VyOS to VyOS IPSEC VPN - cannot get it working


#1

Hi All,

I have followed the guide: http://vyos.net/wiki/User_Guide#Site-to-Site
and double checked everything a few times, still cannot get the VPN tunnel UP

I have site to site VPN between :

  • vyos and Cisco ASA
  • vyos and AWS VPC (AWS built-in VPN)
    working with no problems

but vyos to vyos I cannot get working, this is the output for "monitor vpn ipsec":

VPN-IPSEC: packet from <PEER_IP>:500: received Vendor ID payload [strongSwan]
VPN-IPSEC: packet from <PEER_IP>:500: ignoring Vendor ID payload [Cisco-Unity]
VPN-IPSEC: packet from <PEER_IP>:500: received Vendor ID payload [XAUTH]
VPN-IPSEC: packet from <PEER_IP>:500: received Vendor ID payload [Dead Peer Detection]
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: responding to Main Mode
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: Peer ID is ID_IPV4_ADDR: '10.71.19.17'
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: no suitable connection for peer '10.71.19.17'
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: sending encrypted notification INVALID_ID_INFORMATION to <PEER_IP>:500
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #4: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #4: starting keying attempt 3 of an unlimited number
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: initiating Main Mode to replace #4
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: received Vendor ID payload [strongSwan]
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: ignoring Vendor ID payload [Cisco-Unity]
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: received Vendor ID payload [XAUTH]
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: received Vendor ID payload [Dead Peer Detection]
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: ignoring informational payload, type INVALID_ID_INFORMATION
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: Peer ID is ID_IPV4_ADDR: '10.71.19.17'
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: no suitable connection for peer '10.71.19.17'
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: sending encrypted notification INVALID_ID_INFORMATION to <PEER_IP>:500
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: next payload type of ISAKMP Hash Payload has an unknown value: 218
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: malformed payload in packet
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: discarding duplicate packet; already STATE_MAIN_I3
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: Peer ID is ID_IPV4_ADDR: '10.71.19.17'
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: no suitable connection for peer '10.71.19.17'
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: sending encrypted notification INVALID_ID_INFORMATION to <PEER_IP>:500
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: discarding duplicate packet; already STATE_MAIN_I3
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: next payload type of ISAKMP Hash Payload has an unknown value: 142
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: malformed payload in packet
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: max number of retransmissions (2) reached STATE_MAIN_R2

Please advise.


#2

looks like it doesn’t have configuration or can’t recognize the peer… it would help if you posted your configs


#3

Hi, please find the config in the attachment.


#4

set local-address <VYOS_TEST_1_PRIVATE_IP> should probably be
set local-address <VYOS_TEST_1_PEER_IP>

And the same for your second router. The local address of one router should be the peer on the other.


#5

Thanks for the answer but no.
<VYOS_TEST_1_PEER_IP> is not directly assigned to an interface in VyOS. VyOS is aware only of <VYOS_TEST_1_PRIVATE_IP>.
Since this is set up in AWS, AWS itself translates <VYOS_TEST_1_PEER_IP> to <VYOS_TEST_1_PRIVATE_IP> and vice versa.

This setup is working between VyOS and Cisco ASA and also between VyOS and AWS VPN, so I guess there is no reason for it not to work between VyOS and VyOS.


#6

From your first post:

VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: Peer ID is ID_IPV4_ADDR: '10.71.19.17'
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: no suitable connection for peer '10.71.19.17'

It may indicate something is wrong :wink:


#7

Resolved! It was related to peer ID as ArneO stated.

This is the fix ("remote-id" option):

VyOS Test 1:
edit vpn ipsec site-to-site peer <VYOS_TEST_2_PEER_IP>
set authentication remote-id <VYOS_TEST_2_PRIVATE_IP>

VyOS Test 2:
edit vpn ipsec site-to-site peer <VYOS_TEST_1_PEER_IP>
set authentication remote-id <VYOS_TEST_1_PRIVATE_IP>

I am attaching the full configuration (fix included) of both VyOS instances. This can be used as a template for site-to-site VPN between two VyOS instances in an AWS environment.
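An added configuration template for both ends of the tunnel, written here as an example; it is not the attachment from the thread and not VyOS project code. It uses the thread's placeholders and shows why the fix works: each router sits behind AWS 1:1 NAT, so it binds to and identifies itself with its private address, while the peer entry is keyed on the other side's public address, and remote-id tells strongSwan which ID to expect from that peer. The group names, tunnel prefixes, cipher choices, the nat-traversal setting and the PSK placeholder are assumptions.

```vyos
# ---- VyOS Test 1 (eth0 carries only <VYOS_TEST_1_PRIVATE_IP>; AWS maps
# ---- <VYOS_TEST_1_PEER_IP> onto it). Group names/prefixes are assumed.
set vpn ipsec ipsec-interfaces interface eth0
# Assumed: NAT-T so the NATed endpoints are detected and UDP/4500 is used.
set vpn ipsec nat-traversal enable
set vpn ipsec ike-group IKE-VYOS proposal 1 encryption aes256
set vpn ipsec ike-group IKE-VYOS proposal 1 hash sha256
set vpn ipsec ike-group IKE-VYOS proposal 1 dh-group 14
set vpn ipsec ike-group IKE-VYOS lifetime 28800
set vpn ipsec esp-group ESP-VYOS proposal 1 encryption aes256
set vpn ipsec esp-group ESP-VYOS proposal 1 hash sha256
set vpn ipsec esp-group ESP-VYOS lifetime 3600
# Peer entry is keyed on the other side's PUBLIC (NATed) address.
set vpn ipsec site-to-site peer <VYOS_TEST_2_PEER_IP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <VYOS_TEST_2_PEER_IP> authentication pre-shared-secret <PSK_PLACEHOLDER>
# ID this router sends: its real interface address, not the NATed one.
set vpn ipsec site-to-site peer <VYOS_TEST_2_PEER_IP> authentication id <VYOS_TEST_1_PRIVATE_IP>
# ID expected from the peer: its real (private) address. Without this line
# strongSwan matches the incoming ID against <VYOS_TEST_2_PEER_IP>, fails, and
# logs "no suitable connection for peer" / INVALID_ID_INFORMATION as above.
set vpn ipsec site-to-site peer <VYOS_TEST_2_PEER_IP> authentication remote-id <VYOS_TEST_2_PRIVATE_IP>
set vpn ipsec site-to-site peer <VYOS_TEST_2_PEER_IP> local-address <VYOS_TEST_1_PRIVATE_IP>
set vpn ipsec site-to-site peer <VYOS_TEST_2_PEER_IP> ike-group IKE-VYOS
set vpn ipsec site-to-site peer <VYOS_TEST_2_PEER_IP> default-esp-group ESP-VYOS
set vpn ipsec site-to-site peer <VYOS_TEST_2_PEER_IP> tunnel 1 local prefix 10.1.0.0/16
set vpn ipsec site-to-site peer <VYOS_TEST_2_PEER_IP> tunnel 1 remote prefix 10.2.0.0/16

# ---- VyOS Test 2: mirror image. Same ipsec-interfaces, nat-traversal,
# ---- ike-group and esp-group lines as above, then:
set vpn ipsec site-to-site peer <VYOS_TEST_1_PEER_IP> authentication mode pre-shared-secret
set vpn ipsec site-to-site peer <VYOS_TEST_1_PEER_IP> authentication pre-shared-secret <PSK_PLACEHOLDER>
set vpn ipsec site-to-site peer <VYOS_TEST_1_PEER_IP> authentication id <VYOS_TEST_2_PRIVATE_IP>
set vpn ipsec site-to-site peer <VYOS_TEST_1_PEER_IP> authentication remote-id <VYOS_TEST_1_PRIVATE_IP>
set vpn ipsec site-to-site peer <VYOS_TEST_1_PEER_IP> local-address <VYOS_TEST_2_PRIVATE_IP>
set vpn ipsec site-to-site peer <VYOS_TEST_1_PEER_IP> ike-group IKE-VYOS
set vpn ipsec site-to-site peer <VYOS_TEST_1_PEER_IP> default-esp-group ESP-VYOS
set vpn ipsec site-to-site peer <VYOS_TEST_1_PEER_IP> tunnel 1 local prefix 10.2.0.0/16
set vpn ipsec site-to-site peer <VYOS_TEST_1_PEER_IP> tunnel 1 remote prefix 10.1.0.0/16
```

The check after commit is the same one the thread used: "monitor vpn ipsec" should show the Peer ID matching the configured remote-id instead of "no suitable connection for peer", and the AWS security groups on both instances must permit UDP/500, UDP/4500 and ESP from the other side's public address.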