VyOS 1.2 does not work with AWS VPN gateway, but some configuration works fine on VyOS 1.1.8
Closed, WontfixPublicBUG
Actions

Assigned To

Authored By

	shadowyw
	Aug 17 2018, 11:07 AM

Description

AWS VPN gateway configuration works fine on VyOS 1.1.8 but not work with VyOS 1.2

On VyOS1.2
IPsec tunnel always down

vyos@home:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
x.x.x.x                           192.168.1.51

    Description: VPC tunnel 1

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv1   aes128   sha1_96 2(MODP_1024)   no     3600    28800


vyos@home:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
x.x.x.x                            192.168.1.51

    Description: VPC tunnel 1

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    vti     down   40.0/60.0      aes128   sha1_96/modp_1024 no     -2640           all

vpn configuration part

vyos@home# show vpn
 ipsec {
     esp-group AWS {
         compression disable
         lifetime 3600
         mode tunnel
         pfs enable
         proposal 1 {
             encryption aes128
             hash sha1
         }
     }
     ike-group AWS {
         dead-peer-detection {
             action restart
             interval 15
             timeout 30
         }
         lifetime 28800
         proposal 1 {
             dh-group 2
             encryption aes128
             hash sha1
         }
     }
     ipsec-interfaces {
         interface eth0
     }
     nat-networks {
         allowed-network 0.0.0.0/0 {
         }
     }
     nat-traversal enable
     site-to-site {
         peer x.x.x.x {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret secret
             }
             description "VPC tunnel 1"
             ike-group AWS
             local-address 192.168.1.51
             vti {
                 bind vti0
                 esp-group AWS
             }
         }
     }
 }

/var/log/message sample

Aug 17 19:04:50 home charon: 16[ENC] generating INFORMATIONAL_V1 request 4210105309 [ HASH N(DPD_ACK) ]
Aug 17 19:04:50 home charon: 16[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:05:00 home charon: 11[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:05:00 home charon: 11[ENC] parsed INFORMATIONAL_V1 request 3467971564 [ HASH N(DPD) ]
Aug 17 19:05:00 home charon: 11[ENC] generating INFORMATIONAL_V1 request 1720754458 [ HASH N(DPD_ACK) ]
Aug 17 19:05:00 home charon: 11[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:05:10 home charon: 14[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:05:10 home charon: 14[ENC] parsed INFORMATIONAL_V1 request 1518925226 [ HASH N(DPD) ]
Aug 17 19:05:10 home charon: 14[ENC] generating INFORMATIONAL_V1 request 2392199914 [ HASH N(DPD_ACK) ]
Aug 17 19:05:10 home charon: 14[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:05:20 home charon: 13[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:05:20 home charon: 13[ENC] parsed INFORMATIONAL_V1 request 3474580426 [ HASH N(DPD) ]
Aug 17 19:05:20 home charon: 13[ENC] generating INFORMATIONAL_V1 request 1794201602 [ HASH N(DPD_ACK) ]
Aug 17 19:05:20 home charon: 13[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:05:31 home charon: 06[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:05:31 home charon: 06[ENC] parsed INFORMATIONAL_V1 request 3687709310 [ HASH N(DPD) ]
Aug 17 19:05:31 home charon: 06[ENC] generating INFORMATIONAL_V1 request 4260606570 [ HASH N(DPD_ACK) ]
Aug 17 19:05:31 home charon: 06[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:05:41 home charon: 15[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:05:41 home charon: 15[ENC] parsed INFORMATIONAL_V1 request 2633167795 [ HASH N(DPD) ]
Aug 17 19:05:41 home charon: 15[ENC] generating INFORMATIONAL_V1 request 3260501004 [ HASH N(DPD_ACK) ]
Aug 17 19:05:41 home charon: 15[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:05:52 home charon: 08[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:05:52 home charon: 08[ENC] parsed INFORMATIONAL_V1 request 3701430312 [ HASH N(DPD) ]
Aug 17 19:05:52 home charon: 08[ENC] generating INFORMATIONAL_V1 request 1159511259 [ HASH N(DPD_ACK) ]
Aug 17 19:05:52 home charon: 08[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:06:02 home charon: 16[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:06:02 home charon: 16[ENC] parsed INFORMATIONAL_V1 request 1080707478 [ HASH N(DPD) ]
Aug 17 19:06:02 home charon: 16[ENC] generating INFORMATIONAL_V1 request 4192344327 [ HASH N(DPD_ACK) ]
Aug 17 19:06:02 home charon: 16[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:06:12 home charon: 11[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:06:12 home charon: 11[ENC] parsed INFORMATIONAL_V1 request 3546085915 [ HASH N(DPD) ]
Aug 17 19:06:12 home charon: 11[ENC] generating INFORMATIONAL_V1 request 767929131 [ HASH N(DPD_ACK) ]
Aug 17 19:06:12 home charon: 11[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:06:23 home charon: 05[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:06:23 home charon: 05[ENC] parsed INFORMATIONAL_V1 request 2550324196 [ HASH N(DPD) ]
Aug 17 19:06:23 home charon: 05[ENC] generating INFORMATIONAL_V1 request 2494124315 [ HASH N(DPD_ACK) ]
Aug 17 19:06:23 home charon: 05[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)
Aug 17 19:06:33 home charon: 12[NET] received packet: from x.x.x.x[4500] to 192.168.1.51[4500] (92 bytes)
Aug 17 19:06:33 home charon: 12[ENC] parsed INFORMATIONAL_V1 request 1162636955 [ HASH N(DPD) ]
Aug 17 19:06:33 home charon: 12[ENC] generating INFORMATIONAL_V1 request 2581462110 [ HASH N(DPD_ACK) ]
Aug 17 19:06:33 home charon: 12[NET] sending packet: from 192.168.1.51[4500] to x.x.x.x[4500] (92 bytes)

Details

Version: vyos-1.2.0-rolling+201806151501

Event Timeline

shadowyw created this task.Aug 17 2018, 11:07 AM

We are using "Double static NAT" life hack in AWS, so IPsec protocols works actually without NAT
And it is working good.

But there is a couple of stability issues when switching from 1.1.8 to 1.2 in AWS environment, which I will report soon.
So working connection goes down after several hours.

Could you show please show interfaces?

@shadowyw try retest with latest rolling please

In T781#18637, @begetan wrote:

We are using "Double static NAT" life hack in AWS, so IPsec protocols works actually without NAT
And it is working good.

But there is a couple of stability issues when switching from 1.1.8 to 1.2 in AWS environment, which I will report soon.
So working connection goes down after several hours.

Could you show please show interfaces?

# show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.1.51/24                   u/u
eth1             10.10.0.1/24                      u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
vti0             169.254.10.14/30                  u/u  VPC tunnel 1
vti1             169.254.8.58/30                   u/u  VPC tunnel 2