How to reproduce the issue:
Version: 1.4-rolling-202106271939
Basic Configuration:
Left:
set vpn ipsec esp-group espA proposal 1 encryption 'aes256'
set vpn ipsec esp-group espA proposal 1 hash 'sha1'
set vpn ipsec ike-group ikeA proposal 1 encryption 'aes256'
set vpn ipsec ike-group ikeA proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 22.22.22.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 22.22.22.2 authentication pre-shared-secret 'vyos'
set vpn ipsec site-to-site peer 22.22.22.2 ike-group 'ikeA'
set vpn ipsec site-to-site peer 22.22.22.2 local-address '22.22.22.1'
set vpn ipsec site-to-site peer 22.22.22.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 22.22.22.2 vti esp-group 'espA'
Right:
set vpn ipsec esp-group espA proposal 1 encryption 'aes256'
set vpn ipsec esp-group espA proposal 1 hash 'sha1'
set vpn ipsec ike-group ikeA proposal 1 encryption 'aes256'
set vpn ipsec ike-group ikeA proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 22.22.22.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 22.22.22.1 authentication pre-shared-secret 'vyos'
set vpn ipsec site-to-site peer 22.22.22.1 connection-type 'respond'
set vpn ipsec site-to-site peer 22.22.22.1 ike-group 'ikeA'
set vpn ipsec site-to-site peer 22.22.22.1 local-address '22.22.22.2'
set vpn ipsec site-to-site peer 22.22.22.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 22.22.22.1 vti esp-group 'espA'
After I add the key-exchange parameter explicitly, it shows the IKEv1 version.
vyos@vyos# set vpn ipsec ike-group ikeA key-exchange
Possible completions:
  ikev1    Use IKEv1 for Key Exchange [DEFAULT]
  ikev2    Use IKEv2 for Key Exchange

[edit]
vyos@vyos# set vpn ipsec ike-group ikeA key-exchange ikev1
[edit]
vyos@vyos# compare
[edit vpn ipsec ike-group ikeA]
+key-exchange ikev1
[edit]
vyos@vyos# commit
[ vpn ipsec ]
loaded ike secret 'ike_22-22-22-2'
loaded connection 'peer_22-22-22-2'
successfully loaded 1 connections, 0 unloaded

[edit]
vyos@vyos# run sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
22.22.22.2 22.22.22.2                   22.22.22.1 22.22.22.1

    State  IKEVer  Encrypt      Hash          D-H Group  NAT-T  A-Time  L-Te
    -----  ------  -------      ----          ---------  -----  ------  ----
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1024  no     33      0
But after the commit, "show vpn ipsec sa" is showing down.
vyos@vyos# run sh vpn ipsec sa
Connection           State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
peer_22-22-22-2_vti  down     N/A       N/A             N/A               N/A               N/A          N/A

[edit]
vyos@vyos# run sh vpn ipsec status
IPSec Process Running: 1450

Security Associations (1 up, 0 connecting):
  peer_22-22-22-2[2]: ESTABLISHED 27 minutes ago, 22.22.22.1[22.22.22.1]...22.22.22.2[22.22.22.2]

vyos@vyos# sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.1, Linux 5.10.46-amd64-vyos, x86_64):
  uptime: 32 minutes, since Jun 28 10:49:03 2021
  malloc: sbrk 1994752, mmap 0, used 1105824, free 888928
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-radius eap-tls eap-ttls eap-tnc xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  22.22.22.1
Connections:
     peer_22-22-22-2:  22.22.22.1...22.22.22.2  IKEv1
     peer_22-22-22-2:   local:  uses pre-shared key authentication
     peer_22-22-22-2:   remote: uses pre-shared key authentication
 peer_22-22-22-2_vti:   child:  0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0 TUNNEL
Security Associations (1 up, 0 connecting):
     peer_22-22-22-2[2]: ESTABLISHED 27 minutes ago, 22.22.22.1[22.22.22.1]...22.22.22.2[22.22.22.2]
     peer_22-22-22-2[2]: IKEv1 SPIs: e248d94d25bb952f_i* 07cfcc3cbff29312_r, rekeying in 3 hours
     peer_22-22-22-2[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
There is no config in this location; I am not sure if the file has been changed:
vyos@vyos# sudo cat /etc/ipsec.conf
# Created by VyOS - manual changes will be overwritten

config setup
    charondebug = ""
    uniqueids = yes
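As an added diagnostic, not part of the original report or of VyOS itself: a small Python parser over `ipsec statusall` output that flags exactly the state shown above, where the IKE SA is ESTABLISHED but the child (VTI) connection never reaches an INSTALLED CHILD_SA, which is why `show vpn ipsec sa` reports the connection as down. The first sample is built from the report's own output; the healthy variant (its ESP SPIs, byte counters and rekey timer) is constructed. Matching a child connection to its IKE connection by name prefix is an assumption that relies on VyOS naming children `<peer>_vti` / `<peer>_tunnel_N`.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the `ipsec statusall` output in the report:
# the IKE SA is ESTABLISHED, but the VTI child connection has no CHILD_SA.
STATUS_IKE_UP_NO_CHILD = """\
Connections:
     peer_22-22-22-2:  22.22.22.1...22.22.22.2  IKEv1
     peer_22-22-22-2:   local:  uses pre-shared key authentication
     peer_22-22-22-2:   remote: uses pre-shared key authentication
 peer_22-22-22-2_vti:   child:  0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0 TUNNEL
Security Associations (1 up, 0 connecting):
     peer_22-22-22-2[2]: ESTABLISHED 27 minutes ago, 22.22.22.1[22.22.22.1]...22.22.22.2[22.22.22.2]
     peer_22-22-22-2[2]: IKEv1 SPIs: e248d94d25bb952f_i* 07cfcc3cbff29312_r, rekeying in 3 hours
     peer_22-22-22-2[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""

# Constructed healthy variant (ESP SPIs, counters and timers are invented):
# the same connection once its CHILD_SA has been INSTALLED.
STATUS_HEALTHY = STATUS_IKE_UP_NO_CHILD + """\
 peer_22-22-22-2_vti{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
 peer_22-22-22-2_vti{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
 peer_22-22-22-2_vti{1}:   0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
"""

# IKE SA line: "<conn>[<id>]: ESTABLISHED ..." or "... CONNECTING ..."
IKE_SA_RE = re.compile(r"^(?P<conn>\S+)\[\d+\]: (?P<state>ESTABLISHED|CONNECTING)")
# Child connection definition in the "Connections:" section: "<child>:   child:  ..."
CHILD_DEF_RE = re.compile(r"^(?P<child>\S+):\s+child:")
# CHILD_SA line: "<child>{<id>}:  INSTALLED, TUNNEL, ..."
CHILD_SA_RE = re.compile(
    r"^(?P<child>\S+)\{\d+\}:\s+(?P<state>INSTALLED|INSTALLING|REKEYING|REKEYED|DELETING)"
)

UP_STATES = {"INSTALLED", "REKEYING", "REKEYED"}


def parse_statusall(text: str) -> Tuple[Dict[str, str], List[str], Dict[str, str]]:
    """Return (ike_sa_state by conn, configured child conns, child_sa_state by child)."""
    ike_sa: Dict[str, str] = {}
    children: List[str] = []
    child_sa: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = IKE_SA_RE.match(line)
        if m:
            ike_sa[m.group("conn")] = m.group("state")
            continue
        m = CHILD_DEF_RE.match(line)
        if m:
            children.append(m.group("child"))
            continue
        m = CHILD_SA_RE.match(line)
        if m:
            child_sa[m.group("child")] = m.group("state")
    return ike_sa, children, child_sa


def diagnose(text: str) -> Dict[str, str]:
    """Classify every configured child connection as
    'up', 'ike-up-no-child-sa' (the report's symptom) or 'down'."""
    ike_sa, children, child_sa = parse_statusall(text)
    findings: Dict[str, str] = {}
    for child in children:
        if child_sa.get(child) in UP_STATES:
            findings[child] = "up"
            continue
        # Assumption: the parent IKE connection is the longest connection name
        # that prefixes the child name (VyOS names children "<peer>_vti", "<peer>_tunnel_N").
        parents = [conn for conn in ike_sa if child.startswith(conn)]
        parent_state = ike_sa[max(parents, key=len)] if parents else None
        findings[child] = "ike-up-no-child-sa" if parent_state == "ESTABLISHED" else "down"
    return findings


if __name__ == "__main__":
    for label, sample in (("report", STATUS_IKE_UP_NO_CHILD), ("healthy", STATUS_HEALTHY)):
        for child, verdict in diagnose(sample).items():
            print(f"{label}: {child}: {verdict}")
```

On a live box the same function can be fed the output of `sudo ipsec statusall`; a verdict of `ike-up-no-child-sa` tells you phase 1 is fine and the problem is in the CHILD_SA negotiation or the installed traffic selectors, not in the IKE proposal or the pre-shared secret.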