VPN shows as up
olof@oob-rou001:~$ show vpn ipsec sa | strip-private
Connection                      State   Up      Bytes In/Out   Remote address   Remote ID   Proposal
------------------------------  ------- ------- -------------- ---------------- ----------- ----------------------------------------------
peer-xxx.xxx.216.216-tunnel-vti up      4 hours 0B/0B          xxx.xxx.216.216  N/A         AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048_256
Try to ping the remote vti interface address.
olof@oob-rou001:~$ ping 10.18.5.17
connect: Invalid argument
I try to inspect packets.
olof@oob-rou001:~$ sudo tcpdump -i vti0
tcpdump: vti0: That device is not up
But notice the interface is down.
olof@oob-rou001:~$ ip addr show vti0 | strip-private
8: vti0@NONE: <POINTOPOINT,NOARP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ipip xxx.xxx.240.44 peer xxxxx.tld
    inet xxx.xxx.5.18/30 scope global vti0
       valid_lft forever preferred_lft forever
show vpn ipsec sa verbose shows the tunnel is installed, with the correct SPIs on both sides.
olof@oob-rou001:~$ show vpn ipsec sa verbose | strip-private
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.106-amd64-vyos, x86_64):
  uptime: 7 days, since Aug 17 xxxx:xxxx:32 2020
  malloc: sbrk 1871872, mmap 0, used 794512, free 1077360
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  xxx.xxx.240.44
Connections:
peer-xxx.xxx.216.216-tunnel-vti:  xxx.xxx.240.44...xxx.xxx.216.216  IKEv2, dpddelay=30s
peer-xxx.xxx.216.216-tunnel-vti:   local:  [xxx.xxx.240.44] uses pre-shared key xxxxxx
peer-xxx.xxx.216.216-tunnel-vti:   remote: [xxx.xxx.216.216] uses pre-shared key xxxxxx
peer-xxx.xxx.216.216-tunnel-vti:   child:  xxx.xxx.0.0/0 === xxx.xxx.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
peer-xxx.xxx.216.216-tunnel-vti[36]: ESTABLISHED 4 hours ago, xxx.xxx.240.44[xxx.xxx.240.44]...xxx.xxx.216.216[xxx.xxx.216.216]
peer-xxx.xxx.216.216-tunnel-vti[36]: IKEv2 SPIs: 4a0289911d7d3a6a_i* c6c6684378608039_r, rekeying in 2 hours
peer-xxx.xxx.216.216-tunnel-vti[36]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048_256
peer-xxx.xxx.216.216-tunnel-vti{258}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cf332d5e_i c4c5a85d_o
peer-xxx.xxx.216.216-tunnel-vti{258}:  AES_GCM_16_256/MODP_2048_256, 0 bytes_i, 0 bytes_o, rekeying in 8 minutes
peer-xxx.xxx.216.216-tunnel-vti{258}:   xxx.xxx.0.0/0 === xxx.xxx.0.0/0
The remote side also reports the VPN as up.
olof@remotevpn02:~$ show vpn ipsec sa verbose | strip-private | grep 240.44
peer-xxx.xxx.240.44-tunnel-vti:  xxx.xxx.216.216...xxx.xxx.240.44  IKEv2, dpddelay=30s
peer-xxx.xxx.240.44-tunnel-vti:   local:  [xxx.xxx.216.216] uses pre-shared key xxxxxx
peer-xxx.xxx.240.44-tunnel-vti:   remote: [xxx.xxx.240.44] uses pre-shared key xxxxxx
peer-xxx.xxx.240.44-tunnel-vti:   child:  xxx.xxx.0.0/0 === xxx.xxx.0.0/0 TUNNEL, dpdaction=restart
peer-xxx.xxx.240.44-tunnel-vti[4060]: ESTABLISHED 4 hours ago, xxx.xxx.216.216[xxx.xxx.216.216]...xxx.xxx.240.44[xxx.xxx.240.44]
peer-xxx.xxx.240.44-tunnel-vti[4060]: IKEv2 SPIs: 4a0289911d7d3a6a_i c6c6684378608039_r*, rekeying in 2 hours
peer-xxx.xxx.240.44-tunnel-vti[4060]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048_256
peer-xxx.xxx.240.44-tunnel-vti{86783}:  INSTALLED, TUNNEL, reqid 2893, ESP SPIs: c4c5a85d_i cf332d5e_o
peer-xxx.xxx.240.44-tunnel-vti{86783}:  AES_GCM_16_256/MODP_2048_256, 0 bytes_i, 0 bytes_o, rekeying in 11 minutes
peer-xxx.xxx.240.44-tunnel-vti{86783}:   xxx.xxx.0.0/0 === xxx.xxx.0.0/0
The configuration is identical on the remote side.
olof@oob-rou001:~$ show configuration commands | grep ipsec | strip-private
set vpn ipsec esp-group ESP-OOB compression 'disable'
set vpn ipsec esp-group ESP-OOB lifetime '3600'
set vpn ipsec esp-group ESP-OOB mode 'tunnel'
set vpn ipsec esp-group ESP-OOB pfs 'dh-group24'
set vpn ipsec esp-group ESP-OOB proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP-OOB proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-OOB dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-OOB dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-OOB dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE-OOB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-OOB key-exchange 'ikev2'
set vpn ipsec ike-group IKE-OOB lifetime '28800'
set vpn ipsec ike-group IKE-OOB proposal 1 dh-group '24'
set vpn ipsec ike-group IKE-OOB proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group IKE-OOB proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer xxxxx.tld authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxxxx.tld authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer xxxxx.tld connection-type 'initiate'
set vpn ipsec site-to-site peer xxxxx.tld default-esp-group 'ESP-OOB'
set vpn ipsec site-to-site peer xxxxx.tld ike-group 'IKE-OOB'
set vpn ipsec site-to-site peer xxxxx.tld ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxxxx.tld local-address 'xxx.xxx.240.44'
set vpn ipsec site-to-site peer xxxxx.tld vti bind 'vti0'
set vpn ipsec site-to-site peer xxxxx.tld vti esp-group 'ESP-OOB'
IKEv2 INFORMATIONAL messages are exchanged every 30 seconds, so DPD is working.
This happens every few weeks.
Running only reset vpn ipsec-peer xxx.xxx.216.216 does not solve this issue.
The solution is to run restart ipsec to restart the whole ipsec process.
This side runs VyOS 1.2.5.
The remote side runs VyOS 1.2.3.
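The failure mode above is easy to miss because every IPsec-level view (SA table, verbose status, DPD exchanges) says "up" while the VTI link is DOWN. The following check is an added example, not part of the original report or of VyOS: it takes the text of show vpn ipsec sa and ip addr show vti0 and distinguishes an ordinary tunnel outage from this "SA installed but VTI DOWN" state. The sample outputs, the connection name and the addresses in it are constructed.

```shell
#!/bin/sh
# Added example (not from the original report): detect the state where the
# IPsec SA is up but the bound VTI interface reports "state DOWN". Both
# inputs are passed as text so the check can be fed from the router's own
# `show vpn ipsec sa` and `ip addr show vti0` output.

# 0 if the interface text reports "state DOWN", 1 otherwise.
vti_link_down() {
    printf '%s\n' "$1" | grep -q 'state DOWN'
}

# 0 if the SA table has a row for connection $2 whose State column is "up".
sa_up() {
    printf '%s\n' "$1" | awk -v c="$2" '$1 == c && $2 == "up" { f = 1 } END { exit !f }'
}

# Exit status: 0 = consistent, 1 = SA not up (plain tunnel outage),
# 2 = SA up but VTI down (the symptom in this report).
check_tunnel() {
    sa_up "$1" "$2" || return 1
    vti_link_down "$3" && return 2
    return 0
}

# Constructed sample outputs (documentation addresses, not the reporter's).
# SAMPLE_VTI_DOWN mirrors the DOWN state shown in the report.
SAMPLE_SA='Connection                   State   Up      Bytes In/Out   Remote address   Remote ID   Proposal
---------------------------- ------- ------- -------------- ---------------- ----------- --------------
peer-203.0.113.7-tunnel-vti  up      4 hours 0B/0B          203.0.113.7      N/A         AES_GCM_16_256'
SAMPLE_VTI_DOWN='8: vti0@NONE: <POINTOPOINT,NOARP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ipip 198.51.100.44 peer 203.0.113.7
    inet 10.18.5.18/30 scope global vti0'
SAMPLE_VTI_UP='8: vti0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 198.51.100.44 peer 203.0.113.7'

# Standalone run: report the broken case.
rc=0; check_tunnel "$SAMPLE_SA" "peer-203.0.113.7-tunnel-vti" "$SAMPLE_VTI_DOWN" || rc=$?
case $rc in
    0) echo "tunnel consistent" ;;
    1) echo "SA not up" ;;
    2) echo "SA up but VTI is DOWN: ipsec restart needed" ;;
esac
```

Wired to a cron job or monitoring agent, exit status 2 is the signal that the peer reset alone will not help and the whole IPsec process needs restarting, as the report describes.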