This is my first time trying to set up IPSec with one site behind NAT.
I've got a USG at home and an ERL at work behind NAT with a 1:1 port mapping to it.
After a couple of weeks of trial and error and many hours of googling I've got IKE to stand up but can't get any further.
The main issue I had was getting NAT-T to work which I managed to fix by issuing the following command on the USG.
set remote-id NATTED_IP_OF_DESTINATION_SIDE
I'm aware the USG config will get overwritten each time I make a change via the UI so I'm trying to do everything via the CLI for now.
Any help is welcome from the experts out there, I'm out of ideas!
Here is the config of the devices:
USG
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group ESP_ERL WAN IP {
            compression disable
            lifetime 3600
            mode tunnel
            pfs disable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group IKE_ERL WAN IP {
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 5
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface pppoe2
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
        site-to-site {
            peer ERL WAN IP {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id 10.200.185.1
                }
                connection-type initiate
                ike-group IKE_ERL WAN IP
                local-address USG WAN IP
                vti {
                    bind vti64
                    esp-group ESP_ERL WAN IP
                }
            }
        }
    }
}
ERL
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            proposal 1 {
                dh-group 5
                encryption aes128
                hash sha1
            }
        }
        nat-traversal enable
        site-to-site {
            peer USG WAN IP {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type respond
                description USG2ERL
                ike-group FOO0
                local-address 10.200.185.1
                tunnel 1 {
                    esp-group FOO0
                    local {
                        prefix 172.16.20.0/24
                    }
                    remote {
                        prefix 172.16.2.0/24
                    }
                }
            }
        }
    }
}
Errors from the USG
Oct 12 17:05:05 NMDC-USG-01 pluto[19474]: added connection description "peer-ERL-WAN-IP-tunnel-vti"
Oct 12 17:05:06 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: initiating Main Mode
Oct 12 17:05:07 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: received Vendor ID payload [XAUTH]
Oct 12 17:05:07 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: received Vendor ID payload [Dead Peer Detection]
Oct 12 17:05:07 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: received Vendor ID payload [RFC 3947]
Oct 12 17:05:07 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: enabling possible NAT-traversal with method 3
Oct 12 17:05:08 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: NAT-Traversal: Result using RFC 3947: peer is NATed
Oct 12 17:05:08 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: Peer ID is ID_IPV4_ADDR: '10.200.185.1'
Oct 12 17:05:08 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: ISAKMP SA established
Oct 12 17:05:08 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Oct 12 17:05:08 NMDC-USG-01 pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
admin@NMDC-USG-01:~$ show vpn ipsec sa detail
------------------------------------------------------------------
Peer IP: ERL-WAN-IP
Peer ID: 10.200.185.1
Local IP: USG-WAN-IP
Local ID: USG-WAN-IP
NAT Traversal: yes
NAT Source Port: 4500
NAT Dest Port: 4500
Tunnel vti:
State: down
Inbound SPI: n/a
Outbound SPI: n/a
Encryption: n/a
Hash: n/a
PFS Group: n/a
Local Net: 0.0.0.0/0
Local Protocol: all
Local Port: all
Remote Net: 0.0.0.0/0
Remote Protocol: all
Remote Port: all
Inbound Bytes: 0.0
Outbound Bytes: 0.0
Active Time (s): 0
Lifetime (s): 3600
------------------------------------------------------------------
Currently it is stuck in an endless loop of initiating Quick Mode and ignoring the payload due to NO_PROPOSAL_CHOSEN.
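As an added example that is not part of the original post (and not Ubiquiti or EdgeOS code), here is a small Python model of the two checks a practitioner would run next on a thread like this: a Quick Mode proposal comparison that reports which phase 2 attribute a responder would refuse, and a classifier over the pluto lines quoted above that confirms the refusal comes after the ISAKMP SA, i.e. in phase 2 rather than phase 1. The USG side is filled in from the posted esp-group and the 0.0.0.0/0 selectors shown by `show vpn ipsec sa detail`. The ERL side is only partly on the page, so its mode, lifetime and pfs values are assumed EdgeOS esp-group defaults (with pfs enable taken to mean the ike-group's dh-group 5); `ERL_ROUTE_BASED` is a hypothetical responder configuration, not anything posted.

```python
"""Model an IKEv1 Quick Mode proposal check and classify pluto log lines.

Added example for the thread above; not code from the original post or from
Ubiquiti.  The ERL-side defaults and the route-based variant are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2:
    """One peer's phase 2 parameters, in EdgeOS esp-group / tunnel terms."""
    encryption: str   # e.g. "aes128"
    integrity: str    # e.g. "sha1"
    mode: str         # "tunnel" or "transport"
    pfs: str          # "disable" or the DH group actually used, e.g. "dh-group5"
    lifetime: int     # seconds
    local_net: str    # selector this peer calls "local" (0.0.0.0/0 for a VTI)
    remote_net: str   # selector this peer calls "remote"


def evaluate_quick_mode(initiator, responder):
    """Return (accepted, reasons, warnings) for one Quick Mode proposal.

    A responder requires the transform (cipher, integrity, mode) and the PFS
    group to match, and requires the traffic selectors to mirror its own
    exactly: IKEv1 has no selector narrowing (that arrived with IKEv2).  Any
    failure here is answered with NO_PROPOSAL_CHOSEN.  A lifetime difference
    is only a warning, since pluto settles on the shorter value.
    """
    reasons, warnings = [], []
    for attr in ("encryption", "integrity", "mode", "pfs"):
        a, b = getattr(initiator, attr), getattr(responder, attr)
        if a != b:
            reasons.append(f"{attr}: initiator {a} vs responder {b}")
    i_local = ipaddress.ip_network(initiator.local_net)
    i_remote = ipaddress.ip_network(initiator.remote_net)
    r_local = ipaddress.ip_network(responder.local_net)
    r_remote = ipaddress.ip_network(responder.remote_net)
    if i_local != r_remote or i_remote != r_local:
        reasons.append(
            f"selectors: initiator offers {i_local} <-> {i_remote}, "
            f"responder only has {r_remote} <-> {r_local}"
        )
    if initiator.lifetime != responder.lifetime:
        warnings.append(f"lifetime: {initiator.lifetime}s vs {responder.lifetime}s, "
                        f"shorter value wins")
    return (not reasons, reasons, warnings)


def classify_pluto_log(lines):
    """Say which phase failed, reading pluto's messages in order."""
    phase1_up = False
    for line in lines:
        if "ISAKMP SA established" in line:
            phase1_up = True
        elif "NO_PROPOSAL_CHOSEN" in line:
            return "phase2 rejected" if phase1_up else "phase1 rejected"
        elif "IPsec SA established" in line:
            return "ok"
    return "phase2 pending" if phase1_up else "phase1 pending"


# USG side, taken from the posted esp-group and the 0.0.0.0/0 VTI selectors.
USG_SIDE = Phase2("aes128", "sha1", "tunnel", "disable", 3600,
                  "0.0.0.0/0", "0.0.0.0/0")

# ERL side: only the proposal and prefixes are posted.  ASSUMPTION: EdgeOS
# esp-group defaults of mode tunnel, lifetime 3600 and pfs enable, where
# "enable" reuses the ike-group's DH group, here dh-group 5.
ERL_SIDE = Phase2("aes128", "sha1", "tunnel", "dh-group5", 3600,
                  "172.16.20.0/24", "172.16.2.0/24")

# Hypothetical ERL configuration with a VTI and pfs disable, to show what a
# matching responder looks like; this is not on the page.
ERL_ROUTE_BASED = Phase2("aes128", "sha1", "tunnel", "disable", 3600,
                         "0.0.0.0/0", "0.0.0.0/0")

# Constructed from the pluto lines quoted in the post.
PLUTO_LOG = [
    'pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: initiating Main Mode',
    'pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: ISAKMP SA established',
    'pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #4: initiating Quick Mode '
    'PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}',
    'pluto[19474]: "peer-ERL-WAN-IP-tunnel-vti" #1: ignoring informational '
    'payload, type NO_PROPOSAL_CHOSEN',
]

if __name__ == "__main__":
    print("log:", classify_pluto_log(PLUTO_LOG))
    for name, resp in (("ERL_SIDE", ERL_SIDE), ("ERL_ROUTE_BASED", ERL_ROUTE_BASED)):
        ok, reasons, warnings = evaluate_quick_mode(USG_SIDE, resp)
        print(f"{name}: {'accepted' if ok else 'NO_PROPOSAL_CHOSEN'}")
        for r in reasons + warnings:
            print("   ", r)
```

Run as a script it prints the phase 2 verdict for each responder variant; the point of the selector check is that a VTI peer always offers 0.0.0.0/0 on both sides, so a responder holding specific prefixes can never find an exact IKEv1 match, independently of whether the cipher, hash and PFS settings agree.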