28 VyOS-AMI pluto[2615]: packet from 444.333.222.111:500: received Vendor ID payload [RFC 3947]
Dec 13 03:26:28 VyOS-AMI pluto[2615]: packet from 444.333.222.111:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Dec 13 03:26:28 VyOS-AMI pluto[2615]: packet from 444.333.222.111:500: ignoring Vendor ID payload [FRAGMENTATION]
Dec 13 03:26:28 VyOS-AMI pluto[2615]: packet from 444.333.222.111:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Dec 13 03:26:28 VyOS-AMI pluto[2615]: packet from 444.333.222.111:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Dec 13 03:26:28 VyOS-AMI pluto[2615]: packet from 444.333.222.111:500: ignoring Vendor ID payload [IKE CGA version 1]
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: responding to Main Mode from unknown peer 444.333.222.111
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: Oakley Transform [AES_CBC (128), HMAC_SHA1, ECP_256] refused due to strict flag
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_2048] refused due to strict flag
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: Peer ID is ID_IPV4_ADDR: '192.168.1.101'
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111 #1: deleting connection "remote-access-mac-zzz" instance with peer 444.333.222.111 {isakmp=#0/ipsec=#0}
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sent MR3, ISAKMP SA established
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: cannot respond to IPsec SA request because no connection is known for 111.222.333.444/32===172.29.32.13:4500[172.29.32.13]:17/1701...444.333.222.111:4500[192.168.1.101]:17/%any===192.168.1.101/32
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 444.333.222.111:4500
Dec 13 03:26:29 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 13 03:26:29 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 444.333.222.111:4500
Dec 13 03:26:30 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 13 03:26:30 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 444.333.222.111:4500
Dec 13 03:26:33 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 13 03:26:33 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 444.333.222.111:4500
Dec 13 03:26:40 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 13 03:26:40 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 444.333.222.111:4500
Dec 13 03:26:55 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 13 03:26:55 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 444.333.222.111:4500
Dec 13 03:27:10 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Dec 13 03:27:10 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 444.333.222.111:4500
Dec 13 03:27:25 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: received Delete SA payload: deleting ISAKMP State #1
Dec 13 03:27:25 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500: deleting connection "remote-access-mac-zzz" instance with peer 444.333.222.111 {isakmp=#0/ipsec=#0}[/code]

where 444.333.222.111 would be my public IP at home, and 111.222.333.444 the Elastic (public) IP at AWS.

I tried the Elastic IP as well as the internal AWS IP for "set vpn l2tp remote-access outside-address X.X.X.X". Same result for both, but I guess I need to use the internal IP.

I already googled the "cannot respond to IPsec SA request because no connection is known" part and can find a lot of information but no solution. Is this issue really still unsolved? Obviously the system does recognize that both ends are NATed. So why does it not work?

Would I have the same problem with the EdgeRouter connection (IPsec only)? Then only the AWS end would be NATed, as the EdgeRouter will be directly connected to the Internet. Didn’t have time to try that, yet. Did anybody get such a setup working?

Thanks!

Kind regards,
iBlueDragon

Hi, did you find a solution for this? I have the same problem and I cannot find anything useful :(

To add more info, I think the issue is because of double NAT… As I (the client) am on NAT, and the server is on Amazon EC2 which also is NAT…

I think I've found the solution.
So what do you do if you need to tackle the double-NAT problem? Add another NAT, of course!
I created a dummy interface with the real public IP from AWS. I then added a destination NAT rule that translates the address of incoming traffic to forward it to the dummy interface. Then I told IPsec to use the dummy interface.
This worked with Android and Windows clients for me.

[code]# Create a dummy interface holding the Elastic (public) IP and bind IPsec to it
set interfaces dummy dum0 address '111.222.333.444/32'
set vpn ipsec ipsec-interfaces interface 'dum0'

# Translate inbound traffic on eth0 back to the external address (lands on dum0)
set nat destination rule 10 description 'ext to int antinat'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 translation address '111.222.333.444'

# Regular outbound NAT masquerade for the VPN clients
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '192.168.255.0/24'   # your client-ip-pool subnet
set nat source rule 10 translation address 'masquerade'[/code]
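A small diagnostic to go with the fix above. It is an added example, not code from this thread or from VyOS: it parses pluto lines in the format shown in the first post and pulls out the phase-2 selector from the "no connection is known for" message, so you can see the mismatch directly instead of eyeballing it. In the thread's log the client proposes the Elastic IP (111.222.333.444/32) as the server-side endpoint, while pluto's local host address is the private VPC address 172.29.32.13, which is exactly what the dummy interface plus DNAT changes. The sample lines are a constructed subset of the first post (same placeholder addresses); the field names and the result codes are my own.

```python
import re
import sys
from typing import Dict, Optional

# Constructed sample: a subset of the pluto lines from the first post, one per
# line. Addresses are the thread's placeholders: 444.333.222.111 = home public IP,
# 111.222.333.444 = AWS Elastic IP, 172.29.32.13 = the instance's private address.
SAMPLE_LOG = """\
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[1] 444.333.222.111 #1: Peer ID is ID_IPV4_ADDR: '192.168.1.101'
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sent MR3, ISAKMP SA established
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: cannot respond to IPsec SA request because no connection is known for 111.222.333.444/32===172.29.32.13:4500[172.29.32.13]:17/1701...444.333.222.111:4500[192.168.1.101]:17/%any===192.168.1.101/32
Dec 13 03:26:28 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 444.333.222.111:4500
Dec 13 03:26:29 VyOS-AMI pluto[2615]: "remote-access-mac-zzz"[2] 444.333.222.111:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 444.333.222.111:4500
"""

# pluto's selector layout: <left_client>===<left_host>:<port>[<left_id>]:<proto>/<port>
#                          ...<right_host>:<port>[<right_id>]:<proto>/<port>===<right_client>
PHASE2_RE = re.compile(
    r"no connection is known for "
    r"(?P<left_client>\S+?)==="
    r"(?P<left_host>[^:\[\s]+):(?P<left_port>\d+)\[(?P<left_id>[^\]]*)\]"
    r":(?P<left_proto>\d+)/(?P<left_pport>\S+?)\.\.\."
    r"(?P<right_host>[^:\[\s]+):(?P<right_port>\d+)\[(?P<right_id>[^\]]*)\]"
    r":(?P<right_proto>\d+)/(?P<right_pport>\S+?)==="
    r"(?P<right_client>\S+)"
)
NAT_RE = re.compile(r"NAT-Traversal: Result using RFC 3947: (?P<result>.+)$")
PEER_ID_RE = re.compile(r"Peer ID is (?P<type>\S+): '(?P<id>[^']*)'")
NOTIFY_RE = re.compile(r"sending encrypted notification (?P<name>[A-Z_]+) to")


def parse_pluto(log: str) -> Dict:
    """Collect the facts that matter for this failure from a pluto log."""
    report: Dict = {"nat_result": None, "peer_id": None,
                    "isakmp_established": False, "phase2": None, "notifications": []}
    for line in log.splitlines():
        m = NAT_RE.search(line)
        if m:
            report["nat_result"] = m.group("result").strip()
        m = PEER_ID_RE.search(line)
        if m:
            report["peer_id"] = (m.group("type"), m.group("id"))
        if "ISAKMP SA established" in line:
            report["isakmp_established"] = True          # phase 1 is fine
        m = PHASE2_RE.search(line)
        if m and report["phase2"] is None:
            report["phase2"] = m.groupdict()              # first phase-2 failure
        m = NOTIFY_RE.search(line)
        if m:
            report["notifications"].append(m.group("name"))
    return report


def host_of(client: str) -> str:
    """'a.b.c.d/32' -> 'a.b.c.d'; wider subnets are returned unchanged."""
    return client[:-3] if client.endswith("/32") else client


def diagnose(report: Dict) -> str:
    """Result codes are this example's own, not pluto's."""
    if not report["isakmp_established"]:
        return "phase1-failed"
    p2: Optional[Dict] = report["phase2"]
    if p2 is None:
        return "no-phase2-failure"
    # The client named a server address that pluto does not hold locally:
    # the 1:1 NAT in front of the instance is the cause, the dummy interface the fix.
    if host_of(p2["left_client"]) != p2["left_host"]:
        return "public-address-not-local"
    if host_of(p2["right_client"]) != p2["right_id"]:
        return "client-selector-mismatch"
    return "selector-mismatch-other"


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    rep = parse_pluto(text)
    print("NAT-T:", rep["nat_result"], "| peer ID:", rep["peer_id"])
    if rep["phase2"]:
        print("client asked for", rep["phase2"]["left_client"],
              "but local host is", rep["phase2"]["left_host"])
    print("diagnosis:", diagnose(rep))
```

Run it with the VyOS log on stdin (for example `cat /var/log/messages | python3 pluto_diag.py`, path assumed) or with no input to use the built-in sample; after the dummy-interface change the "no connection is known" line should disappear, and the script reports no phase-2 failure.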