VPN IPsec pfs 'enable' doesn't work with IKE-groups.
Configuration
set interfaces ethernet eth0 address '192.168.122.11/24'
set interfaces vti vti10 address '10.0.0.1/32'
set vpn ipsec esp-group AES256-SHA1 compression 'disable'
set vpn ipsec esp-group AES256-SHA1 lifetime '3600'
set vpn ipsec esp-group AES256-SHA1 mode 'tunnel'
set vpn ipsec esp-group AES256-SHA1 pfs 'enable'
set vpn ipsec esp-group AES256-SHA1 proposal 10 encryption 'aes256'
set vpn ipsec esp-group AES256-SHA1 proposal 10 hash 'sha1'
set vpn ipsec ike-group AES256-SHA1-dh2 close-action 'none'
set vpn ipsec ike-group AES256-SHA1-dh2 ikev2-reauth 'no'
set vpn ipsec ike-group AES256-SHA1-dh2 key-exchange 'ikev2'
set vpn ipsec ike-group AES256-SHA1-dh2 lifetime '86400'
set vpn ipsec ike-group AES256-SHA1-dh2 proposal 10 dh-group '2'
set vpn ipsec ike-group AES256-SHA1-dh2 proposal 10 encryption 'aes256'
set vpn ipsec ike-group AES256-SHA1-dh2 proposal 10 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 192.168.122.12 authentication id '192.168.122.11'
set vpn ipsec site-to-site peer 192.168.122.12 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.122.12 authentication pre-shared-secret 'redacted'
set vpn ipsec site-to-site peer 192.168.122.12 authentication remote-id '192.168.122.12'
set vpn ipsec site-to-site peer 192.168.122.12 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.122.12 description 'redacted'
set vpn ipsec site-to-site peer 192.168.122.12 ike-group 'AES256-SHA1-dh2'
set vpn ipsec site-to-site peer 192.168.122.12 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.168.122.12 local-address '192.168.122.11'
set vpn ipsec site-to-site peer 192.168.122.12 vti bind 'vti10'
set vpn ipsec site-to-site peer 192.168.122.12 vti esp-group 'AES256-SHA1'
Logs
[email protected]:~$ sudo journalctl -f /usr/lib/ipsec/charon
-- Logs begin at Mon 2020-07-13 13:57:09 EEST. --
Jul 13 15:41:11 r1 charon[10915]: 09[CFG] rereading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 13 15:41:11 r1 charon[10915]: 09[CFG] rereading attribute certificates from '/etc/ipsec.d/acerts'
Jul 13 15:41:11 r1 charon[10915]: 09[CFG] rereading crls from '/etc/ipsec.d/crls'
Jul 13 15:41:11 r1 charon[10915]: 11[CFG] received stroke: delete connection 'peer-192.168.122.12-tunnel-vti'
Jul 13 15:41:11 r1 charon[10915]: 11[CFG] connection 'peer-192.168.122.12-tunnel-vti' not found
Jul 13 15:41:11 r1 charon[10915]: 13[CFG] received stroke: add connection 'peer-192.168.122.12-tunnel-vti'
Jul 13 15:41:11 r1 charon[10915]: 13[CFG] algorithm 'unknown' not recognized
Jul 13 15:41:11 r1 charon[10915]: 13[CFG] skipped invalid proposal string: aes256-sha1-unknown
Jul 13 15:41:11 r1 charon[10915]: 15[CFG] received stroke: initiate 'peer-192.168.122.12-tunnel-vti'
Jul 13 15:41:11 r1 charon[10915]: 15[CFG] no config named 'peer-192.168.122.12-tunnel-vti'
The workaround is the following configuration change:
set vpn ipsec esp-group AES256-SHA1 pfs dh-group2
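As an added check (not part of this report and not VyOS's own code), the script below derives the ESP proposal the esp-group should render to, assuming that pfs 'enable' inherits the DH group from the peer's ike-group proposal and that dh-group 2 maps to strongSwan's modp1024, and then compares it with the proposal string charon rejected in the journal, so the 'unknown' DH token is caught before the tunnel silently fails to load.

```python
"""Added illustration: expected ESP proposal vs. what charon rejected."""
import re

# VyOS dh-group number -> strongSwan algorithm name (assumed mapping for the groups used here)
DH_NAMES = {"2": "modp1024", "5": "modp1536", "14": "modp2048"}
REJECT_RE = re.compile(r"skipped invalid proposal string: (\S+)")

# Constructed sample: the relevant 'set' lines from the reported configuration
CONFIG = """
set vpn ipsec esp-group AES256-SHA1 pfs 'enable'
set vpn ipsec esp-group AES256-SHA1 proposal 10 encryption 'aes256'
set vpn ipsec esp-group AES256-SHA1 proposal 10 hash 'sha1'
set vpn ipsec ike-group AES256-SHA1-dh2 proposal 10 dh-group '2'
set vpn ipsec site-to-site peer 192.168.122.12 ike-group 'AES256-SHA1-dh2'
set vpn ipsec site-to-site peer 192.168.122.12 vti esp-group 'AES256-SHA1'
"""
# Constructed sample: the charon line from the reported journal
LOG = "Jul 13 15:41:11 r1 charon[10915]: 13[CFG] skipped invalid proposal string: aes256-sha1-unknown"

def parse_set(text):
    """Turn "set a b c 'v'" lines into {('a', 'b', 'c'): 'v'}."""
    cfg = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "set":
            cfg[tuple(parts[1:-1])] = parts[-1].strip("'")
    return cfg

def expected_esp_proposal(cfg, peer, prop="10"):
    """Proposal the peer's esp-group should render to once PFS is resolved.
    'enable' is assumed to inherit the DH group from the peer's ike-group proposal;
    'dh-groupN' names the group directly; 'disable' adds no DH token."""
    p = ("vpn", "ipsec", "site-to-site", "peer", peer)
    esp = ("vpn", "ipsec", "esp-group", cfg[p + ("vti", "esp-group")])
    ike = ("vpn", "ipsec", "ike-group", cfg[p + ("ike-group",)])
    enc = cfg[esp + ("proposal", prop, "encryption")]
    hsh = cfg[esp + ("proposal", prop, "hash")]
    pfs = cfg.get(esp + ("pfs",), "disable")
    if pfs == "disable":
        return f"{enc}-{hsh}"
    dh = cfg.get(ike + ("proposal", prop, "dh-group")) if pfs == "enable" else pfs[len("dh-group"):]
    return f"{enc}-{hsh}-{DH_NAMES.get(dh, 'unknown')}"

def rejected_proposals(log_text):
    """Proposal strings charon refused to load, e.g. 'aes256-sha1-unknown'."""
    return REJECT_RE.findall(log_text)

def pfs_mismatch(cfg, log_text, peer):
    """Rejected proposals that differ from what the configuration should have produced."""
    want = expected_esp_proposal(cfg, peer)
    return [r for r in rejected_proposals(log_text) if r != want]
```

Running it against the sample above reports 'aes256-sha1-unknown' as a mismatch against the expected 'aes256-sha1-modp1024'; with the workaround line (pfs 'dh-group2') the expected proposal is the same, which is why that change makes the tunnel load.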