Virtual Router/ Firewall/ VPN

Occasional Contributor
Posts: 7
Registered: 06-13-2016

GRE Over IPsec not working B/w V5400 and VyOS

Problem Description:
=============
GRE over IPsec between VyOS and Vyatta is not working; IKE is up but IPsec is down.


GRE-IPSEC B/w VYOS and Vyatta:
====================

Topology:
=========

VYOS(172.31.61.122)—1:1NAT GW —Y.Y.Y.Y———————GRE-IPSEC——————(X.X.X.X)—VYATTA

WHERE X.X.X.X & Y.Y.Y.Y ARE PUBLIC IPs


VYOS-STATIC-NAT-AWS:
====================

wanclouds@VyOS-AMI-ZAYAD:~$ show configuration commands | grep vpn
set vpn ipsec esp-group ESP-1W0 lifetime '86400'
set vpn ipsec esp-group ESP-1W0 mode 'transport'
set vpn ipsec esp-group ESP-1W0 pfs 'dh-group5'
set vpn ipsec esp-group ESP-1W0 proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1W0 proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1W0 lifetime '86400'
set vpn ipsec ike-group IKE-1W0 proposal 1 dh-group '5'
set vpn ipsec ike-group IKE-1W0 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1W0 proposal 1 hash 'md5'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer X.X.X.X authentication id '419b9c8ee2544d598bf209173640f934'
set vpn ipsec site-to-site peer X.X.X.X authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer X.X.X.X authentication pre-shared-secret '62066c88582a411390965d7827d2780c'
set vpn ipsec site-to-site peer X.X.X.X authentication remote-id '419b9c8ee2544d598bf209173640f934'
set vpn ipsec site-to-site peer X.X.X.X default-esp-group 'ESP-1W0'
set vpn ipsec site-to-site peer X.X.X.X ike-group 'IKE-1W0'
set vpn ipsec site-to-site peer X.X.X.X local-address '172.31.61.122'
set vpn ipsec site-to-site peer X.X.X.X tunnel 0 protocol 'gre'
wanclouds@VyOS-AMI-ZAYAD:~$ show configuration commands | grep tunnel
set interfaces tunnel tun0 address '172.168.100.198/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '172.31.61.122'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 remote-ip 'X.X.X.X'
set vpn ipsec site-to-site peer X.X.X.X tunnel 0 protocol 'gre'
wanclouds@VyOS-AMI-ZAYAD:~$ show log
log    login  
wanclouds@VyOS-AMI-ZAYAD:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
X.X.X.X                            172.31.61.122                          

    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     aes256   md5     5        yes    3658    86400  

 
wanclouds@VyOS-AMI-ZAYAD:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
X.X.X.X                            172.31.61.122                          

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    0       down   n/a            n/a      n/a     yes    0       86400   gre

 
wanclouds@VyOS-AMI-ZAYAD:~$ show log
log    login  
wanclouds@VyOS-AMI-ZAYAD:~$ show log tail -20
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #410: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #410: starting keying attempt 37 of an unlimited number
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #428: initiating Quick Mode PSK+ENCRYPT+PFS+UP to replace #410 {using isakmp#15}
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: next payload type of ISAKMP Hash Payload has an unknown value: 58
Apr 11 21:30:45 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: malformed payload in packet
Apr 11 21:30:47 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: last message repeated 3 times
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #411: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #411: starting keying attempt 42 of an unlimited number
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #429: initiating Quick Mode PSK+ENCRYPT+PFS+UP to replace #411 {using isakmp#15}
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: next payload type of ISAKMP Hash Payload has an unknown value: 72
Apr 11 21:30:54 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: malformed payload in packet
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #412: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #412: starting keying attempt 15 of an unlimited number
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #430: initiating Quick Mode PSK+ENCRYPT+PFS+UP to replace #412 {using isakmp#15}
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: byte 2 of ISAKMP Hash Payload must be zero, but is not
Apr 11 21:30:56 VyOS-AMI-ZAYAD pluto[12059]: "peer-X.X.X.X-tunnel-0" #15: malformed payload in packet

VYATTA-PUBLIC-IP:
===============

vyatta@gw-melbourne1-02-06-2016:~$ show configuration commands | grep vpn
set vpn ipsec esp-group ESP-1W0 lifetime '86400'
set vpn ipsec esp-group ESP-1W0 mode 'transport'
set vpn ipsec esp-group ESP-1W0 pfs 'dh-group5'
set vpn ipsec esp-group ESP-1W0 proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1W0 proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1W0 lifetime '86400'
set vpn ipsec ike-group IKE-1W0 proposal 1 dh-group '5'
set vpn ipsec ike-group IKE-1W0 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1W0 proposal 1 hash 'md5'
set vpn ipsec ipsec-interfaces interface 'bond1v1'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer Y.Y.Y.Y authentication id '419b9c8ee2544d598bf209173640f934'
set vpn ipsec site-to-site peer Y.Y.Y.Y authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer Y.Y.Y.Y authentication pre-shared-secret '62066c88582a411390965d7827d2780c'
set vpn ipsec site-to-site peer Y.Y.Y.Y authentication remote-id '419b9c8ee2544d598bf209173640f934'
set vpn ipsec site-to-site peer Y.Y.Y.Y default-esp-group 'ESP-1W0'
set vpn ipsec site-to-site peer Y.Y.Y.Y ike-group 'IKE-1W0'
set vpn ipsec site-to-site peer Y.Y.Y.Y local-address 'X.X.X.X'
set vpn ipsec site-to-site peer Y.Y.Y.Y tunnel 0 protocol 'gre'
vyatta@gw-melbourne1-02-06-2016:~$ show configuration commands | grep tunnel
set interfaces tunnel tun0 address '172.168.100.163/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip 'X.X.X.X'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 remote-ip 'Y.Y.Y.Y'
set vpn ipsec site-to-site peer Y.Y.Y.Y tunnel 0 protocol 'gre'
vyatta@gw-melbourne1-02-06-2016:~$ show vpn ike sa                          
Peer ID / IP                            Local ID / IP               
------------                            -------------
Y.Y.Y.Y                           X.X.X.X                           

    State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----  -------  -----  ------  ------
    up     aes256   md5   5        yes    3377    86400  

 
vyatta@gw-melbourne1-02-06-2016:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
Y.Y.Y.Y                           X.X.X.X                           

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    0       down   n/a            n/a      n/a   yes    0       86400   gre

 

      
vyatta@gw-melbourne1-02-06-2016:~$ show log tail -25
Apr 11 16:32:18 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:18 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[419b9c8ee2544d598bf209173640f934]:47/0...Y.Y.Y.Y:4500[419b9c8ee2544d598bf209173640f934]:47/0===172.31.61.122/32
Apr 11 16:32:18 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_ID_INFORMATION to Y.Y.Y.Y:4500
Apr 11 16:32:19 gw-melbourne1-02-06-2016 sshd[10183]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.177.172.60  user=root
Apr 11 16:32:20 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x8e4cb23d (perhaps this is a duplicated packet)
Apr 11 16:32:20 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:21 gw-melbourne1-02-06-2016 sshd[10181]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.177.172.60  user=root
Apr 11 16:32:21 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x80a5a69d (perhaps this is a duplicated packet)
Apr 11 16:32:21 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:23 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[419b9c8ee2544d598bf209173640f934]:47/0...Y.Y.Y.Y:4500[419b9c8ee2544d598bf209173640f934]:47/0===172.31.61.122/32
Apr 11 16:32:23 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_ID_INFORMATION to Y.Y.Y.Y:4500
Apr 11 16:32:24 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xe95143e1 (perhaps this is a duplicated packet)
Apr 11 16:32:24 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:25 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xac9835cc (perhaps this is a duplicated packet)
Apr 11 16:32:25 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:26 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1c6d8a04 (perhaps this is a duplicated packet)
Apr 11 16:32:26 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:28 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x10df76cd (perhaps this is a duplicated packet)
Apr 11 16:32:28 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:32 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x83384514 (perhaps this is a duplicated packet)
Apr 11 16:32:32 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
Apr 11 16:32:32 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: cannot respond to IPsec SA request because no connection is known for X.X.X.X:4500[419b9c8ee2544d598bf209173640f934]:47/0...Y.Y.Y.Y:4500[419b9c8ee2544d598bf209173640f934]:47/0===172.31.61.122/32
Apr 11 16:32:32 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_ID_INFORMATION to Y.Y.Y.Y:4500
Apr 11 16:32:33 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x142e7918 (perhaps this is a duplicated packet)
Apr 11 16:32:33 gw-melbourne1-02-06-2016 pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:4500
vyatta@gw-melbourne1-02-06-2016:~$
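As an added example, not code from the thread or from either vendor: a small Python checker that parses the VyOS `set` lines and the Vyatta `pluto` line quoted above and explains the "no connection is known for ... ===172.31.61.122/32" rejection. The selector the responder receives is 172.31.61.122/32, the VyOS host's own address before the 1:1 NAT, not Y.Y.Y.Y; the config snippet and log line below are constructed from the thread with the same placeholders, and the reading that transport mode plus NAT-T causes this mismatch is the editor's, not TAC's.

```python
import re

# Constructed sample input modelled on the thread: a trimmed VyOS config and
# one Vyatta pluto line, keeping the poster's X.X.X.X / Y.Y.Y.Y placeholders
# and shortening the 32-hex-char peer id to 'ID'.
VYOS_CONFIG = """\
set vpn ipsec esp-group ESP-1W0 mode 'transport'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer X.X.X.X local-address '172.31.61.122'
set interfaces tunnel tun0 local-ip '172.31.61.122'
"""
VYATTA_LOG = ('Apr 11 16:32:18 gw pluto[7603]: "peer-Y.Y.Y.Y-tunnel-0" #1: '
              'cannot respond to IPsec SA request because no connection is '
              'known for X.X.X.X:4500[ID]:47/0...Y.Y.Y.Y:4500[ID]:47/0'
              '===172.31.61.122/32')
SET_RE = re.compile(r"^set (?P<path>.+) '(?P<value>[^']*)'$")
# pluto: "no connection is known for LOCAL:port[id]:proto/port...PEER:port[id]:proto/port===SELECTOR"
NO_CONN_RE = re.compile(
    r"no connection is known for (?P<local>\S+?):\d+\[[^\]]*\]:\d+/\d+"
    r"\.\.\.(?P<peer>\S+?):\d+\[[^\]]*\]:\d+/\d+===(?P<selector>\S+)")

def parse_config(text):
    """Map each "set <path> '<value>'" line of a VyOS/Vyatta config to {path: value}."""
    matches = (SET_RE.match(line) for line in text.splitlines())
    return {m["path"]: m["value"] for m in matches if m}

def diagnose(config_text, log_line):
    """Return findings explaining why the responder rejected the Quick Mode request."""
    cfg = parse_config(config_text)
    transport = any(k.endswith(" mode") and v == "transport" for k, v in cfg.items())
    natt = cfg.get("vpn ipsec nat-traversal") == "enable"
    m = NO_CONN_RE.search(log_line)
    if not m:
        return []
    findings = []
    selector_ip = m["selector"].split("/")[0]
    # Addresses the initiator uses for itself: the IPsec local-address and the GRE local-ip.
    own_addrs = {v for k, v in cfg.items()
                 if k.endswith(" local-address") or k.endswith(" local-ip")}
    if selector_ip != m["peer"]:
        findings.append(f"phase-2 selector {m['selector']} is not the peer address {m['peer']}"
                        " the responder is talking to")
    if selector_ip in own_addrs:
        findings.append(f"{selector_ip} is the initiator's own local-address/local-ip,"
                        " i.e. its address before the 1:1 NAT")
    if transport and natt and selector_ip != m["peer"]:
        findings.append("transport mode + NAT-T: the inner (pre-NAT) address is sent as the"
                        " selector, so the responder has no connection matching it")
    return findings
```

Run `diagnose(VYOS_CONFIG, VYATTA_LOG)` to get the three findings; a log line without the "no connection is known for" message yields an empty list.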

TAC Mod
Posts: 99
Registered: 04-07-2011

Re: GRE Over IPsec not working B/w V5400 and VyOS

Hello sfaiz13@gmail.com

I spoke with a TAC representative regarding your post and this was their response:

"I am not familiar with VyOS and I don’t think Brocade supports VyOS. Please test it via 5400 to 5400 to see if it works, then we can go from there..."

If you could test that out for us, we'll do our best to troubleshoot the issue with you.

Best Regards,

Denise K.

Brocade Community Team

@DeniseK

Occasional Contributor
Posts: 7
Registered: 06-13-2016

Re: GRE Over IPsec not working B/w V5400 and VyOS

Thanks Denise for looking into it. Sure, will update with 5400 to 5400 GRE over IPsec, as I already did that and it was not working too.

Regards

Syed.

TAC Mod
Posts: 99
Registered: 04-07-2011

Re: GRE Over IPsec not working B/w V5400 and VyOS


Hi @syed-faiz

Glad you tested it already! Here's the response back from TAC:

"If 5400 to 5400 is not working, then it sounds like a misconfiguration problem. One thing that you could try is to restart the VPN service after making changes; i.e., sudo ipsec restart and observe the log (e.g. tail -f /var/log/messages) to see if there is any obvious error. If that doesn’t help, I would suggest that you open a TAC case, as this will need further debug and troubleshooting."

We hope this helps! Please let us know if you have any further questions.

Regards,

Denise
