I'm trying to configure a VyOS VPN from an AWS VPC to a Cisco VPN.
I'm using the prepared AWS AMI images - tried VyOS 1.1.7 and VyOS 1.2.
My VyOS instance is in a public segment of the VPC:
vyos@ip-10-0-2-238:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 10.0.2.238/24 u/u
lo 127.0.0.1/8 u/u
::1/128
It also has external IP.
My configuration is:
interfaces {
    ethernet eth0 {
        address dhcp
    }
    loopback lo {
    }
}
....
vpn {
    ipsec {
        esp-group test-esp {
            compression disable
            lifetime 7200
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group test-ike {
            ikev2-reauth no
            key-exchange ikev2
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha256
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer IP_OF_REMOTE_CISCO {
                authentication {
                    id MY_REMOTE_IP
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group test-ike
                ikev2-reauth inherit
                local-address LOCAL_IP_OF_VYOS_INSTANCE
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group test-esp
                    local {
                        prefix MY_MASK_OF_PRIVATE_SUBNET
                    }
                    remote {
                        prefix LOCAL_SUBNET_BEHIND_VPN
                    }
                }
            }
        }
    }
}
The VPN connection remains in the "CONNECTING" state:
peer-X.X.X.X-tunnel-1[1]: CONNECTING, Y.Y.Y.Y[%any]...X.X.X.X[%any]
peer-X.X.X.X-tunnel-1[1]: IKEv2 SPIs: 6911b8b8bf6ad261_i* 0000000000000000_r
peer-X.X.X.X-tunnel-1[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
What am I doing wrong?
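The status lines in the post already say where the negotiation is stuck: in IKEv2 the responder SPI is chosen by the responder and only appears once its IKE_SA_INIT reply has been processed, so an SPI of all zeros on the `_r` side with `IKE_INIT` still in the active task list means no reply from the peer has been received at all. The script below is an added example, not part of the post or of VyOS; it parses strongSwan status output in the format shown above (the first sample is the post's own lines, the second is a constructed variant where the init exchange completed but IKE_AUTH got no answer) and classifies which stage is stalled, which decides what to check first.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Sample 1: the status lines from the post (X.X.X.X / Y.Y.Y.Y are the poster's placeholders).
SAMPLE_STUCK_INIT = """\
peer-X.X.X.X-tunnel-1[1]: CONNECTING, Y.Y.Y.Y[%any]...X.X.X.X[%any]
peer-X.X.X.X-tunnel-1[1]: IKEv2 SPIs: 6911b8b8bf6ad261_i* 0000000000000000_r
peer-X.X.X.X-tunnel-1[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
"""

# Sample 2: constructed for contrast, with a responder SPI present and IKE_INIT no longer active.
SAMPLE_STUCK_AUTH = """\
peer-X.X.X.X-tunnel-1[2]: CONNECTING, Y.Y.Y.Y[%any]...X.X.X.X[%any]
peer-X.X.X.X-tunnel-1[2]: IKEv2 SPIs: 0123456789abcdef_i* fedcba9876543210_r
peer-X.X.X.X-tunnel-1[2]: Tasks active: IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
"""

# Every IKE_SA line starts with "<connection-name>[<sa-id>]: ".
LINE_RE = re.compile(r"^(?P<conn>[^\[\s]+)\[(?P<id>\d+)\]:\s+(?P<rest>.*)$")
STATE_RE = re.compile(
    r"^(?P<state>[A-Z_]+),\s+(?P<local>[^\[\s]+)\[(?P<lid>[^\]]*)\]\.\.\."
    r"(?P<remote>[^\[\s]+)\[(?P<rid>[^\]]*)\]")
SPI_RE = re.compile(r"^IKEv2 SPIs:\s+(?P<i>[0-9a-f]{16})_i\*?\s+(?P<r>[0-9a-f]{16})_r\*?")
TASKS_RE = re.compile(r"^Tasks active:\s+(?P<tasks>.*)$")


@dataclass
class IkeSa:
    conn: str
    sa_id: int
    state: str = ""
    local: str = ""
    remote: str = ""
    spi_i: str = ""
    spi_r: str = ""
    tasks: List[str] = field(default_factory=list)


def parse_status(text: str) -> List[IkeSa]:
    """Group the per-IKE_SA status lines by connection name and SA id."""
    sas: Dict[Tuple[str, int], IkeSa] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # CHILD_SA / policy lines are not needed for this diagnosis
        key = (m["conn"], int(m["id"]))
        sa = sas.setdefault(key, IkeSa(conn=key[0], sa_id=key[1]))
        rest = m["rest"]
        if (s := STATE_RE.match(rest)):
            sa.state, sa.local, sa.remote = s["state"], s["local"], s["remote"]
        elif (s := SPI_RE.match(rest)):
            sa.spi_i, sa.spi_r = s["i"], s["r"]
        elif (s := TASKS_RE.match(rest)):
            sa.tasks = s["tasks"].split()
    return list(sas.values())


NO_REPLY = "no-init-reply"
AUTH_PENDING = "auth-pending"
ESTABLISHED = "established"
UNKNOWN = "unknown"


def diagnose(sa: IkeSa) -> Tuple[str, str]:
    """Classify where an IKEv2 negotiation is stalled from state, SPIs and active tasks."""
    if sa.state == "ESTABLISHED":
        return ESTABLISHED, "IKE SA is up; if no traffic flows, compare the CHILD_SA traffic selectors."
    if sa.state == "CONNECTING":
        # Responder SPI is assigned by the responder in its IKE_SA_INIT reply, so all zeros
        # (or IKE_INIT still active) means that reply never arrived at this side.
        if sa.spi_r == "0" * 16 or "IKE_INIT" in sa.tasks:
            return NO_REPLY, (
                f"No IKE_SA_INIT reply from {sa.remote}: verify UDP/500 is allowed in both "
                "directions (security group, NACL, remote firewall) and that the peer is "
                "configured to talk to this side's public address.")
        if "IKE_AUTH" in sa.tasks:
            return AUTH_PENDING, (
                "IKE_SA_INIT completed but IKE_AUTH got no answer: check UDP/4500 (NAT-T), "
                "the identities each side expects, and the pre-shared key.")
    return UNKNOWN, f"state={sa.state!r} tasks={sa.tasks}"


if __name__ == "__main__":
    for sa in parse_status(SAMPLE_STUCK_INIT + SAMPLE_STUCK_AUTH):
        code, hint = diagnose(sa)
        print(f"{sa.conn}[{sa.sa_id}] {sa.state} spi_r={sa.spi_r} -> {code}: {hint}")
```

Run it against the output of `show vpn ipsec sa` (or `sudo ipsec statusall` on the VyOS shell) instead of the embedded samples. A stalled IKE_SA_INIT is a reachability question, not a proposal question: a proposal mismatch normally produces a NO_PROPOSAL_CHOSEN notify rather than silence. Note also that the instance's `local-address` is its private 10.0.2.x address behind the 1:1 NAT of the Elastic IP, so the Cisco side must be pointed at the public address, and whatever identity it expects from this peer has to match the `authentication id` set here.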