I have been experiencing an issue where every 2 or so weeks a VPN connection from one vyatta vrouter (mine) to another vyatta vrouter (owned and operated by a 3rd party) will drop. When it drops, I try to reset the vpn on my router and it won't come up. But if the other person resets the vpn on his router it DOES come up.
So the main issues are:
1. The VPN is dropping out constantly every few weeks
2. I can't restore the VPN by resetting it from my router with reset vpn ipsec-peer x.x.x.x whereas the 3rd party can
These are the messages I see in the logs while the VPN is down (note x.x.x.x represents my public ip address). It just repeats these messages over and over 1-2 times per minute:
packet from x.x.x.x:4500: received Vendor ID payload [strongSwan]
packet from x.x.x.x:4500: ignoring Vendor ID payload [Cisco-Unity]
packet from x.x.x.x:4500: received Vendor ID payload [XAUTH]
packet from x.x.x.x:4500: received Vendor ID payload [Dead Peer Detection]
packet from x.x.x.x:4500: received Vendor ID payload [RFC 3947]
packet from x.x.x.x:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
packet from x.x.x.x:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
packet from x.x.x.x:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
packet from x.x.x.x:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
initial Main Mode message received on x.x.x.x:4500 but no connection has been authorized with policy=PSK
Here is the sanitised VPN config on my end:
set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '86400'
set vpn ipsec esp-group ESP mode 'tunnel'
set vpn ipsec esp-group ESP pfs 'dh-group5'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'md5'
set vpn ipsec ike-group IKE dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE dead-peer-detection interval '15'
set vpn ipsec ike-group IKE dead-peer-detection timeout '30'
set vpn ipsec ike-group IKE lifetime '86400'
set vpn ipsec ike-group IKE proposal 1 dh-group '5'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret 'secretgoeshere'
set vpn ipsec site-to-site peer x.x.x.x connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.x default-esp-group 'ESP'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'IKE'
set vpn ipsec site-to-site peer x.x.x.x local-address 'x.x.x.x' <- local address is my public address on eth0
set vpn ipsec site-to-site peer x.x.x.x tunnel 2 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 2 allow-public-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 2 local prefix '192.168.x.x/24'
set vpn ipsec site-to-site peer x.x.x.x tunnel 2 remote prefix '10.x.x.x/27'
set vpn ipsec site-to-site peer x.x.x.x tunnel 3 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 3 allow-public-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 3 local prefix '192.168.x.x/24'
set vpn ipsec site-to-site peer x.x.x.x tunnel 3 remote prefix '10.x.x.x/27'
set vpn ipsec site-to-site peer x.x.x.x tunnel 4 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 4 allow-public-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 4 local prefix '192.168.x.x/24'
set vpn ipsec site-to-site peer x.x.x.x tunnel 4 remote prefix '10.x.x.x/27'
The config on the other end is identical (with the local and remote prefixes reversed, and different public ip address) although it has this extra configuration:
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec site-to-site peer x.x.x.x authentication id 'x.x.x.x'
set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth 'inherit'
Why does it drop every few weeks? Why does it not allow me to bring it up and reset it, whereas you can on the other (3rd party's) end?
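The repeating log lines quoted in the question are the kind of thing worth watching for on a router: a peer keeps sending IKE Main Mode proposals and the responder keeps answering "no connection has been authorized with policy=PSK", which means the responder has no site-to-site peer definition matching that source. The following is an added example (not code from the question or from Vyatta) that parses pluto-style log lines of exactly that shape, summarises which Vendor IDs each source advertised, and raises a finding when the unauthorized Main Mode message repeats at the rate the question describes (a few times per minute). The log sample is constructed: the syslog prefixes and timestamps are added, and the RFC 5737 documentation addresses 203.0.113.10 (sending peer) and 198.51.100.5 (local address) stand in for the x.x.x.x in the question.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the message texts follow the question, the syslog
# prefix, timestamps and addresses are made up for the example.
SAMPLE_LOG = """\
Jan 10 03:00:01 vyatta pluto[1234]: packet from 203.0.113.10:4500: received Vendor ID payload [strongSwan]
Jan 10 03:00:01 vyatta pluto[1234]: packet from 203.0.113.10:4500: ignoring Vendor ID payload [Cisco-Unity]
Jan 10 03:00:01 vyatta pluto[1234]: packet from 203.0.113.10:4500: received Vendor ID payload [Dead Peer Detection]
Jan 10 03:00:01 vyatta pluto[1234]: packet from 203.0.113.10:4500: received Vendor ID payload [RFC 3947]
Jan 10 03:00:01 vyatta pluto[1234]: packet from 203.0.113.10:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jan 10 03:00:01 vyatta pluto[1234]: initial Main Mode message received on 198.51.100.5:4500 but no connection has been authorized with policy=PSK
Jan 10 03:00:31 vyatta pluto[1234]: packet from 203.0.113.10:4500: received Vendor ID payload [strongSwan]
Jan 10 03:00:31 vyatta pluto[1234]: initial Main Mode message received on 198.51.100.5:4500 but no connection has been authorized with policy=PSK
Jan 10 03:01:02 vyatta pluto[1234]: initial Main Mode message received on 198.51.100.5:4500 but no connection has been authorized with policy=PSK
Jan 10 03:01:02 vyatta pluto[1234]: some unrelated pluto message
"""

# Syslog prefix: "Mon DD HH:MM:SS host process[pid]: message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+\S+:\s+(?P<msg>.*)$")
VENDOR_RE = re.compile(r"^packet from (?P<src>[\d.]+):(?P<port>\d+): (?P<action>received|ignoring) "
                       r"Vendor ID payload \[(?P<vid>[^\]]+)\]$")
UNAUTH_RE = re.compile(r"^initial Main Mode message received on (?P<local>[\d.]+):(?P<port>\d+) "
                       r"but no connection has been authorized with policy=(?P<policy>\w+)$")


def parse_line(line, year=2024):
    """Turn one syslog line into an event dict, or None if it is not a syslog line.
    Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    msg = m.group("msg")
    v = VENDOR_RE.match(msg)
    if v:
        return {"ts": ts, "kind": "vendor_id", "src": v.group("src"), "port": int(v.group("port")),
                "action": v.group("action"), "vid": v.group("vid")}
    u = UNAUTH_RE.match(msg)
    if u:
        return {"ts": ts, "kind": "unauthorized", "local": u.group("local"),
                "port": int(u.group("port")), "policy": u.group("policy")}
    return {"ts": ts, "kind": "other", "msg": msg}


def summarize(log_text, year=2024):
    """Vendor IDs seen per source address, and a count of unauthorized Main Mode
    messages per (local address, auth policy)."""
    vendor_ids = defaultdict(lambda: {"received": set(), "ignoring": set()})
    unauthorized = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        if ev["kind"] == "vendor_id":
            vendor_ids[ev["src"]][ev["action"]].add(ev["vid"])
        elif ev["kind"] == "unauthorized":
            unauthorized[(ev["local"], ev["policy"])] += 1
    return {"vendor_ids": {src: {a: sorted(s) for a, s in acts.items()} for src, acts in vendor_ids.items()},
            "unauthorized": dict(unauthorized)}


def repeated_unauthorized(log_text, min_events=3, window=timedelta(minutes=2), year=2024):
    """Detection rule: return (first, last) timestamps of the first run of at least
    `min_events` unauthorized Main Mode messages that fall inside `window`, else None."""
    stamps = sorted(ev["ts"] for ev in (parse_line(l, year) for l in log_text.splitlines())
                    if ev and ev["kind"] == "unauthorized")
    for i in range(len(stamps) - min_events + 1):
        if stamps[i + min_events - 1] - stamps[i] <= window:
            return stamps[i], stamps[i + min_events - 1]
    return None


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("repeated unauthorized Main Mode run:", repeated_unauthorized(SAMPLE_LOG))
```

Feed it a real log with `repeated_unauthorized(open("/var/log/messages").read())` and tune `min_events` and `window` to the retry cadence; the per-source Vendor ID summary is useful when the other end asks what its router advertised (NAT-T drafts, DPD, XAUTH) during the failed negotiation.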
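The question compares two `set vpn ipsec ...` configs by eye and notes that the 3rd party's end carries extra keys (`key-exchange`, `ikev2-reauth`, `authentication id`). As an added example (not code from the question or from Vyatta), the script below parses both ends' `set` lines into path/value maps and checks them the way a site-to-site tunnel has to line up: global IKE/ESP settings must match, each side's `local-address` must be the peer address the other side configured, and each tunnel's local prefix must equal the other side's remote prefix. The two configs are constructed excerpts in the shape of the question's, with the documentation addresses 198.51.100.5 (this end) and 203.0.113.10 (the 3rd party) and sample prefixes in place of the sanitised values; the pre-shared secret is compared but never printed.

```python
import shlex

# Constructed excerpts modelled on the configs in the question (addresses and
# prefixes are made up). The remote side carries the extra keys the question lists.
LOCAL_CFG = """\
set vpn ipsec ike-group IKE lifetime '86400'
set vpn ipsec ike-group IKE proposal 1 dh-group '5'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha1'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 203.0.113.10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.10 authentication pre-shared-secret 'secretgoeshere'
set vpn ipsec site-to-site peer 203.0.113.10 connection-type 'initiate'
set vpn ipsec site-to-site peer 203.0.113.10 ike-group 'IKE'
set vpn ipsec site-to-site peer 203.0.113.10 local-address '198.51.100.5'
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 2 local prefix '192.168.1.0/24'
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 2 remote prefix '10.0.0.0/27'
"""
REMOTE_CFG = """\
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '86400'
set vpn ipsec ike-group IKE proposal 1 dh-group '5'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha1'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 198.51.100.5 authentication id '198.51.100.5'
set vpn ipsec site-to-site peer 198.51.100.5 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 198.51.100.5 authentication pre-shared-secret 'secretgoeshere'
set vpn ipsec site-to-site peer 198.51.100.5 connection-type 'initiate'
set vpn ipsec site-to-site peer 198.51.100.5 ike-group 'IKE'
set vpn ipsec site-to-site peer 198.51.100.5 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 198.51.100.5 local-address '203.0.113.10'
set vpn ipsec site-to-site peer 198.51.100.5 tunnel 2 local prefix '10.0.0.0/27'
set vpn ipsec site-to-site peer 198.51.100.5 tunnel 2 remote prefix '192.168.1.0/24'
"""

PEER_PREFIX = ("vpn", "ipsec", "site-to-site", "peer")
PSK_PATH = ("authentication", "pre-shared-secret")
# Keys that legitimately exist on one side only or differ by design.
ONE_SIDED_OK = {("local-address",), ("authentication", "id")}


def parse_set_config(text):
    """Parse `set a b c 'value'` lines into {path_tuple: value}; other lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if len(tokens) >= 3 and tokens[0] == "set":
            cfg[tuple(tokens[1:-1])] = tokens[-1]
    return cfg


def split_config(cfg):
    """Separate global settings from per-peer subtrees: (global, {peer_ip: {subpath: value}})."""
    global_cfg, peers = {}, {}
    for path, value in cfg.items():
        if path[:4] == PEER_PREFIX and len(path) > 5:
            peers.setdefault(path[4], {})[path[5:]] = value
        else:
            global_cfg[path] = value
    return global_cfg, peers


def mirror(subpath):
    """A tunnel's local prefix on one side must be the remote prefix on the other."""
    if len(subpath) == 4 and subpath[0] == "tunnel" and subpath[2] in ("local", "remote"):
        return (subpath[0], subpath[1], "remote" if subpath[2] == "local" else "local", subpath[3])
    return subpath


def check_peer_pair(local_text, remote_text):
    """Compare both ends' configs and return a list of human-readable findings."""
    lg, lp = split_config(parse_set_config(local_text))
    rg, rp = split_config(parse_set_config(remote_text))
    findings = []
    for path in sorted(set(lg) | set(rg)):                     # global IKE/ESP/NAT-T settings
        if lg.get(path) != rg.get(path):
            findings.append(f"global {' '.join(path)}: local={lg.get(path)!r} remote={rg.get(path)!r}")
    for l_peer, l_sub in lp.items():
        our_addr = l_sub.get(("local-address",))
        r_sub = rp.get(our_addr)
        if r_sub is None:                                       # the responder cannot authorize us
            findings.append(f"peer {l_peer}: remote has no peer entry for our address {our_addr!r}")
            continue
        if r_sub.get(("local-address",)) != l_peer:
            findings.append(f"peer {l_peer}: remote local-address {r_sub.get(('local-address',))!r} does not match")
        for sub in sorted(set(l_sub) | {mirror(s) for s in r_sub}):
            if sub in ONE_SIDED_OK:
                continue
            lv, rv = l_sub.get(sub), r_sub.get(mirror(sub))
            if sub == PSK_PATH:
                if lv != rv:
                    findings.append(f"peer {l_peer}: pre-shared-secret differs (values not shown)")
            elif lv != rv:
                findings.append(f"peer {l_peer} {' '.join(sub)}: local={lv!r} remote={rv!r}")
    return findings


if __name__ == "__main__":
    for finding in check_peer_pair(LOCAL_CFG, REMOTE_CFG):
        print(finding)
```

Run against the two configs as written, it reports only the three one-sided keys (`key-exchange`, and `ikev2-reauth` at group and peer level); a prefix or proposal that disagrees between the ends shows up as a fourth line, and a remote side with no peer entry for our address is reported as such, which is the condition behind the "no connection has been authorized" log message.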