<div dir="ltr">Hello,<div><br></div><div>I'm trying to connect a VyOS 1.1.6, which comes with IPSec U4.5.2, to a Ubuntu 14.04 LTS EC2 instance running 2.6.38.</div><div><br></div><div>I think I got the link up but I can't get any traffic over it. Here is a log of the startup from scratch:</div><div><br></div><div><div><font face="monospace, monospace"><b>Feb 11 22:47:13 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #1: initiating Main Mode</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from <a href="http://203.191.19.3:4500">203.191.19.3:4500</a>: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from <a href="http://203.191.19.3:4500">203.191.19.3:4500</a>: received Vendor ID payload [Cisco-Unity]</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from <a href="http://203.191.19.3:4500">203.191.19.3:4500</a>: received Vendor ID payload [XAUTH]</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from <a href="http://203.191.19.3:4500">203.191.19.3:4500</a>: received Vendor ID payload [Dead Peer Detection]</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from <a href="http://203.191.19.3:4500">203.191.19.3:4500</a>: received Vendor ID payload [RFC 3947] method set to=115</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from <a href="http://203.191.19.3:4500">203.191.19.3:4500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from <a href="http://203.191.19.3:4500">203.191.19.3:4500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from <a href="http://203.191.19.3:4500">203.191.19.3:4500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from <a href="http://203.191.19.3:4500">203.191.19.3:4500</a>: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: responding to Main Mode</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: STATE_MAIN_R1: sent MR1, expecting MI2</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: STATE_MAIN_R2: sent MR2, expecting MI3</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: Main mode peer ID is ID_IPV4_ADDR: '203.191.19.3'</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: the peer proposed: <a href="http://172.22.0.0/16:0/0">172.22.0.0/16:0/0</a> -> <a href="http://192.168.2.0/24:0/0">192.168.2.0/24:0/0</a></b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: responding to Quick Mode proposal {msgid:cd7b50cb}</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: us: <a href="http://172.22.0.0/16===172.22.0.207[52.63.20.251]---172.22.0.1">172.22.0.0/16===172.22.0.207[52.63.20.251]---172.22.0.1</a></b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: them: 203.191.19.3<203.191.19.3>===<a href="http://192.168.2.0/24">192.168.2.0/24</a></b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2</b></font></div><div><font face="monospace, monospace"><b>Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0xcd5a1422 <0x9998c8e5 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=<a href="http://203.191.19.3:4500">203.191.19.3:4500</a> DPD=none}</b></font></div><div><br></div><div>And here is the output of "ipsec auto --status":</div><div><br></div><div><div><font face="monospace, monospace"><b>000 using kernel interface: netkey</b></font></div><div><font face="monospace, monospace"><b>000 interface lo/lo ::1</b></font></div><div><font face="monospace, monospace"><b>000 interface lo/lo 127.0.0.1</b></font></div><div><font face="monospace, monospace"><b>000 interface lo/lo 127.0.0.1</b></font></div><div><font face="monospace, monospace"><b>000 interface eth0/eth0 172.22.0.207</b></font></div><div><font face="monospace, monospace"><b>000 interface eth0/eth0 172.22.0.207</b></font></div><div><font face="monospace, monospace"><b>000 interface eth0/eth0 52.63.20.251</b></font></div><div><font face="monospace, monospace"><b>000 interface eth0/eth0 52.63.20.251</b></font></div><div><font face="monospace, monospace"><b>000 %myid = (none)</b></font></div><div><font face="monospace, monospace"><b>000 debug none</b></font></div><div><font face="monospace, monospace"><b>000</b></font></div><div><font face="monospace, monospace"><b>000 virtual_private (%priv):</b></font></div><div><font face="monospace, monospace"><b>000 - allowed 6 subnets: <a href="http://10.0.0.0/8">10.0.0.0/8</a>, <a href="http://192.168.0.0/16">192.168.0.0/16</a>, <a href="http://172.16.0.0/12">172.16.0.0/12</a>, <a href="http://25.0.0.0/8">25.0.0.0/8</a>, fd00::/8, fe80::/10</b></font></div><div><font face="monospace, monospace"><b>000 - disallowed 1 subnet: <a href="http://172.22.0.0/16">172.22.0.0/16</a></b></font></div><div><font face="monospace, monospace"><b>000</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128</b></font></div><div><font face="monospace, monospace"><b>000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0</b></font></div><div><font face="monospace, monospace"><b>000</b></font></div><div><font face="monospace, monospace"><b>000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131</b></font></div><div><font face="monospace, monospace"><b>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192</b></font></div><div><font face="monospace, monospace"><b>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128</b></font></div><div><font