<p dir="ltr">Thanks.<br>
I double-checked the firewall rules (and Security Group) and they are OK. This EC2 instance also talks fine with other destinations (a Virtual Gateway).<br>
I also saw traffic in both directions using tcpdump on both sides.</p>
<p dir="ltr">BUT! After I sent this question and doing more tests I tried to just blow up this instance and let the automatic configuration (Autoscaling group) bring up a fresh EC2 instance and things started working again (I.e. I can ping hosts over the tunnel).</p>
<p dir="ltr">I suspect that the enabling of nat-traversal on the VyOS side after a few attempts from this specific instance, which was the only change I made, somehow didn't register with the instance but once I switched to a fresh instance it worked.</p>
<p dir="ltr">Cheers,<br>
Amos</p>
<div class="gmail_quote">On 12 Feb 2016 7:03 p.m., "Nick Howitt" <<a href="mailto:nick@howitts.co.uk">nick@howitts.co.uk</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The tunnel is up. Check your firewall rules.<br>
<br>
On 2016-02-11 23:13, Amos Shapira wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello,<br>
<br>
I'm trying to connect a VyOS 1.1.6, which comes with IPSec U4.5.2, to<br>
an Ubuntu 14.04 LTS EC2 instance running 2.6.38.<br>
<br>
I think I got the link up but I can't get any traffic over it. Here is<br>
a log of the startup from scratch:<br>
<br>
FEB 11 22:47:13 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #1: INITIATING MAIN MODE<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM 203.191.19.3:4500: IGNORING UNKNOWN VENDOR ID PAYLOAD [882FE56D6FD20DBC2251613B2EBE5BEB]<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM 203.191.19.3:4500: RECEIVED VENDOR ID PAYLOAD [CISCO-UNITY]<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM 203.191.19.3:4500: RECEIVED VENDOR ID PAYLOAD [XAUTH]<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM 203.191.19.3:4500: RECEIVED VENDOR ID PAYLOAD [DEAD PEER DETECTION]<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM 203.191.19.3:4500: RECEIVED VENDOR ID PAYLOAD [RFC 3947] METHOD SET TO=115<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM 203.191.19.3:4500: RECEIVED VENDOR ID PAYLOAD [DRAFT-IETF-IPSEC-NAT-T-IKE-03] METH=108, BUT ALREADY USING METHOD 115<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM 203.191.19.3:4500: RECEIVED VENDOR ID PAYLOAD [DRAFT-IETF-IPSEC-NAT-T-IKE-02] METH=107, BUT ALREADY USING METHOD 115<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM 203.191.19.3:4500: RECEIVED VENDOR ID PAYLOAD [DRAFT-IETF-IPSEC-NAT-T-IKE-02_N] METH=106, BUT ALREADY USING METHOD 115<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM 203.191.19.3:4500: RECEIVED VENDOR ID PAYLOAD [DRAFT-IETF-IPSEC-NAT-T-IKE-00]<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: RESPONDING TO MAIN MODE<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: TRANSITION FROM STATE STATE_MAIN_R0 TO STATE STATE_MAIN_R1<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: STATE_MAIN_R1: SENT MR1, EXPECTING MI2<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: NAT-TRAVERSAL: RESULT USING DRAFT-IETF-IPSEC-NAT-T-IKE (MACOS X): BOTH ARE NATED<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: TRANSITION FROM STATE STATE_MAIN_R1 TO STATE STATE_MAIN_R2<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: STATE_MAIN_R2: SENT MR2, EXPECTING MI3<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: MAIN MODE PEER ID IS ID_IPV4_ADDR: '203.191.19.3'<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: TRANSITION FROM STATE STATE_MAIN_R2 TO STATE STATE_MAIN_R3<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: STATE_MAIN_R3: SENT MR3, ISAKMP SA ESTABLISHED {AUTH=OAKLEY_PRESHARED_KEY CIPHER=AES_256 PRF=OAKLEY_SHA GROUP=MODP1024}<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: THE PEER PROPOSED: 172.22.0.0/16:0/0 -&gt; 192.168.2.0/24:0/0<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #3: RESPONDING TO QUICK MODE PROPOSAL {MSGID:CD7B50CB}<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #3:     US: 172.22.0.0/16===172.22.0.207[52.63.20.251]---172.22.0.1<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #3:   THEM: 203.191.19.3&lt;203.191.19.3&gt;===192.168.2.0/24<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #3: TRANSITION FROM STATE STATE_QUICK_R0 TO STATE STATE_QUICK_R1<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #3: STATE_QUICK_R1: SENT QR1, INBOUND IPSEC SA INSTALLED, EXPECTING QI2<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #3: TRANSITION FROM STATE STATE_QUICK_R1 TO STATE STATE_QUICK_R2<br>
FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: "SYDNEY-HUB-SYDNEY-OFFICE-1" #3: STATE_QUICK_R2: IPSEC SA ESTABLISHED TUNNEL MODE {ESP/NAT=&gt;0XCD5A1422 &lt;0X9998C8E5 XFRM=AES_256-HMAC_SHA1 NATOA=NONE NATD=203.191.19.3:4500 DPD=NONE}<br>
<br>
And here is the output of "ipsec auto --status":<br>
<br>
000 USING KERNEL INTERFACE: NETKEY<br>
000 INTERFACE LO/LO ::1<br>
000 INTERFACE LO/LO 127.0.0.1<br>
000 INTERFACE LO/LO 127.0.0.1<br>
000 INTERFACE ETH0/ETH0 172.22.0.207<br>
000 INTERFACE ETH0/ETH0 172.22.0.207<br>
000 INTERFACE ETH0/ETH0 52.63.20.251<br>
000 INTERFACE ETH0/ETH0 52.63.20.251<br>
000 %MYID = (NONE)<br>
000 DEBUG NONE<br>
000<br>
000 VIRTUAL_PRIVATE (%PRIV):<br>
000 - ALLOWED 6 SUBNETS: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, FD00::/8, FE80::/10<br>
000 - DISALLOWED 1 SUBNET: 172.22.0.0/16<br>
000<br>
000 ALGORITHM ESP ENCRYPT: ID=2, NAME=ESP_DES, IVLEN=8, KEYSIZEMIN=64,<br>
KEYSIZEMAX=64<br>
000 ALGORITHM ESP ENCRYPT: ID=3, NAME=ESP_3DES, IVLEN=8,<br>
KEYSIZEMIN=192, KEYSIZEMAX=192<br>
000 ALGORITHM ESP ENCRYPT: ID=6, NAME=ESP_CAST, IVLEN=8,<br>
KEYSIZEMIN=40, KEYSIZEMAX=128<br>
000 ALGORITHM ESP ENCRYPT: ID=7, NAME=ESP_BLOWFISH, IVLEN=8,<br>
KEYSIZEMIN=40, KEYSIZEMAX=448<br>
000 ALGORITHM ESP ENCRYPT: ID=11, NAME=ESP_NULL, IVLEN=0,<br>
KEYSIZEMIN=0, KEYSIZEMAX=0<br>
000 ALGORITHM ESP ENCRYPT: ID=12, NAME=ESP_AES, IVLEN=8,<br>
KEYSIZEMIN=128, KEYSIZEMAX=256<br>
000 ALGORITHM ESP ENCRYPT: ID=13, NAME=ESP_AES_CTR, IVLEN=8,<br>
KEYSIZEMIN=160, KEYSIZEMAX=288<br>
000 ALGORITHM ESP ENCRYPT: ID=14, NAME=ESP_AES_CCM_A, IVLEN=8,<br>
KEYSIZEMIN=128, KEYSIZEMAX=256<br>
000 ALGORITHM ESP ENCRYPT: ID=15, NAME=ESP_AES_CCM_B, IVLEN=8,<br>
KEYSIZEMIN=128, KEYSIZEMAX=256<br>
000 ALGORITHM ESP ENCRYPT: ID=16, NAME=ESP_AES_CCM_C, IVLEN=8,<br>
KEYSIZEMIN=128, KEYSIZEMAX=256<br>
000 ALGORITHM ESP ENCRYPT: ID=18, NAME=ESP_AES_GCM_A, IVLEN=8,<br>
KEYSIZEMIN=128, KEYSIZEMAX=256<br>
000 ALGORITHM ESP ENCRYPT: ID=19, NAME=ESP_AES_GCM_B, IVLEN=8,<br>
KEYSIZEMIN=128, KEYSIZEMAX=256<br>
000 ALGORITHM ESP ENCRYPT: ID=20, NAME=ESP_AES_GCM_C, IVLEN=8,<br>
KEYSIZEMIN=128, KEYSIZEMAX=256<br>
000 ALGORITHM ESP ENCRYPT: ID=22, NAME=ESP_CAMELLIA, IVLEN=8,<br>
KEYSIZEMIN=128, KEYSIZEMAX=256<br>
000 ALGORITHM ESP ENCRYPT: ID=252, NAME=ESP_SERPENT, IVLEN=8,<br>
KEYSIZEMIN=128, KEYSIZEMAX=256<br>
000 ALGORITHM ESP ENCRYPT: ID=253, NAME=ESP_TWOFISH, IVLEN=8,<br>
KEYSIZEMIN=128, KEYSIZEMAX=256<br>
000 ALGORITHM ESP AUTH ATTR: ID=1, NAME=AUTH_ALGORITHM_HMAC_MD5,<br>
KEYSIZEMIN=128, KEYSIZEMAX=128<br>
000 ALGORITHM ESP AUTH ATTR: ID=2, NAME=AUTH_ALGORITHM_HMAC_SHA1,<br>
KEYSIZEMIN=160, KEYSIZEMAX=160<br>
000 ALGORITHM ESP AUTH ATTR: ID=5, NAME=AUTH_ALGORITHM_HMAC_SHA2_256,<br>
KEYSIZEMIN=256, KEYSIZEMAX=256<br>
000 ALGORITHM ESP AUTH ATTR: ID=6, NAME=AUTH_ALGORITHM_HMAC_SHA2_384,<br>
KEYSIZEMIN=384, KEYSIZEMAX=384<br>
000 ALGORITHM ESP AUTH ATTR: ID=7, NAME=AUTH_ALGORITHM_HMAC_SHA2_512,<br>
KEYSIZEMIN=512, KEYSIZEMAX=512<br>
000 ALGORITHM ESP AUTH ATTR: ID=8, NAME=AUTH_ALGORITHM_HMAC_RIPEMD,<br>
KEYSIZEMIN=160, KEYSIZEMAX=160<br>
000 ALGORITHM ESP AUTH ATTR: ID=9, NAME=AUTH_ALGORITHM_AES_CBC,<br>
KEYSIZEMIN=128, KEYSIZEMAX=128<br>
000 ALGORITHM ESP AUTH ATTR: ID=251, NAME=AUTH_ALGORITHM_NULL_KAME,<br>
KEYSIZEMIN=0, KEYSIZEMAX=0<br>
000<br>
000 ALGORITHM IKE ENCRYPT: ID=0, NAME=(NULL), BLOCKSIZE=16,<br>
KEYDEFLEN=131<br>
000 ALGORITHM IKE ENCRYPT: ID=5, NAME=OAKLEY_3DES_CBC, BLOCKSIZE=8,<br>
KEYDEFLEN=192<br>
000 ALGORITHM IKE ENCRYPT: ID=7, NAME=OAKLEY_AES_CBC, BLOCKSIZE=16,<br>
KEYDEFLEN=128<br>
000 ALGORITHM IKE HASH: ID=1, NAME=OAKLEY_MD5, HASHSIZE=16<br>
000 ALGORITHM IKE HASH: ID=2, NAME=OAKLEY_SHA1, HASHSIZE=20<br>
000 ALGORITHM IKE HASH: ID=4, NAME=OAKLEY_SHA2_256, HASHSIZE=32<br>
000 ALGORITHM IKE HASH: ID=6, NAME=OAKLEY_SHA2_512, HASHSIZE=64<br>
000 ALGORITHM IKE DH GROUP: ID=2, NAME=OAKLEY_GROUP_MODP1024,<br>
BITS=1024<br>
000 ALGORITHM IKE DH GROUP: ID=5, NAME=OAKLEY_GROUP_MODP1536,<br>
BITS=1536<br>
000 ALGORITHM IKE DH GROUP: ID=14, NAME=OAKLEY_GROUP_MODP2048,<br>
BITS=2048<br>
000 ALGORITHM IKE DH GROUP: ID=15, NAME=OAKLEY_GROUP_MODP3072,<br>
BITS=3072<br>
000 ALGORITHM IKE DH GROUP: ID=16, NAME=OAKLEY_GROUP_MODP4096,<br>
BITS=4096<br>
000 ALGORITHM IKE DH GROUP: ID=17, NAME=OAKLEY_GROUP_MODP6144,<br>
BITS=6144<br>
000 ALGORITHM IKE DH GROUP: ID=18, NAME=OAKLEY_GROUP_MODP8192,<br>
BITS=8192<br>
000 ALGORITHM IKE DH GROUP: ID=22, NAME=OAKLEY_GROUP_DH22, BITS=1024<br>
000 ALGORITHM IKE DH GROUP: ID=23, NAME=OAKLEY_GROUP_DH23, BITS=2048<br>
000 ALGORITHM IKE DH GROUP: ID=24, NAME=OAKLEY_GROUP_DH24, BITS=2048<br>
000<br>
000 STATS DB_OPS: {CURR_CNT, TOTAL_CNT, MAXSZ} :CONTEXT={0,0,0}<br>
TRANS={0,0,0} ATTRS={0,0,0}<br>
000<br>
000 "SYDNEY-HUB-SYDNEY-OFFICE-1":<br>
<a href="http://172.22.0.0/16===172.22.0.207%5B52.63.20.251%5D---172.22.0.1...203.191.19.3" rel="noreferrer" target="_blank">172.22.0.0/16===172.22.0.207[52.63.20.251]---172.22.0.1...203.191.19.3</a><br>
[11]<203.191.19.3>===<a href="http://192.168.2.0/24" rel="noreferrer" target="_blank">192.168.2.0/24</a> [5]; EROUTED; EROUTE OWNER: #3<br>
000 "SYDNEY-HUB-SYDNEY-OFFICE-1":     MYIP=52.63.20.251; HISIP=UNSET;<br>
000 "SYDNEY-HUB-SYDNEY-OFFICE-1":   IKE_LIFE: 3600S; IPSEC_LIFE:<br>
28800S; REKEY_MARGIN: 540S; REKEY_FUZZ: 100%; KEYINGTRIES: 0<br>
000 "SYDNEY-HUB-SYDNEY-OFFICE-1":   POLICY:<br>
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV2ALLOW+SAREFTRACK+LKOD+RKOD; PRIO:<br>
16,24; INTERFACE: ETH0;<br>
000 "SYDNEY-HUB-SYDNEY-OFFICE-1":   NEWEST ISAKMP SA: #2; NEWEST IPSEC<br>
SA: #3;<br>
000 "SYDNEY-HUB-SYDNEY-OFFICE-1":   IKE ALGORITHM NEWEST:<br>
AES_CBC_256-SHA1-MODP1024<br>
000<br>
000 #3: "SYDNEY-HUB-SYDNEY-OFFICE-1":4500 STATE_QUICK_R2 (IPSEC SA<br>
ESTABLISHED); EVENT_SA_REPLACE IN 3237S; NEWEST IPSEC; EROUTE OWNER;<br>
ISAKMP#2; IDLE; IMPORT:NOT SET<br>
000 #3: "SYDNEY-HUB-SYDNEY-OFFICE-1" <a href="mailto:ESP.CD5A1422@203.191.19.3" target="_blank">ESP.CD5A1422@203.191.19.3</a><br>
<a href="mailto:ESP.9998C8E5@172.22.0.207" target="_blank">ESP.9998C8E5@172.22.0.207</a> <a href="mailto:TUN.0@203.191.19.3" target="_blank">TUN.0@203.191.19.3</a> <a href="mailto:TUN.0@172.22.0.207" target="_blank">TUN.0@172.22.0.207</a> REF=0<br>
REFHIM=4294901761<br>
000 #2: "SYDNEY-HUB-SYDNEY-OFFICE-1":4500 STATE_MAIN_R3 (SENT MR3,<br>
ISAKMP SA ESTABLISHED); EVENT_SA_REPLACE IN 3237S; NEWEST ISAKMP;<br>
LASTDPD=-1S(SEQ IN:0 OUT:0); IDLE; IMPORT:NOT SET<br>
000 #1: "SYDNEY-HUB-SYDNEY-OFFICE-1":500 STATE_MAIN_I1 (SENT MI1,<br>
EXPECTING MR1); EVENT_RETRANSMIT IN 21S; NODPD; IDLE; IMPORT:ADMIN<br>
INITIATE<br>
000 #1: PENDING PHASE 2 FOR "SYDNEY-HUB-SYDNEY-OFFICE-1" REPLACING #0<br>
000<br>
<br>
But ping to the address of the VyOS host (or any host on the other<br>
side) doesn't get any response. I verified that ping from other IPSec<br>
tunnels (which use either Vyatta or AWS Virtual Gateway) works fine.<br>
<br>
Here is the configuration of the tunnel from the EC2 side:<br>
<br>
VERSION 2.0<br>
CONFIG SETUP<br>
 DUMPDIR=/VAR/RUN/PLUTO/<br>
 NAT_TRAVERSAL=YES<br>
<br>
 VIRTUAL_PRIVATE=%V4:10.0.0.0/8,%V4:192.168.0.0/16,%V4:172.16.0.0/12,%V4:25.0.0.0/8,%V6:FD00::/8,%V6:FE80::/10,%V4:!172.22.0.0/16<br>
 OE=OFF<br>
 PROTOSTACK=NETKEY<br>
 INTERFACES=%DEFAULTROUTE<br>
<br>
CONN SYDNEY-HUB-SYDNEY-OFFICE-1<br>
<br>
    TYPE=TUNNEL<br>
    AUTHBY=SECRET<br>
    FORCEENCAPS=YES<br>
    AUTO=START<br>
    LEFT=%DEFAULTROUTE<br>
    LEFTID=52.63.20.251<br>
    LEFTSOURCEIP=52.63.20.251<br>
    LEFTNEXTHOP=%DEFAULTROUTE<br>
    LEFTSUBNET=172.22.0.0/16<br>
    RIGHT=203.191.19.3<br>
    RIGHTID=203.191.19.3<br>
    RIGHTSUBNET=192.168.2.0/24<br>
<br>
And here it is from the VyOS side (I tried to include all relevant<br>
global settings too):<br>
<br>
VERSION 2.0<br>
CONFIG SETUP<br>
<br>
        CHARONSTART=YES<br>
        INTERFACES="%NONE"<br>
        NAT_TRAVERSAL=YES<br>
<br>
CONN PEER-52.63.20.251-TUNNEL-1<br>
        LEFT=203.191.19.3<br>
        RIGHT=52.63.20.251<br>
        LEFTSUBNET=192.168.2.0/24<br>
        RIGHTSUBNET=172.22.0.0/16<br>
        LEFTSOURCEIP=192.168.2.254<br>
        IKE=AES256-SHA1-MODP1024!<br>
        KEYEXCHANGE=IKEV1<br>
        IKELIFETIME=86400S<br>
        ESP=AES256-SHA1,3DES-MD5!<br>
        KEYLIFE=3600S<br>
        REKEYMARGIN=540S<br>
        TYPE=TUNNEL<br>
        PFS=YES<br>
        COMPRESS=NO<br>
        AUTHBY=SECRET<br>
        AUTO=START<br>
        KEYINGTRIES=%FOREVER<br>
<br>
Here is the "ipsec status" output from the VyOS side for that link (I<br>
left out other links):<br>
<br>
000 "PEER-52.63.20.251-TUNNEL-1":<br>
<a href="http://192.168.2.0/24===203.191.19.3:4500%5B203.191.19.3%5D...52.63.20.251:4500%5B52.63.20.251%5D===172.22.0.0/16" rel="noreferrer" target="_blank">192.168.2.0/24===203.191.19.3:4500[203.191.19.3]...52.63.20.251:4500[52.63.20.251]===172.22.0.0/16</a><br>
[13]; EROUTED; EROUTE OWNER: #265<br>
000 "PEER-52.63.20.251-TUNNEL-1":   NEWEST ISAKMP SA: #263; NEWEST<br>
IPSEC SA: #265;<br>
...<br>
<br>
000 #265: "PEER-52.63.20.251-TUNNEL-1" STATE_QUICK_I2 (SENT QI2, IPSEC<br>
SA ESTABLISHED); EVENT_SA_REPLACE IN 2420S; NEWEST IPSEC; EROUTE OWNER<br>
000 #265: "PEER-52.63.20.251-TUNNEL-1" ESP.9998C8E5@52.63.20.251 (0 BYTES) ESP.CD5A1422@203.191.19.3 (0 BYTES); TUNNEL<br>
000 #263: "PEER-52.63.20.251-TUNNEL-1" STATE_MAIN_I4 (ISAKMP SA<br>
ESTABLISHED); EVENT_SA_REPLACE IN 84976S; NEWEST ISAKMP<br>
000<br>
SECURITY ASSOCIATIONS:<br>
  NONE<br>
<br>
Can anyone see what I am doing wrong?<br>
<br>
Thanks.<br>
<br>
<br>
_______________________________________________<br>
<a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a><br>
<a href="https://lists.openswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
</blockquote>
</blockquote></div>
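<p dir="ltr">The two status dumps quoted above line up in a way worth checking mechanically: the EC2 side prints ESP/NAT=&gt;0XCD5A1422 &lt;0X9998C8E5 and the VyOS side prints the same two SPIs with (0 BYTES) on each. The script below is an added example, not code from the thread, openswan or VyOS; it parses constructed copies of those status lines, confirms the SPIs agree on both ends, and flags the zero byte counters, which is the signal that separates a policy, routing or UDP/4500 encapsulation problem from an IKE failure once the SA is up. Function and regex names are assumptions of this example.</p>

```python
"""Cross-check openswan "ipsec status" output from both ends of a tunnel.
Hypothetical helper, not from the thread, openswan or VyOS: it pairs the ESP
SPIs each side reports and reads the per-SA byte counters."""
import re
from dataclasses import dataclass, field

# Constructed copies of the status lines quoted in the thread, each joined
# back onto one line as pluto prints it (the ISAKMP line is kept as a control).
EC2_STATUS = """\
000 #3: "SYDNEY-HUB-SYDNEY-OFFICE-1":4500 STATE_QUICK_R2 (IPSEC SA ESTABLISHED); EVENT_SA_REPLACE IN 3237S; NEWEST IPSEC; EROUTE OWNER; ISAKMP#2; IDLE; IMPORT:NOT SET
000 #3: "SYDNEY-HUB-SYDNEY-OFFICE-1" ESP.CD5A1422@203.191.19.3 ESP.9998C8E5@172.22.0.207 TUN.0@203.191.19.3 TUN.0@172.22.0.207 REF=0 REFHIM=4294901761
000 #2: "SYDNEY-HUB-SYDNEY-OFFICE-1":4500 STATE_MAIN_R3 (SENT MR3, ISAKMP SA ESTABLISHED); EVENT_SA_REPLACE IN 3237S; NEWEST ISAKMP; IDLE; IMPORT:NOT SET
"""
VYOS_STATUS = """\
000 #265: "PEER-52.63.20.251-TUNNEL-1" STATE_QUICK_I2 (SENT QI2, IPSEC SA ESTABLISHED); EVENT_SA_REPLACE IN 2420S; NEWEST IPSEC; EROUTE OWNER
000 #265: "PEER-52.63.20.251-TUNNEL-1" ESP.9998C8E5@52.63.20.251 (0 BYTES) ESP.CD5A1422@203.191.19.3 (0 BYTES); TUNNEL
"""

SA_LINE = re.compile(r'^000 #(\d+): "([^"]+)"', re.I)
CHILD_UP = re.compile(r"\bIPSEC SA ESTABLISHED\b", re.I)
ESP_SPI = re.compile(r"ESP\.([0-9A-F]+)@(\d{1,3}(?:\.\d{1,3}){3})(?:\s*\((\d+) BYTES\))?", re.I)

@dataclass
class ChildSa:
    num: int
    conn: str
    established: bool = False
    spis: dict = field(default_factory=dict)  # spi hex -> (dst addr, bytes or None)

def parse_status(text):
    """Return {sa_number: ChildSa} for every SA line that carries ESP SPIs."""
    sas = {}
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue
        sa = sas.setdefault(int(m.group(1)), ChildSa(int(m.group(1)), m.group(2)))
        if CHILD_UP.search(line):
            sa.established = True
        for spi, dst, nbytes in ESP_SPI.findall(line):
            sa.spis[spi.lower()] = (dst, int(nbytes) if nbytes else None)
    return {n: s for n, s in sas.items() if s.spis}  # drops ISAKMP (phase 1) SAs

def diagnose(local_text, remote_text):
    """Compare both ends and report what a first-line triage needs to know."""
    local, remote = parse_status(local_text), parse_status(remote_text)
    both = [*local.values(), *remote.values()]
    l_spis = {spi for sa in local.values() for spi in sa.spis}
    r_spis = {spi for sa in remote.values() for spi in sa.spis}
    counters = [b for sa in both for _, b in sa.spis.values() if b is not None]
    result = {
        "established_both": bool(local and remote and all(sa.established for sa in both)),
        "spi_match": bool(l_spis) and l_spis == r_spis,
        "zero_traffic": bool(counters) and all(b == 0 for b in counters),
    }
    if all(result.values()):
        result["hint"] = "SAs agree but carry 0 bytes: check xfrm policy, routing and NAT-T encapsulation"
    return result
```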