Hello,
I'm in the process of establishing a bridge from my ERX at home to my Linux server hosted in a datacenter... The goal is to set up a GRE over IPsec tunnel and play with it. There are many caveats I have to deal with, as 1) I'm new to IPsec and have only been into HowTos for 48h or so, 2) I'm behind an ISP modem, so NAT'ed...
Anyhow, I'm posting here for a specific issue: the ERX's VPN daemon is starting, but it won't even try to initiate a connection with my peer (the hosted server is in respond mode (auto=route), obviously). No errors are shown in "vpn log". Again, it just starts ("ipsec statusall" shows the full monty). Not to mention the logs on my right side show no attempts to connect.
(A manual "ipsec up name_of_the_tunnel" leads to a connection and successful authentication...)
Of course I have
set vpn ipsec site-to-site peer my_peer connection-type initiate
But despite this setting, /etc/ipsec.conf is set to auto=route, which is not what I was expecting. But it explains why I'm not attempting to connect from the ERX (that said, from my 48h-old experience...).
So I had a look into /opt/vyatta/sbin/vpn-config.pl and it seems there is an issue here:

#
# Start automatically
#
if ($any_peer) {
    $genout .= "\tauto=add\n";
    $genout .= "\tkeyingtries=%forever\n";
} else {
    my $conntype = $vcVPN->returnValue("ipsec site-to-site peer $peer connection-type");
    if (defined($conntype)) {
        if ($conntype eq "initiate") {
            $genout .= "\tauto=route\n";
            $genout .= "\tkeyingtries=%forever\n";
        } elsif ($conntype eq "respond") {
            $genout .= "\tauto=route\n";
            ## We want to act as a responder. Ideally we do not want to ever
            ## be a initiator, but we can't avoid it if SPD entries are installed
            ## to protect selected traffic from going out unencrypted. The best we
            ## can do is to not try to attempt keying forever.
            $genout .= "\tkeyingtries=1\n";
        }
    } else {
        $genout .= "\tauto=route\n";
    }
}
To me, if conntype is initiate, it should set $genout to auto=start.
So this might be a bug to report and kill for the next EdgeOS release...
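A quick way to confirm the symptom described in this post on your own box is to read the generated ipsec.conf back and compare the auto= value of the peer's conn against what the configured connection-type should produce. The script below is an added example written for this thread; it is not part of the post, of EdgeOS, or of vpn-config.pl. The sample ipsec.conf, the conn name peer-203.0.113.10-tunnel-1 and the peer address 203.0.113.10 are constructed for illustration, and the expected mapping (initiate -> auto=start, respond -> auto=route) encodes the behaviour the post argues for, not what the shipped script emits.

```python
"""Check the auto= value written for each conn in a generated ipsec.conf.

Added example for the thread above; not code from the forum post or from
EdgeOS / vpn-config.pl. The sample config is constructed to mirror the
reported symptom: a peer configured with connection-type initiate that is
written out with auto=route, so the daemon loads the conn but never
initiates it.
"""
import re

# Constructed sample of a generated /etc/ipsec.conf (not captured from a real box).
SAMPLE_IPSEC_CONF = """\
config setup
\tcharondebug="ike 1"

conn %default
\tkeyexchange=ikev1

conn peer-203.0.113.10-tunnel-1
\tleft=%any
\tright=203.0.113.10
\tauto=route
\tkeyingtries=%forever
\tauthby=secret
"""

# Mapping the post expects from the CLI connection-type to ipsec.conf auto=:
# 'initiate' must actually bring the tunnel up, 'respond' must only load the
# conn and install the policy so the remote peer can connect. This is an
# assumption of the example, not the mapping vpn-config.pl currently emits.
EXPECTED_AUTO = {
    "initiate": "start",
    "respond": "route",
}


def expected_auto(connection_type):
    """Return the auto= value a given connection-type should produce."""
    try:
        return EXPECTED_AUTO[connection_type]
    except KeyError:
        raise ValueError("unknown connection-type: %r" % connection_type)


def parse_conns(text):
    """Parse the conn sections of an ipsec.conf file into {name: {key: value}}.

    Handles the simple 'conn NAME' header followed by indented key=value
    lines that generators like vpn-config.pl write; 'config setup' and any
    other non-conn section is skipped, as are comments and blank lines.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # Section header: only 'conn NAME' starts a section we keep.
            m = re.match(r"conn\s+(\S+)", line)
            current = m.group(1) if m else None
            if current is not None:
                conns.setdefault(current, {})
            continue
        if current is None:
            continue
        key, sep, value = line.strip().partition("=")
        if sep:
            conns[current][key.strip()] = value.strip()
    return conns


def check_auto(text, peer_conn, connection_type):
    """Compare the auto= written for peer_conn with what connection_type needs.

    Returns (actual, expected, ok); actual is None if the conn is missing.
    """
    conns = parse_conns(text)
    actual = conns.get(peer_conn, {}).get("auto")
    expected = expected_auto(connection_type)
    return actual, expected, actual == expected


if __name__ == "__main__":
    # On a real box: check_auto(open("/etc/ipsec.conf").read(), conn_name, "initiate")
    actual, expected, ok = check_auto(
        SAMPLE_IPSEC_CONF, "peer-203.0.113.10-tunnel-1", "initiate")
    print("auto=%s, expected auto=%s -> %s"
          % (actual, expected, "OK" if ok else "MISMATCH"))
```

Run against the real /etc/ipsec.conf after a commit with connection-type initiate; a MISMATCH confirms the generator wrote auto=route for that peer, which matches the "daemon starts but never initiates" behaviour described above, whereas a manual "ipsec up" bypasses the auto= setting entirely.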