Troubleshooting a Vyatta Site-to-site VPN connection

Using a Vyatta Appliance, you can establish a secure site-to-site VPN connection between your cloud infrastructure at any Rackspace site and your data center or existing IT infrastructure location. You can find details on how to configure a site-to-site VPN here.

The purpose of this guide is to provide the steps needed to troubleshoot a Vyatta IPsec site-to-site VPN.


Log onto the Vyatta Appliance using ssh:

ssh vyatta@X.X.X.X

Where X.X.X.X is the IP address of the Vyatta's public interface. You will see a "Welcome to Vyatta" message and a prompt for your Vyatta password.

Once you're logged into the appliance, you can enter a "?" or press the Tab key for help.

Enter configuration mode:

vyatta@vyatta:~$ configure

The # at the end of the prompt indicates you're in configuration mode.

Check Configuration

First of all, check the VPN configuration settings (in configuration mode) to ensure they match what is configured on the remote peer. Verify the IKE (Phase 1) and ESP (Phase 2) configuration in particular.

vyatta@vyatta# show vpn ipsec
 esp-group ESP-1W {
     lifetime 3600
     proposal 1 {
         encryption aes256
         hash sha1
     }
     proposal 2 {
         encryption 3des
         hash md5
     }
 }
 ike-group IKE-1W {
     lifetime 86400
     proposal 1 {
         dh-group 2
         encryption aes256
         hash sha1
     }
 }
 ipsec-interfaces {
     interface eth3
 }
 site-to-site {
     peer {
         authentication {
             mode pre-shared-secret
             pre-shared-secret abc123
         }
         default-esp-group ESP-1W
         ike-group IKE-1W
         tunnel 1 {
             local {
             }
             remote {
             }
         }
     }
 }

If the settings match, also check the NAT and firewall settings by running the commands "show nat" and "show firewall". Note that "show vpn ipsec" prints the pre-shared secret in clear text (abc123 in the example above), so redact it before pasting the output into a ticket or e-mail.
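The two peers do not need identical configurations: IKE selects the first proposal that both sides accept, so what matters is that at least one IKE proposal and at least one ESP proposal are common to both. The script below is an added example, not part of the Rackspace article. It extracts the proposals from a "show vpn ipsec" dump and reports the intersection for each phase. The local dump is the one shown above; the two remote dumps are constructed and assumed to be in Vyatta syntax (a second Vyatta, or the peer's settings transcribed into that form).

```shell
#!/bin/sh
# Added example (not part of the Rackspace article): pull the IKE and ESP
# proposals out of a "show vpn ipsec" dump and report which ones both peers
# share. A tunnel negotiates when the intersection is non-empty for Phase 1
# and for Phase 2; an empty intersection is the mismatch the text asks you
# to look for. Remote dumps below are constructed, in Vyatta syntax.

# One line per proposal: "ike enc/hash/dhN" or "esp enc/hash".
# Closing braces are not needed, so pasted "show vpn ipsec" output works.
proposals() {
    printf '%s\n' "$1" | awk '
        function flush(   line) {
            if (prop == "") return
            line = enc "/" hash
            if (dh != "") line = line "/dh" dh
            print phase, line
            prop = ""
        }
        /^ *ike-group /  { flush(); phase = "ike" }
        /^ *esp-group /  { flush(); phase = "esp" }
        /^ *(ipsec-interfaces|site-to-site) / { flush(); phase = "" }
        phase != "" && /^ *proposal /   { flush(); prop = $2; dh = enc = hash = "" }
        phase != "" && /^ *dh-group /   { dh = $2 }
        phase != "" && /^ *encryption / { enc = $2 }
        phase != "" && /^ *hash /       { hash = $2 }
        END { flush() }'
}

# Proposals present on both sides for one phase ("ike" or "esp"), one per line.
common() {
    { proposals "$1" | grep "^$3 " | sort -u
      proposals "$2" | grep "^$3 " | sort -u; } | sort | uniq -d | cut -d' ' -f2-
}

# "ok" when each phase shares a proposal, otherwise the phase that has none.
verdict() {
    if   [ -z "$(common "$1" "$2" ike)" ]; then echo ike-mismatch
    elif [ -z "$(common "$1" "$2" esp)" ]; then echo esp-mismatch
    else echo ok
    fi
}

# Local side: the ESP-1W / IKE-1W groups from the dump on this page.
LOCAL=$(cat <<'EOF'
 esp-group ESP-1W {
     lifetime 3600
     proposal 1 {
         encryption aes256
         hash sha1
     }
     proposal 2 {
         encryption 3des
         hash md5
     }
 }
 ike-group IKE-1W {
     lifetime 86400
     proposal 1 {
         dh-group 2
         encryption aes256
         hash sha1
     }
 }
 ipsec-interfaces {
     interface eth3
 }
EOF
)
# Constructed peer offering only 3DES/MD5 for ESP: still negotiable, because
# the local ESP-1W proposal 2 matches it.
REMOTE=$(cat <<'EOF'
 esp-group ESP-DC {
     proposal 1 {
         encryption 3des
         hash md5
     }
 }
 ike-group IKE-DC {
     proposal 1 {
         dh-group 2
         encryption aes256
         hash sha1
     }
 }
EOF
)
# Constructed peer whose only IKE proposal uses DH group 5: Phase 1 can never
# complete against IKE-1W, however good the ESP settings are.
REMOTE_DH5=$(cat <<'EOF'
 esp-group ESP-DC {
     proposal 1 {
         encryption aes256
         hash sha1
     }
 }
 ike-group IKE-DC {
     proposal 1 {
         dh-group 5
         encryption aes256
         hash sha1
     }
 }
EOF
)

echo "local vs REMOTE:     $(verdict "$LOCAL" "$REMOTE")"
echo "local vs REMOTE_DH5: $(verdict "$LOCAL" "$REMOTE_DH5")"
```

Lifetimes are deliberately left out of the comparison: they do not have to match for the tunnel to come up, although a large difference shows up later as one side rekeying before the other expects it.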

Confirm PHASE 1 

Exit configuration mode by typing 'exit'.

Next, check (in operational mode) whether Phase 1 has completed by listing the Phase 1 (IKE) SAs.

vyatta@vyatta:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------                
State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
-----  -------  ----  -------  -----  ------  ------
up     aes256   sha1  2        no     2012    86400

If no SA is listed, or the State column does not show 'up', there is typically either a mismatch in the Phase 1 (IKE) settings between the two peers, or IKE traffic (UDP 500, and UDP 4500 when NAT traversal is in use) is being blocked between you and the remote peer.

It is also possible that no traffic from the endpoint is reaching either VPN peer, so nothing has triggered the Phase 1 negotiation in the first place.

To confirm that traffic from your local endpoint (for example, your cloud server) is reaching the Vyatta appliance, view the Vyatta's connection tracking table. In the example below (the source and destination addresses have been removed) the appliance is successfully seeing ICMP traffic from the cloud server to the remote endpoint.

vyatta@vyatta:~$ show conntrack table ipv4
               FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK,
               TW - TIME WAIT, CL - CLOSE, LI - LISTEN

CONN ID    Source                 Destination            Protocol         TIMEOUT
2064070048            ipsec-esp [50]   599
2059185248        tcp [6] ES       430831
2046153568             icmp [1]         29
2064070912       udp [17]         168
2064070624        udp [17]         28
2064069184        tcp [6] ES       299
2046153280              icmp [1]         9


Confirm PHASE 2

Next, check whether Phase 2 has completed by listing the Phase 2 (IPsec) SAs. Again, if no SA is listed or the State column does not show 'up', there is either a mismatch in the Phase 2 (ESP) settings between the two peers, or ESP (IP protocol 50, shown as ipsec-esp [50] in the conntrack table above) is being blocked between you and the remote peer. With NAT traversal the ESP packets are encapsulated in UDP 4500 instead, so that port must be open in that case. A tunnel can also show 'up' with Bytes Out/In of 0.0/0.0, as in the example below: the SA was negotiated but no traffic has matched the tunnel's local and remote prefixes yet, so check routing on both ends and the conntrack table before suspecting the VPN itself.

Note: to obtain further information, the keyword detail or statistics can be appended to the command below, as in 'show vpn ipsec sa detail' or 'show vpn ipsec sa statistics'.

vyatta@vyatta:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------                

   Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
   ------  -----  -------------  -------  ----  -----  ------  ------  -----
   1       up     0.0/0.0        aes256   sha1  no     2030    3600    all
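The Phase 1 and Phase 2 checks above form a fixed decision order: no IKE SA, then no IPsec SA, then an SA with no traffic, then traffic leaving but nothing returning. The script below is an added example, not part of the Rackspace article, that applies that order to the text of "show vpn ike sa" and "show vpn ipsec sa" and prints the diagnosis together with the next thing to check. The sample outputs are constructed with documentation addresses and follow the column layout shown on this page; on the appliance itself they would be the output of the real commands.

```shell
#!/bin/sh
# Added example (not part of the Rackspace article): classify a Vyatta
# site-to-site tunnel from the text of "show vpn ike sa" and
# "show vpn ipsec sa", applying the Phase 1 / Phase 2 checks in order.
# The samples at the bottom are constructed (documentation addresses) and
# follow the column layout shown on this page.

# State column of the first IKE SA data row, or "none" if no SA exists.
# A data row has 7 fields and does not start with a dash (the ruler line).
ike_state() {
    printf '%s\n' "$1" | awk '
        NF == 7 && $1 !~ /^-/ { print $1; found = 1; exit }
        END { if (!found) print "none" }'
}

# "<state> <bytes_out> <bytes_in>" for tunnel $2 in the ipsec SA output $1,
# expanding the K/M/G suffixes of the Bytes Out/In column; "none 0 0" if
# the tunnel has no SA row.
ipsec_tunnel() {
    printf '%s\n' "$1" | awk -v tun="$2" '
        function bytes(s,   n, u) {
            n = s + 0                        # awk keeps the numeric prefix
            u = substr(s, length(s), 1)
            if (u == "K") n *= 1024
            else if (u == "M") n *= 1048576
            else if (u == "G") n *= 1073741824
            return n
        }
        NF == 9 && $1 == tun {
            split($3, io, "/")
            printf "%s %d %d\n", $2, bytes(io[1]), bytes(io[2])
            found = 1; exit
        }
        END { if (!found) print "none 0 0" }'
}

# One-word diagnosis for tunnel $3 (default 1), given the two outputs.
verdict() {
    ike=$(ike_state "$1")
    sa=$(ipsec_tunnel "$2" "${3:-1}")
    set -- $sa                               # state, bytes out, bytes in
    if   [ "$ike" != "up" ]; then echo phase1-down
    elif [ "$1" != "up" ]; then echo phase2-down
    elif [ "$2" -eq 0 ] && [ "$3" -eq 0 ]; then echo no-traffic
    elif [ "$3" -eq 0 ]; then echo no-return
    else echo ok
    fi
}

# Diagnosis plus the next check to make, in the order the text gives.
triage() {
    v=$(verdict "$@")
    case $v in
    phase1-down) h="no IKE SA: compare ike-group proposals with the peer, check UDP 500 (and 4500 with NAT-T), confirm traffic reaches the appliance with 'show conntrack table ipv4'" ;;
    phase2-down) h="IKE up but no IPsec SA: compare esp-group proposals and tunnel local/remote prefixes, check that ESP (IP protocol 50) is not filtered" ;;
    no-traffic)  h="SA negotiated but idle: nothing matches the tunnel prefixes, check routing and NAT on the local side" ;;
    no-return)   h="ESP leaves but nothing returns: check routing and inbound ESP filtering on the remote side" ;;
    ok)          h="traffic flowing both ways; 'show vpn ipsec sa statistics' has per-tunnel counters" ;;
    esac
    echo "$v: $h"
}

# --- constructed sample outputs ---
IKE_UP=$(cat <<'EOF'
Peer ID / IP                            Local ID / IP
------------                            -------------
203.0.113.10                            198.51.100.5

    State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----  -------  -----  ------  ------
    up     aes256   sha1  2        no     2012    86400
EOF
)
IKE_NONE=$(cat <<'EOF'
Peer ID / IP                            Local ID / IP
------------                            -------------
EOF
)
ipsec_sample() {                             # $1 = State, $2 = Bytes Out/In
    printf 'Peer ID / IP                            Local ID / IP\n'
    printf '203.0.113.10                            198.51.100.5\n\n'
    printf '    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto\n'
    printf '    ------  -----  -------------  -------  ----  -----  ------  ------  -----\n'
    printf '    1       %-6s %-14s aes256   sha1  no     2030    3600    all\n' "$1" "$2"
}
IPSEC_IDLE=$(ipsec_sample up 0.0/0.0)
IPSEC_DOWN=$(ipsec_sample down 0.0/0.0)
IPSEC_ONEWAY=$(ipsec_sample up 4.2M/0.0)
IPSEC_OK=$(ipsec_sample up 4.2M/1.1K)

triage "$IKE_NONE" "$IPSEC_IDLE"
triage "$IKE_UP" "$IPSEC_IDLE"
triage "$IKE_UP" "$IPSEC_OK"
```

The "no-traffic" and "no-return" cases are the ones the SA tables alone cannot explain; both send you back to the conntrack table and to routing, on the local side for the first and on the remote side for the second.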


Check VPN Logs

To check the VPN logs, run the following command. It provides a summary of any issues with the VPN during Phase 1 or Phase 2.

vyatta@vyatta:~$ show log vpn ipsec

Check VPN Debug Logs 

For a more detailed view of the VPN state when troubleshooting, run the following command. It can be run with or without the detail option, for example 'show vpn debug detail', or restricted to one peer with the peer option.

vyatta@vyatta:~$ show vpn debug [peer  | detail] 


VPN Rekey 

Should you need to reset your VPN, that is, clear and rekey the established Phase 1 and Phase 2 SAs for a peer, run the following command, giving the address of the remote peer. This should be done after committing any configuration changes to a previously established tunnel.

vyatta@vyatta:~$ reset vpn ipsec-peer <peer>



© 2015 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License
