This is a bit frustrating. I had this briefly working and went to switch to using Dynamic DNS names instead of IP addresses; it took the tunnel down (expected) and never came back up (not expected). In particular, these are two EdgeRouter Lite units that have both been updated to the latest firmware, v1.9.0, and this is the relevant config and output from both devices. You can see the "ubnt" ERL is clearly making attempts to reach the "apartment" ERL and that's ending up in the logs. For some reason, though, it looks like the "apartment" ERL is NOT attempting to reach the "ubnt" ERL, nor is it responding to the packets it's receiving beyond logging the attempt. WTF?
First, the apartment ERL:
jamesb2147@apartment:~$ show configuration all
[snipped down to vpn section]
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        site-to-site {
            peer parents.embaucha.com {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description "Parents house"
                ike-group FOO0
                ikev2-reauth inherit
                local-address any
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.254.0/24
                    }
                    remote {
                        prefix 192.168.2.0/24
                    }
                }
            }
        }
    }
}
jamesb2147@apartment:~$
Now, the ubnt ERL config:
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        site-to-site {
            peer apartment.embaucha.com {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description ApartmentComcastConnection
                ike-group FOO0
                ikev2-reauth inherit
                local-address any
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.2.0/24
                    }
                    remote {
                        prefix 192.168.254.0/24
                    }
                }
            }
        }
    }
}
jamesb2147@ubnt:~$
Apartment ERL VPN logs, state, and status (notice the "state" has no result):
jamesb2147@apartment:~$ show vpn log tail
Aug 25 13:15:13 14[IKE] <1> 98.223.90.74 is initiating a Main Mode IKE_SA
Aug 25 13:16:11 08[KNL] interface ifb_eth0 deactivated
Aug 25 13:16:11 06[KNL] fe80::e092:26ff:fe33:9b9e disappeared from ifb_eth0
Aug 25 13:16:11 04[KNL] interface ifb_eth0 deleted
Aug 25 13:17:55 00[DMN] signal of type SIGINT received. Shutting down
Aug 25 13:17:58 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64)
Aug 25 13:18:03 14[IKE] <1> 98.223.90.74 is initiating a Main Mode IKE_SA
Aug 25 13:18:25 00[DMN] signal of type SIGINT received. Shutting down
Aug 25 13:18:28 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64)
Aug 25 13:21:13 12[IKE] <1> 98.223.90.74 is initiating a Main Mode IKE_SA
^C
jamesb2147@apartment:~$ show vpn ipsec state
jamesb2147@apartment:~$ show vpn ipsec status
IPSec Process Running PID: 3866

0 Active IPsec Tunnels

IPsec Interfaces :
jamesb2147@apartment:~$
Ubnt ERL VPN logs, state, and status:
jamesb2147@ubnt:~$ show vpn log tail
Aug 25 13:09:29 06[KNL] creating acquire job for policy 192.168.2.145/32[tcp/46141] === 192.168.254.65/32[tcp/http-alt] with reqid {1}
Aug 25 13:09:30 16[IKE] <peer-apartment.embaucha.com-tunnel-1|3> initiating Main Mode IKE_SA peer-apartment.embaucha.com-tunnel-1[3] to 73.210.40.85
Aug 25 13:12:14 12[KNL] creating acquire job for policy 192.168.2.145/32[tcp/46147] === 192.168.254.65/32[tcp/http-alt] with reqid {1}
Aug 25 13:12:15 13[IKE] <peer-apartment.embaucha.com-tunnel-1|4> initiating Main Mode IKE_SA peer-apartment.embaucha.com-tunnel-1[4] to 73.210.40.85
Aug 25 13:15:12 10[KNL] creating acquire job for policy 192.168.2.145/32[tcp/55534] === 192.168.254.31/32[tcp/http-alt] with reqid {1}
Aug 25 13:15:13 11[IKE] <peer-apartment.embaucha.com-tunnel-1|5> initiating Main Mode IKE_SA peer-apartment.embaucha.com-tunnel-1[5] to 73.210.40.85
Aug 25 13:17:57 06[KNL] creating acquire job for policy 192.168.2.145/32[tcp/43752] === 192.168.254.31/32[tcp/http-alt] with reqid {1}
Aug 25 13:17:58 16[IKE] <peer-apartment.embaucha.com-tunnel-1|6> initiating Main Mode IKE_SA peer-apartment.embaucha.com-tunnel-1[6] to 73.210.40.85
Aug 25 13:21:12 11[KNL] creating acquire job for policy 192.168.2.145/32[tcp/44190] === 192.168.254.65/32[tcp/http-alt] with reqid {1}
Aug 25 13:21:13 12[IKE] <peer-apartment.embaucha.com-tunnel-1|7> initiating Main Mode IKE_SA peer-apartment.embaucha.com-tunnel-1[7] to 73.210.40.85
^C
jamesb2147@ubnt:~$ show vpn ipsec state
src 98.223.90.74 dst 73.210.40.85
    proto esp spi 0x00000000 reqid 1 mode tunnel
    replay-window 0
    sel src 192.168.2.145/32 dst 192.168.254.65/32 proto tcp sport 44190 dport 8080
jamesb2147@ubnt:~$ show vpn ipsec status
IPSec Process Running PID: 6359

0 Active IPsec Tunnels

IPsec Interfaces :
jamesb2147@ubnt:~$
Any help would be much appreciated. I don't know where to go from here. Is there any code outside of the VPN section that *might* conflict with a VPN config? It just boggles my mind that I had this working perfectly fine yesterday, and that switching to DNS peers (instead of explicit IP peers) somehow messed that up.
Thanks for any help and have a great day!
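An added diagnostic (not from the post or from Ubiquiti) that reads the two charon excerpts above, reconstructed here as constructed sample input, to show the one-sided handshake in numbers: one side only ever initiates, the other only ever sees inbound initiations and never completes an SA. It also checks whether each configured peer name currently resolves to an address actually seen on the wire, since a stale Dynamic DNS record is the first thing to rule out after switching from IP to name peers; the resolver mapping is a hypothetical stand-in for a live lookup, and the `ESTABLISHED` pattern assumes strongSwan's usual `IKE_SA <name>[<id>] established` wording, which never appears in the post.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the two charon excerpts in the post.
APARTMENT_LOG = """\
Aug 25 13:15:13 14[IKE] <1> 98.223.90.74 is initiating a Main Mode IKE_SA
Aug 25 13:18:03 14[IKE] <1> 98.223.90.74 is initiating a Main Mode IKE_SA
Aug 25 13:21:13 12[IKE] <1> 98.223.90.74 is initiating a Main Mode IKE_SA
"""
UBNT_LOG = """\
Aug 25 13:15:13 11[IKE] <peer-apartment.embaucha.com-tunnel-1|5> initiating Main Mode IKE_SA peer-apartment.embaucha.com-tunnel-1[5] to 73.210.40.85
Aug 25 13:21:13 12[IKE] <peer-apartment.embaucha.com-tunnel-1|7> initiating Main Mode IKE_SA peer-apartment.embaucha.com-tunnel-1[7] to 73.210.40.85
"""

INBOUND = re.compile(r"\[IKE\] <[^>]+> (\S+) is initiating a Main Mode IKE_SA")
OUTBOUND = re.compile(r"\[IKE\] <[^>]+> initiating Main Mode IKE_SA \S+ to (\S+)")
# Assumed strongSwan wording for a completed handshake; no such line appears in the post.
ESTABLISHED = re.compile(r"\[IKE\] <[^>]+> IKE_SA \S+ established")

def handshake_summary(log):
    """Count Main Mode initiations per peer address, in each direction, plus established SAs."""
    inbound, outbound, established = Counter(), Counter(), 0
    for line in log.splitlines():
        if m := INBOUND.search(line):
            inbound[m.group(1)] += 1
        elif m := OUTBOUND.search(line):
            outbound[m.group(1)] += 1
        elif ESTABLISHED.search(line):
            established += 1
    return {"inbound": dict(inbound), "outbound": dict(outbound), "established": established}

def unanswered_initiators(summary):
    """Addresses that keep initiating to this side without any SA ever being established."""
    return [] if summary["established"] else sorted(summary["inbound"])

def stale_peer_names(peer_names, resolver, observed_addrs):
    """Configured peer names whose current resolution contains none of the addresses seen on
    the wire. `resolver` is a hypothetical name -> set-of-addresses mapping standing in for a
    live DNS lookup so the check runs offline."""
    return [n for n in peer_names if not (resolver.get(n, set()) & set(observed_addrs))]

if __name__ == "__main__":
    apt = handshake_summary(APARTMENT_LOG)
    print("apartment ignores initiations from:", unanswered_initiators(apt))
    # Hypothetical resolver result: the DDNS record still points at an old address.
    stale = stale_peer_names(["parents.embaucha.com"],
                             {"parents.embaucha.com": {"203.0.113.9"}}, apt["inbound"])
    print("peer names not matching any observed initiator:", stale)
```

Run it against `show vpn log tail` output from each router after re-resolving the peer names; an empty `stale_peer_names` result with a non-empty `unanswered_initiators` list points away from DNS and toward policy or firewall matching on the responder.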