The Water Cooler

Packets not routed via IPSec tunnels

    Posted Oct 23, 2018 01:54 AM

    I'm running Brocade vRouter 5600.

    I've got 2 gateways running in high availability, and they've been running for a couple of years, working fine.

    I'm trying to set up a VPN/IPSec on one of my gateways, and have packets routed via the 4 tunnels created.

    These are my configuration commands:


    set security vpn ipsec esp-group MY-ESP compression 'disable'
    set security vpn ipsec esp-group MY-ESP lifetime '3600'
    set security vpn ipsec esp-group MY-ESP mode 'tunnel'
    set security vpn ipsec esp-group MY-ESP pfs 'dh-group5'
    set security vpn ipsec esp-group MY-ESP proposal 1 encryption 'aes256'
    set security vpn ipsec esp-group MY-ESP proposal 1 hash 'sha1'
    
    set security vpn ipsec ike-group MY-IKEV1 dead-peer-detection action 'restart'
    set security vpn ipsec ike-group MY-IKEV1 dead-peer-detection interval '20'
    set security vpn ipsec ike-group MY-IKEV1 dead-peer-detection timeout '90'
    set security vpn ipsec ike-group MY-IKEV1 ike-version '1'
    set security vpn ipsec ike-group MY-IKEV1 lifetime '86400'
    set security vpn ipsec ike-group MY-IKEV1 proposal 1 dh-group '5'
    set security vpn ipsec ike-group MY-IKEV1 proposal 1 encryption 'aes256'
    set security vpn ipsec ike-group MY-IKEV1 proposal 1 hash 'sha1'
    
    set security vpn ipsec site-to-site peer 70.21.22.99 authentication mode 'pre-shared-secret'
    set security vpn ipsec site-to-site peer 70.21.22.99 authentication pre-shared-secret 'PSK'
    set security vpn ipsec site-to-site peer 70.21.22.99 connection-type 'initiate'
    set security vpn ipsec site-to-site peer 70.21.22.99 default-esp-group 'MY-ESP'
    set security vpn ipsec site-to-site peer 70.21.22.99 description 'MY VPN GW1'
    set security vpn ipsec site-to-site peer 70.21.22.99 ike-group 'MY-IKEV1'
    set security vpn ipsec site-to-site peer 70.21.22.99 local-address '5.67.88.253'
    set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 0 local prefix '201.199.10.11/32'
    set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 0 remote prefix '70.99.100.11/32'
    set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 1 local prefix '211.198.11.22/32'
    set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 1 remote prefix '70.99.100.90/32'
    set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 2 local prefix '211.198.11.90/32'
    set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 2 remote prefix '70.101.100.11/32'
    set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 3 local prefix '201.199.11.66/32'
    set security vpn ipsec site-to-site peer 70.21.22.99 tunnel 3 remote prefix '5.100.90.21/32'

    This results in the following output from show vpn ipsec sa peer 70.21.22.99:

    Peer ID / IP                            Local ID / IP
    ------------                            -------------
    70.21.22.99                             5.67.88.253

        Description: MY VPN GW1

      Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
      ------  ----------  -----  -------------  ------------  --------  --  ------  ------
      0       7           up     0.0/0.0        aes256        sha1      5   93      3600
      1       8           up     0.0/0.0        aes256        sha1      5   93      3600
      2       9           up     0.0/0.0        aes256        sha1      5   93      3600
      3       10          up     0.0/0.0        aes256        sha1      5   93      3600


    But when I, for example, try to ping 70.99.100.11, the "Bytes Out/In" doesn't change, and my remote peer cannot see any packets entering their gateway.

    How can I make sure packets for the remote IP addresses are routed via my VPN/IPSec tunnels?


    #TheWaterCooler
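The site-to-site configuration above is policy-based IPsec: a tunnel's "local prefix" and "remote prefix" are traffic selectors, and a packet is only encapsulated when its source address falls inside the local prefix and its destination inside the same tunnel's remote prefix. Anything else is forwarded according to the ordinary routing table, unencrypted, and the SA counters never move. The script below is an added example (it is not from the post, from Broadcom/Brocade, or from the vRouter itself) that models that selector check over the four tunnels in the post, so you can test a given source/destination pair before looking at packet counters. It assumes the first-match semantics described above and reads the tunnel 1 remote prefix as 70.99.100.90/32.

```python
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Tunnel(NamedTuple):
    tunnel_id: int
    local_prefix: str   # "set ... tunnel N local prefix"
    remote_prefix: str  # "set ... tunnel N remote prefix"


# Traffic selectors transcribed from the post's configuration.
# Tunnel 1's remote prefix is assumed to be a /32 (the post shows it without the slash).
TUNNELS: List[Tunnel] = [
    Tunnel(0, "201.199.10.11/32", "70.99.100.11/32"),
    Tunnel(1, "211.198.11.22/32", "70.99.100.90/32"),
    Tunnel(2, "211.198.11.90/32", "70.101.100.11/32"),
    Tunnel(3, "201.199.11.66/32", "5.100.90.21/32"),
]

# Address used by the local-address statement; a ping issued on the router
# itself is sourced from an interface address like this unless told otherwise.
ROUTER_PUBLIC_ADDRESS = "5.67.88.253"


def select_tunnel(src: str, dst: str, tunnels: List[Tunnel] = TUNNELS,
                  direction: str = "out") -> Optional[int]:
    """Return the id of the first tunnel whose selectors cover the packet, or None.

    Outbound ("out"): src must be in the local prefix AND dst in the remote prefix
    of the same tunnel. Inbound ("in"): the reverse pairing. A packet that matches
    no tunnel is not protected by IPsec and follows normal routing in the clear.
    """
    if direction not in ("out", "in"):
        raise ValueError("direction must be 'out' or 'in'")
    s, d = ip_address(src), ip_address(dst)
    for t in tunnels:
        local, remote = ip_network(t.local_prefix), ip_network(t.remote_prefix)
        if direction == "out" and s in local and d in remote:
            return t.tunnel_id
        if direction == "in" and s in remote and d in local:
            return t.tunnel_id
    return None


def local_prefixes_for(dst: str, tunnels: List[Tunnel] = TUNNELS) -> List[str]:
    """List the local prefixes a packet must be sourced from to reach dst via IPsec.

    Useful when a ping shows no counter movement: if the address you are
    pinging from is not in this list, the packet was never a candidate.
    """
    d = ip_address(dst)
    return [t.local_prefix for t in tunnels if d in ip_network(t.remote_prefix)]


def explain(src: str, dst: str, tunnels: List[Tunnel] = TUNNELS) -> str:
    """One-line verdict for an outbound packet, for a quick sanity check."""
    tid = select_tunnel(src, dst, tunnels)
    if tid is not None:
        return f"{src} -> {dst}: encapsulated by tunnel {tid}"
    wanted = local_prefixes_for(dst, tunnels)
    if wanted:
        return (f"{src} -> {dst}: NOT encapsulated; destination is covered, "
                f"but source must be within {', '.join(wanted)}")
    return f"{src} -> {dst}: NOT encapsulated; no tunnel covers this destination"


if __name__ == "__main__":
    # A ping sourced from the router's public address does not match tunnel 0,
    # while the same destination reached from the configured local prefix does.
    print(explain(ROUTER_PUBLIC_ADDRESS, "70.99.100.11"))
    print(explain("201.199.10.11", "70.99.100.11"))
    print(explain("201.199.10.11", "70.99.100.90"))   # wrong pairing of prefixes
    print(explain("201.199.10.11", "8.8.8.8"))         # destination not covered at all
```

The checker is deliberately strict about pairing: a source in tunnel 0's local prefix and a destination in tunnel 1's remote prefix matches nothing, which is exactly what per-tunnel /32 selectors enforce on the router. When the "Bytes Out/In" column stays at 0.0/0.0 for every tunnel, running the source and destination of the test traffic through select_tunnel is a faster first check than waiting on the remote peer's packet captures.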