VyOS to VyOS IPSEC VPN - cannot get it working

Hi All,

I have followed the guide: http://vyos.net/wiki/User_Guide#Site-to-Site
and double checked everything a few times, still cannot get the VPN tunnel UP

I have site to site VPN between :

  • vyos and Cisco ASA
  • vyos and AWS VPC (AWS built-in VPN)
    working with no problems

but vyos to vyos I cannot get working, this is the output for "monitor vpn ipsec":

VPN-IPSEC: packet from <PEER_IP>:500: received Vendor ID payload [strongSwan]
VPN-IPSEC: packet from <PEER_IP>:500: ignoring Vendor ID payload [Cisco-Unity]
VPN-IPSEC: packet from <PEER_IP>:500: received Vendor ID payload [XAUTH]
VPN-IPSEC: packet from <PEER_IP>:500: received Vendor ID payload [Dead Peer Detection]
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: responding to Main Mode
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: Peer ID is ID_IPV4_ADDR: '10.71.19.17'
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: no suitable connection for peer '10.71.19.17'
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: sending encrypted notification INVALID_ID_INFORMATION to <PEER_IP>:500
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #4: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #4: starting keying attempt 3 of an unlimited number
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: initiating Main Mode to replace #4
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: received Vendor ID payload [strongSwan]
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: ignoring Vendor ID payload [Cisco-Unity]
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: received Vendor ID payload [XAUTH]
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: received Vendor ID payload [Dead Peer Detection]
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: ignoring informational payload, type INVALID_ID_INFORMATION
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: Peer ID is ID_IPV4_ADDR: '10.71.19.17'
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: no suitable connection for peer '10.71.19.17'
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: sending encrypted notification INVALID_ID_INFORMATION to <PEER_IP>:500
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: next payload type of ISAKMP Hash Payload has an unknown value: 218
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: malformed payload in packet
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: discarding duplicate packet; already STATE_MAIN_I3
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: Peer ID is ID_IPV4_ADDR: '10.71.19.17'
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: no suitable connection for peer '10.71.19.17'
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: sending encrypted notification INVALID_ID_INFORMATION to <PEER_IP>:500
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: discarding duplicate packet; already STATE_MAIN_I3
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: next payload type of ISAKMP Hash Payload has an unknown value: 142
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #6: malformed payload in packet
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: max number of retransmissions (2) reached STATE_MAIN_R2

Please advise.

looks like it doesn’t have configuration or can’t recognize the peer… it would help if you posted your configs

Hi, please find the config in the attachment.

set local-address <VYOS_TEST_1_PRIVATE_IP> should probably be
set local-address <VYOS_TEST_1_PEER_IP>

And the same for your second router. The local address of one router should be the peer on the other.

Thanks for the answer but no.
<VYOS_TEST_1_PEER_IP> is not directly assigned to an interface in VyOS. VyOS is aware only of <VYOS_TEST_1_PRIVATE_IP>.
Since this is set up in AWS, the AWS itself translates <VYOS_TEST_1_PEER_IP> to <VYOS_TEST_1_PRIVATE_IP> and vice versa.

This setup is working between VyOS and Cisco ASA and also between VyOS and AWS VPN, so I guess there is no reason not to work between VyOS and VyOS.

From your first post:

VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: Peer ID is ID_IPV4_ADDR: '10.71.19.17'
VPN-IPSEC: "peer-<PEER_IP>-tunnel-1" #5: no suitable connection for peer '10.71.19.17'

It may indicate something is wrong :wink:

Resolved! It was related to peer ID as ArneO stated.

This is the fix ("remote-id" option):

VyOS Test 1:
edit vpn ipsec site-to-site peer <VYOS_TEST_2_PEER_IP>
set authentication remote-id <VYOS_TEST_2_PRIVATE_IP>

VyOS Test 2:
edit vpn ipsec site-to-site peer <VYOS_TEST_1_PEER_IP>
set authentication remote-id <VYOS_TEST_1_PRIVATE_IP>

I am attaching the full configuration (fix included) of both VyOS instances. This can be used as a template for site-to-site VPN between two VyOS instances in an AWS environment.
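The failure pattern in the first post (a "Peer ID is ID_IPV4_ADDR" line followed by "no suitable connection for peer" for the same ISAKMP SA) and the remote-id fix in the last post can be turned into a small diagnostic. The script below is an added example, not code from the thread or from VyOS: it parses "monitor vpn ipsec" output, pairs the identity the remote side presented with the connection it was tried against, flags the RFC 1918 case that points at 1:1 NAT (the AWS situation described above), and prints the same two VyOS commands the thread used as the fix. The log sample is constructed, with 203.0.113.20 standing in for <PEER_IP>; the presented ID 10.71.19.17 is the one from the thread.

```python
"""Spot IKEv1 identity mismatches in VyOS "monitor vpn ipsec" output.

Behind 1:1 NAT (for example an AWS elastic IP) the initiator identifies
itself with the address it actually has on its interface, i.e. its private
address, while the responder only knows the public address it sends packets
to. The responder then logs "no suitable connection for peer <private-ip>"
and answers INVALID_ID_INFORMATION. The fix is to tell the responder which
ID to expect: "set authentication remote-id <private-ip>" on that peer.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the thread's log; 203.0.113.20 stands in
# for <PEER_IP>, 10.71.19.17 is the presented ID from the thread.
SAMPLE_LOG = """\
VPN-IPSEC: packet from 203.0.113.20:500: received Vendor ID payload [strongSwan]
VPN-IPSEC: "peer-203.0.113.20-tunnel-1" #5: responding to Main Mode
VPN-IPSEC: "peer-203.0.113.20-tunnel-1" #5: Peer ID is ID_IPV4_ADDR: '10.71.19.17'
VPN-IPSEC: "peer-203.0.113.20-tunnel-1" #5: no suitable connection for peer '10.71.19.17'
VPN-IPSEC: "peer-203.0.113.20-tunnel-1" #5: sending encrypted notification INVALID_ID_INFORMATION to 203.0.113.20:500
VPN-IPSEC: "peer-203.0.113.20-tunnel-1" #6: initiating Main Mode to replace #4
VPN-IPSEC: "peer-203.0.113.20-tunnel-1" #5: Peer ID is ID_IPV4_ADDR: '10.71.19.17'
VPN-IPSEC: "peer-203.0.113.20-tunnel-1" #5: no suitable connection for peer '10.71.19.17'
"""

# Forum software often rewrites the straight quotes in pasted logs into
# typographic ones; normalise them so copy-pasted threads parse too.
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})

LINE_RE = re.compile(
    r'^VPN-IPSEC: "peer-(?P<peer>[0-9.]+)-tunnel-\d+" #(?P<sa>\d+): (?P<msg>.*)$'
)
PEER_ID_RE = re.compile(r"Peer ID is ID_IPV4_ADDR: '(?P<id>[0-9.]+)'")
NO_CONN_RE = re.compile(r"no suitable connection for peer '(?P<id>[0-9.]+)'")

# Only the RFC 1918 ranges, not ipaddress.is_private(), which also covers
# documentation and other special-purpose blocks.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class IdMismatch:
    peer: str           # configured peer address, taken from the connection name
    presented_id: str   # identity the remote side actually sent
    sa: str             # ISAKMP SA number (#5 in the thread)
    nat_suspected: bool # presented ID is RFC 1918, i.e. the peer is behind NAT


def find_id_mismatches(log_text):
    """Return one IdMismatch per ISAKMP SA whose presented ID matched no connection."""
    presented = {}   # (peer, sa) -> ID from the "Peer ID is ..." line
    found = {}       # (peer, sa) -> IdMismatch, deduplicated across retries
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.translate(_QUOTES))
        if not m:
            continue
        key = (m["peer"], m["sa"])
        pid = PEER_ID_RE.search(m["msg"])
        if pid:
            presented[key] = pid["id"]
            continue
        nc = NO_CONN_RE.search(m["msg"])
        if nc and presented.get(key) == nc["id"] and key not in found:
            addr = ipaddress.ip_address(nc["id"])
            found[key] = IdMismatch(
                peer=m["peer"], presented_id=nc["id"], sa=m["sa"],
                nat_suspected=any(addr in net for net in _RFC1918),
            )
    return list(found.values())


def suggest_fix(mismatch):
    """The VyOS configuration commands from the thread, filled in for this mismatch."""
    return [
        f"edit vpn ipsec site-to-site peer {mismatch.peer}",
        f"set authentication remote-id {mismatch.presented_id}",
    ]


if __name__ == "__main__":
    for mm in find_id_mismatches(SAMPLE_LOG):
        hint = " (private ID: peer is probably behind 1:1 NAT)" if mm.nat_suspected else ""
        print(f"SA #{mm.sa}: peer {mm.peer} presented ID {mm.presented_id}{hint}")
        print("\n".join(suggest_fix(mm)))
```

Run it against a saved "monitor vpn ipsec" capture by replacing SAMPLE_LOG with the file contents; the responder side is the one to look at, since it is the router that logs "no suitable connection". The matching change on the other router is the same two commands with the addresses swapped, as in the thread.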