face="monospace, monospace"><b>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16</b></font></div><div><font face="monospace, monospace"><b>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20</b></font></div><div><font face="monospace, monospace"><b>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32</b></font></div><div><font face="monospace, monospace"><b>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64</b></font></div><div><font face="monospace, monospace"><b>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024</b></font></div><div><font face="monospace, monospace"><b>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536</b></font></div><div><font face="monospace, monospace"><b>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048</b></font></div><div><font face="monospace, monospace"><b>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072</b></font></div><div><font face="monospace, monospace"><b>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096</b></font></div><div><font face="monospace, monospace"><b>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144</b></font></div><div><font face="monospace, monospace"><b>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192</b></font></div><div><font face="monospace, monospace"><b>000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024</b></font></div><div><font face="monospace, monospace"><b>000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048</b></font></div><div><font face="monospace, monospace"><b>000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048</b></font></div><div><font face="monospace, monospace"><b>000</b></font></div><div><font face="monospace, monospace"><b>000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}</b></font></div><div><font face="monospace, monospace"><b>000</b></font></div><div><font face="monospace, monospace"><b>000 "sydney-hub-sydney-office-1": <a href="http://172.22.0.0/16===172.22.0.207[52.63.20.251]---172.22.0.1...203.191.19.3">172.22.0.0/16===172.22.0.207[52.63.20.251]---172.22.0.1...203.191.19.3</a><203.191.19.3>===<a href="http://192.168.2.0/24">192.168.2.0/24</a>; erouted; eroute owner: #3</b></font></div><div><font face="monospace, monospace"><b>000 "sydney-hub-sydney-office-1": myip=52.63.20.251; hisip=unset;</b></font></div><div><font face="monospace, monospace"><b>000 "sydney-hub-sydney-office-1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0</b></font></div><div><font face="monospace, monospace"><b>000 "sydney-hub-sydney-office-1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,24; interface: eth0;</b></font></div><div><font face="monospace, monospace"><b>000 "sydney-hub-sydney-office-1": newest ISAKMP SA: #2; newest IPsec SA: #3;</b></font></div><div><font face="monospace, monospace"><b>000 "sydney-hub-sydney-office-1": IKE algorithm newest: AES_CBC_256-SHA1-MODP1024</b></font></div><div><font face="monospace, monospace"><b>000</b></font></div><div><font face="monospace, monospace"><b>000 #3: "sydney-hub-sydney-office-1":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3237s; newest IPSEC; eroute owner; isakmp#2; idle; import:not set</b></font></div><div><font face="monospace, monospace"><b>000 #3: "sydney-hub-sydney-office-1" <a href="mailto:esp.cd5a1422@203.191.19.3">esp.cd5a1422@203.191.19.3</a> <a href="mailto:esp.9998c8e5@172.22.0.207">esp.9998c8e5@172.22.0.207</a> <a href="mailto:tun.0@203.191.19.3">tun.0@203.191.19.3</a> <a href="mailto:tun.0@172.22.0.207">tun.0@172.22.0.207</a> ref=0 refhim=4294901761</b></font></div><div><font face="monospace, monospace"><b>000 #2: "sydney-hub-sydney-office-1":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3237s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set</b></font></div><div><font face="monospace, monospace"><b>000 #1: "sydney-hub-sydney-office-1":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 21s; nodpd; idle; import:admin initiate</b></font></div><div><font face="monospace, monospace"><b>000 #1: pending Phase 2 for "sydney-hub-sydney-office-1" replacing #0</b></font></div><div><font face="monospace, monospace"><b>000</b></font></div></div><div><br></div><div>But ping to the address of the VyOS host (or any host on the other side) doesn't get any response. I verified that ping from other IPSec tunnels (which use either Vyatta or AWS Virtual Gateway) works fine.</div><div><br></div><div>Here is the configuration of the tunnel from the EC2 side:</div><div><font face="monospace, monospace"><b><br></b></font></div><div><div><font face="monospace, monospace"><b>version 2.0</b></font></div><div><font face="monospace, monospace"><b>config setup</b></font></div><div><font face="monospace, monospace"><b><span class="" style="white-space:pre"> </span>dumpdir=/var/run/pluto/</b></font></div><div><font face="monospace, monospace"><b><span class="" style="white-space:pre"> </span>nat_traversal=yes</b></font></div><div><font face="monospace, monospace"><b><span class="" style="white-space:pre"> </span>virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!172.22.0.0/16">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!172.22.0.0/16</a></b></font></div><div><font face="monospace, monospace"><b><span