New Member
Posts: 28
Registered: 11-15-2015
Solutions: 1

Re: changing to ikev2 breaks IPSEC tunnel

oh I see.

I came across this thread by you: https://forum.vyos.net/showthread.php?tid=16631

Is it possible to just upgrade the strongSwan package on the current helium release? I saw something about 5.x not being backported to helium's Debian release.

Member
Posts: 107
Registered: 05-22-2014
Kudos: 94
Solutions: 3

Re: changing to ikev2 breaks IPSEC tunnel

You cannot upgrade the strongSwan package on VyOS 1.1.x (aka helium), since the underlying configuration code and operational commands also need to be strongSwan 5.x aware.

However, you can try downloading those ISOs that people have built, or get the 1.2.x rolling release, and see if it works for your Amazon VPC deployment.

Emerging Member
Posts: 56
Registered: 03-12-2015
Kudos: 88

Re: changing to ikev2 breaks IPSEC tunnel


@ubinewbie wrote:

A point that's possibly worth mentioning: one side of my VPN is behind NAT, which I believe without traversal screws up ESP negotiation? PFS is part of ESP so I don't know if it's related, even though I have traversal enabled on both sides.

FWIW I have edgerouter 1.9.1 on one side and VyOS 1.1.7 in an AWS VPC on the other side (1:1 NAT).


I have the same issue as discussed in this topic.

Left side is the Edge Router POE-X-SFP with 1.9.7 and StrongSwan version 5.x
Right side is the VyOS 1.1.7 in an AWS VPC with 1:1 NAT which has StrongSwan 4.x

With IKEv1 I've got everything working, but when I switch to IKEv2 I've got the tunnel UP, but traffic is not passing.

Could somebody confirm that the problem is due to the old v4.x version on VyOS and the PFS group settings?

Emerging Member
Posts: 56
Registered: 03-12-2015
Kudos: 88

Re: changing to ikev2 breaks IPSEC tunnel

Here is the text from the VyOS configuration:

vyos@gw-eu-central-1# set vpn ipsec site-to-site peer 1.1.1.2 ikev2-reauth
Possible completions:
    yes Enable remote host re-autentication during an IKE re-key. Currently broken due to a strong swan bug
    no Disable remote host re-authenticaton during an IKE re-key.
    inherit Inherit the reauth configuration form your IKE-group (Default)

So some IKEv2 options are officially broken.

New Member
Posts: 28
Registered: 11-15-2015
Solutions: 1

Re: changing to ikev2 breaks IPSEC tunnel

Did you disable PFS?

Emerging Member
Posts: 56
Registered: 03-12-2015
Kudos: 88

Re: changing to ikev2 breaks IPSEC tunnel


@ubinewbie wrote:

Did you disable PFS?


Yes, that is the reason for my post.

New Member
Posts: 28
Registered: 11-15-2015
Solutions: 1

Re: changing to ikev2 breaks IPSEC tunnel

I found it quite fiddly, as IPsec can be. This is the config on the EdgeRouter that works for me; obviously adjust for the VyOS side:

set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec auto-update '60'
set vpn ipsec nat-traversal 'enable'

set vpn ipsec esp-group esp_1 compression disable
set vpn ipsec esp-group esp_1 lifetime 1800
set vpn ipsec esp-group esp_1 mode tunnel
set vpn ipsec esp-group esp_1 pfs disable
set vpn ipsec esp-group esp_1 proposal 1 encryption aes256
set vpn ipsec esp-group esp_1 proposal 1 hash sha1

set vpn ipsec ike-group ike_1 dead-peer-detection action restart
set vpn ipsec ike-group ike_1 dead-peer-detection interval 30
set vpn ipsec ike-group ike_1 dead-peer-detection timeout 120
set vpn ipsec ike-group ike_1 ikev2-reauth no
set vpn ipsec ike-group ike_1 key-exchange ikev2
set vpn ipsec ike-group ike_1 lifetime 3600
set vpn ipsec ike-group ike_1 proposal 1 dh-group 2
set vpn ipsec ike-group ike_1 proposal 1 encryption aes256
set vpn ipsec ike-group ike_1 proposal 1 hash sha1

set vpn ipsec site-to-site peer 'VYOS-pub-IP' authentication id 'localID'
set vpn ipsec site-to-site peer 'VYOS-pub-IP' authentication remote-id 'RemoteID'
set vpn ipsec site-to-site peer 'VYOS-pub-IP' authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 'VYOS-pub-IP' authentication pre-shared-secret 'SomeSecretKey'
set vpn ipsec site-to-site peer 'VYOS-pub-IP' connection-type 'initiate'
set vpn ipsec site-to-site peer 'VYOS-pub-IP' default-esp-group 'esp_1'
set vpn ipsec site-to-site peer 'VYOS-pub-IP' ike-group 'ike_1'
set vpn ipsec site-to-site peer 'VYOS-pub-IP' local-address 'EdgeRouter-public-ip'
set vpn ipsec site-to-site peer 'VYOS-pub-IP' tunnel 1 local prefix '192.168.x.x/24'
set vpn ipsec site-to-site peer 'VYOS-pub-IP' tunnel 1 remote prefix '10.x.x.x/x'
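As an added example (not from this thread, VyOS or EdgeOS), a small Python lint that parses "set vpn ipsec" lines in the shape of the EdgeRouter config above and flags the settings this thread ties to IKEv2 trouble against a strongSwan 4.x peer: PFS not disabled in the ESP group, ikev2-reauth yes (marked broken in the VyOS completion help quoted earlier), and nat-traversal not enabled. The sample config and the peer address 203.0.113.10 are constructed, and treating a missing pfs setting as enabled is my assumption about the VyOS 1.1 default.

```python
import re
from typing import Dict, List

# Constructed sample (not the poster's exact config): same shape as the
# EdgeRouter config above, but with PFS left on and ikev2-reauth set to
# yes so the lint has something to report. 203.0.113.10 is a placeholder.
SAMPLE_CONFIG = """
set vpn ipsec nat-traversal 'enable'
set vpn ipsec esp-group esp_1 pfs enable
set vpn ipsec esp-group esp_1 proposal 1 encryption aes256
set vpn ipsec esp-group esp_1 proposal 1 hash sha1
set vpn ipsec ike-group ike_1 ikev2-reauth yes
set vpn ipsec ike-group ike_1 key-exchange ikev2
set vpn ipsec ike-group ike_1 proposal 1 dh-group 2
set vpn ipsec site-to-site peer '203.0.113.10' default-esp-group 'esp_1'
set vpn ipsec site-to-site peer '203.0.113.10' ike-group 'ike_1'
"""


def parse_set_lines(text: str) -> Dict[str, str]:
    """Map each 'set <path> <value>' line to {'<path>': '<value>'}, unquoted."""
    tree: Dict[str, str] = {}
    for line in text.splitlines():
        parts = [p.strip("'\"") for p in line.split()]
        if len(parts) >= 3 and parts[0] == "set":
            tree[" ".join(parts[1:-1])] = parts[-1]
    return tree


def lint_ikev2(tree: Dict[str, str]) -> List[str]:
    """Flag, per IKEv2 peer, the settings this thread associates with breakage."""
    findings: List[str] = []
    if tree.get("vpn ipsec nat-traversal") != "enable":
        findings.append("global: nat-traversal not enabled (needed behind NAT)")
    for key, ike in tree.items():
        m = re.fullmatch(r"vpn ipsec site-to-site peer (\S+) ike-group", key)
        if not m or tree.get(f"vpn ipsec ike-group {ike} key-exchange") != "ikev2":
            continue
        peer = m.group(1)
        esp = tree.get(f"vpn ipsec site-to-site peer {peer} default-esp-group", "")
        # Assumption: VyOS 1.1 keeps PFS on unless it is explicitly disabled.
        if tree.get(f"vpn ipsec esp-group {esp} pfs", "enable") != "disable":
            findings.append(f"{peer}: IKEv2 with PFS left on in esp-group {esp}; "
                            "the working EdgeRouter config above uses pfs disable")
        # The VyOS completion help quoted earlier marks this option as broken.
        if tree.get(f"vpn ipsec ike-group {ike} ikev2-reauth") == "yes":
            findings.append(f"{peer}: ikev2-reauth yes in ike-group {ike} is marked broken")
    return findings
```

Run lint_ikev2(parse_set_lines(...)) over both sides' exported config; an empty list means none of the thread's known trouble spots are present.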

Emerging Member
Posts: 56
Registered: 03-12-2015
Kudos: 88

Re: changing to ikev2 breaks IPSEC tunnel

IKEv1 works without problem. This issue is about IKEv2.

By the way, VyOS 1.1.8 was released several days ago.

VyOS 1.1.8:
strongswan 4.5.2-1.1-bpo6

VyOS 1.1.7:
strongswan 4.5.2-1.1-bpo60+vyos1+helium6

It will probably not fix the issue, because UBNT has a much newer version.

UBNT 1.9.7:
strongswan 5.2.2-ubnt2

New Member
Posts: 28
Registered: 11-15-2015
Solutions: 1

Re: changing to ikev2 breaks IPSEC tunnel

VyOS 1.2.0 is available now as a beta; I have it running with the latest EdgeRouter OS with IKEv2 working, which is great!

1.2.0 has a newer version of strongswan.