
Spoke site dynamic IP over NAT connect to Hub site
Open, Normal | Public | Bug

Description

Hi

I want to set up a site-to-site DMVPN on 1.2.0 rc10.
The spoke site uses a dynamic IP (PPPoE behind NAT) to connect to the internet,
and the hub site uses a static public IP to connect to the internet.

The VyOS setup is as follows.

The hub site

ethernet eth0 {
    address 116.90.86.181/24 (Public IP)
    duplex auto
    hw-id 00:50:56:95:6e:1a
    smp-affinity auto
    speed auto
}
ethernet eth1 {
    address 172.16.101.1/24 (Internal gateway IP)
    duplex auto
    hw-id 00:50:56:95:8e:c3
    smp-affinity auto
    speed auto
}
loopback lo {
}
tunnel tun0 {
    address 10.0.0.1/24
    encapsulation gre
    local-ip 116.90.86.181
    multicast enable
    parameters {
        ip {
            key 1
        }
    }
}
nhrp {
    tunnel tun0 {
        cisco-authentication
        holding-time 300
        multicast dynamic
        redirect
    }
}
static {
    route 0.0.0.0/0 {
        next-hop 116.90.86.254 {
        }
    }
    route 192.168.101.0/24 {
        next-hop 10.0.0.2 {
        }
    }
}
ipsec {
    esp-group ESP-HUB {
        compression disable
        lifetime 1800
        mode tunnel
        pfs dh-group2
        proposal 1 {
            encryption aes256
            hash sha256
        }
        proposal 2 {
            encryption 3des
            hash md5
        }
    }
    ike-group IKE-HUB {
        ikev2-reauth no
        key-exchange ikev1
        lifetime 3600
        proposal 1 {
            dh-group 2
            encryption aes256
            hash sha1
        }
        proposal 2 {
            dh-group 2
            encryption aes128
            hash sha1
        }
    }
    ipsec-interfaces {
        interface eth0
    }
    nat-traversal enable
    profile IDC-VPN {
        authentication {
            mode pre-shared-secret
            pre-shared-secret
        }
        bind {
            tunnel tun0
        }
        esp-group ESP-HUB
        ike-group IKE-HUB
    }
}

The spoke site

ethernet eth0 {
    duplex auto
    hw-id 00:e0:67:08:81:44
    pppoe 0 {
        default-route auto
        mtu 1492
        name-server auto
        password xxx
        user-id xxx
    }
    smp-affinity auto
    speed auto
}
ethernet eth3 {
    address 192.168.101.1/24
    duplex auto
    hw-id 00:e0:67:08:81:47
    smp-affinity auto
    speed auto
}
loopback lo {
}
tunnel tun0 {
    address 10.0.0.2/24
    encapsulation gre
    local-ip 0.0.0.0
    multicast enable
    parameters {
        ip {
            key 1
        }
    }
}
nhrp {
    tunnel tun0 {
        cisco-authentication
        map 10.0.0.1/24 {
            nbma-address 116.90.86.181
            register
        }
        multicast nhs
        redirect
        shortcut
    }
}
static {
    route 172.16.101.0/24 {
        next-hop 10.0.0.1 {
        }
    }
}
ipsec {
    esp-group ESP-SPOKE {
        compression disable
        lifetime 1800
        mode tunnel
        pfs dh-group2
        proposal 1 {
            encryption aes256
            hash sha256
        }
        proposal 2 {
            encryption 3des
            hash md5
        }
    }
    ike-group IKE-SPOKE {
        ikev2-reauth no
        key-exchange ikev1
        lifetime 3600
        proposal 1 {
            dh-group 2
            encryption aes256
            hash sha1
        }
        proposal 2 {
            dh-group 2
            encryption aes128
            hash sha1
        }
    }
    ipsec-interfaces {
        interface pppoe0
    }
    nat-traversal enable
    profile IDC-ZZ {
        authentication {
            mode pre-shared-secret
            pre-shared-secret XXX
        }
        bind {
            tunnel tun0
        }
        esp-group ESP-SPOKE
        ike-group IKE-SPOKE
    }
}

I checked the logs and see the following.

On the hub, show log all | grep charon:

Dec 9 13:02:00 vyos charon: 08[ENC] generating INFORMATIONAL_V1 request 3953897240 [ HASH N(INVAL_ID) ]
Dec 9 13:02:00 vyos charon: 08[NET] sending packet: from 116.90.86.181[4500] to 115.60.57.13[23132] (76 bytes)
Dec 9 13:04:57 vyos charon: 10[NET] received packet: from 115.60.57.13[23132] to 116.90.86.181[4500] (92 bytes)
Dec 9 13:04:57 vyos charon: 10[ENC] parsed INFORMATIONAL_V1 request 1310358166 [ HASH D ]
Dec 9 13:04:57 vyos charon: 10[IKE] received DELETE for IKE_SA vpnprof-dmvpn-tun0[116]
Dec 9 13:04:57 vyos charon: 10[IKE] deleting IKE_SA vpnprof-dmvpn-tun0[116] between 116.90.86.181[116.90.86.181]...115.60.57.13[100.64.21.35]
Dec 9 13:04:57 vyos charon: 14[NET] received packet: from 115.60.57.13[21532] to 116.90.86.181[500] (216 bytes)
Dec 9 13:04:57 vyos charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
Dec 9 13:04:57 vyos charon: 14[IKE] received XAuth vendor ID
Dec 9 13:04:57 vyos charon: 14[IKE] received DPD vendor ID
Dec 9 13:04:57 vyos charon: 14[IKE] received FRAGMENTATION vendor ID
Dec 9 13:04:57 vyos charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
Dec 9 13:04:57 vyos charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 9 13:04:57 vyos charon: 14[IKE] 115.60.57.13 is initiating a Main Mode IKE_SA
Dec 9 13:04:57 vyos charon: 14[ENC] generating ID_PROT response 0 [ SA V V V V ]
Dec 9 13:04:57 vyos charon: 14[NET] sending packet: from 116.90.86.181[500] to 115.60.57.13[21532] (160 bytes)
Dec 9 13:04:57 vyos charon: 15[NET] received packet: from 115.60.57.13[21532] to 116.90.86.181[500] (244 bytes)
Dec 9 13:04:57 vyos charon: 15[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 9 13:04:57 vyos charon: 15[IKE] remote host is behind NAT
Dec 9 13:04:57 vyos charon: 15[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Dec 9 13:04:57 vyos charon: 15[NET] sending packet: from 116.90.86.181[500] to 115.60.57.13[21532] (244 bytes)
Dec 9 13:04:57 vyos charon: 13[NET] received packet: from 115.60.57.13[23132] to 116.90.86.181[4500] (76 bytes)
Dec 9 13:04:57 vyos charon: 13[ENC] parsed ID_PROT request 0 [ ID HASH ]
Dec 9 13:04:57 vyos charon: 13[CFG] looking for pre-shared key peer configs matching 116.90.86.181...115.60.57.13[100.64.21.35]
Dec 9 13:04:57 vyos charon: 13[CFG] selected peer config "vpnprof-dmvpn-tun0"
Dec 9 13:04:57 vyos charon: 13[IKE] IKE_SA vpnprof-dmvpn-tun0[117] established between 116.90.86.181[116.90.86.181]...115.60.57.13[100.64.21.35]
Dec 9 13:04:57 vyos charon: 13[IKE] scheduling rekeying in 3588s
Dec 9 13:04:57 vyos charon: 13[IKE] maximum IKE_SA lifetime 3948s
Dec 9 13:04:57 vyos charon: 13[ENC] generating ID_PROT response 0 [ ID HASH ]
Dec 9 13:04:57 vyos charon: 13[NET] sending packet: from 116.90.86.181[4500] to 115.60.57.13[23132] (76 bytes)
Dec 9 13:04:57 vyos charon: 07[NET] received packet: from 115.60.57.13[23132] to 116.90.86.181[4500] (332 bytes)
Dec 9 13:04:57 vyos charon: 07[ENC] parsed QUICK_MODE request 614827736 [ HASH SA No KE ID ID ]
Dec 9 13:04:57 vyos charon: 07[IKE] no matching CHILD_SA config found

On the spoke site, show log all | grep charon:

Dec 9 13:05:13 vyos charon: 07[CFG] vici terminate with source me 100.64.21.35 and other 116.90.86.181
Dec 9 13:05:13 vyos charon: 06[IKE] deleting IKE_SA vpnprof-dmvpn-tun0[38] between 100.64.21.35[100.64.21.35]...116.90.86.181[116.90.86.181]
Dec 9 13:05:13 vyos charon: 06[IKE] sending DELETE for IKE_SA vpnprof-dmvpn-tun0[38]
Dec 9 13:05:13 vyos charon: 06[ENC] generating INFORMATIONAL_V1 request 1310358166 [ HASH D ]
Dec 9 13:05:13 vyos charon: 06[NET] sending packet: from 100.64.21.35[4500] to 116.90.86.181[4500] (92 bytes)
Dec 9 13:05:13 vyos charon: 06[CFG] vici initiate 'dmvpn', me 100.64.21.35, other 116.90.86.181, limits 0
Dec 9 13:05:13 vyos charon: 07[IKE] initiating Main Mode IKE_SA vpnprof-dmvpn-tun0[39] to 116.90.86.181
Dec 9 13:05:13 vyos charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Dec 9 13:05:13 vyos charon: 07[NET] sending packet: from 100.64.21.35[500] to 116.90.86.181[500] (216 bytes)
Dec 9 13:05:13 vyos charon: 05[NET] received packet: from 116.90.86.181[500] to 100.64.21.35[500] (160 bytes)
Dec 9 13:05:13 vyos charon: 05[ENC] parsed ID_PROT response 0 [ SA V V V V ]
Dec 9 13:05:13 vyos charon: 05[IKE] received XAuth vendor ID
Dec 9 13:05:13 vyos charon: 05[IKE] received DPD vendor ID
Dec 9 13:05:13 vyos charon: 05[IKE] received FRAGMENTATION vendor ID
Dec 9 13:05:13 vyos charon: 05[IKE] received NAT-T (RFC 3947) vendor ID
Dec 9 13:05:13 vyos charon: 05[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 9 13:05:13 vyos charon: 05[NET] sending packet: from 100.64.21.35[500] to 116.90.86.181[500] (244 bytes)
Dec 9 13:05:13 vyos charon: 07[NET] received packet: from 116.90.86.181[500] to 100.64.21.35[500] (244 bytes)
Dec 9 13:05:13 vyos charon: 07[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Dec 9 13:05:13 vyos charon: 07[IKE] local host is behind NAT, sending keep alives
Dec 9 13:05:13 vyos charon: 07[ENC] generating ID_PROT request 0 [ ID HASH ]
Dec 9 13:05:13 vyos charon: 07[NET] sending packet: from 100.64.21.35[4500] to 116.90.86.181[4500] (76 bytes)
Dec 9 13:05:13 vyos charon: 13[NET] received packet: from 116.90.86.181[4500] to 100.64.21.35[4500] (76 bytes)
Dec 9 13:05:13 vyos charon: 13[ENC] parsed ID_PROT response 0 [ ID HASH ]
Dec 9 13:05:13 vyos charon: 13[IKE] IKE_SA vpnprof-dmvpn-tun0[39] established between 100.64.21.35[100.64.21.35]...116.90.86.181[116.90.86.181]
Dec 9 13:05:13 vyos charon: 13[IKE] scheduling rekeying in 3304s
Dec 9 13:05:13 vyos charon: 13[IKE] maximum IKE_SA lifetime 3664s
Dec 9 13:05:13 vyos charon: 13[ENC] generating QUICK_MODE request 614827736 [ HASH SA No KE ID ID ]
Dec 9 13:05:13 vyos charon: 13[NET] sending packet: from 100.64.21.35[4500] to 116.90.86.181[4500] (332 bytes)
Dec 9 13:05:13 vyos charon: 04[NET] received packet: from 116.90.86.181[4500] to 100.64.21.35[4500] (76 bytes)
Dec 9 13:05:13 vyos charon: 04[ENC] parsed INFORMATIONAL_V1 request 3550378600 [ HASH N(INVAL_ID) ]
Dec 9 13:05:13 vyos charon: 04[IKE] received INVALID_ID_INFORMATION error notify

I changed the VPN log level to 2 and see the following.

On the spoke site:

Dec 10 05:05:59 vyos charon[12687]: 13[CFG] proposing traffic selectors for us:
Dec 10 05:05:59 vyos charon[12687]: 13[CFG] 100.64.161.96/32[gre] (this IP is my PPPoE interface's DHCP IP)
Dec 10 05:05:59 vyos charon[12687]: 13[CFG] proposing traffic selectors for other:
Dec 10 05:05:59 vyos charon[12687]: 13[CFG] 116.90.86.181/32[gre]

Dec 10 05:05:59 vyos charon[12687]: 13[ENC] generating QUICK_MODE request 3607804314 [ HASH SA No KE ID ID ]
Dec 10 05:05:59 vyos charon[12687]: 13[NET] sending packet: from 100.64.161.96[4500] to 116.90.86.181[4500] (332 bytes)
Dec 10 05:05:59 vyos charon[12687]: 12[NET] received packet: from 116.90.86.181[4500] to 100.64.161.96[4500] (76 bytes)
Dec 10 05:05:59 vyos charon[12687]: 12[ENC] parsed INFORMATIONAL_V1 request 2361528290 [ HASH N(INVAL_ID) ]
Dec 10 05:05:59 vyos charon[12687]: 12[IKE] received INVALID_ID_INFORMATION error notify

On the hub site:

Dec 10 05:11:38 vyos charon: 05[NET] sending packet: from 116.90.86.181[4500] to 115.60.62.155[1026] (76 bytes)
Dec 10 05:11:38 vyos charon: 06[NET] received packet: from 115.60.62.155[1026] to 116.90.86.181[4500] (332 bytes)
Dec 10 05:11:38 vyos charon: 06[ENC] parsed QUICK_MODE request 2409290503 [ HASH SA No KE ID ID ]
Dec 10 05:11:38 vyos charon: 06[CFG] looking for a child config for 116.90.86.181/32[gre] === 100.64.161.96/32[gre]
Dec 10 05:11:38 vyos charon: 06[CFG] proposing traffic selectors for us:
Dec 10 05:11:38 vyos charon: 06[CFG] 116.90.86.181/32[gre]
Dec 10 05:11:38 vyos charon: 06[CFG] proposing traffic selectors for other:
Dec 10 05:11:38 vyos charon: 06[CFG] 115.60.62.155/32[gre] (this IP is my public IP behind NAT)

Dec 10 05:11:38 vyos charon: 06[IKE] no matching CHILD_SA config found

On the spoke site, show vpn debug:

Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.19.4-amd64-vyos, x86_64):
uptime: 18 hours, since Dec 09 11:49:39 2018
malloc: sbrk 2953216, mmap 0, used 1079040, free 1874176
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 63
loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
100.64.161.96
Connections:
vpnprof-dmvpn-tun0: %any...%any IKEv1
vpnprof-dmvpn-tun0: local: [100.64.161.96] uses pre-shared key authentication
vpnprof-dmvpn-tun0: remote: uses pre-shared key authentication
dmvpn: child: dynamic[gre] === dynamic[gre] TUNNEL
Security Associations (1 up, 0 connecting):
vpnprof-dmvpn-tun0[554]: ESTABLISHED 70 seconds ago, 100.64.161.96[100.64.161.96]...116.90.86.181[116.90.86.181]
vpnprof-dmvpn-tun0[554]: IKEv1 SPIs: 1d80a49b252bba19_i* 4fee3d2118f59b23_r, rekeying in 57 minutes
vpnprof-dmvpn-tun0[554]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

On the hub site, show vpn debug:

Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.19.4-amd64-vyos, x86_64):
uptime: 14 hours, since Dec 09 15:18:01 2018
malloc: sbrk 2973696, mmap 0, used 837248, free 2136448
worker threads: 10 of 16 idle, 5/0/1/0 working, job queue: 0/0/0/0, scheduled: 62
loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
116.90.86.181
Connections:
vpnprof-dmvpn-tun0: %any...%any IKEv1
vpnprof-dmvpn-tun0: local: [116.90.86.181] uses pre-shared key authentication
vpnprof-dmvpn-tun0: remote: uses pre-shared key authentication
dmvpn: child: dynamic[gre] === dynamic[gre] TUNNEL
Security Associations (1 up, 1 connecting):
vpnprof-dmvpn-tun0[2]: CONNECTING, 116.90.86.181[%any]...192.168.200.1[%any]
vpnprof-dmvpn-tun0[2]: IKEv1 SPIs: ec31392f2e4f28e6_i* 0000000000000000_r
vpnprof-dmvpn-tun0[2]: Tasks queued: QUICK_MODE
vpnprof-dmvpn-tun0[2]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
vpnprof-dmvpn-tun0[452]: ESTABLISHED 2 minutes ago, 116.90.86.181[116.90.86.181]...115.60.62.155[100.64.161.96]
vpnprof-dmvpn-tun0[452]: IKEv1 SPIs: 1d80a49b252bba19_i 4fee3d2118f59b23_r*, rekeying in 56 minutes
vpnprof-dmvpn-tun0[452]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

IP 100.64.161.96/32 is the spoke site's PPPoE interface IP address
IP 115.60.62.155/32 is the spoke site's public IP address behind NAT
IP 116.90.86.181/32 is the hub site's static public IP

Maybe this helps you help me fix this issue.
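Read side by side, the two level-2 excerpts above show where Quick Mode fails: the spoke, behind NAT, proposes its own PPPoE address 100.64.161.96/32[gre] as its traffic selector, while the hub only offers the spoke's NAT external address 115.60.62.155/32[gre] (the address the IKE packets actually arrive from), so the hub rejects the Quick Mode request with INVALID_ID_INFORMATION and logs "no matching CHILD_SA config found". The following Python script is an added example, not part of the original report and not VyOS or strongSwan code; it reads hub-side charon lines in the format quoted above and prints that diagnosis. HUB_LOG is a constructed sample built from the report's addresses, and the names QuickModeReport and analyze_hub_log are this example's own.

```python
"""Explain a failed IKEv1 Quick Mode from hub-side charon (strongSwan) log lines."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the hub log quoted in the report: the addresses
# are the report's, the lines themselves were written by hand for this example.
HUB_LOG = """\
Dec 9 13:04:57 vyos charon: 15[IKE] remote host is behind NAT
Dec 10 05:11:38 vyos charon: 13[IKE] IKE_SA vpnprof-dmvpn-tun0[452] established between 116.90.86.181[116.90.86.181]...115.60.62.155[100.64.161.96]
Dec 10 05:11:38 vyos charon: 06[ENC] parsed QUICK_MODE request 2409290503 [ HASH SA No KE ID ID ]
Dec 10 05:11:38 vyos charon: 06[CFG] looking for a child config for 116.90.86.181/32[gre] === 100.64.161.96/32[gre]
Dec 10 05:11:38 vyos charon: 06[CFG] proposing traffic selectors for us:
Dec 10 05:11:38 vyos charon: 06[CFG] 116.90.86.181/32[gre]
Dec 10 05:11:38 vyos charon: 06[CFG] proposing traffic selectors for other:
Dec 10 05:11:38 vyos charon: 06[CFG] 115.60.62.155/32[gre]
Dec 10 05:11:38 vyos charon: 06[IKE] no matching CHILD_SA config found
"""

# "established between A[idA]...B[idB]": A/B are the wire addresses, idA/idB the IKE
# identities. The peer's identity is its own interface IP, so behind NAT idB != B.
# Accepts both "..." and the "…" that pasted logs often carry.
SA_RE = re.compile(r"established between (\S+?)\[(\S+?)\](?:\.\.\.|\u2026)(\S+?)\[(\S+?)\]")
LOOKUP_RE = re.compile(r"looking for a child config for (\S+) === (\S+)")
TS_RE = re.compile(r"\[CFG\] (\d+\.\d+\.\d+\.\d+/\d+\[\w+\])")


@dataclass
class QuickModeReport:
    remote_nat_detected: bool = False
    ike_remote_addr: Optional[str] = None    # peer's address as seen on the wire (post-NAT)
    ike_remote_id: Optional[str] = None      # IKE identity the peer sent (its interface IP)
    peer_wants_local: Optional[str] = None   # traffic selector the peer requested for our side
    peer_wants_remote: Optional[str] = None  # traffic selector the peer requested for its side
    our_ts_local: List[str] = field(default_factory=list)
    our_ts_remote: List[str] = field(default_factory=list)
    child_sa_failed: bool = False
    diagnosis: str = ""


def _host(ts: str) -> str:
    """'115.60.62.155/32[gre]' -> '115.60.62.155'"""
    return ts.split("/", 1)[0]


def analyze_hub_log(text: str) -> QuickModeReport:
    r = QuickModeReport()
    section: Optional[str] = None  # "us" / "other" while reading the proposed selectors
    for line in text.splitlines():
        if "remote host is behind NAT" in line:
            r.remote_nat_detected = True
        elif (m := SA_RE.search(line)):
            r.ike_remote_addr, r.ike_remote_id = m.group(3), m.group(4)
        elif (m := LOOKUP_RE.search(line)):
            r.peer_wants_local, r.peer_wants_remote = m.group(1), m.group(2)
        elif "proposing traffic selectors for us:" in line:
            section = "us"
        elif "proposing traffic selectors for other:" in line:
            section = "other"
        elif section and (m := TS_RE.search(line)):
            (r.our_ts_local if section == "us" else r.our_ts_remote).append(m.group(1))
        elif "no matching CHILD_SA config found" in line:
            r.child_sa_failed = True
            section = None
    r.diagnosis = _diagnose(r)
    return r


def _diagnose(r: QuickModeReport) -> str:
    if not r.child_sa_failed:
        return "no Quick Mode failure in this excerpt"
    # The tell-tale pattern: the peer asks for a selector on its IKE identity (pre-NAT
    # address) while we only offer a selector on the address its packets come from.
    nat_ts_mismatch = (
        r.peer_wants_remote is not None
        and r.ike_remote_id is not None
        and _host(r.peer_wants_remote) == r.ike_remote_id
        and any(_host(ts) == r.ike_remote_addr for ts in r.our_ts_remote)
    )
    if nat_ts_mismatch:
        return (
            f"NAT traffic-selector mismatch: peer proposed its pre-NAT address "
            f"{r.peer_wants_remote}, but this side only offers the peer's NAT external "
            f"address {r.ike_remote_addr}; Quick Mode is rejected with INVALID_ID_INFORMATION"
        )
    return (
        f"CHILD_SA mismatch: peer asked for {r.peer_wants_local} === {r.peer_wants_remote}, "
        f"we offer {r.our_ts_local} === {r.our_ts_remote}"
    )


if __name__ == "__main__":
    print(analyze_hub_log(HUB_LOG).diagnosis)
```

To use it on a real box, pipe the output of show log all | grep charon (after raising the VPN log level so the [CFG] selector lines appear) into analyze_hub_log; the report's ike_remote_addr and ike_remote_id fields alone already show whether the peer's IKE identity differs from the address it is seen from, which is what "remote host is behind NAT" means.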

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0 rc10
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.

Did you ever get this figured out?

I've committed that issue. According to my understanding, this problem will be solved in VyOS version 1.3. Have you fixed that issue?

thank you

马文斌 | David Ma | Technical Director

北京飞翔畅盛科技有限公司

From: "hammerstud (jake)" <[email protected]>
To: "David Ma" <[email protected]>
Sent: Thursday, 25 April 2019, 12:53:01 PM
Subject: [Commented On] T1101: Spoke site dynamic IP over NAT connect to Hub site

hammerstud added a comment.

Did you ever get this figured out?

TASK DETAIL: https://phabricator.vyos.net/T1101


erkin set Is it a breaking change? to Unspecified (possibly destroys the router). Aug 31 2021, 7:02 PM
erkin set Issue type to Bug (incorrect behavior).
Viacheslav edited projects, added VyOS 1.5 Circinus; removed VyOS 1.3 Equuleus (1.3.6).
Viacheslav added subscribers: UnicronNL, Viacheslav.
Dec 9 13:04:57 vyos charon: 07[IKE] no matching CHILD_SA config found

Do you have several connections from the hosts behind the same NAT external address to the same hub?
It worked in my previous tests, but that was just one host behind NAT connecting to the hub.
Please re-check and close if it works fine now. Need to update.