Hi
I want to set up a site-to-site DMVPN on 1.2.0 rc10.
The spoke site uses a dynamic IP (PPPoE behind NAT) to connect to the internet.
The hub site uses a static public IP to connect to the internet.
The VyOS setup is as follows.
The hub site:
ethernet eth0 {
    address 116.90.86.181/24 (Public IP)
    duplex auto
    hw-id 00:50:56:95:6e:1a
    smp-affinity auto
    speed auto
}
ethernet eth1 {
    address 172.16.101.1/24 (Internal gateway IP)
    duplex auto
    hw-id 00:50:56:95:8e:c3
    smp-affinity auto
    speed auto
}
loopback lo {
}
tunnel tun0 {
    address 10.0.0.1/24
    encapsulation gre
    local-ip 116.90.86.181
    multicast enable
    parameters {
        ip {
            key 1
        }
    }
}
nhrp {
    tunnel tun0 {
        cisco-authentication
        holding-time 300
        multicast dynamic
        redirect
    }
}
static {
    route 0.0.0.0/0 {
        next-hop 116.90.86.254 {
        }
    }
    route 192.168.101.0/24 {
        next-hop 10.0.0.2 {
        }
    }
}
ipsec {
    esp-group ESP-HUB {
        compression disable
        lifetime 1800
        mode tunnel
        pfs dh-group2
        proposal 1 {
            encryption aes256
            hash sha256
        }
        proposal 2 {
            encryption 3des
            hash md5
        }
    }
    ike-group IKE-HUB {
        ikev2-reauth no
        key-exchange ikev1
        lifetime 3600
        proposal 1 {
            dh-group 2
            encryption aes256
            hash sha1
        }
        proposal 2 {
            dh-group 2
            encryption aes128
            hash sha1
        }
    }
    ipsec-interfaces {
        interface eth0
    }
    nat-traversal enable
    profile IDC-VPN {
        authentication {
            mode pre-shared-secret
            pre-shared-secret
        }
        bind {
            tunnel tun0
        }
        esp-group ESP-HUB
        ike-group IKE-HUB
    }
}
The spoke site:
ethernet eth0 {
    duplex auto
    hw-id 00:e0:67:08:81:44
    pppoe 0 {
        default-route auto
        mtu 1492
        name-server auto
        password xxx
        user-id xxx
    }
    smp-affinity auto
    speed auto
}
ethernet eth3 {
    address 192.168.101.1/24
    duplex auto
    hw-id 00:e0:67:08:81:47
    smp-affinity auto
    speed auto
}
loopback lo {
}
tunnel tun0 {
    address 10.0.0.2/24
    encapsulation gre
    local-ip 0.0.0.0
    multicast enable
    parameters {
        ip {
            key 1
        }
    }
}
nhrp {
    tunnel tun0 {
        cisco-authentication
        map 10.0.0.1/24 {
            nbma-address 116.90.86.181
            register
        }
        multicast nhs
        redirect
        shortcut
    }
}
static {
    route 172.16.101.0/24 {
        next-hop 10.0.0.1 {
        }
    }
}
ipsec {
    esp-group ESP-SPOKE {
        compression disable
        lifetime 1800
        mode tunnel
        pfs dh-group2
        proposal 1 {
            encryption aes256
            hash sha256
        }
        proposal 2 {
            encryption 3des
            hash md5
        }
    }
    ike-group IKE-SPOKE {
        ikev2-reauth no
        key-exchange ikev1
        lifetime 3600
        proposal 1 {
            dh-group 2
            encryption aes256
            hash sha1
        }
        proposal 2 {
            dh-group 2
            encryption aes128
            hash sha1
        }
    }
    ipsec-interfaces {
        interface pppoe0
    }
    nat-traversal enable
    profile IDC-ZZ {
        authentication {
            mode pre-shared-secret
            pre-shared-secret XXX
        }
        bind {
            tunnel tun0
        }
        esp-group ESP-SPOKE
        ike-group IKE-SPOKE
    }
}
I checked the logs and saw the following.
In the hub, show log all | grep charon:
Dec 9 13:02:00 vyos charon: 08[ENC] generating INFORMATIONAL_V1 request 3953897240 [ HASH N(INVAL_ID) ]
Dec 9 13:02:00 vyos charon: 08[NET] sending packet: from 116.90.86.181[4500] to 115.60.57.13[23132] (76 bytes)
Dec 9 13:04:57 vyos charon: 10[NET] received packet: from 115.60.57.13[23132] to 116.90.86.181[4500] (92 bytes)
Dec 9 13:04:57 vyos charon: 10[ENC] parsed INFORMATIONAL_V1 request 1310358166 [ HASH D ]
Dec 9 13:04:57 vyos charon: 10[IKE] received DELETE for IKE_SA vpnprof-dmvpn-tun0[116]
Dec 9 13:04:57 vyos charon: 10[IKE] deleting IKE_SA vpnprof-dmvpn-tun0[116] between 116.90.86.181[116.90.86.181]...115.60.57.13[100.64.21.35]
Dec 9 13:04:57 vyos charon: 14[NET] received packet: from 115.60.57.13[21532] to 116.90.86.181[500] (216 bytes)
Dec 9 13:04:57 vyos charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
Dec 9 13:04:57 vyos charon: 14[IKE] received XAuth vendor ID
Dec 9 13:04:57 vyos charon: 14[IKE] received DPD vendor ID
Dec 9 13:04:57 vyos charon: 14[IKE] received FRAGMENTATION vendor ID
Dec 9 13:04:57 vyos charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
Dec 9 13:04:57 vyos charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 9 13:04:57 vyos charon: 14[IKE] 115.60.57.13 is initiating a Main Mode IKE_SA
Dec 9 13:04:57 vyos charon: 14[ENC] generating ID_PROT response 0 [ SA V V V V ]
Dec 9 13:04:57 vyos charon: 14[NET] sending packet: from 116.90.86.181[500] to 115.60.57.13[21532] (160 bytes)
Dec 9 13:04:57 vyos charon: 15[NET] received packet: from 115.60.57.13[21532] to 116.90.86.181[500] (244 bytes)
Dec 9 13:04:57 vyos charon: 15[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 9 13:04:57 vyos charon: 15[IKE] remote host is behind NAT
Dec 9 13:04:57 vyos charon: 15[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Dec 9 13:04:57 vyos charon: 15[NET] sending packet: from 116.90.86.181[500] to 115.60.57.13[21532] (244 bytes)
Dec 9 13:04:57 vyos charon: 13[NET] received packet: from 115.60.57.13[23132] to 116.90.86.181[4500] (76 bytes)
Dec 9 13:04:57 vyos charon: 13[ENC] parsed ID_PROT request 0 [ ID HASH ]
Dec 9 13:04:57 vyos charon: 13[CFG] looking for pre-shared key peer configs matching 116.90.86.181...115.60.57.13[100.64.21.35]
Dec 9 13:04:57 vyos charon: 13[CFG] selected peer config 'vpnprof-dmvpn-tun0'
Dec 9 13:04:57 vyos charon: 13[IKE] IKE_SA vpnprof-dmvpn-tun0[117] established between 116.90.86.181[116.90.86.181]...115.60.57.13[100.64.21.35]
Dec 9 13:04:57 vyos charon: 13[IKE] scheduling rekeying in 3588s
Dec 9 13:04:57 vyos charon: 13[IKE] maximum IKE_SA lifetime 3948s
Dec 9 13:04:57 vyos charon: 13[ENC] generating ID_PROT response 0 [ ID HASH ]
Dec 9 13:04:57 vyos charon: 13[NET] sending packet: from 116.90.86.181[4500] to 115.60.57.13[23132] (76 bytes)
Dec 9 13:04:57 vyos charon: 07[NET] received packet: from 115.60.57.13[23132] to 116.90.86.181[4500] (332 bytes)
Dec 9 13:04:57 vyos charon: 07[ENC] parsed QUICK_MODE request 614827736 [ HASH SA No KE ID ID ]
Dec 9 13:04:57 vyos charon: 07[IKE] no matching CHILD_SA config found
In the spoke site, show log all | grep charon:
Dec 9 13:05:13 vyos charon: 07[CFG] vici terminate with source me 100.64.21.35 and other 116.90.86.181
Dec 9 13:05:13 vyos charon: 06[IKE] deleting IKE_SA vpnprof-dmvpn-tun0[38] between 100.64.21.35[100.64.21.35]...116.90.86.181[116.90.86.181]
Dec 9 13:05:13 vyos charon: 06[IKE] sending DELETE for IKE_SA vpnprof-dmvpn-tun0[38]
Dec 9 13:05:13 vyos charon: 06[ENC] generating INFORMATIONAL_V1 request 1310358166 [ HASH D ]
Dec 9 13:05:13 vyos charon: 06[NET] sending packet: from 100.64.21.35[4500] to 116.90.86.181[4500] (92 bytes)
Dec 9 13:05:13 vyos charon: 06[CFG] vici initiate 'dmvpn', me 100.64.21.35, other 116.90.86.181, limits 0
Dec 9 13:05:13 vyos charon: 07[IKE] initiating Main Mode IKE_SA vpnprof-dmvpn-tun0[39] to 116.90.86.181
Dec 9 13:05:13 vyos charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Dec 9 13:05:13 vyos charon: 07[NET] sending packet: from 100.64.21.35[500] to 116.90.86.181[500] (216 bytes)
Dec 9 13:05:13 vyos charon: 05[NET] received packet: from 116.90.86.181[500] to 100.64.21.35[500] (160 bytes)
Dec 9 13:05:13 vyos charon: 05[ENC] parsed ID_PROT response 0 [ SA V V V V ]
Dec 9 13:05:13 vyos charon: 05[IKE] received XAuth vendor ID
Dec 9 13:05:13 vyos charon: 05[IKE] received DPD vendor ID
Dec 9 13:05:13 vyos charon: 05[IKE] received FRAGMENTATION vendor ID
Dec 9 13:05:13 vyos charon: 05[IKE] received NAT-T (RFC 3947) vendor ID
Dec 9 13:05:13 vyos charon: 05[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 9 13:05:13 vyos charon: 05[NET] sending packet: from 100.64.21.35[500] to 116.90.86.181[500] (244 bytes)
Dec 9 13:05:13 vyos charon: 07[NET] received packet: from 116.90.86.181[500] to 100.64.21.35[500] (244 bytes)
Dec 9 13:05:13 vyos charon: 07[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Dec 9 13:05:13 vyos charon: 07[IKE] local host is behind NAT, sending keep alives
Dec 9 13:05:13 vyos charon: 07[ENC] generating ID_PROT request 0 [ ID HASH ]
Dec 9 13:05:13 vyos charon: 07[NET] sending packet: from 100.64.21.35[4500] to 116.90.86.181[4500] (76 bytes)
Dec 9 13:05:13 vyos charon: 13[NET] received packet: from 116.90.86.181[4500] to 100.64.21.35[4500] (76 bytes)
Dec 9 13:05:13 vyos charon: 13[ENC] parsed ID_PROT response 0 [ ID HASH ]
Dec 9 13:05:13 vyos charon: 13[IKE] IKE_SA vpnprof-dmvpn-tun0[39] established between 100.64.21.35[100.64.21.35]...116.90.86.181[116.90.86.181]
Dec 9 13:05:13 vyos charon: 13[IKE] scheduling rekeying in 3304s
Dec 9 13:05:13 vyos charon: 13[IKE] maximum IKE_SA lifetime 3664s
Dec 9 13:05:13 vyos charon: 13[ENC] generating QUICK_MODE request 614827736 [ HASH SA No KE ID ID ]
Dec 9 13:05:13 vyos charon: 13[NET] sending packet: from 100.64.21.35[4500] to 116.90.86.181[4500] (332 bytes)
Dec 9 13:05:13 vyos charon: 04[NET] received packet: from 116.90.86.181[4500] to 100.64.21.35[4500] (76 bytes)
Dec 9 13:05:13 vyos charon: 04[ENC] parsed INFORMATIONAL_V1 request 3550378600 [ HASH N(INVAL_ID) ]
Dec 9 13:05:13 vyos charon: 04[IKE] received INVALID_ID_INFORMATION error notify
I changed the VPN log level to 2 and saw the following.
In the spoke site:
Dec 10 05:05:59 vyos charon[12687]: 13[CFG] proposing traffic selectors for us:
Dec 10 05:05:59 vyos charon[12687]: 13[CFG] 100.64.161.96/32[gre] (This IP is my PPPoE interface DHCP IP)
Dec 10 05:05:59 vyos charon[12687]: 13[CFG] proposing traffic selectors for other:
Dec 10 05:05:59 vyos charon[12687]: 13[CFG] 116.90.86.181/32[gre]
Dec 10 05:05:59 vyos charon[12687]: 13[ENC] generating QUICK_MODE request 3607804314 [ HASH SA No KE ID ID ]
Dec 10 05:05:59 vyos charon[12687]: 13[NET] sending packet: from 100.64.161.96[4500] to 116.90.86.181[4500] (332 bytes)
Dec 10 05:05:59 vyos charon[12687]: 12[NET] received packet: from 116.90.86.181[4500] to 100.64.161.96[4500] (76 bytes)
Dec 10 05:05:59 vyos charon[12687]: 12[ENC] parsed INFORMATIONAL_V1 request 2361528290 [ HASH N(INVAL_ID) ]
Dec 10 05:05:59 vyos charon[12687]: 12[IKE] received INVALID_ID_INFORMATION error notify
In the hub site:
Dec 10 05:11:38 vyos charon: 05[NET] sending packet: from 116.90.86.181[4500] to 115.60.62.155[1026] (76 bytes)
Dec 10 05:11:38 vyos charon: 06[NET] received packet: from 115.60.62.155[1026] to 116.90.86.181[4500] (332 bytes)
Dec 10 05:11:38 vyos charon: 06[ENC] parsed QUICK_MODE request 2409290503 [ HASH SA No KE ID ID ]
Dec 10 05:11:38 vyos charon: 06[CFG] looking for a child config for 116.90.86.181/32[gre] === 100.64.161.96/32[gre]
Dec 10 05:11:38 vyos charon: 06[CFG] proposing traffic selectors for us:
Dec 10 05:11:38 vyos charon: 06[CFG] 116.90.86.181/32[gre]
Dec 10 05:11:38 vyos charon: 06[CFG] proposing traffic selectors for other:
Dec 10 05:11:38 vyos charon: 06[CFG] 115.60.62.155/32[gre](This IP is my public IP over NAT)
Dec 10 05:11:38 vyos charon: 06[IKE] no matching CHILD_SA config found
In the spoke site, running show vpn debug:
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.19.4-amd64-vyos, x86_64):
uptime: 18 hours, since Dec 09 11:49:39 2018
malloc: sbrk 2953216, mmap 0, used 1079040, free 1874176
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 63
loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
100.64.161.96
Connections:
vpnprof-dmvpn-tun0: %any...%any IKEv1
vpnprof-dmvpn-tun0: local: [100.64.161.96] uses pre-shared key authentication
vpnprof-dmvpn-tun0: remote: uses pre-shared key authentication
dmvpn: child: dynamic[gre] === dynamic[gre] TUNNEL
Security Associations (1 up, 0 connecting):
vpnprof-dmvpn-tun0[554]: ESTABLISHED 70 seconds ago, 100.64.161.96[100.64.161.96]...116.90.86.181[116.90.86.181]
vpnprof-dmvpn-tun0[554]: IKEv1 SPIs: 1d80a49b252bba19_i* 4fee3d2118f59b23_r, rekeying in 57 minutes
vpnprof-dmvpn-tun0[554]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
In the hub site, running show vpn debug:
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.19.4-amd64-vyos, x86_64):
uptime: 14 hours, since Dec 09 15:18:01 2018
malloc: sbrk 2973696, mmap 0, used 837248, free 2136448
worker threads: 10 of 16 idle, 5/0/1/0 working, job queue: 0/0/0/0, scheduled: 62
loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
116.90.86.181
Connections:
vpnprof-dmvpn-tun0: %any...%any IKEv1
vpnprof-dmvpn-tun0: local: [116.90.86.181] uses pre-shared key authentication
vpnprof-dmvpn-tun0: remote: uses pre-shared key authentication
dmvpn: child: dynamic[gre] === dynamic[gre] TUNNEL
Security Associations (1 up, 1 connecting):
vpnprof-dmvpn-tun0[2]: CONNECTING, 116.90.86.181[%any]...192.168.200.1[%any]
vpnprof-dmvpn-tun0[2]: IKEv1 SPIs: ec31392f2e4f28e6_i* 0000000000000000_r
vpnprof-dmvpn-tun0[2]: Tasks queued: QUICK_MODE
vpnprof-dmvpn-tun0[2]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
vpnprof-dmvpn-tun0[452]: ESTABLISHED 2 minutes ago, 116.90.86.181[116.90.86.181]...115.60.62.155[100.64.161.96]
vpnprof-dmvpn-tun0[452]: IKEv1 SPIs: 1d80a49b252bba19_i 4fee3d2118f59b23_r*, rekeying in 56 minutes
vpnprof-dmvpn-tun0[452]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IP 100.64.161.96/32 is the spoke site's PPPoE interface IP address.
IP 115.60.62.155/32 is the spoke site's public IP address behind NAT.
IP 116.90.86.181/32 is the hub site's static public IP.
Maybe this helps you help me fix the issue.
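The level-2 hub log above shows the spoke proposing its pre-NAT PPPoE address (100.64.161.96/32) as its own traffic selector while the hub can only offer the address it actually sees the spoke from (115.60.62.155/32), which is why charon answers INVAL_ID and logs "no matching CHILD_SA config found". The Python diagnostic below is an added example, not part of the post or of VyOS: it parses a constructed copy of those hub-side charon lines (same IPs, inline annotations removed) and reports the remote-selector mismatch; the function and constant names are my own.

```python
import re

# Constructed copy of the hub-side level-2 charon lines from the post (same IPs),
# with the poster's inline annotations removed so the lines parse cleanly.
HUB_LOG = """\
Dec 10 05:11:38 vyos charon: 06[CFG] looking for a child config for 116.90.86.181/32[gre] === 100.64.161.96/32[gre]
Dec 10 05:11:38 vyos charon: 06[CFG] proposing traffic selectors for us:
Dec 10 05:11:38 vyos charon: 06[CFG]  116.90.86.181/32[gre]
Dec 10 05:11:38 vyos charon: 06[CFG] proposing traffic selectors for other:
Dec 10 05:11:38 vyos charon: 06[CFG]  115.60.62.155/32[gre]
Dec 10 05:11:38 vyos charon: 06[IKE] no matching CHILD_SA config found
"""

# "looking for a child config for <local TS> === <remote TS>": what the initiator asked for.
CHILD_RE = re.compile(r"looking for a child config for (\S+) === (\S+)")
PROPOSE_RE = re.compile(r"proposing traffic selectors for (us|other):")
# A bare selector line: "<addr>/<len>[proto]" directly after the [CFG] tag.
TS_RE = re.compile(r"\[CFG\]\s+(\d+\.\d+\.\d+\.\d+/\d+\[\w+\])\s*$")


def analyse_quick_mode(log: str) -> dict:
    """Collect the requested selectors, the responder's own offer, and whether it failed."""
    report = {"requested": None, "offered": {"us": [], "other": []}, "failed": False}
    side = None
    for line in log.splitlines():
        m = CHILD_RE.search(line)
        if m:
            report["requested"] = (m.group(1), m.group(2))
            continue
        m = PROPOSE_RE.search(line)
        if m:
            side = m.group(1)
            continue
        m = TS_RE.search(line)
        if m and side:
            report["offered"][side].append(m.group(1))
            continue
        if "no matching CHILD_SA config found" in line:
            report["failed"] = True
    return report


def remote_ts_mismatch(report: dict):
    """Return (what the peer claimed for itself, what we see it as) if they differ, else None."""
    if not report["requested"] or not report["offered"]["other"]:
        return None
    claimed = report["requested"][1]
    if claimed in report["offered"]["other"]:
        return None
    return claimed, report["offered"]["other"][0]
```

A non-None result from remote_ts_mismatch together with failed=True is the signature of a peer behind NAT negotiating selectors with its private address, which is exactly what both sides' logs show here.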