VTI on IKEv2 issue on 999.201802130337

#1

I tested IPSec using VTI and IKEv2 between VyOS and a Cisco router.

It seems IPSec came up completely (P1 and P2 were OK), but ping's behavior looks strange.

PING from VyOS to Cisco.
# Tunnel interface's subnet is 172.16.20.0/24.
a) ping 172.16.20.1 interface vti1   ---> Success.
b) ping 172.16.20.1 interface 172.16.20.2   ---> Failed.
PING from Cisco to VyOS.
c) ping 172.16.20.2 source tunnel 1  ---> Failed.
d) ping 172.16.20.2 source 172.16.20.1  ---> Failed.

IPSec Status:
Code:
vyos@VPN1:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
Global_IP1                            10.200.10.73

   Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
   ------  -----  -------------  -------  ----    -----  ------  ------  -----
   vti     up     252.0/5.7K     aes256   sha256_128 no     2160    3600    all


Cisco#sh crypto session
Crypto session current status

Interface: Tunnel1
Profile: IKEv2_Profile_VyOS
Session status: UP-ACTIVE
Peer: Global_IP2 port 1024
  Session ID: 1627
  IKEv2 SA: local 192.168.1.2/4500 remote Global_IP2/1024 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

Ping Results:
Code:
- Pattern a
vyos@VPN1:~$ ping 172.16.20.1 interface vti1
PING 172.16.20.1 (172.16.20.1) from 172.16.20.2 vti1: 56(84) bytes of data.
64 bytes from 172.16.20.1: icmp_seq=1 ttl=255 time=6.23 ms
64 bytes from 172.16.20.1: icmp_seq=2 ttl=255 time=6.42 ms
^C
--- 172.16.20.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 6.235/6.331/6.427/0.096 ms

- Pattern b
vyos@VPN1:~$ ping 172.16.20.1 interface 172.16.20.2
PING 172.16.20.1 (172.16.20.1) from 172.16.20.2 : 56(84) bytes of data.

^C
--- 172.16.20.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4005ms

- Pattern c
Cisco#ping 172.16.20.2 source tunnel 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.20.1
.....
Success rate is 0 percent (0/5)

- Pattern d
Cisco#ping 172.16.20.2 source 172.16.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.20.1
.....
Success rate is 0 percent (0/5)

VyOS Configuration:
Code:
set interfaces vti vti1 address '172.16.20.2/24'

set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '3600'
set vpn ipsec esp-group ESP mode 'tunnel'
set vpn ipsec esp-group ESP pfs 'dh-group14'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev2'
set vpn ipsec ike-group IKE lifetime '3600'
set vpn ipsec ike-group IKE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer Global_IP1 authentication id '10.200.10.73'
set vpn ipsec site-to-site peer Global_IP1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer Global_IP1 authentication pre-shared-secret 'password'
set vpn ipsec site-to-site peer Global_IP1 authentication remote-id '192.168.1.2'
set vpn ipsec site-to-site peer Global_IP1 connection-type 'initiate'
set vpn ipsec site-to-site peer Global_IP1 default-esp-group 'ESP'
set vpn ipsec site-to-site peer Global_IP1 ike-group 'IKE'
set vpn ipsec site-to-site peer Global_IP1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer Global_IP1 local-address '10.200.10.73'
set vpn ipsec site-to-site peer Global_IP1 vti bind 'vti1'
set vpn ipsec site-to-site peer Global_IP1 vti esp-group 'ESP'
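The four-pattern test above can be turned into a small triage script. This is an added example, not code from the original post or from VyOS: it parses the Linux (VyOS) and Cisco IOS ping summary lines in the formats quoted above (sample output constructed here in the same format) and maps the a to d outcome matrix onto a likely fault domain, so that "SA up, only interface-bound ping works" is not mistaken for an IKE problem.

```python
import re

# Constructed samples, same format as the transcripts quoted in the post.
LINUX_OK = """PING 172.16.20.1 (172.16.20.1) from 172.16.20.2 vti1: 56(84) bytes of data.
64 bytes from 172.16.20.1: icmp_seq=1 ttl=255 time=6.23 ms
--- 172.16.20.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
"""
LINUX_FAIL = """PING 172.16.20.1 (172.16.20.1) from 172.16.20.2 : 56(84) bytes of data.
--- 172.16.20.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4005ms
"""
CISCO_FAIL = """Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.20.1
.....
Success rate is 0 percent (0/5)
"""

_LINUX = re.compile(r"(\d+) packets transmitted, (\d+) received")
_CISCO = re.compile(r"Success rate is \d+ percent \((\d+)/(\d+)\)")


def ping_loss(output: str) -> float:
    """Packet loss as a fraction 0.0..1.0 from Linux or IOS ping output."""
    m = _LINUX.search(output)
    if m:                       # Linux: "<sent> transmitted, <rcvd> received"
        sent, rcvd = int(m.group(1)), int(m.group(2))
    else:                       # IOS: "Success rate is N percent (<rcvd>/<sent>)"
        m = _CISCO.search(output)
        if not m:
            raise ValueError("unrecognised ping output")
        rcvd, sent = int(m.group(1)), int(m.group(2))
    return 1.0 - rcvd / sent if sent else 1.0


def triage(sa_up: bool, loss: dict) -> str:
    """Map the a..d pattern results (pattern -> loss fraction) to a fault domain."""
    ok = {p for p, l in loss.items() if l < 1.0}
    if not sa_up:
        return "ike/esp: SA not established"
    if ok == set(loss):
        return "healthy"
    if not ok:
        return "sa up but nothing passes: check traffic selectors / ESP path"
    if ok == {"a"}:
        # Replies to (a) came back, so ESP works both ways; b, c, d all need the
        # VyOS side to send toward 172.16.20.1 without being pinned to vti1.
        return "vyos-originated traffic not steered into vti1: check routing, not IKE"
    return "partial: " + ", ".join(sorted(ok)) + " succeed"
```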