Hi Team,
I configured this tunnel, but I am not sure why it is creating multiple tunnels.
Here is the output and the config:
run show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
10.10.13.10 10.10.13.10 10.10.11.10 10.10.11.10
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv1 AES_CBC_256 HMAC_SHA2_256_128 MODP_1536 no 1 26287
Peer ID / IP Local ID / IP
------------ -------------
10.10.13.10 10.10.13.10 10.10.11.10 10.10.11.10
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv1 AES_CBC_256 HMAC_SHA2_256_128 MODP_1536 no 1 25978
Peer ID / IP Local ID / IP
------------ -------------
10.10.13.10 10.10.13.10 10.10.11.10 10.10.11.10
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv1 AES_CBC_256 HMAC_SHA2_256_128 MODP_1536 no 6 28158
And here is the same output on the peer:
Peer ID / IP Local ID / IP
------------ -------------
10.10.11.10 10.10.11.10 10.10.13.10 10.10.13.10
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv1 AES_CBC_256 HMAC_SHA2_256_128 MODP_1536 no 3 27257
Peer ID / IP Local ID / IP
------------ -------------
10.10.11.10 10.10.13.10
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
down IKEv1 n/a n/a n/a no 0 0
Peer ID / IP Local ID / IP
------------ -------------
10.10.11.10 10.10.11.10 10.10.13.10 10.10.13.10
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv1 AES_CBC_256 HMAC_SHA2_256_128 MODP_1536 no 8 26831
run show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
------------ ------- -------- -------------- ---------------- ---------------- ----------- ---------------------------------------
R3-vti down 14s 1K/0B 14/0 10.10.13.10 10.10.13.10 AES_CBC_256/HMAC_SHA2_256_128/MODP_1536
R3-vti up 4s 956B/1010B 12/13 10.10.13.10 10.10.13.10 AES_CBC_256/HMAC_SHA2_256_128/MODP_1536
R3-vti up 5s 0B/104B 0/2 10.10.13.10 10.10.13.10 AES_CBC_256/HMAC_SHA2_256_128/MODP_1536
R3-vti up 5s 164B/0B 3/0 10.10.13.10 10.10.13.10 AES_CBC_256/HMAC_SHA2_256_128/MODP_1536
R3-vti up 9s 1K/1K 14/16 10.10.13.10 10.10.13.10 AES_CBC_256/HMAC_SHA2_256_128/MODP_1536
R1
set high-availability vrrp group ETH0 address 10.10.11.10
set high-availability vrrp group ETH0 advertise-interval '1'
set high-availability vrrp group ETH0 interface 'eth0'
set high-availability vrrp group ETH0 priority '100'
set high-availability vrrp group ETH0 track interface 'eth0'
set high-availability vrrp group ETH0 vrid '10'
set high-availability vrrp group ETH1 address 10.10.12.10
set high-availability vrrp group ETH1 advertise-interval '1'
set high-availability vrrp group ETH1 interface 'eth1'
set high-availability vrrp group ETH1 priority '100'
set high-availability vrrp group ETH1 track interface 'eth1'
set high-availability vrrp group ETH1 vrid '20'
set interfaces ethernet eth0 address '10.10.11.15/24'
set interfaces ethernet eth0 hw-id '00:0c:29:8f:c8:2a'
set interfaces ethernet eth1 address '10.10.12.15/24'
set interfaces ethernet eth1 hw-id '00:0c:29:8f:c8:34'
set interfaces loopback lo
set interfaces vti vti2 address '169.254.1.1/30'
set protocols bgp address-family ipv4-unicast network 10.10.12.0/24
set protocols bgp neighbor 169.254.1.2 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 169.254.1.2 disable-connected-check
set protocols bgp neighbor 169.254.1.2 remote-as '65501'
set protocols bgp neighbor 169.254.1.2 timers holdtime '10'
set protocols bgp neighbor 169.254.1.2 timers keepalive '2'
set protocols bgp neighbor 169.254.1.2 update-source '169.254.1.1'
set protocols bgp system-as '65500'
set protocols static route 0.0.0.0/0 next-hop 10.10.11.100
set protocols static route 169.254.1.2/32 interface vti2
set service ntp allow-client address '127.0.0.0/8'
set service ntp allow-client address '169.254.0.0/16'
set service ntp allow-client address '10.0.0.0/8'
set service ntp allow-client address '172.16.0.0/12'
set service ntp allow-client address '192.168.0.0/16'
set service ntp allow-client address '::1/128'
set service ntp allow-client address 'fe80::/10'
set service ntp allow-client address 'fc00::/7'
set service ntp server time1.vyos.net
set service ntp server time2.vyos.net
