VyOS Test Environment Built

I completed setting up the test environment I described in the previous post. As described there, this is what I have sitting out there right now, using some newly added capacity at a couple of co-lo sites:

VyOS Test Environment – Co-lo

The hosts at each co-lo are re-purposed Dell R720s that look like this:

Dell R720 Hypervisors

Additionally, I spun up a few new instances at home to duplicate one of those sites:

VyOS Test Environment – Home

My server at home is well documented. It’s a Xeon-D-based Supermicro box.

Want a sneak peek at the crypto numbers between the two hosts at co-lo #1?

vyos-iperf-ipsec1

vyos-iperf-ipsec2

Not too shabby!


2 Comments

  1. syed
    April 13, 2017

    Just checking: have you tried GRE over IPsec between VyOS and Vyatta?
    Problem Description:
    =============
    GRE over IPsec between VyOS and Vyatta is not working; IKE is up but IPsec is down.

    GRE-IPSEC B/w VYOS and Vyatta:
    ====================

    Topology:
    =========

    VYOS(172.31.61.122)—1:1NAT GW —Y.Y.Y.Y———————GRE-IPSEC——————(X.X.X.X)—VYATTA

    WHERE X.X.X.X & Y.Y.Y.Y ARE PUBLIC IPs

    VYOS-STATIC-NAT-AWS:
    ====================

    wanclouds@VyOS-AMI-ZAYAD:~$ show configuration commands | grep vpn
    set vpn ipsec esp-group ESP-1W0 lifetime '86400'
    set vpn ipsec esp-group ESP-1W0 mode 'transport'
    set vpn ipsec esp-group ESP-1W0 pfs 'dh-group5'
    set vpn ipsec esp-group ESP-1W0 proposal 1 encryption '3des'
    set vpn ipsec esp-group ESP-1W0 proposal 1 hash 'md5'
    set vpn ipsec ike-group IKE-1W0 lifetime '86400'
    set vpn ipsec ike-group IKE-1W0 proposal 1 dh-group '5'
    set vpn ipsec ike-group IKE-1W0 proposal 1 encryption 'aes256'
    set vpn ipsec ike-group IKE-1W0 proposal 1 hash 'md5'
    set vpn ipsec ipsec-interfaces interface 'eth0'
    set vpn ipsec nat-traversal 'enable'
    set vpn ipsec site-to-site peer X.X.X.X authentication id '419b9c8ee2544d598bf209173640f934'
    set vpn ipsec site-to-site peer X.X.X.X authentication mode 'pre-shared-secret'
    set vpn ipsec site-to-site peer X.X.X.X authentication pre-shared-secret '62066c88582a411390965d7827d2780c'
    set vpn ipsec site-to-site peer X.X.X.X authentication remote-id '419b9c8ee2544d598bf209173640f934'
    set vpn ipsec site-to-site peer X.X.X.X default-esp-group 'ESP-1W0'
    set vpn ipsec site-to-site peer X.X.X.X ike-group 'IKE-1W0'
    set vpn ipsec site-to-site peer X.X.X.X local-address '172.31.61.122'
    set vpn ipsec site-to-site peer X.X.X.X tunnel 0 protocol 'gre'
    wanclouds@VyOS-AMI-ZAYAD:~$
    wanclouds@VyOS-AMI-ZAYAD:~$
    wanclouds@VyOS-AMI-ZAYAD:~$ show configuration commands | grep tunnel
    set interfaces tunnel tun0 address '172.168.100.198/24'
    set interfaces tunnel tun0 encapsulation 'gre'
    set interfaces tunnel tun0 local-ip '172.31.61.122'
    set interfaces tunnel tun0 multicast 'enable'
    set interfaces tunnel tun0 remote-ip 'X.X.X.X'
    set vpn ipsec site-to-site peer X.X.X.X tunnel 0 protocol 'gre'
    wanclouds@VyOS-AMI-ZAYAD:~$
    wanclouds@VyOS-AMI-ZAYAD:~$
    wanclouds@VyOS-AMI-ZAYAD:~$ show log
    log login
    wanclouds@VyOS-AMI-ZAYAD:~$ show vpn ike sa
    Peer ID / IP Local ID / IP
    ———— ————-
    X.X.X.X 172.31.61.122

    State Encrypt Hash D-H Grp NAT-T A-Time L-Time
    —– ——- —- ——- —– —— ——
    up aes256 md5 5 yes 3658 86400

    wanclouds@VyOS-AMI-ZAYAD:~$ show vpn ipsec sa
    Peer ID / IP Local ID / IP
    ———— ————-
    X.X.X.X 172.31.61.122

    Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
    —— —– ————- ——- —- —– —— —— —–
    0 down n/a n/a n/a yes 0 86400 gre

    wanclouds@VyOS-AMI-ZAYAD:~$ show log
    log login
    wanclouds@VyOS-AMI-ZAYAD:~$ show log tail -20
    Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #410: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #410: starting keying attempt 37 of an unlimited number
    Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #428: initiating Quick Mode PSK+ENCRYPT+PFS+UP to replace #410 {using isakmp#15}
    Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #15: ignoring informational payload, type INVALID_MESSAGE_ID
    Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #15: next payload type of ISAKMP Hash Payload has an unknown value: 58
    Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #15: malformed payload in packet
    Apr 11 21:30:47 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #15: ignoring informational payload, type INVALID_MESSAGE_ID
    Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: last message repeated 3 times
    Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #411: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #411: starting keying attempt 42 of an unlimited number
    Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #429: initiating Quick Mode PSK+ENCRYPT+PFS+UP to replace #411 {using isakmp#15}
    Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #15: next payload type of ISAKMP Hash Payload has an unknown value: 72
    Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #15: malformed payload in packet
    Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #15: ignoring informational payload, type INVALID_MESSAGE_ID
    Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #412: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #412: starting keying attempt 15 of an unlimited number
    Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #430: initiating Quick Mode PSK+ENCRYPT+PFS+UP to replace #412 {using isakmp#15}
    Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #15: ignoring informational payload, type INVALID_MESSAGE_ID
    Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #15: byte 2 of ISAKMP Hash Payload must be zero, but is not
    Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: “peer-X.X.X.X-tunnel-0” #15: malformed payload in packet
    wanclouds@VyOS-AMI-ZAYAD:~$
    wanclouds@VyOS-AMI-ZAYAD:~$

    VYATTA-PUBLIC-IP:
    ===============

    vyatta@gw-melbourne1-02-06-2016:~$ show configuration commands | grep vpn
    set vpn ipsec esp-group ESP-1W0 lifetime '86400'
    set vpn ipsec esp-group ESP-1W0 mode 'transport'
    set vpn ipsec esp-group ESP-1W0 pfs 'dh-group5'
    set vpn ipsec esp-group ESP-1W0 proposal 1 encryption '3des'
    set vpn ipsec esp-group ESP-1W0 proposal 1 hash 'md5'
    set vpn ipsec ike-group IKE-1W0 lifetime '86400'
    set vpn ipsec ike-group IKE-1W0 proposal 1 dh-group '5'
    set vpn ipsec ike-group IKE-1W0 proposal 1 encryption 'aes256'
    set vpn ipsec ike-group IKE-1W0 proposal 1 hash 'md5'
    set vpn ipsec ipsec-interfaces interface 'bond1v1'
    set vpn ipsec nat-traversal 'enable'
    set vpn ipsec site-to-site peer Y.Y.Y.Y authentication id '419b9c8ee2544d598bf209173640f934'
    set vpn ipsec site-to-site peer Y.Y.Y.Y authentication mode 'pre-shared-secret'
    set vpn ipsec site-to-site peer Y.Y.Y.Y authentication pre-shared-secret '62066c88582a411390965d7827d2780c'
    set vpn ipsec site-to-site peer Y.Y.Y.Y authentication remote-id '419b9c8ee2544d598bf209173640f934'
    set vpn ipsec site-to-site peer Y.Y.Y.Y default-esp-group 'ESP-1W0'
    set vpn ipsec site-to-site peer Y.Y.Y.Y ike-group 'IKE-1W0'
    set vpn ipsec site-to-site peer Y.Y.Y.Y local-address 'X.X.X.X'
    set vpn ipsec site-to-site peer Y.Y.Y.Y tunnel 0 protocol 'gre'
    vyatta@gw-melbourne1-02-06-2016:~$
    vyatta@gw-melbourne1-02-06-2016:~$
    vyatta@gw-melbourne1-02-06-2016:~$
    vyatta@gw-melbourne1-02-06-2016:~$ show configuration commands | grep tunnel
    set interfaces tunnel tun0 address '172.168.100.163/24'
    set interfaces tunnel tun0 encapsulation 'gre'
    set interfaces tunnel tun0 local-ip 'X.X.X.X'
    set interfaces tunnel tun0 multicast 'enable'
    set interfaces tunnel tun0 remote-ip 'Y.Y.Y.Y'
    set vpn ipsec site-to-site peer Y.Y.Y.Y tunnel 0 protocol 'gre'
    vyatta@gw-melbourne1-02-06-2016:~$
    vyatta@gw-melbourne1-02-06-2016:~$
    vyatta@gw-melbourne1-02-06-2016:~$ show vpn ike sa
    Peer ID / IP Local ID / IP
    ———— ————-
    Y.Y.Y.Y X.X.X.X

    State Encrypt Hash D-H Grp NAT-T A-Time L-Time
    —– ——- —- ——- —– —— ——
    up aes256 md5 5 yes 3377 86400

    vyatta@gw-melbourne1-02-06-2016:~$
    vyatta@gw-melbourne1-02-06-2016:~$ show vpn ipsec sa
    Peer ID / IP Local ID / IP
    ———— ————-
    Y.Y.Y.Y X.X.X.X

    Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
    —— —– ————- ——- —- —– —— —— —–
    0 down n/a n/a n/a yes 0 86400 gre

    vyatta@gw-melbourne1-02-06-2016:~$ show log tail -25
    Apr 11 16:32:18 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
    Apr 11 16:32:18 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[419b9c8ee2544d598bf209173640f934]:47/0…Y.Y.Y.Y:4500[419b9c8ee2544d598bf209173640f934]:47/0===172.31.61.122/32
    Apr 11 16:32:18 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: sending encrypted notification INVALID_ID_INFORMATION to Y.Y.Y.Y:4500
    Apr 11 16:32:19 gw-melbourne1-02-06-2016 sshd[10183]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.177.172.60 user=root
    Apr 11 16:32:20 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x8e4cb23d (perhaps this is a duplicated packet)
    Apr 11 16:32:20 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
    Apr 11 16:32:21 gw-melbourne1-02-06-2016 sshd[10181]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.177.172.60 user=root
    Apr 11 16:32:21 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x80a5a69d (perhaps this is a duplicated packet)
    Apr 11 16:32:21 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
    Apr 11 16:32:23 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[419b9c8ee2544d598bf209173640f934]:47/0…Y.Y.Y.Y:4500[419b9c8ee2544d598bf209173640f934]:47/0===172.31.61.122/32
    Apr 11 16:32:23 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: sending encrypted notification INVALID_ID_INFORMATION to Y.Y.Y.Y:4500
    Apr 11 16:32:24 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xe95143e1 (perhaps this is a duplicated packet)
    Apr 11 16:32:24 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
    Apr 11 16:32:25 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xac9835cc (perhaps this is a duplicated packet)
    Apr 11 16:32:25 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
    Apr 11 16:32:26 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1c6d8a04 (perhaps this is a duplicated packet)
    Apr 11 16:32:26 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
    Apr 11 16:32:28 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x10df76cd (perhaps this is a duplicated packet)
    Apr 11 16:32:28 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
    Apr 11 16:32:32 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x83384514 (perhaps this is a duplicated packet)
    Apr 11 16:32:32 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
    Apr 11 16:32:32 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[419b9c8ee2544d598bf209173640f934]:47/0…Y.Y.Y.Y:4500[419b9c8ee2544d598bf209173640f934]:47/0===172.31.61.122/32
    Apr 11 16:32:32 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: sending encrypted notification INVALID_ID_INFORMATION to Y.Y.Y.Y:4500
    Apr 11 16:32:33 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x142e7918 (perhaps this is a duplicated packet)
    Apr 11 16:32:33 gw-melbourne1-02-06-2016 pluto[7603]: “peer-Y.Y.Y.Y-tunnel-0” #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
    vyatta@gw-melbourne1-02-06-2016:~$
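The comment above ends with the two pluto logs but no analysis. As an added example (not code from the blog, the commenter, VyOS or Vyatta), here is a small Python triage script that parses pluto syslog lines of the shape shown, counts the Phase 2 failure classes per connection, pulls out the traffic selector the responder says it has no connection for, and separately tallies the sshd PAM failures that appear interleaved in the Vyatta log. The regexes, class labels, function names and the sample lines are my own assumptions; the sample is rebuilt from the comment's lines with documentation addresses (203.0.113.7 for the Vyatta side, 198.51.100.9 for the NAT public address, 192.0.2.200 for the SSH source) and a placeholder peer ID.

```python
"""Triage helper for Openswan/pluto (VyOS, Vyatta) IKEv1 Quick Mode failures.

Added example, not part of the blog or of VyOS/Vyatta. Regex shapes, labels
and sample data are assumptions built from the log excerpts in the comment.
"""
import re
from collections import Counter

# Connection-scoped pluto line, e.g.
#   Apr 11 16:32:18 host pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending ...
# Straight quotes (real syslog) and the curly quotes a rendered page shows are both accepted.
PLUTO_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[\d+\]: '
    r'[“"](?P<conn>[^”"]+)[”"] #(?P<sa>\d+): (?P<msg>.*)$'
)
# sshd PAM failure lines that share the same syslog file.
SSHD_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
    r'.*authentication failure.*rhost=(?P<rhost>\S+) user=(?P<user>\S+)'
)
# "no connection is known for LEFT...RIGHT===SUBNET"; pluto writes three dots,
# a rendered page may show a single ellipsis character.
NO_CONN_RE = re.compile(
    r'no connection is known for (?P<left>\S+?)(?:\.\.\.|…)(?P<right>\S+?)===(?P<subnet>\S+)'
)
# Each endpoint is IP:PORT[ID]:PROTO/PORT (PROTO 47 is GRE).
ENDPOINT_RE = re.compile(
    r'^(?P<ip>[^:\[]+):(?P<port>\d+)\[(?P<id>[^\]]*)\]:(?P<proto>\d+)/(?P<pport>\d+)$'
)
# Ordered (substring, label) pairs; the first match wins.
FAILURE_CLASSES = (
    ("no connection is known for", "responder_no_matching_connection"),
    ("INVALID_ID_INFORMATION", "invalid_id_information"),
    ("previously used Message ID", "duplicate_message_id"),
    ("INVALID_MESSAGE_ID", "invalid_message_id"),
    ("malformed payload", "malformed_payload"),
    ("STATE_QUICK_I1", "quick_mode_no_response"),
)


def classify(msg):
    """Map a pluto message to one of the failure classes above, else 'other'."""
    for needle, label in FAILURE_CLASSES:
        if needle in msg:
            return label
    return "other"


def parse_endpoint(text):
    """Split 'IP:PORT[ID]:PROTO/PORT' into a dict; None if it does not fit."""
    m = ENDPOINT_RE.match(text)
    if not m:
        return None
    d = m.groupdict()
    for k in ("port", "proto", "pport"):
        d[k] = int(d[k])
    return d


def triage(lines):
    """Summarise syslog lines: failure counts per connection, rejected selectors, SSH failures."""
    counts, rejected, ssh_fail = Counter(), [], Counter()
    for line in lines:
        line = line.strip()
        m = PLUTO_RE.match(line)
        if m:
            msg = m.group("msg")
            counts[(m.group("conn"), classify(msg))] += 1
            nc = NO_CONN_RE.search(msg)
            if nc:
                left, right = parse_endpoint(nc.group("left")), parse_endpoint(nc.group("right"))
                if left and right:
                    rejected.append({"left": left, "right": right, "subnet": nc.group("subnet")})
            continue
        m = SSHD_RE.match(line)
        if m:
            ssh_fail[(m.group("rhost"), m.group("user"))] += 1
    return {"counts": counts, "rejected": rejected, "ssh_fail": ssh_fail}


def nat_selector_mismatch(selector, local_address):
    """True when the rejected selector's host is the initiator's configured
    local-address but neither IKE endpoint carries that address: the pattern a
    transport-mode peer behind 1:1 NAT produces when it proposes its private
    address while IKE arrives from the NAT's public one."""
    host = selector["subnet"].split("/")[0]
    endpoints = {selector["left"]["ip"], selector["right"]["ip"]}
    return host == local_address and local_address not in endpoints


# Constructed sample, shaped like the comment's excerpts (documentation addresses).
SAMPLE_LOG = """\
Apr 11 16:32:18 gw-test pluto[7603]: "peer-198.51.100.9-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to 198.51.100.9:4500
Apr 11 16:32:18 gw-test pluto[7603]: "peer-198.51.100.9-tunnel-0" #1: cannot respond to IPsec SA request because no connection is known for 203.0.113.7:4500[ID0]:47/0...198.51.100.9:4500[ID0]:47/0===172.31.61.122/32
Apr 11 16:32:18 gw-test pluto[7603]: "peer-198.51.100.9-tunnel-0" #1: sending encrypted notification INVALID_ID_INFORMATION to 198.51.100.9:4500
Apr 11 16:32:19 gw-test sshd[10183]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.200 user=root
Apr 11 16:32:20 gw-test pluto[7603]: "peer-198.51.100.9-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x8e4cb23d (perhaps this is a duplicated packet)
Apr 11 16:32:20 gw-test pluto[7603]: "peer-198.51.100.9-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to 198.51.100.9:4500
Apr 11 21:30:45 vyos-test pluto[12059]: "peer-203.0.113.7-tunnel-0" #410: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Apr 11 21:30:45 vyos-test pluto[12059]: "peer-203.0.113.7-tunnel-0" #15: malformed payload in packet
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for (conn, label), n in sorted(result["counts"].items()):
        print(f"{conn}: {label} x{n}")
    for sel in result["rejected"]:
        print("rejected selector:", sel["left"]["ip"], "->", sel["right"]["ip"],
              "proto", sel["left"]["proto"], "subnet", sel["subnet"],
              "nat mismatch vs 172.31.61.122:", nat_selector_mismatch(sel, "172.31.61.122"))
    for (rhost, user), n in result["ssh_fail"].items():
        print(f"sshd failures from {rhost} for {user}: {n}")
```

On the comment's own output the rejected selector reads X.X.X.X:4500[...]:47/0...Y.Y.Y.Y:4500[...]:47/0===172.31.61.122/32: the responder at X.X.X.X sees IKE arriving from the NAT address Y.Y.Y.Y, while the Phase 2 proposal names the VyOS private local-address 172.31.61.122 for protocol 47 (GRE). `nat_selector_mismatch` flags exactly that combination so it can be checked against the `local-address` lines on both sides before digging into proposal details. The sshd tally is there because the same Vyatta log already shows repeated root password failures from one remote host, which deserves its own ticket regardless of the tunnel.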
