Regular Member
Posts: 327
Registered: ‎08-10-2011
Kudos: 118
Solutions: 8

Re: changing to ikev2 breaks IPSEC tunnel

I noticed the following differences between the config you posted and the one I posted....

compression disable
lifetime 3600
mode tunnel
pfs enable

 

And I also have these

dh-group 21
encryption aes256
hash sha512

 

Are any of these incompatible with ikev2?

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3142
Solutions: 945
Contributions: 16

Re: changing to ikev2 breaks IPSEC tunnel


@looney128 wrote:

I noticed the following differences between the config you posted and the one I posted....

compression disable
lifetime 3600
mode tunnel
pfs enable

 

And I also have these

dh-group 21
encryption aes256
hash sha512

 

Are any of these incompatible with ikev2?


The first 4 are default values, so I deleted them.  Not sure if there are incompatibilities with the others.  If I get a chance I'll try.

EdgeMAX Router Software Development
Regular Member
Posts: 327
Registered: ‎08-10-2011
Kudos: 118
Solutions: 8

Re: changing to ikev2 breaks IPSEC tunnel

Ok.  Now I am going to show my Noobness.

Could you point me to a wiki or something else that instructs me how to load a patch?

 

Thanks

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3142
Solutions: 945
Contributions: 16

Re: changing to ikev2 breaks IPSEC tunnel


@looney128 wrote:

Ok.  Now I am going to show my Noobness.

Could you point me to a wiki or something else that instructs me how to load a patch?

 

Thanks


Download that "tar" ball to the router (I had to tar it as the forum wouldn't upload a file ending in .deb - sigh).

 

Once on the router:

1) tar xvf vyatta-op-vpn.deb.tar

2) sudo dpkg -i vyatta-op-vpn_9dev_all.deb

 

After that "show version all" should indicate that you've "Updated" a package on the system.

 

ubnt@R1:~$ show version all
Version:      v1.6.0
Build ID:     4716006
Build on:     10/31/14 17:31
Copyright:    2012-2014 Ubiquiti Networks, Inc.
HW model:     EdgeRouter Lite 3-Port
HW S/N:       DC9FDB17138C
Uptime:       19:43:22 up 37 min,  1 user,  load average: 0.00, 0.01, 0.05

Uii vyatta-op-vpn             9:9dev               (baseline: 1:0.14.4)

 

EdgeMAX Router Software Development
Regular Member
Posts: 327
Registered: ‎08-10-2011
Kudos: 118
Solutions: 8

Re: changing to ikev2 breaks IPSEC tunnel

@UBNT-stig I installed your patch.  Thanks!  That is really helping narrow down what is going on.  I then set both my HQ router and Remote Router to using AES128 SHA1 and DH 14, as your example had, to see if I can get the ikev2 tunnel up.

The remote site had phase1 (show vpn ike sa) up, but phase2 (show vpn ipsec sa) down.

The HQ site did not even list the tunnel at all, so that tells me it could not even create the phase1.

I attached a sanitized config of both....

 

Thanks for the attention.

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3142
Solutions: 945
Contributions: 16

Re: changing to ikev2 breaks IPSEC tunnel

@looney128 Since I had an ipsec setup that I was using for a KB article, I was able to boot your configs.  I changed the public addresses to match my lab configuration and after boot I see:

 

ubnt@Main:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
20.0.0.2                                30.0.0.2                               

    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     aes128   sha1_96 PRF_HMAC_SHA1/MODP_2048 no     3600    28800  

 
ubnt@Main:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
20.0.0.2                                30.0.0.2                               

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       down   n/a            n/a      n/a   no     0       3600    all

 

 

As I mentioned before, it seems like ikev2 requires data to bring up phase 2, so I did:

 

ubnt@Main:~$ /bin/ping -I eth0 172.21.4.40
PING 172.21.4.40 (172.21.4.40) from 30.0.0.2 eth0: 56(84) bytes of data.
64 bytes from 172.21.4.40: icmp_req=2 ttl=64 time=1.19 ms
64 bytes from 172.21.4.40: icmp_req=3 ttl=64 time=0.750 ms
64 bytes from 172.21.4.40: icmp_req=4 ttl=64 time=0.704 ms
64 bytes from 172.21.4.40: icmp_req=5 ttl=64 time=0.707 ms
64 bytes from 172.21.4.40: icmp_req=6 ttl=64 time=0.704 ms
^C
--- 172.21.4.40 ping statistics ---
6 packets transmitted, 5 received, 16% packet loss, time 5013ms
rtt min/avg/max/mdev = 0.704/0.812/1.197/0.194 ms

ubnt@Main:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
20.0.0.2                                30.0.0.2                               

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     672.0/672.0    aes128   sha1_96 no     1140    3600    all

 

 Bingo - working.

 

Below are the configs I hacked up:

 

ubnt@ubnt:~$ cat /config/config.boot
firewall {
    group {
        network-group Cnet {
            network 192.168.10.0/24
        }
        network-group Net1 {
            network 172.21.0.0/16
        }
        network-group Net2 {
            network 172.19.2.0/24
        }
        network-group Net3 {
            network 172.19.3.0/24
        }
        network-group Net4 {
            network 172.19.1.0/24
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        enable-default-log
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            destination {
                group {
                    network-group Net1
                }
            }
            source {
                group {
                    network-group Cnet
                }
            }
        }
        rule 22 {
            action accept
            destination {
                group {
                    network-group Net1
                }
            }
            ipsec {
                match-ipsec
            }
            source {
                group {
                    network-group Net4
                }
            }
        }
        rule 23 {
            action accept
            destination {
                group {
                    network-group Net1
                }
            }
            source {
                group {
                    network-group Net2
                }
            }
        }
        rule 24 {
            action accept
            destination {
                group {
                    network-group Net1
                }
            }
            source {
                group {
                    network-group Net3
                }
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 8 {
            action accept
            description OpenVPN
            destination {
                port 1194
            }
            protocol udp
        }
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description "Allow VPN traffic from Cnet to Net1 Router"
            destination {
                address 172.21.4.40
            }
            source {
                group {
                    network-group Cnet
                }
            }
        }
        rule 22 {
            action accept
            description "Allow SSH to router from Cnet"
            protocol tcp
            source {
                port 22
            }
        }
        rule 23 {
            action accept
            description "Allow VPN traffic from Net4 to Net1 Router"
            destination {
                address 172.21.4.40
            }
            source {
                group {
                    network-group Net4
                }
            }
        }
        rule 24 {
            action accept
            description "Allow VNP traffic from Net2 to Net1 Router"
            destination {
                address 172.21.4.40
            }
            source {
                group {
                    network-group Net2
                }
            }
        }
        rule 25 {
            action accept
            description "Allow VNP traffic from Net3 to Net1 Router"
            destination {
                address 172.21.4.40
            }
            source {
                group {
                    network-group Net3
                }
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address 172.21.4.40/24
        description Local
    }
    ethernet eth1 {
        address 20.0.0.2/30
        description ATT
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        disable
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 20.0.0.1 {
            }
        }
        route 172.19.1.0/24 {
            next-hop 192.168.70.101 {
            }
        }
        route 172.21.5.0/24 {
            next-hop 172.21.4.1 {
            }
        }
    }
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth2
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 1 {
            description "Forward SSH to Juneau from wttn"
            destination {
                address 172.21.4.40
            }
            inbound-interface eth1
            inside-address {
                port 22
            }
            log disable
            protocol tcp
            source {
                port 22
            }
            type destination
        }
        rule 5010 {
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
            }
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        esp-group FOO1 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        esp-group FOO2 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 21
                encryption aes256
                hash sha1
            }
        }
        ike-group FOO1 {
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 21
                encryption aes256
                hash sha1
            }
        }
        ike-group FOO2 {
            key-exchange ikev2
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
        site-to-site {
            peer 30.0.0.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret secret
                }
                connection-type initiate
                ike-group FOO2
                local-address 20.0.0.2
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO2
                    local {
                        prefix 172.21.0.0/16
                    }
                    remote {
                        prefix 192.168.10.0/24
                    }
                }
            }
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.6.0.4716006.141031.1731 */

 

ubnt@Main:~$ cat /config/config.boot
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group Cnet {
            network 192.168.10.0/24
        }
        network-group DodgeNetwork {
            network 172.21.0.0/16
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        enable-default-log
        rule 2 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 3 {
            action drop
            state {
                invalid enable
            }
        }
        rule 4 {
            action accept
            destination {
                group {
                    network-group Cnet
                }
            }
            source {
                group {
                    network-group DodgeNetwork
                }
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 2 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 3 {
            action drop
            state {
                invalid enable
            }
        }
        rule 4 {
            action accept
            description "Allow VPN traffic from Work to the router"
            destination {
                address 192.168.10.1
            }
            source {
                group {
                    network-group DodgeNetwork
                }
            }
        }
        rule 5 {
            action accept
            description "Allow SSH to router from Juneau"
            protocol tcp
            source {
                port 22
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.10.1/24
        description House
        duplex auto
        speed auto
    }
    ethernet eth1 {
        address 30.0.0.2/30
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name House {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 208.67.222.222
                dns-server 208.67.220.220
                lease 86400
                start 192.168.10.100 {
                    stop 192.168.10.252
                }
            }
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 1 {
            description "Forward SSH to ERL from Work WAN"
            destination {
                address 192.168.10.1
            }
            inbound-interface eth1
            inside-address {
                port 22
            }
            log disable
            protocol tcp
            source {
                port 22
            }
            type destination
        }
        rule 5010 {
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    gateway-address 30.0.0.1
    host-name Main
    login {
        user ubnt {
            authentication {
                encrypted-password $1$zKNoUbAo$gomzUbYvgyUMcD436Wo66.
            }
            level admin
        }
    }
    name-server 208.67.222.222
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            key-exchange ikev2
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
        site-to-site {
            peer 20.0.0.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret secret
                }
                connection-type initiate
                ike-group FOO0
                local-address any
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.10.0/24
                    }
                    remote {
                        prefix 172.21.0.0/16
                    }
                }
            }
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.6.0.4716006.141031.1731 */

 

EdgeMAX Router Software Development
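
The "IKE SA up, IPsec SA down until traffic flows" state in the post above is easy to miss when the two tables are read by hand. What follows is an added example, not part of this thread and not EdgeOS code: a Python 3 parser for captured `show vpn ike sa` / `show vpn ipsec sa` output that pairs each tunnel with its IKE SA and classifies it. The two sample captures are copied from the post above; the second peer (20.0.0.6) is constructed to show the case where IKE never completed. It was written to run off-box on pasted output; whether the router's own Python runs it is an assumption that was not tested.

```python
# Added example for this thread, not EdgeOS code: classify each site-to-site
# tunnel from captured 'show vpn ike sa' / 'show vpn ipsec sa' output, so the
# "IKE SA up, IPsec SA down until traffic flows" state seen above is spotted
# without eyeballing two tables.  Samples are copied from the post above plus
# one constructed peer (20.0.0.6) that never completed IKE.
import re

IKE_SA_SAMPLE = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
20.0.0.2                                30.0.0.2

    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     aes128   sha1_96 PRF_HMAC_SHA1/MODP_2048 no     3600    28800
"""

IPSEC_SA_SAMPLE = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
20.0.0.2                                30.0.0.2

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       down   n/a            n/a      n/a   no     0       3600    all

20.0.0.6                                30.0.0.2

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       down   n/a            n/a      n/a   no     0       3600    all
"""

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def _data_rows(text):
    """Yield (peer, tokens) for every indented data row in a 'show vpn ... sa' table."""
    peer = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        tokens = raw.split()
        if raw[0].isspace():
            # indented lines are the column header, its dashes, or a data row
            if tokens[0] in ("State", "Tunnel") or tokens[0].startswith("-"):
                continue
            if peer is not None:
                yield peer, tokens
        elif _IPV4.match(tokens[0]):
            peer = tokens[0]        # first column of the 'Peer ID / IP' line

def parse_ike_sa(text):
    """peer -> IKE SA state ('up' / 'down')."""
    return {peer: tokens[0] for peer, tokens in _data_rows(text)}

def parse_ipsec_sa(text):
    """peer -> {tunnel number: (state, 'bytes out/in')}."""
    tunnels = {}
    for peer, tokens in _data_rows(text):
        tunnels.setdefault(peer, {})[int(tokens[0])] = (tokens[1], tokens[2])
    return tunnels

def diagnose(ike_text, ipsec_text):
    """Return (peer, tunnel, verdict) for every configured tunnel.

    ike-down          : no IKE SA at all; check proposals, PSK and firewall on both ends
    ike-up-child-down : IKE agreed but no CHILD_SA; with ikev2 on this build, send
                        traffic from the local prefix (the ping above) to trigger it
    ok                : CHILD_SA installed and passing bytes
    """
    ike, ipsec = parse_ike_sa(ike_text), parse_ipsec_sa(ipsec_text)
    findings = []
    for peer, tunnels in sorted(ipsec.items()):
        for number, (state, _bytes) in sorted(tunnels.items()):
            if ike.get(peer) != "up":
                verdict = "ike-down"
            elif state != "up":
                verdict = "ike-up-child-down"
            else:
                verdict = "ok"
            findings.append((peer, number, verdict))
    return findings

if __name__ == "__main__":
    for peer, number, verdict in diagnose(IKE_SA_SAMPLE, IPSEC_SA_SAMPLE):
        print(f"{peer} tunnel {number}: {verdict}")
```

On the capture from the post, the 20.0.0.2 tunnel comes back as ike-up-child-down, which is exactly the state that cleared once the ping was sent; a peer with no IKE SA row at all is reported as ike-down, the symptom the HQ router showed earlier in the thread.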
Regular Member
Posts: 327
Registered: ‎08-10-2011
Kudos: 118
Solutions: 8

Re: changing to ikev2 breaks IPSEC tunnel

Even more frustrating!

Could there be something else going on with the router?  Something not resetting?

Just not making sense.......

If our configs are the same.....it should work.....

Should I reload 1.6?

 

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3142
Solutions: 945
Contributions: 16

Re: changing to ikev2 breaks IPSEC tunnel

My test was done with v1.6.0, but I'm not sure it would make a difference.

 

BTW, I'm new to ikev2 - what is it about ikev2 that you need that ikev1 can't do?

EdgeMAX Router Software Development
Regular Member
Posts: 327
Registered: ‎08-10-2011
Kudos: 118
Solutions: 8

Re: changing to ikev2 breaks IPSEC tunnel

Two things that I like about ikev2.

One, reduced bandwidth.  We have cable modems at remote sites and even though the download speeds are screaming....upload speeds are still on the low side.

Two, its ability to check if the connection is alive or not.  I have had instances with ipsec tunnels where the router would think the tunnel is up, but no traffic was going through it......bringing the tunnel down and back up was the only way to bring it back alive.  Some departments that connect to us, using sonicwalls, etc, had to reboot the router entirely to bring the tunnel back up.  I know keepalives (pings) etc keep tunnels up, but I would rather have it done at a lower level.

So reduced bandwidth and more reliable connections are where I want to go. 

 

 

If it won't make a difference if I reload 1.6 or not.....not sure where to go from here....except maybe swapping the unit out with another....

Established Member
Posts: 803
Registered: ‎01-29-2014
Kudos: 322
Solutions: 36

Re: changing to ikev2 breaks IPSEC tunnel

Just a quick 'me too'.   I have two ERPOEs with an IPSEC Tunnel working between them using IKEV1.

 

If I change to IKEV2, I cannot get traffic to pass.  If I change back, I can.  No other config changes.

 

I did try (several times) pinging across the tunnel to try and force the tunnel up, restarting vpn, etc etc. No dice.

 

It seems (as I am the third person in this thread with this issue) there may be some issue with IKEv2 at this point.

 

Maybe the 1.7 version will have ironed out some of the bugs? 

 

(FWIW, I am running a load-balance config on one of the two ERPOEs, which complicates things I know.   I have already worked through the ipsec routing issues though, and the tunnels are working perfectly with IKEv1, and not at all with IKEv2, with no other config changes.)

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5480
Solutions: 1656
Contributions: 2

Re: changing to ikev2 breaks IPSEC tunnel

The IKEv2 support was contributed by @TriJetScud from this thread. Maybe he can provide some insight?

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3142
Solutions: 945
Contributions: 16

Re: changing to ikev2 breaks IPSEC tunnel

When I was using ikev2 it seemed like it required traffic to trigger phase2.  Also the "show vpn" commands didn't work well with ikev2, but I pulled in several fixes from VyOS.  Those changes are in the current v1.7 alpha/beta program.

EdgeMAX Router Software Development
Established Member
Posts: 803
Registered: ‎01-29-2014
Kudos: 322
Solutions: 36

Re: changing to ikev2 breaks IPSEC tunnel

got it working!

 

The issue for me was that the ike-group definition I was using did not include an explicit dh-group specification.  When I added that, my tunnel came up and started passing traffic.

 

It appears that ikev1  config has a default dh-group that is assumed (I haven't bothered to track down which dh group it assumes).  

 

Ikev2 does NOT appear to have a default dh-group, and the tunnel won't come up without it being expressed, and matching on both sides.

 

so, in my config, this works fine for ikev1, but does not work at all for ikev2:

 ike-group IKE_Default {
     dead-peer-detection {
         action restart
         interval 30
         timeout 120
     }
     key-exchange ikev1
     lifetime 28800
     proposal 1 {
         encryption aes256
         hash sha512
     }
     proposal 2 {
         encryption aes256
         hash sha1
     }
     proposal 3 {
         encryption 3des
         hash sha512
     }
     proposal 4 {
         encryption 3des
         hash sha1
     }
 }

to use IKEv2, I set up a new ike-group, including the DH-group parameter, and all is now working:

 ike-group IKE_V2 {
     key-exchange ikev2
     lifetime 28800
     proposal 1 {
         dh-group 14
         encryption aes256
         hash sha512
     }
     proposal 2 {
         dh-group 14
         encryption aes256
         hash sha1
     }
     proposal 3 {
         dh-group 14
         encryption 3des
         hash sha512
     }
     proposal 4 {
         dh-group 14
         encryption 3des
         hash sha1
     }
     proposal 5 {
         dh-group 14
         encryption aes128
         hash sha1
     }
 }

So now, with these two ike-groups set up, I can toggle between ikev1 and ikev2 just by changing the ike-group specified in the site-to-site peer:

show site-to-site peer xxx.xxx.xxx.23
 authentication {
     mode x509
     remote-id "mydetailsremovedfromhere"
     x509 {
         ca-cert-file /config/auth/cacert.pem
         cert-file /config/auth/rGateway.pem.crt
         key {
             file /config/auth/rGateway.pem.key
             password mypassword
         }
     }
 }
 connection-type initiate
 default-esp-group ESP_Default
 description "Site to Site to IPSEC"
 ike-group IKE_V2 //  < just change ike-group to switch between the IKE_V1 or IKE_V2 setup
 local-address xxx.xxx.xxx.203
 tunnel 1 {
     allow-nat-networks disable
     allow-public-networks disable
     local {
         prefix 192.168.195.0/24
     }
     remote {
         prefix 192.168.150.0/24
     }
 }
 tunnel 2 {
     allow-nat-networks disable
     allow-public-networks disable
     local {
         prefix 192.168.200.0/24
     }
     remote {
         prefix 192.168.150.0/24
     }
 }

 

 

 

 

Established Member
Posts: 803
Registered: ‎01-29-2014
Kudos: 322
Solutions: 36

Re: changing to ikev2 breaks IPSEC tunnel

still not working correctly though

 

Looking more closely, I discovered that only one of two tunnels came up.   This is very strange, as the configuration for each is identical: 

 tunnel 1 {
     allow-nat-networks disable
     allow-public-networks disable
     local {
         prefix 192.168.195.0/24
     }
     remote {
         prefix 192.168.150.0/24
     }
 }
 tunnel 2 {
     allow-nat-networks disable
     allow-public-networks disable
     local {
         prefix 192.168.200.0/24
     }
     remote {
         prefix 192.168.150.0/24
     }
 }

I found that tunnel 1 came up, or tunnel 2 came up, but never, ever, both.

My output from 'sudo ipsec status'  was showing both paths, and the SA, but only one tunnel ever reached the stage of 'Installed Tunnel'

 

Routed Connections:
peer-xx.xx.xx.xx-tunnel-1{1}:  ROUTED, TUNNEL
peer-xx.xx.xx.xx-tunnel-1{1}:   192.168.195.0/24 === 192.168.150.0/24
peer-xx.xx.xx.xx-tunnel-2{2}:  ROUTED, TUNNEL
peer-xx.xx.xx.xx-tunnel-2{2}:   192.168.200.0/24 === 192.168.150.0/24
Security Associations:
peer-xx.xx.xx.xx-tunnel-1[8]: ESTABLISHED 3 minutes ago,..snip
peer-xx.xx.xx.xx-tunnel-1{11}:  INSTALLED, TUNNEL, ESP SPIs: c8161435_i c0993a4a_o
peer-xx.xx.xx.xx-tunnel-1{11}:   192.168.195.0/24 === 192.168.150.0/24

 

the time taken to go from 'established' to 'installed, tunnel' was slow too -  about 3 minutes - and pinging across the tunnel didn't seem to make much difference.

 

So, presently, I have had to revert to IKEv1, which establishes faster, and allows both tunnels to come up.

 

 

 

 

 

Member
Posts: 107
Registered: ‎05-22-2014
Kudos: 94
Solutions: 3

Re: changing to ikev2 breaks IPSEC tunnel

In strongSwan's IKEv2 implementation (which both VyOS and EdgeOS use), the dh-group for the ESP payload is defined within the esp= configuration parameter. However, in my tests, even specifying the dhgroup parameter in the ESP payload for strongSwan 4.5.2, the IKEv2 daemon doesn't seem to pick it up right.

However I am working towards migrating away from strongSwan 4.5.2 on VyOS and moving it into 5.2.2 since that version seemed to have fixed most of the IKEv2 related problems we're seeing.

Senior Member
Posts: 3,363
Registered: ‎05-19-2013
Kudos: 1462
Solutions: 34

Re: changing to ikev2 breaks IPSEC tunnel


@UBNT-stig wrote:

One thing I have noticed with ikev2 is that it doesn't seem to bring up the tunnel until data triggers it.  I've been talking with one of the VyOS developers who thinks he might have a patch for that.


I have just tested ikev2 on 1.7alpha and it seems even when traffic is triggered, the tunnel does not come up. Used ping and http traffic.

Emerging Member
Posts: 71
Registered: ‎10-03-2014
Kudos: 35
Solutions: 1

Re: changing to ikev2 breaks IPSEC tunnel

Hi @looney128 I had similar problem getting IKEv2 going and after some low-down debugging of the negotiation I found that attempting to use 'pfs enable' caused the two ends to screw up the ESP negotiation. Try your original working IKEv1 set-up, change to IKEv2 and disable the 'pfs' setting. Let us know if that works for you too.
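
Two observations in this thread come down to config checks that can be automated: the dh-group that ikev2 proposals need spelled out on both sides (the IKE_Default / IKE_V2 post above) and the 'pfs enable' setting reported in this post. What follows is an added example, not part of the thread and not EdgeOS or VyOS code: a Python 3 linter that parses the brace-style text of `show configuration` or `/config/config.boot` and reports peers bound to an ikev2 ike-group whose proposals lack dh-group, esp-groups still at the default 'pfs enable', and the proposal set two ends have in common. HQ_CFG is trimmed from the HQ config posted above; REMOTE_CFG is constructed from the IKE_Default example. The pfs rule encodes this thread's report about the strongSwan 4.x-era builds, not a protocol requirement, so treat that finding as a warning rather than an error.

```python
# Added example for this thread (not EdgeOS or VyOS code): lint 'vpn ipsec' for the
# two IKEv2 pitfalls reported above, proposals lacking an explicit dh-group and
# esp-groups left at 'pfs enable'.  HQ_CFG is trimmed from the posted HQ config;
# REMOTE_CFG is constructed from the IKE_Default example (no esp-group bound).
HQ_CFG = """\
vpn {
    ipsec {
        esp-group FOO2 {
            pfs enable
        }
        ike-group FOO2 {
            key-exchange ikev2
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        site-to-site {
            peer 30.0.0.2 {
                ike-group FOO2
                tunnel 1 {
                    esp-group FOO2
                }
            }
        }
    }
}
"""
REMOTE_CFG = """\
vpn {
    ipsec {
        ike-group IKE_Default {
            key-exchange ikev2
            proposal 1 {
                encryption aes256
                hash sha512
            }
            proposal 2 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        site-to-site {
            peer 20.0.0.2 {
                ike-group IKE_Default
            }
        }
    }
}
"""

def parse_config(text):
    """Vyatta/EdgeOS brace syntax -> nested dicts; 'key value {' keys a node."""
    stack = [{}]
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("/*"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = node = {}
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return stack[0]

def _named(node, prefix):
    # yield (NAME, child) for each 'prefix NAME { ... }' block under node
    for key, child in node.items():
        head, _, name = key.partition(" ")
        if head == prefix and isinstance(child, dict):
            yield name, child

def ike_proposals(cfg, group):
    """{(dh-group or None, encryption, hash)}; both ends must share one tuple."""
    grp = cfg["vpn"]["ipsec"][f"ike-group {group}"]
    return {(p.get("dh-group"), p.get("encryption"), p.get("hash"))
            for _, p in _named(grp, "proposal")}

def lint(cfg):
    """(peer, code, detail) findings for every peer bound to an ikev2 ike-group."""
    ipsec, findings = cfg["vpn"]["ipsec"], []
    for peer, p in _named(ipsec["site-to-site"], "peer"):
        grp_name = p.get("ike-group")
        grp = ipsec.get(f"ike-group {grp_name}", {})
        if grp.get("key-exchange") != "ikev2":
            continue  # ikev1 falls back to a default group; ikev2 does not
        for name, prop in _named(grp, "proposal"):
            if "dh-group" not in prop:
                findings.append((peer, "missing-dh-group", f"{grp_name} proposal {name}"))
        esp_names = {p.get("default-esp-group")} | {t.get("esp-group") for _, t in _named(p, "tunnel")}
        for esp in sorted(n for n in esp_names if n):
            # pfs defaults to enable; this thread reports it breaks the ikev2 CHILD_SA
            # exchange on strongSwan 4.x builds, so flag anything but an explicit disable
            if ipsec.get(f"esp-group {esp}", {}).get("pfs", "enable") != "disable":
                findings.append((peer, "pfs-enabled", esp))
    return findings
```

Changing 'pfs enable' to 'pfs disable' in HQ_CFG clears its only finding, and REMOTE_CFG is flagged for proposal 1 alone, since proposal 2 carries dh-group 14. Intersecting ike_proposals() for the two ends shows what IKE_SA_INIT can actually agree on; an empty set means the peers never get past phase 1, which matches the HQ router not listing the tunnel at all earlier in the thread.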

New Member
Posts: 30
Registered: ‎11-15-2015
Solutions: 1

Re: changing to ikev2 breaks IPSEC tunnel


Thanks for this, it resolved my issue. My config would work with ikev1, when I changed to ikev2, it would fail to come up. Disabling PFS and ALSO passing traffic with the above mentioned ping brought up the tunnel.

@whereisaaron Can you elaborate on how you found this? What message did you see in what log that made you conclude this?

@TriJetScud, do you know any reason why PFS would cause it to fail?

New Member
Posts: 30
Registered: ‎11-15-2015
Solutions: 1

Re: changing to ikev2 breaks IPSEC tunnel

A point that's possibly worth mentioning: one side of my VPN is behind NAT, which I believe without traversal screws up ESP negotiation? PFS is part of ESP so I don't know if it's related, even though I have traversal enabled on both sides.

 

FWIW I have edgerouter 1.9.1 on one side and VyOS 1.1.7 in an AWS VPC on the other side (1:1 NAT).

Member
Posts: 107
Registered: ‎05-22-2014
Kudos: 94
Solutions: 3

Re: changing to ikev2 breaks IPSEC tunnel

I think VyOS 1.1.x is still on StrongSwan 4.5.2, hence why PFS groups on IKEv2 breaks with EdgeOS. EdgeOS since 1.8 is using strongSwan for it's IKE marshaling daemon, and stongSwan prior to the 5.x series didn't support PFS in the ESP side of things, so that's why PFS is broken with IKEv2 with VyOS 1.1.x.