I have set up IPsec VPNs with multiple tunnels.
For some of the tunnels, the local prefix points not to the local subnet, but to a subnet that is NAT-translated to another system entirely.
When this is the case, those tunnels are always listed as "down", and the Peer ID as n/a. The tunnel is not actually down, and data flows.
In the following example, the first Peer ID should be the same as the one below it, and the Local ID should be a subnet in a public IP range, which isn't associated with any network devices but has a working dst-nat rule.
vyos@VyOS-IPSEC-GPA# run show vpn ipsec sa
Peer ID / IP                            Local ID / IP
n/a                                     n/a

    Tunnel  State  Bytes Out/In   Encrypt  Hash        NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----------  -----  ------  ------  -----
    2       down   252.0/252.0    aes256   sha256_128  no     -900    n/a     all

Peer ID / IP                            Local ID / IP
remotepeer                              192.168.101.153

    Tunnel  State  Bytes Out/In   Encrypt  Hash        NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----------  -----  ------  ------  -----
    1       up     0.0/0.0        aes256   sha256_128  no     2280    3600    all
The other side, also a VyOS in this case, shows a similar result:
Peer ID / IP                            Local ID / IP
n/a                                     n/a

    Tunnel  State  Bytes Out/In   Encrypt  Hash        NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----------  -----  ------  ------  -----
    2       down   252.0/252.0    aes256   sha256_128  no     -420    n/a     all

Peer ID / IP                            Local ID / IP
remotepeer                              192.168.55.75

    Tunnel  State  Bytes Out/In   Encrypt  Hash        NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----------  -----  ------  ------  -----
    1       up     0.0/0.0        aes256   sha256_128  no     2760    3600    all
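The status output quoted in the post is internally inconsistent: the tunnel is reported "down" while its byte counters are non-zero, its A-Time is negative and both IDs are n/a, which is why "down" here cannot be trusted at face value. The following parser is an added example, not code from the post or from VyOS: it reads `show vpn ipsec sa` output laid out as above (the sample text is constructed from the first router's output), and flags each SA whose fields contradict each other, so the condition can be caught by a monitoring script instead of being read as a real outage. The field names, the `SA` class and the anomaly wording are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the `show vpn ipsec sa` output from the post, in VyOS's column layout.
SAMPLE_OUTPUT = """Peer ID / IP                            Local ID / IP
n/a                                     n/a

    Tunnel  State  Bytes Out/In   Encrypt  Hash        NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----------  -----  ------  ------  -----
    2       down   252.0/252.0    aes256   sha256_128  no     -900    n/a     all

Peer ID / IP                            Local ID / IP
remotepeer                              192.168.101.153

    Tunnel  State  Bytes Out/In   Encrypt  Hash        NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----------  -----  ------  ------  -----
    1       up     0.0/0.0        aes256   sha256_128  no     2280    3600    all
"""

PEER_HEADER = "Peer ID / IP"
# One tunnel row: number, state, out/in bytes, cipher, hash, NAT-T, A-Time, L-Time, proto.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+([\d.]+)/([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(-?\d+|n/a)\s+(\d+|n/a)\s+(\S+)\s*$"
)


@dataclass
class SA:
    peer_id: str
    local_id: str
    tunnel: int
    state: str
    bytes_out: float
    bytes_in: float
    encrypt: str
    hash_alg: str
    nat_t: str
    a_time: Optional[int]   # None when the output prints n/a
    l_time: Optional[int]   # None when the output prints n/a
    proto: str
    anomalies: List[str] = field(default_factory=list)


def _num(token: str) -> Optional[int]:
    return None if token == "n/a" else int(token)


def parse_ipsec_sa(text: str) -> List[SA]:
    """Walk the output: each 'Peer ID / IP' header is followed by the peer/local
    line (skipping blank or dashed underline lines), then the tunnel rows for that peer."""
    sas: List[SA] = []
    peer_id = local_id = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith(PEER_HEADER):
            i += 1
            while i < len(lines) and (not lines[i].strip() or set(lines[i].strip()) <= set("- ")):
                i += 1
            if i < len(lines):
                parts = lines[i].split()
                if len(parts) >= 2:
                    peer_id, local_id = parts[0], parts[1]
        else:
            m = ROW_RE.match(line)
            if m and peer_id is not None:
                sa = SA(peer_id, local_id, int(m.group(1)), m.group(2),
                        float(m.group(3)), float(m.group(4)), m.group(5), m.group(6),
                        m.group(7), _num(m.group(8)), _num(m.group(9)), m.group(10))
                sa.anomalies = check_sa(sa)
                sas.append(sa)
        i += 1
    return sas


def check_sa(sa: SA) -> List[str]:
    """Cross-check the fields of one SA; an empty list means the row is self-consistent."""
    notes = []
    if sa.peer_id == "n/a" or sa.local_id == "n/a":
        notes.append("peer/local ID not resolved")
    if sa.state != "up" and (sa.bytes_out > 0 or sa.bytes_in > 0):
        notes.append("non-zero byte counters on a tunnel reported %s" % sa.state)
    if sa.a_time is not None and sa.a_time < 0:
        notes.append("negative A-Time (%d)" % sa.a_time)
    return notes


def suspicious_tunnels(text: str) -> List[int]:
    """Tunnel numbers whose status row contradicts itself (these need a second look,
    not an alert that the tunnel is down)."""
    return [sa.tunnel for sa in parse_ipsec_sa(text) if sa.anomalies]


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_OUTPUT):
        print("tunnel %d peer=%s local=%s state=%s -> %s"
              % (sa.tunnel, sa.peer_id, sa.local_id, sa.state, "; ".join(sa.anomalies) or "consistent"))
```

On the sample above, tunnel 2 is flagged on all three checks and tunnel 1 is reported as consistent; a row that is flagged this way is a status-display problem to investigate on the router, not evidence that traffic has stopped.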