
Troubleshooting a Vyatta Site-to-site VPN connection


Using a Vyatta Appliance, you can establish a secure site-to-site VPN connection between your cloud infrastructure at any Rackspace site and your data center or existing IT infrastructure location. You can find details on how to configure a site-to-site VPN here.

The purpose of this guide is to provide the steps needed to troubleshoot a Vyatta IPsec site-to-site VPN.


Log onto the Vyatta Appliance using ssh:

ssh vyatta@X.X.X.X

Where X.X.X.X is the IP address of the Vyatta appliance's public interface. You'll see a "Welcome to Vyatta" message and a prompt to enter your password.

Once you're logged into the appliance, you can enter a "?" or press the Tab key for help.

Enter configuration mode:

vyatta@vyatta:~$ configure
[edit]
vyatta@vyatta#

The # symbol indicates you're in configuration mode.

Check Configuration

First of all, check the VPN configuration settings (in configuration mode) to ensure they match what is configured on the remote peer. Verify the IKE and ESP configuration in particular, since Phase 1 and Phase 2 negotiation fail when the proposals, lifetimes or tunnel prefixes differ between the two sides.

vyatta@vyatta# show vpn ipsec
 esp-group ESP-1W {
     lifetime 3600
     proposal 1 {
         encryption aes256
         hash sha1
     }
     proposal 2 {
         encryption 3des
         hash md5
     }
 }
 ike-group IKE-1W {
     lifetime 86400
     proposal 1 {
         dh-group 2
         encryption aes256
         hash sha1
     }
 }
 ipsec-interfaces {
     interface eth3
 }
 site-to-site {
     peer 86.150.224.254 {
         authentication {
             mode pre-shared-secret
             pre-shared-secret abc123
         }
         default-esp-group ESP-1W
         ike-group IKE-1W
         local-address 166.78.4.231
         tunnel 1 {
             local {
                 prefix 192.168.3.0/24
             }
             remote {
                 prefix 172.16.0.0/16
             }
         }
     }
 }
[edit]

If the settings match, also check the NAT and firewall settings by running the commands "show nat" and "show firewall", since a rule that drops or rewrites the peer's IKE or ESP traffic will stop the tunnel even when the VPN configuration itself is correct.
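Comparing the nested "show vpn ipsec" dump against the remote side by eye is error-prone, so here is an added example (it is not part of the Rackspace article or of Vyatta's own tooling): a POSIX shell function that flattens the dump into one key=value line per setting, sorted, so the listing from each end of the tunnel can be diffed. The function name vpn_config_flatten and the VPN_CONFIG sample variable, which carries the configuration shown above, are assumptions of this example; the pre-shared secret is redacted so the listing can be pasted into a ticket. The parser relies on Vyatta's indentation: unindented lines (the prompt and the "[edit]" marker) are ignored.

```shell
#!/bin/sh
# Added example: flatten "show vpn ipsec" (configuration mode) into key=value lines.
# Assumes the block structure Vyatta prints: "name [label] {" opens a block, "}" closes it,
# and every other indented line is "key value".

vpn_config_flatten() {   # stdin = output of "show vpn ipsec"; stdout = sorted key=value lines
    awk '
    # Join the open block names into a dotted path, e.g. esp-group.ESP-1W.proposal.1
    function path(n,  i, s) { for (i = 1; i <= n; i++) s = s (i > 1 ? "." : "") stack[i]; return s }
    /^[^ \t]/ { next }                              # prompt and [edit] lines are not indented
    /\{[ \t]*$/ {                                   # block opener, e.g. "proposal 1 {"
        sub(/[ \t]*\{[ \t]*$/, ""); sub(/^[ \t]+/, ""); gsub(/[ \t]+/, ".")
        stack[++depth] = $0; next
    }
    /^[ \t]*\}/ { depth--; next }                   # block closer
    NF >= 2 {                                       # leaf line: "key value"
        key = $1; $1 = ""; sub(/^[ \t]+/, "")
        val = (key == "pre-shared-secret") ? "<redacted>" : $0   # never echo the PSK
        print path(depth) "." key "=" val
    }
    ' | sort
}

# Sample input (constructed for this example from the configuration shown in the article).
VPN_CONFIG='vyatta@vyatta# show vpn ipsec
 esp-group ESP-1W {
     lifetime 3600
     proposal 1 {
         encryption aes256
         hash sha1
     }
     proposal 2 {
         encryption 3des
         hash md5
     }
 }
 ike-group IKE-1W {
     lifetime 86400
     proposal 1 {
         dh-group 2
         encryption aes256
         hash sha1
     }
 }
 ipsec-interfaces {
     interface eth3
 }
 site-to-site {
     peer 86.150.224.254 {
         authentication {
             mode pre-shared-secret
             pre-shared-secret abc123
         }
         default-esp-group ESP-1W
         ike-group IKE-1W
         local-address 166.78.4.231
         tunnel 1 {
             local {
                 prefix 192.168.3.0/24
             }
             remote {
                 prefix 172.16.0.0/16
             }
         }
     }
 }
[edit]'

# Usage: print the flattened listing for the sample above.
printf '%s\n' "$VPN_CONFIG" | vpn_config_flatten
```

Run the function against the dump from each peer (or against the values the remote administrator reports) and diff the two listings: the proposal lines, lifetimes and dh-group must be identical, and the local/remote prefixes and addresses must appear mirrored.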

Confirm PHASE 1 

Exit configuration mode by typing 'exit'.

Next, check (in operational mode) whether Phase 1 has completed by viewing the Phase 1 SAs.

vyatta@vyatta:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
86.150.224.254                          166.78.4.231
State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
-----  -------  ----  -------  -----  ------  ------
up     aes256   sha1  2        no     2012    86400

If no SA is listed, or the State column does not show "up", then typically either there is a mismatch in the Phase 1 settings between the two peers or IKE (UDP port 500) is being blocked between you and the remote peer.

However, it is also possible that traffic from the endpoint is not reaching either VPN peer and is therefore never triggering the Phase 1 negotiation.

To confirm that traffic is reaching the Vyatta appliance from your local endpoint (i.e. your cloud server), view the appliance's connection-tracking table. In the example below, the Vyatta appliance is seeing ICMP traffic from the cloud server (192.168.3.3) to the remote endpoint (172.16.120.5).

vyatta@vyatta:~$ show conntrack table ipv4
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,
FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK,
TW - TIME WAIT, CL - CLOSE, LI - LISTEN

CONN ID    Source                 Destination            Protocol         TIMEOUT
2064070048 86.160.61.92           166.78.4.231           ipsec-esp [50]   599
2059185248 94.236.7.190:24950     166.78.4.231:22        tcp [6] ES       430831
2046153568 192.168.3.3            172.16.120.5           icmp [1]         29
2064070912 86.160.61.92:500       166.78.4.231:500       udp [17]         168
2064070624 0.0.0.0:68             255.255.255.255:67     udp [17]         28
2064069184 94.236.7.190:7333      166.78.4.231:22        tcp [6] ES       299
2046153280 192.168.3.3            10.182.5.36            icmp [1]         9
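The connection-tracking table answers three separate questions at this step: is the local endpoint's traffic arriving at the appliance, is IKE (UDP 500) being exchanged with the peer, and is ESP flowing with the peer. The shell function below is an added example (not part of the original article) that reads the same "show conntrack table ipv4" output and reports all three. The function name conntrack_check and the CONNTRACK sample are constructed for this example; the sample is modelled on the table above but uses the configured peer address 86.150.224.254 so that it lines up with the configuration shown earlier.

```shell
#!/bin/sh
# Added example: summarise what conntrack shows for one site-to-site tunnel.
# $1 = peer IP, $2 = local prefix (CIDR), $3 = remote prefix (CIDR); stdin = conntrack output.
# Prints one line: ike=<yes|no> esp=<yes|no> tunnel_flows=<count of local->remote flows>
conntrack_check() {
    awk -v peer="$1" -v lp="$2" -v rp="$3" '
    # Dotted-quad to integer, so prefixes can be compared by shifting off host bits.
    function ip2n(s,  a) { split(s, a, "."); return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4] }
    function in_cidr(ip, cidr,  p, shift) {
        split(cidr, p, "/"); shift = 2 ^ (32 - p[2])
        return int(ip2n(ip) / shift) == int(ip2n(p[1]) / shift)
    }
    $1 !~ /^[0-9]+$/ { next }                       # skip the header and the TCP state legend
    {
        ns = split($2, s, ":"); nd = split($3, d, ":")   # separate address from optional :port
        src = s[1]; dst = d[1]
        sport = (ns > 1) ? s[2] : ""; dport = (nd > 1) ? d[2] : ""
        with_peer = (src == peer || dst == peer)
        if (with_peer && $4 == "ipsec-esp") esp = 1
        if (with_peer && $4 == "udp" && (sport == 500 || dport == 500)) ike = 1
        if (in_cidr(src, lp) && in_cidr(dst, rp)) n++   # endpoint traffic that should use the tunnel
    }
    END { printf "ike=%s esp=%s tunnel_flows=%d\n", ike ? "yes" : "no", esp ? "yes" : "no", n }
    '
}

# Sample input (constructed for this example; modelled on the conntrack table in the article).
CONNTRACK='TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,
FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK,
TW - TIME WAIT, CL - CLOSE, LI - LISTEN

CONN ID    Source                 Destination            Protocol         TIMEOUT
2064070048 86.150.224.254         166.78.4.231           ipsec-esp [50]   599
2059185248 94.236.7.190:24950     166.78.4.231:22        tcp [6] ES       430831
2046153568 192.168.3.3            172.16.120.5           icmp [1]         29
2064070912 86.150.224.254:500     166.78.4.231:500       udp [17]         168
2064070624 0.0.0.0:68             255.255.255.255:67     udp [17]         28
2046153280 192.168.3.3            10.182.5.36            icmp [1]         9'

# Usage: check the sample against the tunnel configured earlier in the article.
printf '%s\n' "$CONNTRACK" | conntrack_check 86.150.224.254 192.168.3.0/24 172.16.0.0/16
```

Reading the result: tunnel_flows=0 means the endpoint's traffic never reached the appliance, so look at routing on the cloud server before touching the VPN; tunnel_flows above zero with ike=no points at UDP 500 being blocked upstream or at a Phase 1 mismatch; ike=yes with esp=no is the Phase 2 or ESP-filtering case. The 192.168.3.3 to 10.182.5.36 entry in the sample falls outside the remote prefix and is correctly not counted as tunnel traffic.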

Confirm PHASE 2

Next, check whether Phase 2 has completed by viewing the Phase 2 SAs. Again, if no SA is listed, or the State column does not show "up", then either there is a mismatch in the Phase 2 settings between the two peers or ESP (IP protocol 50, shown as "ipsec-esp [50]" in the connection-tracking table above) is being blocked between you and the remote peer.

Note: to obtain further information, the keywords detail and statistics can be appended to the command below, for example 'show vpn ipsec sa detail' or 'show vpn ipsec sa statistics'.

vyatta@vyatta:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
86.150.224.254                          166.78.4.231

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     0.0/0.0        aes256   sha1  no     2030    3600    all

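The Phase 1 and Phase 2 checks above both come down to reading a State column out of a two-part table, and the Phase 2 table adds one more signal worth checking: Bytes Out/In of 0.0/0.0 means the tunnel is established but nothing has used it yet, which separates a VPN problem from a routing problem. The shell functions below are an added example (not the article's or Vyatta's own code) that parse both outputs for one peer and combine them into a single verdict. The names sa_rows, phase1_state, phase2_state and vpn_verdict, and the IKE_SA and IPSEC_SA sample variables (copied from the two tables in this article), are assumptions of this example.

```shell
#!/bin/sh
# Added example: parse "show vpn ike sa" / "show vpn ipsec sa" and decide which phase is failing.
# Both outputs list a "Peer ID / IP" block, then a "State ..." or "Tunnel State ..." header,
# a dashed line, and one data row per SA; sa_rows returns the data rows for one peer.

sa_rows() {   # $1 = peer IP; stdin = command output; stdout = data rows belonging to that peer
    awk -v want="$1" '
        NF == 0 || $1 == "Peer"                  { data = 0; next }   # end of a peer block
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/  { peer = $1; next }  # "peer local" address line
        $1 == "State" || $1 == "Tunnel"          { hdr = 1; next }    # column header
        hdr && $1 ~ /^-+$/                       { hdr = 0; data = 1; next }
        data && peer == want                     { print }
    '
}

phase1_state() {   # $1 = peer IP; stdin = "show vpn ike sa"; prints the State column or "none"
    s=$(sa_rows "$1" | awk 'NR == 1 { print $1 }')
    printf '%s\n' "${s:-none}"
}

phase2_state() {   # $1 = peer IP, $2 = tunnel number; stdin = "show vpn ipsec sa"
    # prints "<state> <bytes out/in>" for that tunnel, or "none" if it is not listed
    sa_rows "$1" | awk -v t="$2" '$1 == t { print $2, $3; found = 1 } END { if (!found) print "none" }'
}

vpn_verdict() {   # $1 = peer, $2 = tunnel, $3 = ike sa output, $4 = ipsec sa output
    p1=$(printf '%s\n' "$3" | phase1_state "$1")
    if [ "$p1" != up ]; then echo "phase1:$p1"; return 0; fi       # Phase 1 mismatch or UDP 500 blocked
    p2=$(printf '%s\n' "$4" | phase2_state "$1" "$2")
    st=${p2%% *}; bytes=${p2#* }
    if [ "$st" != up ]; then echo "phase2:$st"; return 0; fi       # Phase 2 mismatch or ESP blocked
    if [ "$bytes" = 0.0/0.0 ]; then echo up-no-traffic; else echo up; fi   # tunnel fine, check routing
}

# Sample inputs, copied from the two tables shown in this article.
IKE_SA='Peer ID / IP                            Local ID / IP
------------                            -------------
86.150.224.254                          166.78.4.231
State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
-----  -------  ----  -------  -----  ------  ------
up     aes256   sha1  2        no     2012    86400'

IPSEC_SA='Peer ID / IP                            Local ID / IP
------------                            -------------
86.150.224.254                          166.78.4.231

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     0.0/0.0        aes256   sha1  no     2030    3600    all'

# Usage: on the appliance the two arguments would come from the live commands, e.g.
#   vpn_verdict 86.150.224.254 1 "$(show vpn ike sa)" "$(show vpn ipsec sa)"
vpn_verdict 86.150.224.254 1 "$IKE_SA" "$IPSEC_SA"
```

For the sample data the verdict is up-no-traffic: both phases are established, so a reported outage at this point is a routing or firewall question on the endpoints rather than an IKE or ESP one.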

Check VPN Logs

To check the VPN logs, run the following command. It provides a summary of any issues with the VPN during Phase 1 or Phase 2.

vyatta@vyatta:~$ show log vpn ipsec

Check VPN Debug Logs 

To see a more detailed view of the VPN logs when troubleshooting, run the following command. It can be run with or without the detail option, for example 'show vpn debug detail'.

vyatta@vyatta:~$ show vpn debug [peer | detail]


VPN Rekey 

Should you need to reset your VPN, i.e. rekey and clear the established Phase 1 and Phase 2 SAs, run the following command. This action should be performed after any configuration change to a previously established tunnel, because the peers otherwise keep using the SAs negotiated under the old settings until they expire.

vyatta@vyatta:~$ reset vpn ipsec-peer

© 2011-2013 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License