VyOS Testing – DMVPN

Tonight, I set up a small VyOS DMVPN environment:

VyOS DMVPN Test - Hypervisor

All of the VyOS instances are set up in the same manner as the previous tests I’ve been doing (1 core, 512MB RAM, 8GB Disk).  You can see the other stuff I’ve been doing here.

Logically, the environment looks like this:

VyOS DMVPN Test - Logical

This is a simple topology, where all four VyOS instances are connected to the common VLAN (VL255) as the “physical” transit medium.  The networks behind each of the three Spoke instances are logically separated, VLANs 1001, 1002, and 1003.  Each of those networks has a small Ubuntu VM attached so that I can run iperf through each portion of the environment.

Configuration is pretty simple.  I basically used the template from the VyOS Wiki, substituting my own localized addressing:

VyOS HUB:

set system host-name 'VyOS-Hub'
set interfaces ethernet eth0 address '10.0.255.1/24'
set interfaces ethernet eth0 description 'Outside'
set interfaces tunnel tun0 address '10.0.0.1/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '10.0.255.1'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key '1'
set protocols bgp 65000 neighbor 10.0.0.11 peer-group 'DMVPNPEERS'
set protocols bgp 65000 neighbor 10.0.0.12 peer-group 'DMVPNPEERS'
set protocols bgp 65000 neighbor 10.0.0.13 peer-group 'DMVPNPEERS'
set protocols bgp 65000 parameters router-id '10.0.0.1'
set protocols bgp 65000 peer-group DMVPNPEERS 'passive'
set protocols bgp 65000 peer-group DMVPNPEERS remote-as '65000'
set protocols bgp 65000 peer-group DMVPNPEERS 'route-reflector-client'
set protocols bgp 65000 peer-group DMVPNPEERS soft-reconfiguration 'inbound'
set protocols bgp 65000 peer-group DMVPNPEERS update-source '10.0.0.1'
set protocols nhrp tunnel tun0 cisco-authentication 'SECRET'
set protocols nhrp tunnel tun0 holding-time '300'
set protocols nhrp tunnel tun0 multicast 'dynamic'
set protocols nhrp tunnel tun0 'redirect'
set vpn ipsec esp-group ESP-HUB1 compression 'disable'
set vpn ipsec esp-group ESP-HUB1 lifetime '1800'
set vpn ipsec esp-group ESP-HUB1 mode 'tunnel'
set vpn ipsec esp-group ESP-HUB1 pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB1 proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-HUB1 proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB1 proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-HUB1 ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB1 key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB1 lifetime '3600'
set vpn ipsec ike-group IKE-HUB1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB1 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB1 proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-HUB1 proposal 2 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'SECRET'
set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB1'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB1'

VyOS Spoke1:

set system host-name 'VyOS-Spoke1'
set interfaces ethernet eth0 address '10.0.255.11/24'
set interfaces ethernet eth0 description 'Outside'
set interfaces ethernet eth1 address '10.0.1.1/24'
set interfaces ethernet eth1 description 'Inside'
set interfaces tunnel tun0 address '10.0.0.11/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '10.0.255.11'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key '1'
set protocols bgp 65000 neighbor 10.0.0.1 remote-as '65000'
set protocols bgp 65000 neighbor 10.0.0.1 update-source '10.0.0.11'
set protocols bgp 65000 network '10.0.1.0/24'
set protocols bgp 65000 parameters router-id '10.0.0.11'
set protocols nhrp tunnel tun0 cisco-authentication 'SECRET'
set protocols nhrp tunnel tun0 map 10.0.0.1/24 nbma-address '10.0.255.1'
set protocols nhrp tunnel tun0 map 10.0.0.1/24 'register'
set protocols nhrp tunnel tun0 multicast 'nhs'
set protocols nhrp tunnel tun0 'redirect'
set protocols nhrp tunnel tun0 'shortcut'
set vpn ipsec esp-group ESP-SPOKE1 compression 'disable'
set vpn ipsec esp-group ESP-SPOKE1 lifetime '1800'
set vpn ipsec esp-group ESP-SPOKE1 mode 'tunnel'
set vpn ipsec esp-group ESP-SPOKE1 pfs 'dh-group2'
set vpn ipsec esp-group ESP-SPOKE1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-SPOKE1 proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-SPOKE1 proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-SPOKE1 proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-SPOKE1 ikev2-reauth 'no'
set vpn ipsec ike-group IKE-SPOKE1 key-exchange 'ikev1'
set vpn ipsec ike-group IKE-SPOKE1 lifetime '3600'
set vpn ipsec ike-group IKE-SPOKE1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-SPOKE1 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-SPOKE1 proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-SPOKE1 proposal 2 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'SECRET'
set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
set vpn ipsec profile NHRPVPN esp-group 'ESP-SPOKE1'
set vpn ipsec profile NHRPVPN ike-group 'IKE-SPOKE1'

Spokes 2 & 3 use an identical configuration to Spoke 1.
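A review check for the IPsec and NHRP settings in the configurations above, as an added example that is not part of the original post or of VyOS: it parses `set` commands and flags the 3des/md5 fallback proposals, dh-group2 PFS, IKEv1, short pre-shared secrets, and NHRP tunnels that have no IPsec profile bound. The weak-value lists, the 20-character threshold and the embedded sample (a subset of the Hub configuration) are the reviewer's assumptions.

```python
import shlex

# Constructed sample: a subset of the Hub configuration shown in the post.
HUB_CONFIG = """\
set interfaces tunnel tun0 encapsulation 'gre'
set protocols nhrp tunnel tun0 cisco-authentication 'SECRET'
set vpn ipsec esp-group ESP-HUB1 pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB1 proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-HUB1 proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB1 proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-HUB1 key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB1 proposal 1 hash 'sha1'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'SECRET'
set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB1'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB1'
"""

# Reviewer's criteria (assumptions, not VyOS defaults or the post's advice).
WEAK_ENCRYPTION = {"3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP groups
MIN_PSK_LENGTH = 20

# (command path with None as wildcard, predicate on the value, finding code)
RULES = [
    (("vpn", "ipsec", None, None, "proposal", None, "encryption"),
     lambda v: v in WEAK_ENCRYPTION, "weak-encryption"),
    (("vpn", "ipsec", None, None, "proposal", None, "hash"),
     lambda v: v in WEAK_HASH, "weak-hash"),
    (("vpn", "ipsec", "esp-group", None, "pfs"),
     lambda v: v.replace("dh-group", "") in WEAK_DH_GROUPS, "weak-dh-group"),
    (("vpn", "ipsec", "ike-group", None, "proposal", None, "dh-group"),
     lambda v: v in WEAK_DH_GROUPS, "weak-dh-group"),
    (("vpn", "ipsec", "ike-group", None, "key-exchange"),
     lambda v: v == "ikev1", "ikev1"),
    (("vpn", "ipsec", "profile", None, "authentication", "pre-shared-secret"),
     lambda v: len(v) < MIN_PSK_LENGTH, "short-psk"),
]


def parse_set_commands(text):
    """Return the tokens after 'set' for every configuration command."""
    commands = []
    for line in text.splitlines():
        tokens = shlex.split(line)  # handles the single-quoted values
        if tokens[:1] == ["set"] and len(tokens) > 2:
            commands.append(tokens[1:])
    return commands


def path_matches(cmd, pattern):
    """True when cmd is exactly pattern followed by one value token."""
    return len(cmd) == len(pattern) + 1 and all(
        want is None or want == got for want, got in zip(pattern, cmd))


def audit(text):
    """Return (code, config path, value) findings in configuration order."""
    findings = []
    nhrp_tunnels, ipsec_bound = set(), set()
    for cmd in parse_set_commands(text):
        path, value = " ".join(cmd[:-1]), cmd[-1]
        for pattern, is_weak, code in RULES:
            if path_matches(cmd, pattern) and is_weak(value):
                # Never echo a secret into a report; show its length only.
                shown = f"<{len(value)} chars>" if code == "short-psk" else value
                findings.append((code, path, shown))
        if cmd[:3] == ["protocols", "nhrp", "tunnel"] and len(cmd) > 3:
            nhrp_tunnels.add(cmd[3])
        if path_matches(cmd, ("vpn", "ipsec", "profile", None, "bind", "tunnel")):
            ipsec_bound.add(value)
    # cisco-authentication is a plaintext password carried inside NHRP packets,
    # so an NHRP tunnel with no IPsec profile bound exposes it on the transit.
    for tunnel in sorted(nhrp_tunnels - ipsec_bound):
        findings.append(("nhrp-without-ipsec", f"protocols nhrp tunnel {tunnel}", ""))
    return findings


if __name__ == "__main__":
    for code, path, value in audit(HUB_CONFIG):
        print(f"{code:20} {path} {value}".rstrip())
```

Feed it the output of `show configuration commands` from each router; a Spoke that falls back to proposal 2 negotiates 3des/md5 even though proposal 1 is aes256.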

You’ll notice that instead of adding static routes, I’m running BGP between each Spoke and the Hub router, but not between spokes.  I made some decisions in setting up BGP on the Hub that I’d like to review:

  • I’m using iBGP on my DMVPN cloud.
  • I’ve set up a PEER-GROUP on the Hub router.  This minimizes the amount of configuration I need to do for each BGP peer – which will end up being however many Spokes you end up with.  In this manner, when I want to add a new spoke, I simply add one statement to the config:

set protocols bgp 65000 neighbor 10.0.0.11 peer-group 'DMVPNPEERS'

  • As part of my PEER-GROUP definition, I’ve told BGP that all members of the group are to be treated as route-reflector-clients.  Ordinarily, in iBGP, there’s a requirement for a full mesh.  Using the Route Reflector feature lets me get around this, telling my Hub to re-advertise all of the Spoke learned routes to all of the other Spokes.

Under normal circumstances, an iBGP router will not advertise routes learned from one iBGP speaker to a second iBGP speaker.

To illustrate, I’ve temporarily removed the route-reflector-client statement from the config on my Hub router.  You can see that the Hub has all of his BGP sessions up, and has installed the learned routes into his own table:

 

VyOS-Hub:~$ sh ip bgp sum
BGP router identifier 10.0.0.1, local AS number 65000
IPv4 Unicast - max multipaths: ebgp 1 ibgp 1
RIB entries 5, using 480 bytes of memory
Peers 3, using 13 KiB of memory
Peer groups 1, using 32 bytes of memory
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.11       4 65000     109     114        0    0    0 00:06:33        1
10.0.0.12       4 65000     109     114        0    0    0 00:06:37        1
10.0.0.13       4 65000     107     112        0    0    0 00:04:39        1
Total number of neighbors 3

VyOS-Hub:~$ sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route
C>* 10.0.0.0/24 is directly connected, tun0
B>* 10.0.1.0/24 [200/1] via 10.0.0.11, tun0, 00:06:35
B>* 10.0.2.0/24 [200/1] via 10.0.0.12, tun0, 00:06:39
B>* 10.0.3.0/24 [200/1] via 10.0.0.13, tun0, 00:04:41
C>* 10.0.255.0/24 is directly connected, eth0
C>* 127.0.0.0/8 is directly connected, lo

If we run the same commands on one of the Spoke routers, though, we see something different:

VyOS-Spoke1:~$ sh ip bgp sum
BGP router identifier 10.0.0.11, local AS number 65000
IPv4 Unicast - max multipaths: ebgp 1 ibgp 1
RIB entries 1, using 96 bytes of memory
Peers 1, using 4560 bytes of memory
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.1        4 65000     116     117        0    0    0 00:10:20        0
Total number of neighbors 1

vyos@VyOS-Spoke1:~$ sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route
C>* 10.0.0.0/24 is directly connected, tun0
C>* 10.0.1.0/24 is directly connected, eth1
C>* 10.0.255.0/24 is directly connected, eth0
C>* 127.0.0.0/8 is directly connected, lo

When we use route-reflector-client, we tell BGP to relax its iBGP re-advertisement restrictions.  When I add it back to my peer-group definition on the Hub router, and wait for the BGP sessions to reset, Spoke1 looks a lot better:

VyOS-Spoke1:~$ sh ip bgp sum
BGP router identifier 10.0.0.11, local AS number 65000
IPv4 Unicast - max multipaths: ebgp 1 ibgp 1
RIB entries 5, using 480 bytes of memory
Peers 1, using 4560 bytes of memory
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.1        4 65000     126     126        0    0    0 00:02:03        2
Total number of neighbors 1

vyos@VyOS-Spoke1:~$ sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route
S>* 0.0.0.0/0 [1/0] via 10.0.100.1, eth0
C>* 10.0.0.0/24 is directly connected, tun0
C>* 10.0.1.0/24 is directly connected, eth1
B>* 10.0.2.0/24 [200/1] via 10.0.0.12, tun0, 00:00:05
B>* 10.0.3.0/24 [200/1] via 10.0.0.13, tun0, 00:02:00
C>* 10.0.255.0/24 is directly connected, eth0
C>* 127.0.0.0/8 is directly connected, lo

So the routes are now back – and pay particular attention to the next-hop, which I highlighted in green.

This is a useful element of route-reflection.  One of the rules for performing route-reflection is that the BGP speaker is NOT allowed to alter the next-hop address when re-advertising.

This is exactly the behavior we’re looking for in a DMVPN environment, as it preserves the correct tunnel address of the Spoke that originates the route.  This is what allows direct forwarding between spokes, rather than having to send traffic through the Hub as an intermediate hop.
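The re-advertisement rules described above, modelled as an added example that is not part of the original post: it reproduces what Spoke1 receives from the Hub without and with route-reflector-client, and shows the tunnel path that results. The `next_hop_self` switch is a hypothetical contrast (a Hub that rewrites the next hop to itself), and all function names are illustrative.

```python
from dataclasses import dataclass

HUB = "10.0.0.1"
# Tunnel address of each Spoke -> inside network it originates
# (addressing taken from the post).
SPOKES = {
    "10.0.0.11": "10.0.1.0/24",
    "10.0.0.12": "10.0.2.0/24",
    "10.0.0.13": "10.0.3.0/24",
}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str      # tunnel address traffic for the prefix is sent to
    learned_from: str  # iBGP peer the route was received from


def hub_rib():
    """Routes the Hub learns: each Spoke advertises its network, next hop itself."""
    return [Route(prefix, spoke, spoke) for spoke, prefix in SPOKES.items()]


def hub_advertises(to_peer, rr_clients=frozenset(), next_hop_self=False):
    """Routes the Hub sends to one iBGP peer.

    Plain iBGP: a route learned from an iBGP peer is not passed to another
    iBGP peer. Route reflection: it is passed on when the sender or the
    receiver is a route-reflector client, with the next hop left untouched.
    """
    adverts = []
    for route in hub_rib():
        if route.learned_from == to_peer:
            continue  # never send a route back to the peer it came from
        reflect = route.learned_from in rr_clients or to_peer in rr_clients
        if not reflect:
            continue
        next_hop = HUB if next_hop_self else route.next_hop
        adverts.append(Route(route.prefix, next_hop, HUB))
    return adverts


def spoke_table(spoke, **hub_options):
    """BGP routes a Spoke installs, as prefix -> next hop."""
    return {r.prefix: r.next_hop for r in hub_advertises(spoke, **hub_options)}


def tunnel_path(src_spoke, prefix, table):
    """Tunnel hops from src_spoke to the Spoke owning prefix, None if no route."""
    owner = next(s for s, p in SPOKES.items() if p == prefix)
    next_hop = table.get(prefix)
    if next_hop is None:
        return None
    path = [src_spoke, next_hop]
    if next_hop != owner:
        path.append(owner)  # the Hub forwards on to the real owner
    return path


if __name__ == "__main__":
    clients = frozenset(SPOKES)
    cases = [
        ("no route reflection", {}),
        ("route-reflector-client", {"rr_clients": clients}),
        ("reflection + next hop rewritten", {"rr_clients": clients,
                                             "next_hop_self": True}),
    ]
    for label, options in cases:
        table = spoke_table("10.0.0.11", **options)
        print(label, table, tunnel_path("10.0.0.11", "10.0.2.0/24", table))
```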

Most DMVPN deployments are obviously Cisco environments, and more often than not, they rely on EIGRP.  I don’t have any heartburn with EIGRP, generally speaking, and I do like to use it for DMVPN, but to get this specific behavior, you have to do two things:

  • Disable split-horizons on the Tunnel interface
  • Disable ‘next-hop-self’ on the Tunnel interface

With BGP, we can get to the same place.

From the Hub router, you can see all of the NHRP registrations that came in from the Spokes:

VyOS-Hub:~$ sh nhrp tunnel
Status: ok
Interface: tun0
Type: local
Protocol-Address: 10.0.0.255/32
Alias-Address: 10.0.0.1
Flags: up

Interface: tun0
Type: local
Protocol-Address: 10.0.0.1/32
Flags: up

Interface: tun0
Type: dynamic
Protocol-Address: 10.0.0.13/32
NBMA-Address: 10.0.255.13
Flags: up
Expires-In: 118:38

Interface: tun0
Type: dynamic
Protocol-Address: 10.0.0.12/32
NBMA-Address: 10.0.255.12
Flags: up
Expires-In: 118:33

Interface: tun0
Type: dynamic
Protocol-Address: 10.0.0.11/32
NBMA-Address: 10.0.255.11
Flags: up
Expires-In: 118:22

The Spoke routers show the same mappings:

VyOS-Spoke1:~$ sh nhrp tun
Status: ok
Interface: tun0
Type: local
Protocol-Address: 10.0.0.255/32
Alias-Address: 10.0.0.11
Flags: up

Interface: tun0
Type: local
Protocol-Address: 10.0.0.11/32
Flags: up

Interface: tun0
Type: cached
Protocol-Address: 10.0.0.12/32
NBMA-Address: 10.0.255.12
Flags: up
Expires-In: 85:20

Interface: tun0
Type: cached
Protocol-Address: 10.0.0.13/32
NBMA-Address: 10.0.255.13
Flags: up
Expires-In: 84:46

Interface: tun0
Type: static
Protocol-Address: 10.0.0.1/24
NBMA-Address: 10.0.255.1
Flags: used up

After I got everything up and running, I did some simultaneous bi-directional iperf testing from each of the three test VMs.  Here’s what that looked like (and I sorted the results to make them easier to read):

vyos-1-1:~$ iperf -c 10.0.2.10 -p 5002 -t 60 -i 10 -d
------------------------------------------------------------
Server listening on TCP port 5002
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
------------------------------------------------------------
Client connecting to 10.0.2.10, TCP port 5002
TCP window size:  178 KByte (default)
------------------------------------------------------------
[  4] local 10.0.1.10 port 5002 connected with 10.0.2.10 port 34168
[  5] local 10.0.1.10 port 33472 connected with 10.0.2.10 port 5002
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.0 sec   177 MBytes   148 Mbits/sec
[  4] 10.0-20.0 sec   131 MBytes   110 Mbits/sec
[  4] 20.0-30.0 sec   134 MBytes   112 Mbits/sec
[  4] 30.0-40.0 sec   129 MBytes   108 Mbits/sec
[  4] 40.0-50.0 sec   137 MBytes   115 Mbits/sec
[  4] 50.0-60.0 sec   184 MBytes   154 Mbits/sec
[  5]  0.0-10.0 sec  99.6 MBytes  83.6 Mbits/sec
[  5] 10.0-20.0 sec   124 MBytes   104 Mbits/sec
[  5] 20.0-30.0 sec   128 MBytes   108 Mbits/sec
[  5] 30.0-40.0 sec   130 MBytes   109 Mbits/sec
[  5] 40.0-50.0 sec   112 MBytes  94.1 Mbits/sec
[  5] 50.0-60.0 sec  76.4 MBytes  64.1 Mbits/sec

[  4]  0.0-60.1 sec   895 MBytes   125 Mbits/sec
[  5]  0.0-60.0 sec   670 MBytes  93.6 Mbits/sec

vyos-2-2:~$ iperf -c 10.0.3.10 -p 5003 -t 60 -i 10 -d
------------------------------------------------------------
Server listening on TCP port 5003
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
------------------------------------------------------------
Client connecting to 10.0.3.10, TCP port 5003
TCP window size: 85.0 KByte (default)
------------------------------------------------------------
[  4] local 10.0.2.10 port 5003 connected with 10.0.3.10 port 43638
[  5] local 10.0.2.10 port 53328 connected with 10.0.3.10 port 5003
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.0 sec   181 MBytes   152 Mbits/sec
[  4] 10.0-20.0 sec   151 MBytes   127 Mbits/sec
[  4] 20.0-30.0 sec   133 MBytes   112 Mbits/sec
[  4] 30.0-40.0 sec   145 MBytes   122 Mbits/sec
[  4] 40.0-50.0 sec   137 MBytes   115 Mbits/sec
[  4] 50.0-60.0 sec   149 MBytes   125 Mbits/sec
[  5]  0.0-10.0 sec  54.5 MBytes  45.7 Mbits/sec
[  5] 10.0-20.0 sec  91.8 MBytes  77.0 Mbits/sec
[  5] 20.0-30.0 sec   129 MBytes   108 Mbits/sec
[  5] 30.0-40.0 sec   122 MBytes   102 Mbits/sec
[  5] 40.0-50.0 sec   126 MBytes   106 Mbits/sec
[  5] 50.0-60.0 sec   144 MBytes   121 Mbits/sec

[  4]  0.0-60.2 sec   900 MBytes   125 Mbits/sec
[  5]  0.0-60.1 sec   667 MBytes  93.1 Mbits/sec

vyos-3-3:~$ iperf -c 10.0.1.10 -p 5001 -t 60 -i 10 -d
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
------------------------------------------------------------
Client connecting to 10.0.1.10, TCP port 5001
TCP window size:  238 KByte (default)
------------------------------------------------------------
[  4] local 10.0.3.10 port 5001 connected with 10.0.1.10 port 38362
[  5] local 10.0.3.10 port 57486 connected with 10.0.1.10 port 5001
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-10.0 sec   179 MBytes   150 Mbits/sec
[  4] 10.0-20.0 sec   177 MBytes   149 Mbits/sec
[  4] 20.0-30.0 sec   167 MBytes   140 Mbits/sec
[  4] 30.0-40.0 sec   137 MBytes   115 Mbits/sec
[  4] 40.0-50.0 sec   142 MBytes   119 Mbits/sec
[  4] 50.0-60.0 sec  89.0 MBytes  74.7 Mbits/sec
[  5]  0.0-10.0 sec   147 MBytes   124 Mbits/sec
[  5] 10.0-20.0 sec   112 MBytes  93.8 Mbits/sec
[  5] 20.0-30.0 sec   104 MBytes  87.1 Mbits/sec
[  5] 30.0-40.0 sec   114 MBytes  95.2 Mbits/sec
[  5] 40.0-50.0 sec   122 MBytes   102 Mbits/sec
[  5] 50.0-60.0 sec   163 MBytes   137 Mbits/sec

[  4]  0.0-60.3 sec   894 MBytes   124 Mbits/sec
[  5]  0.0-60.0 sec   762 MBytes   106 Mbits/sec
war Written by:

10 Comments

  1. Thiyagu
    September 29, 2016

    Awesome…

  2. October 6, 2016

    Hello,

    Great write up. One minor thing though regarding your statement “This is what allows direct forwarding between spokes, rather than having to send traffic through the Hub as an intermediate hop.”

    This is misleading and somewhat incorrect. NHRP supports direct forwarding of spokes to each other natively without the use of BGP via the commands “set protocols nhrp tunnel tun0 'redirect'” and “set protocols nhrp tunnel tun0 'shortcut'”.

    My spokes get periodic updates from the HUB on routes; however, they route directly to each other as a “shortcut”. I am not using BGP. One thing to remember is you need to add an incoming rule and allow GRE on all the spokes so they can create direct routes and talk directly to each other until their cache expires and they need to get new updates from the HUB. Great feature, as if the hub goes down all the spokes will continue to route direct to each other until they get new updates from the HUB.

    Happy VyOS’ing!

    • October 6, 2016

      I think we’re talking about different things.

      I didn’t mean to suggest that BGP (or another routing protocol) was necessary for each of the spokes to find each other’s tunnel endpoints. That is absolutely the function of NHRP, mapping the tunnel addresses to the underlying transport addresses…

      I’m referring to the networks that lie behind each of the DMVPN spokes.

      Referring to the logical diagram above, absent a routing protocol advertising each of the inside networks…

      – 10.0.1.0/24
      – 10.0.2.0/24
      – 10.0.3.0/24

      …Host1 (10.0.1.10) would not be able to reach Host2 (10.0.2.10) or Host3 (10.0.3.10).

      Certainly, from VyOS1’s tunnel address (10.0.0.11) I would be able to ping the VyOS2 and VyOS3 tunnel addresses, 10.0.0.12 & 10.0.0.13 respectively. NHRP is the only thing needed for that – but NHRP does not convey any information beyond that.

  3. syed faizullah
    October 9, 2016

    Thanks for your post. Is the VPN IPsec supported/tested/verified behind NAT? NHRP is working fine, but not VPN IPsec.

    Topology (both devices behind static NAT):
    Hub(AWS)—————(AWS)Spoke

    vyos@VyOS-AMI-SYED:~$ show configuration commands | grep tunnel
    set interfaces tunnel tun0 address '172.16.200.1/24'
    set interfaces tunnel tun0 encapsulation 'gre'
    set interfaces tunnel tun0 local-ip '172.31.30.23'
    set interfaces tunnel tun0 multicast 'enable'
    set protocols nhrp tunnel tun0 multicast 'dynamic'
    set protocols nhrp tunnel tun0 'redirect'
    set vpn ipsec esp-group ESP-1H mode 'tunnel'
    set vpn ipsec profile DMVPN bind tunnel 'tun0'
    vyos@VyOS-AMI-SYED:~$
    vyos@VyOS-AMI-SYED:~$
    vyos@VyOS-AMI-SYED:~$ show configuration commands | grep vpn
    set vpn ipsec esp-group ESP-1H compression 'disable'
    set vpn ipsec esp-group ESP-1H lifetime '30'
    set vpn ipsec esp-group ESP-1H mode 'tunnel'
    set vpn ipsec esp-group ESP-1H pfs 'dh-group5'
    set vpn ipsec esp-group ESP-1H proposal 1 encryption 'aes256'
    set vpn ipsec esp-group ESP-1H proposal 1 hash 'sha1'
    set vpn ipsec esp-group ESP-1H proposal 2 encryption '3des'
    set vpn ipsec esp-group ESP-1H proposal 2 hash 'md5'
    set vpn ipsec ike-group IKE-1H key-exchange 'ikev1'
    set vpn ipsec ike-group IKE-1H lifetime '30'
    set vpn ipsec ike-group IKE-1H proposal 1 encryption 'aes256'
    set vpn ipsec ike-group IKE-1H proposal 1 hash 'sha1'
    set vpn ipsec ike-group IKE-1H proposal 2 encryption 'aes256'
    set vpn ipsec ike-group IKE-1H proposal 2 hash 'md5'
    set vpn ipsec ipsec-interfaces interface 'eth0'
    set vpn ipsec nat-traversal 'enable'
    set vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'
    set vpn ipsec profile DMVPN authentication pre-shared-secret 'NET123'
    set vpn ipsec profile DMVPN bind tunnel 'tun0'
    set vpn ipsec profile DMVPN esp-group 'ESP-1H'
    set vpn ipsec profile DMVPN ike-group 'IKE-1H'
    vyos@VyOS-AMI-SYED:~$
    vyos@VyOS-AMI-SYED:~$
    vyos@VyOS-AMI-SYED:~$ show configuration commands | grep bgp
    set protocols bgp 64615 neighbor 172.16.200.2 'nexthop-self'
    set protocols bgp 64615 neighbor 172.16.200.2 password 'BGPpassword'
    set protocols bgp 64615 neighbor 172.16.200.2 remote-as '64757'
    set protocols bgp 64615 neighbor 172.16.200.2 update-source '172.16.200.1'
    vyos@VyOS-AMI-SYED:~$
    vyos@VyOS-AMI-SYED:~$
    vyos@VyOS-AMI-SYED:~$ show cry

    Invalid command: show [cry]

    vyos@VyOS-AMI-SYED:~$ show vpn ipsec sa
    Peer ID / IP Local ID / IP
    ———— ————-
    0.0.0.0 172.31.30.23

    Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
    —— —– ————- ——- —- —– —— —— —–
    tun0 down n/a n/a n/a no 0 30 gre

    vyos@VyOS-AMI-SYED:~$ show ip bgp summary
    BGP router identifier 172.31.30.23, local AS number 64615
    IPv4 Unicast – max multipaths: ebgp 1 ibgp 1
    RIB entries 0, using 0 bytes of memory
    Peers 1, using 4560 bytes of memory

    Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
    172.16.200.2 4 64757 1704 1705 0 0 0 1d04h22m 0

    Total number of neighbors 1
    vyos@VyOS-AMI-SYED:~$
    vyos@VyOS-AMI-SYED:~$ show nhrp tunnel
    Status: ok

    Interface: tun0
    Type: local
    Protocol-Address: 172.16.200.255/32
    Alias-Address: 172.16.200.1
    Flags: up

    Interface: tun0
    Type: local
    Protocol-Address: 172.16.200.1/32
    Flags: up

    Interface: tun0
    Type: dynamic
    Protocol-Address: 172.16.200.2/32
    NBMA-Address: 54.172.31.11
    NBMA-NAT-OA-Address: 172.31.61.122
    Flags: up
    Expires-In: 107:18

    vyos@VyOS-AMI-SYED:~$ show log vpn all
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
    Oct 8 22:51:44 VyOS-AMI-SYED ipsec_starter[8780]: pluto (8782) started after 20 ms
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: including NAT-Traversal patch (Version 0.6c) [disabled]
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: failed to load pkcs11 module ‘/usr/lib/opensc-pkcs11.so’
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: Changing to directory ‘/etc/ipsec.d/crls’
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: listening for IKE messages
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: adding interface tun0/tun0 172.16.200.1:500
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: adding interface eth0/eth0 172.31.30.23:500
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: adding interface lo/lo 127.0.0.1:500
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: adding interface lo/lo ::1:500
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: loading secrets from “/etc/ipsec.secrets”
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: loading secrets from “/etc/dmvpn.secrets”
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: loaded PSK secret for 172.31.30.23 %any
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: forgetting secrets
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: loading secrets from “/etc/ipsec.secrets”
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: loading secrets from “/etc/dmvpn.secrets”
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: loaded PSK secret for 172.31.30.23 %any
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: Changing to directory ‘/etc/ipsec.d/crls’
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: forgetting secrets
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: loading secrets from “/etc/ipsec.secrets”
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: loading secrets from “/etc/dmvpn.secrets”
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: loaded PSK secret for 172.31.30.23 %any
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: Changing to directory ‘/etc/ipsec.d/crls’
    Oct 8 22:51:44 VyOS-AMI-SYED pluto[8782]: added connection description “vpnprof-tunnel-tun0”
    Oct 8 23:01:34 VyOS-AMI-SYED pluto[8782]: packet from 54.172.31.11:500: received Vendor ID payload [strongSwan]
    Oct 8 23:01:34 VyOS-AMI-SYED pluto[8782]: packet from 54.172.31.11:500: ignoring Vendor ID payload [Cisco-Unity]
    Oct 8 23:01:34 VyOS-AMI-SYED pluto[8782]: packet from 54.172.31.11:500: received Vendor ID payload [XAUTH]
    Oct 8 23:01:34 VyOS-AMI-SYED pluto[8782]: packet from 54.172.31.11:500: received Vendor ID payload [Dead Peer Detection]
    Oct 8 23:01:34 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[1] 54.172.31.11 #1: responding to Main Mode from unknown peer 54.172.31.11
    Oct 8 23:01:34 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[1] 54.172.31.11 #1: Peer ID is ID_IPV4_ADDR: ‘172.31.61.122’
    Oct 8 23:01:34 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #1: deleting connection “vpnprof-tunnel-tun0” instance with peer 54.172.31.11 {isakmp=#0/ipsec=#0}
    Oct 8 23:01:34 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #1: sent MR3, ISAKMP SA established
    Oct 8 23:01:34 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #1: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 8 23:01:44 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
    Oct 8 23:01:44 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #1: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 8 23:02:04 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
    Oct 8 23:02:04 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #1: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 8 23:02:44 VyOS-AMI-SYED pluto[8782]: packet from 54.172.31.11:500: received Vendor ID payload [strongSwan]
    Oct 8 23:02:44 VyOS-AMI-SYED pluto[8782]: packet from 54.172.31.11:500: ignoring Vendor ID payload [Cisco-Unity]
    Oct 8 23:02:44 VyOS-AMI-SYED pluto[8782]: packet from 54.172.31.11:500: received Vendor ID payload [XAUTH]
    Oct 8 23:02:44 VyOS-AMI-SYED pluto[8782]: packet from 54.172.31.11:500: received Vendor ID payload [Dead Peer Detection]
    Oct 8 23:02:44 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #2: responding to Main Mode from unknown peer 54.172.31.11
    Oct 8 23:02:44 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #2: Peer ID is ID_IPV4_ADDR: ‘172.31.61.122’
    Oct 8 23:02:44 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #2: sent MR3, ISAKMP SA established
    Oct 8 23:02:44 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #2: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 8 23:02:54 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #2: retransmitting in response to duplicate packet; already STATE_MAIN_R3
    Oct 8 23:02:54 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #2: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 8 23:03:14 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #2: retransmitting in response to duplicate packet; already STATE_MAIN_R3
    Oct 8 23:03:15 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #2: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 8 23:03:54 VyOS-AMI-SYED pluto[8782]: packet from 54.172.31.11:500: received Vendor ID payload [strongSwan]
    Oct 8 23:03:54 VyOS-AMI-SYED pluto[8782]: packet from 54.172.31.11:500: ignoring Vendor ID payload [Cisco-Unity]
    Oct 8 23:03:54 VyOS-AMI-SYED pluto[8782]: packet from 54.172.31.11:500: received Vendor ID payload [XAUTH]
    Oct 8 23:03:54 VyOS-AMI-SYED pluto[8782]: packet from 54.172.31.11:500: received Vendor ID payload [Dead Peer Detection]
    Oct 8 23:03:54 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #3: responding to Main Mode from unknown peer 54.172.31.11
    Oct 8 23:03:54 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #3: Peer ID is ID_IPV4_ADDR: ‘172.31.61.122’
    Oct 8 23:03:54 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #3: sent MR3, ISAKMP SA established
    Oct 8 23:03:54 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #3: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 8 23:04:04 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
    Oct 8 23:04:04 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #3: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 8 23:04:24 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
    Oct 8 23:04:24 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11 #3: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: forgetting secrets
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: loading secrets from “/etc/ipsec.secrets”
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: loading secrets from “/etc/dmvpn.secrets”
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: loaded PSK secret for 172.31.30.23 %any
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: Changing to directory ‘/etc/ipsec.d/crls’
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: forgetting secrets
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: loading secrets from “/etc/ipsec.secrets”
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: loading secrets from “/etc/dmvpn.secrets”
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: loaded PSK secret for 172.31.30.23 %any
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: Changing to directory ‘/etc/ipsec.d/crls’
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: forgetting secrets
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: loading secrets from “/etc/ipsec.secrets”
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: loading secrets from “/etc/dmvpn.secrets”
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: loaded PSK secret for 172.31.30.23 %any
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: Changing to directory ‘/etc/ipsec.d/crls’
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: shutting down
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: forgetting secrets
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0″[2] 54.172.31.11: deleting connection “vpnprof-tunnel-tun0” instance with peer 54.172.31.11 {isakmp=#3/ipsec=#0}
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0” #3: deleting state (STATE_MAIN_R3)
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0” #1: deleting state (STATE_MAIN_R3)
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0” #2: deleting state (STATE_MAIN_R3)
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: “vpnprof-tunnel-tun0”: deleting connection
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: shutting down interface lo/lo ::1
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: shutting down interface lo/lo 127.0.0.1
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: shutting down interface eth0/eth0 172.31.30.23
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[8782]: shutting down interface tun0/tun0 172.16.200.1
    Oct 8 23:26:13 VyOS-AMI-SYED ipsec_starter[8780]: pluto stopped after 20 ms
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[10699]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[10699]: including NAT-Traversal patch (Version 0.6c)
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[10699]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
    Oct 8 23:26:13 VyOS-AMI-SYED ipsec_starter[8780]: pluto (10699) started after 20 ms
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[10699]: Changing to directory '/etc/ipsec.d/crls'
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[10699]: listening for IKE messages
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[10699]: adding interface tun0/tun0 172.16.200.1:500
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[10699]: adding interface tun0/tun0 172.16.200.1:4500
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[10699]: adding interface eth0/eth0 172.31.30.23:500
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[10699]: adding interface eth0/eth0 172.31.30.23:4500
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[10699]: adding interface lo/lo 127.0.0.1:500
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[10699]: adding interface lo/lo 127.0.0.1:4500
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[10699]: adding interface lo/lo ::1:500
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[10699]: loading secrets from "/etc/ipsec.secrets"
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[10699]: loading secrets from "/etc/dmvpn.secrets"
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[10699]: loaded PSK secret for 172.31.30.23 %any
    Oct 8 23:26:13 VyOS-AMI-SYED pluto[10699]: added connection description "vpnprof-tunnel-tun0"
    Oct 8 23:26:26 VyOS-AMI-SYED pluto[10699]: shutting down
    Oct 8 23:26:26 VyOS-AMI-SYED pluto[10699]: forgetting secrets
    Oct 8 23:26:26 VyOS-AMI-SYED pluto[10699]: "vpnprof-tunnel-tun0": deleting connection
    Oct 8 23:26:26 VyOS-AMI-SYED pluto[10699]: shutting down interface lo/lo ::1
    Oct 8 23:26:26 VyOS-AMI-SYED pluto[10699]: shutting down interface lo/lo 127.0.0.1
    Oct 8 23:26:26 VyOS-AMI-SYED pluto[10699]: shutting down interface lo/lo 127.0.0.1
    Oct 8 23:26:26 VyOS-AMI-SYED pluto[10699]: shutting down interface eth0/eth0 172.31.30.23
    Oct 8 23:26:26 VyOS-AMI-SYED pluto[10699]: shutting down interface eth0/eth0 172.31.30.23
    Oct 8 23:26:26 VyOS-AMI-SYED pluto[10699]: shutting down interface tun0/tun0 172.16.200.1
    Oct 8 23:26:26 VyOS-AMI-SYED pluto[10699]: shutting down interface tun0/tun0 172.16.200.1
    Oct 8 23:26:26 VyOS-AMI-SYED ipsec_starter[8780]: pluto stopped after 20 ms
    Oct 8 23:26:30 VyOS-AMI-SYED pluto[10890]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
    Oct 8 23:26:30 VyOS-AMI-SYED pluto[10890]: including NAT-Traversal patch (Version 0.6c)
    Oct 8 23:26:30 VyOS-AMI-SYED pluto[10890]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
    Oct 8 23:26:30 VyOS-AMI-SYED pluto[10890]: Changing to directory '/etc/ipsec.d/crls'
    Oct 8 23:26:30 VyOS-AMI-SYED ipsec_starter[10889]: pluto (10890) started after 20 ms
    Oct 8 23:26:30 VyOS-AMI-SYED pluto[10890]: listening for IKE messages
    Oct 8 23:26:30 VyOS-AMI-SYED pluto[10890]: adding interface tun0/tun0 172.16.200.1:500
    Oct 8 23:26:30 VyOS-AMI-SYED pluto[10890]: adding interface tun0/tun0 172.16.200.1:4500
    Oct 8 23:26:30 VyOS-AMI-SYED pluto[10890]: adding interface eth0/eth0 172.31.30.23:500
    Oct 8 23:26:30 VyOS-AMI-SYED pluto[10890]: adding interface eth0/eth0 172.31.30.23:4500
    Oct 8 23:26:30 VyOS-AMI-SYED pluto[10890]: adding interface lo/lo 127.0.0.1:500
    Oct 8 23:26:30 VyOS-AMI-SYED pluto[10890]: adding interface lo/lo 127.0.0.1:4500
    Oct 8 23:26:30 VyOS-AMI-SYED pluto[10890]: adding interface lo/lo ::1:500
    Oct 8 23:26:30 VyOS-AMI-SYED pluto[10890]: loading secrets from "/etc/ipsec.secrets"
    Oct 8 23:26:30 VyOS-AMI-SYED pluto[10890]: loading secrets from "/etc/dmvpn.secrets"
    Oct 8 23:26:30 VyOS-AMI-SYED pluto[10890]: loaded PSK secret for 172.31.30.23 %any
    Oct 8 23:26:30 VyOS-AMI-SYED pluto[10890]: added connection description "vpnprof-tunnel-tun0"
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: forgetting secrets
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: loading secrets from "/etc/ipsec.secrets"
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: loading secrets from "/etc/dmvpn.secrets"
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: loaded PSK secret for 172.31.30.23 %any
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: Changing to directory '/etc/ipsec.d/crls'
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: forgetting secrets
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: loading secrets from "/etc/ipsec.secrets"
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: loading secrets from "/etc/dmvpn.secrets"
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: loaded PSK secret for 172.31.30.23 %any
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: Changing to directory '/etc/ipsec.d/crls'
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: "vpnprof-tunnel-tun0": deleting connection
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: added connection description "vpnprof-tunnel-tun0"
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: forgetting secrets
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: loading secrets from "/etc/ipsec.secrets"
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: loading secrets from "/etc/dmvpn.secrets"
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: loaded PSK secret for 172.31.30.23 %any
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: Changing to directory '/etc/ipsec.d/crls'
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: forgetting secrets
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: loading secrets from "/etc/ipsec.secrets"
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: loading secrets from "/etc/dmvpn.secrets"
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: loaded PSK secret for 172.31.30.23 %any
    Oct 8 23:28:19 VyOS-AMI-SYED pluto[10890]: Changing to directory '/etc/ipsec.d/crls'
    Oct 8 23:28:25 VyOS-AMI-SYED pluto[10890]: shutting down
    Oct 8 23:28:25 VyOS-AMI-SYED pluto[10890]: forgetting secrets
    Oct 8 23:28:25 VyOS-AMI-SYED pluto[10890]: "vpnprof-tunnel-tun0": deleting connection
    Oct 8 23:28:25 VyOS-AMI-SYED pluto[10890]: shutting down interface lo/lo ::1
    Oct 8 23:28:25 VyOS-AMI-SYED pluto[10890]: shutting down interface lo/lo 127.0.0.1
    Oct 8 23:28:25 VyOS-AMI-SYED pluto[10890]: shutting down interface lo/lo 127.0.0.1
    Oct 8 23:28:25 VyOS-AMI-SYED pluto[10890]: shutting down interface eth0/eth0 172.31.30.23
    Oct 8 23:28:25 VyOS-AMI-SYED pluto[10890]: shutting down interface eth0/eth0 172.31.30.23
    Oct 8 23:28:25 VyOS-AMI-SYED pluto[10890]: shutting down interface tun0/tun0 172.16.200.1
    Oct 8 23:28:25 VyOS-AMI-SYED pluto[10890]: shutting down interface tun0/tun0 172.16.200.1
    Oct 8 23:28:25 VyOS-AMI-SYED ipsec_starter[10889]: pluto stopped after 20 ms
    Oct 8 23:28:28 VyOS-AMI-SYED pluto[11254]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
    Oct 8 23:28:28 VyOS-AMI-SYED pluto[11254]: including NAT-Traversal patch (Version 0.6c)
    Oct 8 23:28:28 VyOS-AMI-SYED pluto[11254]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
    Oct 8 23:28:28 VyOS-AMI-SYED pluto[11254]: Changing to directory '/etc/ipsec.d/crls'
    Oct 8 23:28:28 VyOS-AMI-SYED ipsec_starter[11253]: pluto (11254) started after 20 ms
    Oct 8 23:28:28 VyOS-AMI-SYED pluto[11254]: listening for IKE messages
    Oct 8 23:28:28 VyOS-AMI-SYED pluto[11254]: adding interface tun0/tun0 172.16.200.1:500
    Oct 8 23:28:28 VyOS-AMI-SYED pluto[11254]: adding interface tun0/tun0 172.16.200.1:4500
    Oct 8 23:28:28 VyOS-AMI-SYED pluto[11254]: adding interface eth0/eth0 172.31.30.23:500
    Oct 8 23:28:28 VyOS-AMI-SYED pluto[11254]: adding interface eth0/eth0 172.31.30.23:4500
    Oct 8 23:28:28 VyOS-AMI-SYED pluto[11254]: adding interface lo/lo 127.0.0.1:500
    Oct 8 23:28:28 VyOS-AMI-SYED pluto[11254]: adding interface lo/lo 127.0.0.1:4500
    Oct 8 23:28:28 VyOS-AMI-SYED pluto[11254]: adding interface lo/lo ::1:500
    Oct 8 23:28:28 VyOS-AMI-SYED pluto[11254]: loading secrets from "/etc/ipsec.secrets"
    Oct 8 23:28:28 VyOS-AMI-SYED pluto[11254]: loading secrets from "/etc/dmvpn.secrets"
    Oct 8 23:28:28 VyOS-AMI-SYED pluto[11254]: loaded PSK secret for 172.31.30.23 %any
    Oct 8 23:28:28 VyOS-AMI-SYED pluto[11254]: added connection description "vpnprof-tunnel-tun0"
    Oct 9 01:36:09 VyOS-AMI-SYED pluto[11254]: "vpnprof-tunnel-tun0"[1] 216.218.206.110:37132 #1: responding to Main Mode from unknown peer 216.218.206.110:37132
    Oct 9 01:36:09 VyOS-AMI-SYED pluto[11254]: "vpnprof-tunnel-tun0"[1] 216.218.206.110:37132 #1: CAST_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
    Oct 9 01:36:09 VyOS-AMI-SYED pluto[11254]: "vpnprof-tunnel-tun0"[1] 216.218.206.110:37132 #1: no acceptable Oakley Transform
    Oct 9 01:36:09 VyOS-AMI-SYED pluto[11254]: "vpnprof-tunnel-tun0"[1] 216.218.206.110:37132 #1: sending notification NO_PROPOSAL_CHOSEN to 216.218.206.110:37132
    Oct 9 01:36:09 VyOS-AMI-SYED pluto[11254]: "vpnprof-tunnel-tun0"[1] 216.218.206.110:37132: deleting connection "vpnprof-tunnel-tun0" instance with peer 216.218.206.110 {isakmp=#0/ipsec=#0}
    Oct 10 00:25:44 VyOS-AMI-SYED pluto[11254]: "vpnprof-tunnel-tun0"[2] 216.218.206.70:59385 #2: responding to Main Mode from unknown peer 216.218.206.70:59385
    Oct 10 00:25:44 VyOS-AMI-SYED pluto[11254]: "vpnprof-tunnel-tun0"[2] 216.218.206.70:59385 #2: CAST_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
    Oct 10 00:25:44 VyOS-AMI-SYED pluto[11254]: "vpnprof-tunnel-tun0"[2] 216.218.206.70:59385 #2: no acceptable Oakley Transform
    Oct 10 00:25:44 VyOS-AMI-SYED pluto[11254]: "vpnprof-tunnel-tun0"[2] 216.218.206.70:59385 #2: sending notification NO_PROPOSAL_CHOSEN to 216.218.206.70:59385
    Oct 10 00:25:44 VyOS-AMI-SYED pluto[11254]: "vpnprof-tunnel-tun0"[2] 216.218.206.70:59385: deleting connection "vpnprof-tunnel-tun0" instance with peer 216.218.206.70 {isakmp=#0/ipsec=#0}
    Oct 10 02:30:06 VyOS-AMI-SYED pluto[11254]: shutting down
    Oct 10 02:30:06 VyOS-AMI-SYED pluto[11254]: forgetting secrets
    Oct 10 02:30:06 VyOS-AMI-SYED pluto[11254]: "vpnprof-tunnel-tun0": deleting connection
    Oct 10 02:30:06 VyOS-AMI-SYED pluto[11254]: shutting down interface lo/lo ::1
    Oct 10 02:30:06 VyOS-AMI-SYED pluto[11254]: shutting down interface lo/lo 127.0.0.1
    Oct 10 02:30:06 VyOS-AMI-SYED pluto[11254]: shutting down interface lo/lo 127.0.0.1
    Oct 10 02:30:06 VyOS-AMI-SYED pluto[11254]: shutting down interface eth0/eth0 172.31.30.23
    Oct 10 02:30:06 VyOS-AMI-SYED pluto[11254]: shutting down interface eth0/eth0 172.31.30.23
    Oct 10 02:30:06 VyOS-AMI-SYED pluto[11254]: shutting down interface tun0/tun0 172.16.200.1
    Oct 10 02:30:06 VyOS-AMI-SYED pluto[11254]: shutting down interface tun0/tun0 172.16.200.1
    Oct 10 02:30:06 VyOS-AMI-SYED ipsec_starter[11253]: pluto stopped after 20 ms
    Oct 10 02:30:09 VyOS-AMI-SYED pluto[17218]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
    Oct 10 02:30:09 VyOS-AMI-SYED pluto[17218]: including NAT-Traversal patch (Version 0.6c)
    Oct 10 02:30:09 VyOS-AMI-SYED pluto[17218]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
    Oct 10 02:30:09 VyOS-AMI-SYED pluto[17218]: Changing to directory '/etc/ipsec.d/crls'
    Oct 10 02:30:09 VyOS-AMI-SYED ipsec_starter[17217]: pluto (17218) started after 20 ms
    Oct 10 02:30:09 VyOS-AMI-SYED pluto[17218]: listening for IKE messages
    Oct 10 02:30:09 VyOS-AMI-SYED pluto[17218]: adding interface tun0/tun0 172.16.200.1:500
    Oct 10 02:30:09 VyOS-AMI-SYED pluto[17218]: adding interface tun0/tun0 172.16.200.1:4500
    Oct 10 02:30:09 VyOS-AMI-SYED pluto[17218]: adding interface eth0/eth0 172.31.30.23:500
    Oct 10 02:30:09 VyOS-AMI-SYED pluto[17218]: adding interface eth0/eth0 172.31.30.23:4500
    Oct 10 02:30:09 VyOS-AMI-SYED pluto[17218]: adding interface lo/lo 127.0.0.1:500
    Oct 10 02:30:09 VyOS-AMI-SYED pluto[17218]: adding interface lo/lo 127.0.0.1:4500
    Oct 10 02:30:09 VyOS-AMI-SYED pluto[17218]: adding interface lo/lo ::1:500
    Oct 10 02:30:09 VyOS-AMI-SYED pluto[17218]: loading secrets from "/etc/ipsec.secrets"
    Oct 10 02:30:09 VyOS-AMI-SYED pluto[17218]: loading secrets from "/etc/dmvpn.secrets"
    Oct 10 02:30:09 VyOS-AMI-SYED pluto[17218]: loaded PSK secret for 172.31.30.23 %any
    Oct 10 02:30:09 VyOS-AMI-SYED pluto[17218]: added connection description "vpnprof-tunnel-tun0"
    Oct 10 02:31:48 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:500: received Vendor ID payload [strongSwan]
    Oct 10 02:31:48 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:500: ignoring Vendor ID payload [Cisco-Unity]
    Oct 10 02:31:48 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:500: received Vendor ID payload [XAUTH]
    Oct 10 02:31:48 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:500: received Vendor ID payload [Dead Peer Detection]
    Oct 10 02:31:48 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:500: received Vendor ID payload [RFC 3947]
    Oct 10 02:31:48 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    Oct 10 02:31:48 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    Oct 10 02:31:48 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    Oct 10 02:31:48 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    Oct 10 02:31:48 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[1] 54.172.31.11 #1: responding to Main Mode from unknown peer 54.172.31.11
    Oct 10 02:31:48 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[1] 54.172.31.11 #1: NAT-Traversal: Result using RFC 3947: both are NATed
    Oct 10 02:31:48 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[1] 54.172.31.11 #1: Peer ID is ID_IPV4_ADDR: '172.31.61.122'
    Oct 10 02:31:48 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11 #1: deleting connection "vpnprof-tunnel-tun0" instance with peer 54.172.31.11 {isakmp=#0/ipsec=#0}
    Oct 10 02:31:48 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #1: sent MR3, ISAKMP SA established
    Oct 10 02:31:49 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #1: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 10 02:31:59 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
    Oct 10 02:31:59 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #1: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 10 02:32:18 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
    Oct 10 02:32:18 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #1: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 10 02:32:58 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: received Vendor ID payload [strongSwan]
    Oct 10 02:32:58 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: ignoring Vendor ID payload [Cisco-Unity]
    Oct 10 02:32:58 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: received Vendor ID payload [XAUTH]
    Oct 10 02:32:58 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: received Vendor ID payload [Dead Peer Detection]
    Oct 10 02:32:58 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: received Vendor ID payload [RFC 3947]
    Oct 10 02:32:58 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    Oct 10 02:32:58 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    Oct 10 02:32:58 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    Oct 10 02:32:58 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    Oct 10 02:32:58 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #2: responding to Main Mode from unknown peer 54.172.31.11:4500
    Oct 10 02:32:58 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #2: NAT-Traversal: Result using RFC 3947: both are NATed
    Oct 10 02:32:58 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #2: Peer ID is ID_IPV4_ADDR: '172.31.61.122'
    Oct 10 02:32:58 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #2: sent MR3, ISAKMP SA established
    Oct 10 02:32:58 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #2: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 10 02:33:08 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #2: retransmitting in response to duplicate packet; already STATE_MAIN_R3
    Oct 10 02:33:08 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #2: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 10 02:33:28 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #2: retransmitting in response to duplicate packet; already STATE_MAIN_R3
    Oct 10 02:33:28 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #2: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 10 02:34:08 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: received Vendor ID payload [strongSwan]
    Oct 10 02:34:08 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: ignoring Vendor ID payload [Cisco-Unity]
    Oct 10 02:34:08 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: received Vendor ID payload [XAUTH]
    Oct 10 02:34:08 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: received Vendor ID payload [Dead Peer Detection]
    Oct 10 02:34:08 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: received Vendor ID payload [RFC 3947]
    Oct 10 02:34:08 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    Oct 10 02:34:08 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    Oct 10 02:34:08 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    Oct 10 02:34:08 VyOS-AMI-SYED pluto[17218]: packet from 54.172.31.11:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    Oct 10 02:34:08 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #3: responding to Main Mode from unknown peer 54.172.31.11:4500
    Oct 10 02:34:08 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #3: NAT-Traversal: Result using RFC 3947: both are NATed
    Oct 10 02:34:08 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #3: Peer ID is ID_IPV4_ADDR: '172.31.61.122'
    Oct 10 02:34:08 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #3: sent MR3, ISAKMP SA established
    Oct 10 02:34:09 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #3: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 10 02:34:19 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
    Oct 10 02:34:19 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #3: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 10 02:34:38 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
    Oct 10 02:34:38 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500 #3: ignoring informational payload, type INVALID_ID_INFORMATION
    Oct 10 03:02:03 VyOS-AMI-SYED pluto[17218]: shutting down
    Oct 10 03:02:03 VyOS-AMI-SYED pluto[17218]: forgetting secrets
    Oct 10 03:02:03 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0"[2] 54.172.31.11:4500: deleting connection "vpnprof-tunnel-tun0" instance with peer 54.172.31.11 {isakmp=#3/ipsec=#0}
    Oct 10 03:02:03 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0" #1: deleting state (STATE_MAIN_R3)
    Oct 10 03:02:03 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0" #2: deleting state (STATE_MAIN_R3)
    Oct 10 03:02:03 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0" #3: deleting state (STATE_MAIN_R3)
    Oct 10 03:02:03 VyOS-AMI-SYED pluto[17218]: "vpnprof-tunnel-tun0": deleting connection
    Oct 10 03:02:03 VyOS-AMI-SYED pluto[17218]: shutting down interface lo/lo ::1
    Oct 10 03:02:03 VyOS-AMI-SYED pluto[17218]: shutting down interface lo/lo 127.0.0.1
    Oct 10 03:02:03 VyOS-AMI-SYED pluto[17218]: shutting down interface lo/lo 127.0.0.1
    Oct 10 03:02:03 VyOS-AMI-SYED pluto[17218]: shutting down interface eth0/eth0 172.31.30.23
    Oct 10 03:02:03 VyOS-AMI-SYED pluto[17218]: shutting down interface eth0/eth0 172.31.30.23
    Oct 10 03:02:03 VyOS-AMI-SYED pluto[17218]: shutting down interface tun0/tun0 172.16.200.1
    Oct 10 03:02:03 VyOS-AMI-SYED pluto[17218]: shutting down interface tun0/tun0 172.16.200.1
    Oct 10 03:02:03 VyOS-AMI-SYED ipsec_starter[17217]: pluto stopped after 20 ms
    Oct 10 03:02:06 VyOS-AMI-SYED pluto[17995]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
    Oct 10 03:02:06 VyOS-AMI-SYED pluto[17995]: including NAT-Traversal patch (Version 0.6c)
    Oct 10 03:02:06 VyOS-AMI-SYED pluto[17995]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
    Oct 10 03:02:06 VyOS-AMI-SYED pluto[17995]: Changing to directory '/etc/ipsec.d/crls'
    Oct 10 03:02:06 VyOS-AMI-SYED ipsec_starter[17994]: pluto (17995) started after 20 ms
    Oct 10 03:02:06 VyOS-AMI-SYED pluto[17995]: listening for IKE messages
    Oct 10 03:02:06 VyOS-AMI-SYED pluto[17995]: adding interface tun0/tun0 172.16.200.1:500
    Oct 10 03:02:06 VyOS-AMI-SYED pluto[17995]: adding interface tun0/tun0 172.16.200.1:4500
    Oct 10 03:02:06 VyOS-AMI-SYED pluto[17995]: adding interface eth0/eth0 172.31.30.23:500
    Oct 10 03:02:06 VyOS-AMI-SYED pluto[17995]: adding interface eth0/eth0 172.31.30.23:4500
    Oct 10 03:02:06 VyOS-AMI-SYED pluto[17995]: adding interface lo/lo 127.0.0.1:500
    Oct 10 03:02:06 VyOS-AMI-SYED pluto[17995]: adding interface lo/lo 127.0.0.1:4500
    Oct 10 03:02:06 VyOS-AMI-SYED pluto[17995]: adding interface lo/lo ::1:500
    Oct 10 03:02:06 VyOS-AMI-SYED pluto[17995]: loading secrets from "/etc/ipsec.secrets"
    Oct 10 03:02:06 VyOS-AMI-SYED pluto[17995]: loading secrets from "/etc/dmvpn.secrets"
    Oct 10 03:02:06 VyOS-AMI-SYED pluto[17995]: loaded PSK secret for 172.31.30.23 %any
    Oct 10 03:02:06 VyOS-AMI-SYED pluto[17995]: added connection description "vpnprof-tunnel-tun0"
    Oct 10 03:04:25 VyOS-AMI-SYED pluto[17995]: shutting down
    Oct 10 03:04:25 VyOS-AMI-SYED pluto[17995]: forgetting secrets
    Oct 10 03:04:25 VyOS-AMI-SYED pluto[17995]: "vpnprof-tunnel-tun0": deleting connection
    Oct 10 03:04:25 VyOS-AMI-SYED pluto[17995]: shutting down interface lo/lo ::1
    Oct 10 03:04:25 VyOS-AMI-SYED pluto[17995]: shutting down interface lo/lo 127.0.0.1
    Oct 10 03:04:25 VyOS-AMI-SYED pluto[17995]: shutting down interface lo/lo 127.0.0.1
    Oct 10 03:04:25 VyOS-AMI-SYED pluto[17995]: shutting down interface eth0/eth0 172.31.30.23
    Oct 10 03:04:25 VyOS-AMI-SYED pluto[17995]: shutting down interface eth0/eth0 172.31.30.23
    Oct 10 03:04:25 VyOS-AMI-SYED pluto[17995]: shutting down interface tun0/tun0 172.16.200.1
    Oct 10 03:04:25 VyOS-AMI-SYED pluto[17995]: shutting down interface tun0/tun0 172.16.200.1
    Oct 10 03:04:25 VyOS-AMI-SYED ipsec_starter[17994]: pluto stopped after 20 ms
    Oct 10 03:04:29 VyOS-AMI-SYED pluto[18146]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
    Oct 10 03:04:29 VyOS-AMI-SYED pluto[18146]: including NAT-Traversal patch (Version 0.6c)
    Oct 10 03:04:29 VyOS-AMI-SYED pluto[18146]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
    Oct 10 03:04:29 VyOS-AMI-SYED pluto[18146]: Changing to directory '/etc/ipsec.d/crls'
    Oct 10 03:04:29 VyOS-AMI-SYED ipsec_starter[18145]: pluto (18146) started after 20 ms
    Oct 10 03:04:29 VyOS-AMI-SYED pluto[18146]: listening for IKE messages
    Oct 10 03:04:29 VyOS-AMI-SYED pluto[18146]: adding interface tun0/tun0 172.16.200.1:500
    Oct 10 03:04:29 VyOS-AMI-SYED pluto[18146]: adding interface tun0/tun0 172.16.200.1:4500
    Oct 10 03:04:29 VyOS-AMI-SYED pluto[18146]: adding interface eth0/eth0 172.31.30.23:500
    Oct 10 03:04:29 VyOS-AMI-SYED pluto[18146]: adding interface eth0/eth0 172.31.30.23:4500
    Oct 10 03:04:29 VyOS-AMI-SYED pluto[18146]: adding interface lo/lo 127.0.0.1:500
    Oct 10 03:04:29 VyOS-AMI-SYED pluto[18146]: adding interface lo/lo 127.0.0.1:4500
    Oct 10 03:04:29 VyOS-AMI-SYED pluto[18146]: adding interface lo/lo ::1:500
    Oct 10 03:04:29 VyOS-AMI-SYED pluto[18146]: loading secrets from "/etc/ipsec.secrets"
    Oct 10 03:04:29 VyOS-AMI-SYED pluto[18146]: loading secrets from "/etc/dmvpn.secrets"
    Oct 10 03:04:29 VyOS-AMI-SYED pluto[18146]: loaded PSK secret for 172.31.30.23 %any
    Oct 10 03:04:29 VyOS-AMI-SYED pluto[18146]: added connection description "vpnprof-tunnel-tun0"
    Oct 10 03:04:51 VyOS-AMI-SYED pluto[18146]: shutting down
    Oct 10 03:04:51 VyOS-AMI-SYED pluto[18146]: forgetting secrets
    Oct 10 03:04:51 VyOS-AMI-SYED pluto[18146]: "vpnprof-tunnel-tun0": deleting connection
    Oct 10 03:04:51 VyOS-AMI-SYED pluto[18146]: shutting down interface lo/lo ::1
    Oct 10 03:04:51 VyOS-AMI-SYED pluto[18146]: shutting down interface lo/lo 127.0.0.1
    Oct 10 03:04:51 VyOS-AMI-SYED pluto[18146]: shutting down interface lo/lo 127.0.0.1
    Oct 10 03:04:51 VyOS-AMI-SYED pluto[18146]: shutting down interface eth0/eth0 172.31.30.23
    Oct 10 03:04:51 VyOS-AMI-SYED pluto[18146]: shutting down interface eth0/eth0 172.31.30.23
    Oct 10 03:04:51 VyOS-AMI-SYED pluto[18146]: shutting down interface tun0/tun0 172.16.200.1
    Oct 10 03:04:51 VyOS-AMI-SYED pluto[18146]: shutting down interface tun0/tun0 172.16.200.1
    Oct 10 03:04:51 VyOS-AMI-SYED ipsec_starter[18145]: pluto stopped after 20 ms
    Oct 10 03:04:54 VyOS-AMI-SYED pluto[18277]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
    Oct 10 03:04:54 VyOS-AMI-SYED pluto[18277]: including NAT-Traversal patch (Version 0.6c)
    Oct 10 03:04:54 VyOS-AMI-SYED pluto[18277]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
    Oct 10 03:04:54 VyOS-AMI-SYED pluto[18277]: Changing to directory '/etc/ipsec.d/crls'
    Oct 10 03:04:54 VyOS-AMI-SYED ipsec_starter[18276]: pluto (18277) started after 20 ms
    Oct 10 03:04:54 VyOS-AMI-SYED pluto[18277]: listening for IKE messages
    Oct 10 03:04:54 VyOS-AMI-SYED pluto[18277]: adding interface tun0/tun0 172.16.200.1:500
    Oct 10 03:04:54 VyOS-AMI-SYED pluto[18277]: adding interface tun0/tun0 172.16.200.1:4500
    Oct 10 03:04:54 VyOS-AMI-SYED pluto[18277]: adding interface eth0/eth0 172.31.30.23:500
    Oct 10 03:04:54 VyOS-AMI-SYED pluto[18277]: adding interface eth0/eth0 172.31.30.23:4500
    Oct 10 03:04:54 VyOS-AMI-SYED pluto[18277]: adding interface lo/lo 127.0.0.1:500
    Oct 10 03:04:54 VyOS-AMI-SYED pluto[18277]: adding interface lo/lo 127.0.0.1:4500
    Oct 10 03:04:54 VyOS-AMI-SYED pluto[18277]: adding interface lo/lo ::1:500
    Oct 10 03:04:54 VyOS-AMI-SYED pluto[18277]: loading secrets from "/etc/ipsec.secrets"
    Oct 10 03:04:54 VyOS-AMI-SYED pluto[18277]: loading secrets from "/etc/dmvpn.secrets"
    Oct 10 03:04:54 VyOS-AMI-SYED pluto[18277]: loaded PSK secret for 172.31.30.23 %any
    Oct 10 03:04:54 VyOS-AMI-SYED pluto[18277]: added connection description "vpnprof-tunnel-tun0"
    Oct 10 03:05:19 VyOS-AMI-SYED pluto[18277]: shutting down
    Oct 10 03:05:19 VyOS-AMI-SYED pluto[18277]: forgetting secrets
    Oct 10 03:05:19 VyOS-AMI-SYED pluto[18277]: "vpnprof-tunnel-tun0": deleting connection
    Oct 10 03:05:19 VyOS-AMI-SYED pluto[18277]: shutting down interface lo/lo ::1
    Oct 10 03:05:19 VyOS-AMI-SYED pluto[18277]: shutting down interface lo/lo 127.0.0.1
    Oct 10 03:05:19 VyOS-AMI-SYED pluto[18277]: shutting down interface lo/lo 127.0.0.1
    Oct 10 03:05:19 VyOS-AMI-SYED pluto[18277]: shutting down interface eth0/eth0 172.31.30.23
    Oct 10 03:05:19 VyOS-AMI-SYED pluto[18277]: shutting down interface eth0/eth0 172.31.30.23
    Oct 10 03:05:19 VyOS-AMI-SYED pluto[18277]: shutting down interface tun0/tun0 172.16.200.1
    Oct 10 03:05:19 VyOS-AMI-SYED pluto[18277]: shutting down interface tun0/tun0 172.16.200.1
    Oct 10 03:05:19 VyOS-AMI-SYED ipsec_starter[18276]: pluto stopped after 20 ms
    Oct 10 03:05:22 VyOS-AMI-SYED pluto[18408]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
    Oct 10 03:05:22 VyOS-AMI-SYED pluto[18408]: including NAT-Traversal patch (Version 0.6c)
    Oct 10 03:05:22 VyOS-AMI-SYED pluto[18408]: failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
    Oct 10 03:05:22 VyOS-AMI-SYED pluto[18408]: Changing to directory '/etc/ipsec.d/crls'
    Oct 10 03:05:22 VyOS-AMI-SYED ipsec_starter[18407]: pluto (18408) started after 20 ms
    Oct 10 03:05:22 VyOS-AMI-SYED pluto[18408]: listening for IKE messages
    Oct 10 03:05:22 VyOS-AMI-SYED pluto[18408]: adding interface tun0/tun0 172.16.200.1:500
    Oct 10 03:05:22 VyOS-AMI-SYED pluto[18408]: adding interface tun0/tun0 172.16.200.1:4500
    Oct 10 03:05:22 VyOS-AMI-SYED pluto[18408]: adding interface eth0/eth0 172.31.30.23:500
    Oct 10 03:05:22 VyOS-AMI-SYED pluto[18408]: adding interface eth0/eth0 172.31.30.23:4500
    Oct 10 03:05:22 VyOS-AMI-SYED pluto[18408]: adding interface lo/lo 127.0.0.1:500
    Oct 10 03:05:22 VyOS-AMI-SYED pluto[18408]: adding interface lo/lo 127.0.0.1:4500
    Oct 10 03:05:22 VyOS-AMI-SYED pluto[18408]: adding interface lo/lo ::1:500
    Oct 10 03:05:22 VyOS-AMI-SYED pluto[18408]: loading secrets from "/etc/ipsec.secrets"
    Oct 10 03:05:22 VyOS-AMI-SYED pluto[18408]: loading secrets from "/etc/dmvpn.secrets"
    Oct 10 03:05:22 VyOS-AMI-SYED pluto[18408]: loaded PSK secret for 172.31.30.23 %any
    Oct 10 03:05:22 VyOS-AMI-SYED pluto[18408]: added connection description "vpnprof-tunnel-tun0"
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: forgetting secrets
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: loading secrets from "/etc/ipsec.secrets"
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: loading secrets from "/etc/dmvpn.secrets"
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: loaded PSK secret for 172.31.30.23 %any
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: Changing to directory '/etc/ipsec.d/crls'
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: forgetting secrets
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: loading secrets from "/etc/ipsec.secrets"
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: loading secrets from "/etc/dmvpn.secrets"
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: loaded PSK secret for 172.31.30.23 %any
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: Changing to directory '/etc/ipsec.d/crls'
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: forgetting secrets
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: loading secrets from "/etc/ipsec.secrets"
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: loading secrets from "/etc/dmvpn.secrets"
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: loaded PSK secret for 172.31.30.23 %any
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: Changing to directory '/etc/ipsec.d/crls'
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: forgetting secrets
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: loading secrets from "/etc/ipsec.secrets"
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: loading secrets from "/etc/dmvpn.secrets"
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: loaded PSK secret for 172.31.30.23 %any
    Oct 10 03:13:34 VyOS-AMI-SYED pluto[18408]: Changing to directory '/etc/ipsec.d/crls'
    Oct 10 03:14:58 VyOS-AMI-SYED pluto[18408]: shutting down
    Oct 10 03:14:58 VyOS-AMI-SYED pluto[18408]: forgetting secrets
    Oct 10 03:14:58 VyOS-AMI-SYED pluto[18408]: "vpnprof-tunnel-tun0": deleting connection
    Oct 10 03:14:58 VyOS-AMI-SYED pluto[18408]: shutting down interface lo/lo ::1
    Oct 10 03:14:58 VyOS-AMI-SYED pluto[18408]: shutting down interface lo/lo 127.0.0.1
    Oct 10 03:14:58 VyOS-AMI-SYED pluto[18408]: shutting down interface lo/lo 127.0.0.1
    Oct 10 03:14:58 VyOS-AMI-SYED pluto[18408]: shutting down interface eth0/eth0 172.31.30.23
    Oct 10 03:14:58 VyOS-AMI-SYED pluto[18408]: shutting down interface eth0/eth0 172.31.30.23
    Oct 10 03:14:58 VyOS-AMI-SYED pluto[18408]: shutting down interface tun0/tun0 172.16.200.1
    Oct 10 03:14:58 VyOS-AMI-SYED pluto[18408]: shutting down interface tun0/tun0 172.16.200.1
    Oct 10 03:14:58 VyOS-AMI-SYED ipsec_starter[18407]: pluto stopped after 20 ms
    Oct 10 03:15:01 VyOS-AMI-SYED pluto[19356]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
    Oct 10 03:15:01 VyOS-AMI-SYED pluto[19356]: including NAT-Traversal patch (Version 0.6c)
    Oct 10 03:15:01 VyOS-AMI-SYED pluto[19356]: failed to load pkcs11 module ‘/usr/lib/opensc-pkcs11.so’
    Oct 10 03:15:01 VyOS-AMI-SYED pluto[19356]: Changing to directory ‘/etc/ipsec.d/crls’
    Oct 10 03:15:01 VyOS-AMI-SYED ipsec_starter[19355]: pluto (19356) started after 20 ms
    Oct 10 03:15:01 VyOS-AMI-SYED pluto[19356]: listening for IKE messages
    Oct 10 03:15:01 VyOS-AMI-SYED pluto[19356]: adding interface tun0/tun0 172.16.200.1:500
    Oct 10 03:15:01 VyOS-AMI-SYED pluto[19356]: adding interface tun0/tun0 172.16.200.1:4500
    Oct 10 03:15:01 VyOS-AMI-SYED pluto[19356]: adding interface eth0/eth0 172.31.30.23:500
    Oct 10 03:15:01 VyOS-AMI-SYED pluto[19356]: adding interface eth0/eth0 172.31.30.23:4500
    Oct 10 03:15:01 VyOS-AMI-SYED pluto[19356]: adding interface lo/lo 127.0.0.1:500
    Oct 10 03:15:01 VyOS-AMI-SYED pluto[19356]: adding interface lo/lo 127.0.0.1:4500
    Oct 10 03:15:01 VyOS-AMI-SYED pluto[19356]: adding interface lo/lo ::1:500
    Oct 10 03:15:01 VyOS-AMI-SYED pluto[19356]: loading secrets from “/etc/ipsec.secrets”
    Oct 10 03:15:01 VyOS-AMI-SYED pluto[19356]: loading secrets from “/etc/dmvpn.secrets”
    Oct 10 03:15:01 VyOS-AMI-SYED pluto[19356]: loaded PSK secret for 172.31.30.23 %any
    Oct 10 03:15:01 VyOS-AMI-SYED pluto[19356]: added connection description “vpnprof-tunnel-tun0”
    vyos@VyOS-AMI-SYED:~$ show clo

    Invalid command: show [clo]

    vyos@VyOS-AMI-SYED:~$ show datw

    Invalid command: show [datw]

    vyos@VyOS-AMI-SYED:~$ show date
    Mon Oct 10 03:26:56 UTC 2016
    vyos@VyOS-AMI-SYED:~$

    ===========================================================================
    spoke
    ============================================================================

    vyos@VyOS-AMI-ZAYAD:~$ show configuration commands | grep tunnel
    set interfaces tunnel tun0 address '172.16.200.2/24'
    set interfaces tunnel tun0 encapsulation 'gre'
    set interfaces tunnel tun0 local-ip '172.31.61.122'
    set interfaces tunnel tun0 multicast 'enable'
    set protocols nhrp tunnel tun0 map 172.16.200.1/24 nbma-address '54.187.74.201'
    set protocols nhrp tunnel tun0 map 172.16.200.1/24 'register'
    set protocols nhrp tunnel tun0 multicast 'nhs'
    set protocols nhrp tunnel tun0 'redirect'
    set protocols nhrp tunnel tun0 'shortcut'
    set vpn ipsec esp-group ESP-1H mode 'tunnel'
    set vpn ipsec profile DMVPN bind tunnel 'tun0'
    vyos@VyOS-AMI-ZAYAD:~$ show configuration commands | grep vpn
    set vpn ipsec esp-group ESP-1H compression 'disable'
    set vpn ipsec esp-group ESP-1H lifetime '30'
    set vpn ipsec esp-group ESP-1H mode 'tunnel'
    set vpn ipsec esp-group ESP-1H pfs 'dh-group5'
    set vpn ipsec esp-group ESP-1H proposal 1 encryption 'aes256'
    set vpn ipsec esp-group ESP-1H proposal 1 hash 'sha1'
    set vpn ipsec esp-group ESP-1H proposal 2 encryption '3des'
    set vpn ipsec esp-group ESP-1H proposal 2 hash 'md5'
    set vpn ipsec ike-group IKE-1H key-exchange 'ikev1'
    set vpn ipsec ike-group IKE-1H lifetime '30'
    set vpn ipsec ike-group IKE-1H proposal 1 encryption 'aes256'
    set vpn ipsec ike-group IKE-1H proposal 1 hash 'sha1'
    set vpn ipsec ike-group IKE-1H proposal 2 encryption 'aes256'
    set vpn ipsec ike-group IKE-1H proposal 2 hash 'md5'
    set vpn ipsec ipsec-interfaces interface 'eth0'
    set vpn ipsec nat-traversal 'enable'
    set vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'
    set vpn ipsec profile DMVPN authentication pre-shared-secret 'NET123'
    set vpn ipsec profile DMVPN bind tunnel 'tun0'
    set vpn ipsec profile DMVPN esp-group 'ESP-1H'
    set vpn ipsec profile DMVPN ike-group 'IKE-1H'
    vyos@VyOS-AMI-ZAYAD:~$
    vyos@VyOS-AMI-ZAYAD:~$
    vyos@VyOS-AMI-ZAYAD:~$ show configuration commands | grepbgp

    Invalid command: [grepbgp]

    vyos@VyOS-AMI-ZAYAD:~$ show configuration commands | grep bgp
    set protocols bgp 64757 neighbor 172.16.200.1 'nexthop-self'
    set protocols bgp 64757 neighbor 172.16.200.1 password 'BGPpassword'
    set protocols bgp 64757 neighbor 172.16.200.1 remote-as '64615'
    set protocols bgp 64757 neighbor 172.16.200.1 update-source '172.16.200.2'
    vyos@VyOS-AMI-ZAYAD:~$
    vyos@VyOS-AMI-ZAYAD:~$
    vyos@VyOS-AMI-ZAYAD:~$ show vpn ipsec sa
    Peer ID / IP                            Local ID / IP
    ------------                            -------------
    0.0.0.0                                 172.31.61.122

        Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
        ------  -----  -------------  -------  ----  -----  ------  ------  -----
        tun0    down   n/a            n/a      n/a   no     0       30      gre

    vyos@VyOS-AMI-ZAYAD:~$
    vyos@VyOS-AMI-ZAYAD:~$ show vpn lo

    Invalid command: show vpn [lo]

    vyos@VyOS-AMI-ZAYAD:~$ show log
    log login
    vyos@VyOS-AMI-ZAYAD:~$ show log vpn
    Possible completions:
    all Show log for ALL
    ipsec Show log for IPSEC
    l2tp Show log for L2TP
    pptp Show log for PPTP

    vyos@VyOS-AMI-ZAYAD:~$ show log vpn all
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
    Oct 8 23:01:29 VyOS-AMI-ZAYAD ipsec_starter[7781]: pluto (7783) started after 20 ms
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: including NAT-Traversal patch (Version 0.6c) [disabled]
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: failed to load pkcs11 module ‘/usr/lib/opensc-pkcs11.so’
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: Changing to directory ‘/etc/ipsec.d/crls’
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: listening for IKE messages
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: adding interface tun0/tun0 172.16.200.2:500
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: adding interface eth0/eth0 172.31.61.122:500
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: adding interface lo/lo 127.0.0.1:500
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: adding interface lo/lo ::1:500
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: loading secrets from “/etc/ipsec.secrets”
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: loading secrets from “/etc/dmvpn.secrets”
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: loaded PSK secret for 172.31.61.122 %any
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: forgetting secrets
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: loading secrets from “/etc/ipsec.secrets”
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: loading secrets from “/etc/dmvpn.secrets”
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: loaded PSK secret for 172.31.61.122 %any
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: Changing to directory ‘/etc/ipsec.d/crls’
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: forgetting secrets
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: loading secrets from “/etc/ipsec.secrets”
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: loading secrets from “/etc/dmvpn.secrets”
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: loaded PSK secret for 172.31.61.122 %any
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: Changing to directory ‘/etc/ipsec.d/crls’
    Oct 8 23:01:29 VyOS-AMI-ZAYAD pluto[7783]: added connection description “vpnprof-tunnel-tun0”
    Oct 8 23:01:34 VyOS-AMI-ZAYAD pluto[7783]: added connection description “172.16.200.2-to-172.16.200.1”
    Oct 8 23:01:34 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: initiating Main Mode
    Oct 8 23:01:34 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: received Vendor ID payload [strongSwan]
    Oct 8 23:01:34 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: ignoring Vendor ID payload [Cisco-Unity]
    Oct 8 23:01:34 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: received Vendor ID payload [XAUTH]
    Oct 8 23:01:34 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: received Vendor ID payload [Dead Peer Detection]
    Oct 8 23:01:34 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: Peer ID is ID_IPV4_ADDR: ‘172.31.30.23’
    Oct 8 23:01:34 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: we require peer to have ID ‘54.187.74.201’, but peer declares ‘172.31.30.23’
    Oct 8 23:01:34 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: sending encrypted notification INVALID_ID_INFORMATION to 54.187.74.201:500
    Oct 8 23:01:44 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: Peer ID is ID_IPV4_ADDR: ‘172.31.30.23’
    Oct 8 23:01:44 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: we require peer to have ID ‘54.187.74.201’, but peer declares ‘172.31.30.23’
    Oct 8 23:01:44 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: sending encrypted notification INVALID_ID_INFORMATION to 54.187.74.201:500
    Oct 8 23:02:04 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: Peer ID is ID_IPV4_ADDR: ‘172.31.30.23’
    Oct 8 23:02:04 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: we require peer to have ID ‘54.187.74.201’, but peer declares ‘172.31.30.23’
    Oct 8 23:02:04 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: sending encrypted notification INVALID_ID_INFORMATION to 54.187.74.201:500
    Oct 8 23:02:44 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
    Oct 8 23:02:44 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: starting keying attempt 2 of at most 3, but releasing whack
    Oct 8 23:02:44 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #2: initiating Main Mode to replace #1
    Oct 8 23:02:44 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #2: received Vendor ID payload [strongSwan]
    Oct 8 23:02:44 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #2: ignoring Vendor ID payload [Cisco-Unity]
    Oct 8 23:02:44 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #2: received Vendor ID payload [XAUTH]
    Oct 8 23:02:44 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #2: received Vendor ID payload [Dead Peer Detection]
    Oct 8 23:02:44 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #2: Peer ID is ID_IPV4_ADDR: ‘172.31.30.23’
    Oct 8 23:02:44 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #2: we require peer to have ID ‘54.187.74.201’, but peer declares ‘172.31.30.23’
    Oct 8 23:02:44 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #2: sending encrypted notification INVALID_ID_INFORMATION to 54.187.74.201:500
    Oct 8 23:02:54 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #2: Peer ID is ID_IPV4_ADDR: ‘172.31.30.23’
    Oct 8 23:02:54 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #2: we require peer to have ID ‘54.187.74.201’, but peer declares ‘172.31.30.23’
    Oct 8 23:02:54 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #2: sending encrypted notification INVALID_ID_INFORMATION to 54.187.74.201:500
    Oct 8 23:03:15 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #2: Peer ID is ID_IPV4_ADDR: ‘172.31.30.23’
    Oct 8 23:03:15 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #2: we require peer to have ID ‘54.187.74.201’, but peer declares ‘172.31.30.23’
    Oct 8 23:03:15 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #2: sending encrypted notification INVALID_ID_INFORMATION to 54.187.74.201:500
    Oct 8 23:03:54 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #2: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
    Oct 8 23:03:54 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #2: starting keying attempt 3 of at most 3
    Oct 8 23:03:54 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #3: initiating Main Mode to replace #2
    Oct 8 23:03:54 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #3: received Vendor ID payload [strongSwan]
    Oct 8 23:03:54 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #3: ignoring Vendor ID payload [Cisco-Unity]
    Oct 8 23:03:54 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #3: received Vendor ID payload [XAUTH]
    Oct 8 23:03:54 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #3: received Vendor ID payload [Dead Peer Detection]
    Oct 8 23:03:54 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #3: Peer ID is ID_IPV4_ADDR: ‘172.31.30.23’
    Oct 8 23:03:54 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #3: we require peer to have ID ‘54.187.74.201’, but peer declares ‘172.31.30.23’
    Oct 8 23:03:54 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #3: sending encrypted notification INVALID_ID_INFORMATION to 54.187.74.201:500
    Oct 8 23:04:04 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #3: Peer ID is ID_IPV4_ADDR: ‘172.31.30.23’
    Oct 8 23:04:04 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #3: we require peer to have ID ‘54.187.74.201’, but peer declares ‘172.31.30.23’
    Oct 8 23:04:04 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #3: sending encrypted notification INVALID_ID_INFORMATION to 54.187.74.201:500
    Oct 8 23:04:24 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #3: Peer ID is ID_IPV4_ADDR: ‘172.31.30.23’
    Oct 8 23:04:24 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #3: we require peer to have ID ‘54.187.74.201’, but peer declares ‘172.31.30.23’
    Oct 8 23:04:24 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #3: sending encrypted notification INVALID_ID_INFORMATION to 54.187.74.201:500
    Oct 8 23:05:04 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1” #3: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
    Oct 8 23:22:47 VyOS-AMI-ZAYAD pluto[7783]: shutting down
    Oct 8 23:22:47 VyOS-AMI-ZAYAD pluto[7783]: forgetting secrets
    Oct 8 23:22:47 VyOS-AMI-ZAYAD pluto[7783]: “172.16.200.2-to-172.16.200.1”: deleting connection
    Oct 8 23:22:47 VyOS-AMI-ZAYAD pluto[7783]: “vpnprof-tunnel-tun0”: deleting connection
    Oct 8 23:22:47 VyOS-AMI-ZAYAD pluto[7783]: shutting down interface lo/lo ::1
    Oct 8 23:22:47 VyOS-AMI-ZAYAD pluto[7783]: shutting down interface lo/lo 127.0.0.1
    Oct 8 23:22:47 VyOS-AMI-ZAYAD pluto[7783]: shutting down interface eth0/eth0 172.31.61.122
    Oct 8 23:22:47 VyOS-AMI-ZAYAD pluto[7783]: shutting down interface tun0/tun0 172.16.200.2
    Oct 8 23:22:47 VyOS-AMI-ZAYAD ipsec_starter[7781]: pluto stopped after 20 ms
    Oct 8 23:22:50 VyOS-AMI-ZAYAD pluto[10020]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
    Oct 8 23:22:50 VyOS-AMI-ZAYAD pluto[10020]: including NAT-Traversal patch (Version 0.6c) [disabled]
    Oct 8 23:22:50 VyOS-AMI-ZAYAD pluto[10020]: failed to load pkcs11 module ‘/usr/lib/opensc-pkcs11.so’
    Oct 8 23:22:50 VyOS-AMI-ZAYAD pluto[10020]: Changing to directory ‘/etc/ipsec.d/crls’
    Oct 8 23:22:50 VyOS-AMI-ZAYAD ipsec_starter[10019]: pluto (10020) started after 20 ms
    Oct 8 23:22:50 VyOS-AMI-ZAYAD pluto[10020]: listening for IKE messages
    Oct 8 23:22:50 VyOS-AMI-ZAYAD pluto[10020]: adding interface tun0/tun0 172.16.200.2:500
    Oct 8 23:22:50 VyOS-AMI-ZAYAD pluto[10020]: adding interface eth0/eth0 172.31.61.122:500
    Oct 8 23:22:50 VyOS-AMI-ZAYAD pluto[10020]: adding interface lo/lo 127.0.0.1:500
    Oct 8 23:22:50 VyOS-AMI-ZAYAD pluto[10020]: adding interface lo/lo ::1:500
    Oct 8 23:22:50 VyOS-AMI-ZAYAD pluto[10020]: loading secrets from “/etc/ipsec.secrets”
    Oct 8 23:22:50 VyOS-AMI-ZAYAD pluto[10020]: loading secrets from “/etc/dmvpn.secrets”
    Oct 8 23:22:50 VyOS-AMI-ZAYAD pluto[10020]: loaded PSK secret for 172.31.61.122 %any
    Oct 8 23:22:50 VyOS-AMI-ZAYAD pluto[10020]: added connection description “vpnprof-tunnel-tun0”
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: forgetting secrets
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: loading secrets from “/etc/ipsec.secrets”
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: loading secrets from “/etc/dmvpn.secrets”
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: loaded PSK secret for 172.31.61.122 %any
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: Changing to directory ‘/etc/ipsec.d/crls’
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: forgetting secrets
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: loading secrets from “/etc/ipsec.secrets”
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: loading secrets from “/etc/dmvpn.secrets”
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: loaded PSK secret for 172.31.61.122 %any
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: Changing to directory ‘/etc/ipsec.d/crls’
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: forgetting secrets
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: loading secrets from “/etc/ipsec.secrets”
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: loading secrets from “/etc/dmvpn.secrets”
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: loaded PSK secret for 172.31.61.122 %any
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: Changing to directory ‘/etc/ipsec.d/crls’
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: shutting down
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: forgetting secrets
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: “vpnprof-tunnel-tun0”: deleting connection
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: shutting down interface lo/lo ::1
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: shutting down interface lo/lo 127.0.0.1
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: shutting down interface eth0/eth0 172.31.61.122
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10020]: shutting down interface tun0/tun0 172.16.200.2
    Oct 8 23:25:57 VyOS-AMI-ZAYAD ipsec_starter[10019]: pluto stopped after 20 ms
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10849]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10849]: including NAT-Traversal patch (Version 0.6c)
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10849]: failed to load pkcs11 module ‘/usr/lib/opensc-pkcs11.so’
    Oct 8 23:25:57 VyOS-AMI-ZAYAD ipsec_starter[10019]: pluto (10849) started after 20 ms
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10849]: Changing to directory ‘/etc/ipsec.d/crls’
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10849]: listening for IKE messages
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10849]: adding interface tun0/tun0 172.16.200.2:500
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10849]: adding interface tun0/tun0 172.16.200.2:4500
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10849]: adding interface eth0/eth0 172.31.61.122:500
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10849]: adding interface eth0/eth0 172.31.61.122:4500
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10849]: adding interface lo/lo 127.0.0.1:500
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10849]: adding interface lo/lo 127.0.0.1:4500
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10849]: adding interface lo/lo ::1:500
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10849]: loading secrets from “/etc/ipsec.secrets”
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10849]: loading secrets from “/etc/dmvpn.secrets”
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10849]: loaded PSK secret for 172.31.61.122 %any
    Oct 8 23:25:57 VyOS-AMI-ZAYAD pluto[10849]: added connection description “vpnprof-tunnel-tun0”
    Oct 8 23:26:13 VyOS-AMI-ZAYAD pluto[10849]: packet from 54.187.74.201:500: Informational Exchange is for an unknown (expired?) SA
    Oct 8 23:26:35 VyOS-AMI-ZAYAD pluto[10849]: last message repeated 2 times
    Oct 8 23:26:35 VyOS-AMI-Z

    • October 10, 2016

      I’ve not personally tried it out in AWS yet, but I know that DMVPN works from there – we’re doing it from CSR’s right now.

      I suspect that you may need to alter the ‘set interfaces tunnel tun0 local-ip’ value on both sides to reflect your public addresses, rather than the actual address of your instance interfaces. This is just a guess – that’s where I’d start.

      If you try that, please let me know if it works.

  4. syed
    October 14, 2016

    No, the local IP should be private and the remote IP will be public; the private IP should be translated to public when it traverses the 1:1 NAT or default gateway of the AWS VPC. I have tested the same setup with another Cisco device and the same scenario works perfectly. I believe it could be due to an IPsec bug behind NAT; I'm not sure we support IPsec behind NAT on VyOS.

    • October 15, 2016

      I stood up three AWS instances this afternoon to see if I could get it working, and ran into the same results.

      I was able to get mGRE working, but the crypto component fails, much as yours did.

      In my logs, I have this entry:

      Oct 15 20:52:51 VyOS1-AWS ipsec_starter[2828]: pluto (2831) started after 40 ms
      Oct 15 20:52:51 VyOS1-AWS pluto[2831]: including NAT-Traversal patch (Version 0.6c) [disabled]

      Can’t help but wonder if it would be working if that NAT-Traversal patch were [enabled], rather than [disabled]. I’ll ping the developers to see if there’s a command that should be present in order to enable it…
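Added example (not part of the original post or its comments): a small Python triage of pluto log lines like those quoted in this thread. It counts the "we require peer to have ID ..., but peer declares ..." mismatches, flags the case where a peer reached at a public address declares an RFC 1918 ID, and records whether NAT-Traversal was reported as [disabled]. The sample lines are constructed from the thread's log format, and treating a NAT-Traversal line with no suffix as enabled is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the pluto lines quoted in the comments,
# including the typographic quotes the blog's renderer substituted.
SAMPLE_LOG = """\
Oct 8 23:01:29 spoke pluto[7783]: including NAT-Traversal patch (Version 0.6c) [disabled]
Oct 8 23:01:34 spoke pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: initiating Main Mode
Oct 8 23:01:34 spoke pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: we require peer to have ID ‘54.187.74.201’, but peer declares ‘172.31.30.23’
Oct 8 23:01:44 spoke pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: we require peer to have ID ‘54.187.74.201’, but peer declares ‘172.31.30.23’
Oct 8 23:02:44 spoke pluto[7783]: “172.16.200.2-to-172.16.200.1” #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Oct 8 23:25:57 spoke pluto[10849]: including NAT-Traversal patch (Version 0.6c)
"""

# Map the renderer's curly quotes back to the ASCII quotes pluto actually logs.
QUOTES = str.maketrans({"‘": "'", "’": "'", "′": "'", "“": '"', "”": '"'})
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PLUTO = re.compile(r"pluto\[(\d+)\]: (.*)")
NATT = re.compile(r"including NAT-Traversal patch \([^)]*\)(?: \[(\w+)\])?")
MISMATCH = re.compile(
    r"we require peer to have ID '([^']+)', but peer declares '([^']+)'")
STALLED = re.compile(r"max number of retransmissions \(\d+\) reached (STATE_\w+)")


def is_rfc1918(addr):
    """True if addr is an IPv4 address in one of the RFC 1918 private ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # IKE IDs can also be FQDNs or DNs
        return False
    return any(ip in net for net in RFC1918)


def triage(log_text):
    """Summarise NAT-T state, IKE ID mismatches and stalled Main Mode states."""
    nat_t, mismatches, stalled = {}, Counter(), Counter()
    for raw in log_text.splitlines():
        m = PLUTO.search(raw.translate(QUOTES))
        if not m:
            continue
        pid, msg = m.groups()
        if (n := NATT.search(msg)):
            # Assumption: no "[disabled]" suffix means NAT-T is enabled.
            nat_t[pid] = n.group(1) or "enabled"
        elif (n := MISMATCH.search(msg)):
            mismatches[n.groups()] += 1      # key: (expected, declared)
        elif (n := STALLED.search(msg)):
            stalled[n.group(1)] += 1
    hints = []
    for (expected, declared), count in mismatches.items():
        if is_rfc1918(declared) and not is_rfc1918(expected):
            hints.append(
                f"{count}x peer reached at {expected} declares private ID {declared}: "
                "peer is likely behind 1:1 NAT and identifies by its interface address")
    off = sorted(pid for pid, state in nat_t.items() if state == "disabled")
    if off and hints:
        hints.append("NAT-Traversal was [disabled] in pluto pid(s) " + ", ".join(off))
    return {"nat_t": nat_t, "id_mismatches": mismatches,
            "stalled": stalled, "hints": hints}


if __name__ == "__main__":
    for hint in triage(SAMPLE_LOG)["hints"]:
        print(hint)
```

The output of `show log vpn all` can be passed to `triage()` as a single string; an empty `hints` list means neither pattern was seen.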
