MladenAntesevic
Collaborator

Both RAVPN and S2S VPN between the same pair of gateways


I have one unusual scenario where two gateways, let's say GW A and GW B, have established an S2S VPN tunnel, but I still have a requirement from some customers located behind GW A to have RAVPN connectivity to some servers located behind GW B. The S2S VPN is running smoothly, but the RAVPN could not be established. I tried to exclude the HTTPS and IKE services from the S2S VPN community, but without any success. I checked the logs, where I see GW B rejecting phase 1 from the RAVPN, saying:

Main Mode Failed to match proposal: Transform: AES-256, SHA1, Pre-shared secret, Group 2 (1024 bit); Reason: Wrong value for: Authentication Method


RAVPN is using different proposal than S2S and it seems that GW B cannot differentiate between IKE messages generated by GW A and between IKE generated by side-A customers since they are coming from the same public IP address.

I know it is quite unusual to have such a scenario, but I am wondering whether there is some kind of workaround to handle such a situation?


Accepted Solutions
Markus_Genser
Contributor

Hello,

this is not as uncommon as you might think.

The main reason for the failing of the RA VPN is that the RA GW sees the IKE packet coming from the peer GW, which it knows is in a VPN community, and tries to create a new S2S tunnel.

Therefore it doesn't try to match the IPSec packet with the RA process and that's why the client connection fails.

In the cases I've encountered this, I took another free public IP on (in your case) GW A and created a hide NAT with this public IP Address for the client networks and the destination the RA GW B.

This way, the client RA VPN traffic arrives on GW B with a different source IP than the S2S community peer GW A, and the RA VPN will be established.


Best regards,

Markus

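The mechanism Markus describes, and why rule order matters for the workaround, as an added illustrative model (this is not Check Point code, and the addresses, the `HideNatRule`/`Packet` types and the helper functions are constructed for the example): GW A applies a first-match hide NAT rule base to the client's outbound IKE packet, and GW B decides between S2S and Remote Access handling purely on the source IP it sees. With only the default "hide behind the gateway" rule, the client's IKE arrives from GW A's community address and is treated as a new S2S negotiation; with a more specific rule placed above it, the client traffic towards GW B is hidden behind a spare public IP and reaches the RA process instead.

```python
# Added illustrative model, not Check Point code. All IPs are constructed
# documentation addresses; HideNatRule, Packet and the helpers are hypothetical.
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str      # source IP as seen on the wire
    dst: str      # destination IP
    dport: int    # UDP port: 500 = IKE, 4500 = IKE/ESP NAT-T


@dataclass(frozen=True)
class HideNatRule:
    original_src: str     # CIDR of the internal hosts to hide
    original_dst: str     # CIDR (or /32) the rule applies to
    translated_src: str   # public IP to hide the clients behind


def _match(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def apply_hide_nat(pkt: Packet, rules: list) -> Packet:
    """First-match rule base: the first rule whose original source and
    destination match rewrites the source, and no further rule is consulted."""
    for r in rules:
        if _match(pkt.src, r.original_src) and _match(pkt.dst, r.original_dst):
            return replace(pkt, src=r.translated_src)
    return pkt


def classify_ike(pkt: Packet, s2s_peers: set) -> str:
    """Model of the behaviour observed in the thread: the receiving gateway keys
    IKE handling on the source address. A known community peer is handed to the
    S2S logic (where the RA client's proposal then fails); anything else is RA."""
    if pkt.dport not in (500, 4500):
        return "not-ike"
    return "s2s" if pkt.src in s2s_peers else "remote-access"


# Constructed topology: GW A hides clients, GW B is the RA/S2S gateway.
GW_A_PUBLIC = "198.51.100.10"   # GW A's address in the S2S community
GW_A_SPARE = "198.51.100.11"    # the extra free public IP used for the hide NAT
GW_B_PUBLIC = "203.0.113.20"
CLIENT_NET = "10.10.0.0/16"
S2S_PEERS_ON_GW_B = {GW_A_PUBLIC}

CLIENT_IKE = Packet(src="10.10.5.25", dst=GW_B_PUBLIC, dport=500)
GW_A_IKE = Packet(src=GW_A_PUBLIC, dst=GW_B_PUBLIC, dport=500)


def before_workaround() -> str:
    # Only the default hide behind GW A's own address: client IKE looks like GW A.
    rules = [HideNatRule(CLIENT_NET, "0.0.0.0/0", GW_A_PUBLIC)]
    return classify_ike(apply_hide_nat(CLIENT_IKE, rules), S2S_PEERS_ON_GW_B)


def after_workaround() -> str:
    # Specific rule (clients -> GW B behind the spare IP) placed ABOVE the default.
    rules = [
        HideNatRule(CLIENT_NET, GW_B_PUBLIC + "/32", GW_A_SPARE),
        HideNatRule(CLIENT_NET, "0.0.0.0/0", GW_A_PUBLIC),
    ]
    return classify_ike(apply_hide_nat(CLIENT_IKE, rules), S2S_PEERS_ON_GW_B)


def misordered_workaround() -> str:
    # Same two rules, wrong order: the catch-all wins and the fix has no effect.
    rules = [
        HideNatRule(CLIENT_NET, "0.0.0.0/0", GW_A_PUBLIC),
        HideNatRule(CLIENT_NET, GW_B_PUBLIC + "/32", GW_A_SPARE),
    ]
    return classify_ike(apply_hide_nat(CLIENT_IKE, rules), S2S_PEERS_ON_GW_B)


def s2s_unaffected() -> str:
    # GW A's own IKE is not hidden by these rules and still lands in S2S.
    rules = [HideNatRule(CLIENT_NET, GW_B_PUBLIC + "/32", GW_A_SPARE)]
    return classify_ike(apply_hide_nat(GW_A_IKE, rules), S2S_PEERS_ON_GW_B)


if __name__ == "__main__":
    print("default hide only   :", before_workaround())
    print("spare IP rule on top:", after_workaround())
    print("spare IP rule below :", misordered_workaround())
    print("GW A's own S2S IKE  :", s2s_unaffected())
```

The ordering check is the part worth keeping in mind when reproducing the fix: a hide NAT that is placed below a broader "hide behind gateway" rule never matches, and GW B keeps seeing the client IKE from the community address.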

7 Replies

the_rock
Champion

Just curious, what is the actual error on RA side? Does it even create a site or that fails as well?

MladenAntesevic
Collaborator

The S2S VPN tunnel is forming OK, but the RAVPN is not forming because the RAVPN GW is trying to establish a new S2S tunnel, as @Markus_Genser already described in detail. I will test his proposal; I believe it is a very good idea.

Markus_Genser
Contributor

In a vpn debug on the RA/S2S GW, you can see an entry that the public IP from the client RA connect belongs to a peer GW for a VPN community and that it tries to establish an S2S tunnel.

That pointed me in the past to the conclusion that the RA GW misinterprets the RA connect as the S2S, and led to the workaround with the second hide NAT.

the_rock
Champion

Ah ok, I see now what you are saying. One thing I find sort of odd is that I did exactly the same config with 2 customers and did not see this issue at all.

MladenAntesevic
Collaborator

In my logs I saw that the RA GW is actually trying to set up another S2S, as @Markus_Genser explained. Very nice idea to use hide NAT as a workaround. I will try it today and keep you posted.

MladenAntesevic
Collaborator

It is working, thanks @Markus_Genser 