set service ntp server time3.vyos.net
set service ssh
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'MUM-R1'
set system login user vyos authentication encrypted-password '$6$rounds=656000$/5dAQVZ2RIYhA.Ov$2BCxkSvUiRdhjlAdjgfGzYgRPAYHUQbA4MzjpAEt7PYnWQmhTZXQAcTH9lFtJJJ8fs533uHQSlHw0izxrCYOZ0'
set system login user vyos authentication plaintext-password ''
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
set vpn ipsec authentication psk VYOS id '10.10.13.10'
set vpn ipsec authentication psk VYOS secret 'admin@123'
set vpn ipsec esp-group ESP mode 'tunnel'
set vpn ipsec esp-group ESP pfs 'dh-group5'
set vpn ipsec esp-group ESP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE dead-peer-detection interval '5'
set vpn ipsec ike-group IKE dead-peer-detection timeout '5'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE proposal 10 dh-group '5'
set vpn ipsec ike-group IKE proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer R3 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer R3 authentication remote-id '10.10.13.10'
set vpn ipsec site-to-site peer R3 ike-group 'IKE'
set vpn ipsec site-to-site peer R3 local-address '10.10.11.10'
set vpn ipsec site-to-site peer R3 remote-address '10.10.13.10'
set vpn ipsec site-to-site peer R3 vti bind 'vti2'
set vpn ipsec site-to-site peer R3 vti esp-group 'ESP'
And here is the configuration on R3:
set interfaces ethernet eth0 address '10.10.13.10/24'
set interfaces ethernet eth0 hw-id '00:0c:29:b7:f5:6f'
set interfaces ethernet eth1 address '10.10.14.10/24'
set interfaces ethernet eth1 hw-id '00:0c:29:b7:f5:79'
set interfaces loopback lo
set interfaces vti vti2 address '169.254.1.2/30'
set protocols bgp address-family ipv4-unicast network 10.10.14.0/24
set protocols bgp neighbor 169.254.1.1 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 169.254.1.1 disable-connected-check
set protocols bgp neighbor 169.254.1.1 remote-as '65500'
set protocols bgp neighbor 169.254.1.1 timers holdtime '10'
set protocols bgp neighbor 169.254.1.1 timers keepalive '2'
set protocols bgp neighbor 169.254.1.1 update-source '169.254.1.2'
set protocols bgp system-as '65501'
set protocols static route 0.0.0.0/0 next-hop 10.10.13.100
set protocols static route 169.254.1.1/32 interface vti2
set service ntp allow-client address '127.0.0.0/8'
set service ntp allow-client address '169.254.0.0/16'
set service ntp allow-client address '10.0.0.0/8'
set service ntp allow-client address '172.16.0.0/12'
set service ntp allow-client address '192.168.0.0/16'
set service ntp allow-client address '::1/128'
set service ntp allow-client address 'fe80::/10'
set service ntp allow-client address 'fc00::/7'
set service ntp server time1.vyos.net
set service ntp server time2.vyos.net
set service ntp server time3.vyos.net
set service ssh
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'R3'
set system login user vyos authentication encrypted-password '$6$rounds=656000$AVCeBgETTFcGnWR8$8svKVFlU88AwPYPSWw7mD8g.iOTDxEDSri/skLkWJNeSpaA2woY40avFQmHbO2yfCK2guxYF7wdu0OpC4QDkc/'
set system login user vyos authentication plaintext-password ''
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
set vpn ipsec authentication psk VYOS id '10.10.11.10'
set vpn ipsec authentication psk VYOS secret 'admin@123'
set vpn ipsec esp-group ESP mode 'tunnel'
set vpn ipsec esp-group ESP pfs 'dh-group5'
set vpn ipsec esp-group ESP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE dead-peer-detection interval '5'
set vpn ipsec ike-group IKE dead-peer-detection timeout '5'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE proposal 10 dh-group '5'
set vpn ipsec ike-group IKE proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer MUM authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer MUM authentication remote-id '10.10.11.10'
set vpn ipsec site-to-site peer MUM ike-group 'IKE'
set vpn ipsec site-to-site peer MUM local-address '10.10.13.10'
set vpn ipsec site-to-site peer MUM remote-address '10.10.11.10'
set vpn ipsec site-to-site peer MUM vti bind 'vti2'
set vpn ipsec site-to-site peer MUM vti esp-group 'ESP'