class="" style="white-space:pre"> </span>oe=off</b></font></div><div><font face="monospace, monospace"><b><span class="" style="white-space:pre"> </span>protostack=netkey</b></font></div><div><font face="monospace, monospace"><b><span class="" style="white-space:pre"> </span>interfaces=%defaultroute</b></font></div><div><b style="font-family:monospace,monospace"><br></b></div><div><b style="font-family:monospace,monospace">conn sydney-hub-sydney-office-1</b><br></div><div><font face="monospace, monospace"><b> type=tunnel</b></font></div><div><font face="monospace, monospace"><b> authby=secret</b></font></div><div><font face="monospace, monospace"><b> forceencaps=yes</b></font></div><div><font face="monospace, monospace"><b> auto=start</b></font></div><div><font face="monospace, monospace"><b> left=%defaultroute</b></font></div><div><font face="monospace, monospace"><b> leftid=52.63.20.251</b></font></div><div><font face="monospace, monospace"><b> leftsourceip=52.63.20.251</b></font></div><div><font face="monospace, monospace"><b> leftnexthop=%defaultroute</b></font></div><div><font face="monospace, monospace"><b> leftsubnet=<a href="http://172.22.0.0/16">172.22.0.0/16</a></b></font></div><div><font face="monospace, monospace"><b> right=203.191.19.3</b></font></div><div><font face="monospace, monospace"><b> rightid=203.191.19.3</b></font></div><div><font face="monospace, monospace"><b> rightsubnet=<a href="http://192.168.2.0/24">192.168.2.0/24</a></b></font></div></div><div><br></div><div><br></div><div>And here it is from the VyOS side (I tried to include all relevant global settings too):</div><div><br></div><div><div><font face="monospace, monospace"><b>version 2.0</b></font></div><div><b style="font-family:monospace,monospace">config setup</b><br></div><div><font face="monospace, monospace"><b> charonstart=yes</b></font></div><div><font face="monospace, monospace"><b> interfaces="%none"</b></font></div><div><font face="monospace, monospace"><b> nat_traversal=yes</b></font></div></div><div><font face="monospace, monospace"><b><br></b></font></div><div><div><font face="monospace, monospace"><b>conn peer-52.63.20.251-tunnel-1</b></font></div><div><font face="monospace, monospace"><b> left=203.191.19.3</b></font></div><div><font face="monospace, monospace"><b> right=52.63.20.251</b></font></div><div><font face="monospace, monospace"><b> leftsubnet=<a href="http://192.168.2.0/24">192.168.2.0/24</a></b></font></div><div><font face="monospace, monospace"><b> rightsubnet=<a href="http://172.22.0.0/16">172.22.0.0/16</a></b></font></div><div><font face="monospace, monospace"><b> leftsourceip=192.168.2.254</b></font></div><div><font face="monospace, monospace"><b> ike=aes256-sha1-modp1024!</b></font></div><div><font face="monospace, monospace"><b> keyexchange=ikev1</b></font></div><div><font face="monospace, monospace"><b> ikelifetime=86400s</b></font></div><div><font face="monospace, monospace"><b> esp=aes256-sha1,3des-md5!</b></font></div><div><font face="monospace, monospace"><b> keylife=3600s</b></font></div><div><font face="monospace, monospace"><b> rekeymargin=540s</b></font></div><div><font face="monospace, monospace"><b> type=tunnel</b></font></div><div><font face="monospace, monospace"><b> pfs=yes</b></font></div><div><font face="monospace, monospace"><b> compress=no</b></font></div><div><font face="monospace, monospace"><b> authby=secret</b></font></div><div><font face="monospace, monospace"><b> auto=start</b></font></div><div><font face="monospace, monospace"><b> keyingtries=%forever</b></font></div></div><div><br></div><div>Here is the "ipsec status" output from the VyOS side for that link (I left out other links):</div><div><br></div><div><div><b><font face="monospace, monospace">000 "peer-52.63.20.251-tunnel-1": <a href="http://192.168.2.0/24===203.191.19.3:4500[203.191.19.3]...52.63.20.251:4500[52.63.20.251]===172.22.0.0/16">192.168.2.0/24===203.191.19.3:4500[203.191.19.3]...52.63.20.251:4500[52.63.20.251]===172.22.0.0/16</a>; erouted; eroute owner: #265</font></b></div><div><b><font face="monospace, monospace">000 "peer-52.63.20.251-tunnel-1": newest ISAKMP SA: #263; newest IPsec SA: #265;</font></b></div></div><div><b><font face="monospace, monospace">...</font></b></div><div><div><b><font face="monospace, monospace">000 #265: "peer-52.63.20.251-tunnel-1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2420s; newest IPSEC; eroute owner</font></b></div><div><b><font face="monospace, monospace">000 #265: "peer-52.63.20.251-tunnel-1" <a href="mailto:esp.9998c8e5@52.63.20.251">esp.9998c8e5@52.63.20.251</a> (0 bytes) <a href="mailto:esp.cd5a1422@203.191.19.3">esp.cd5a1422@203.191.19.3</a> (0 bytes); tunnel</font></b></div><div><b><font face="monospace, monospace">000 #263: "peer-52.63.20.251-tunnel-1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 84976s; newest ISAKMP</font></b></div><div><b><font face="monospace, monospace">000</font></b></div><div><b><font face="monospace, monospace">Security Associations:</font></b></div><div><b><font face="monospace, monospace"> none</font></b></div></div><div><br></div><div>Can anyone see what am I doing wrong?</div><div><br></div><div>Thanks.</div>
</div></div>