IPsec with x509 certificate authentication continues to work after the certificates it was configured with are deleted or changed.
Config (incidental to the bug, but note that this test setup uses IKEv1 with DH group 2 / MODP-1024, which is weaker than current recommendations):
set interfaces vti vti0 address '10.0.0.1/30'
set pki ca peer_192-168-0-3 certificate '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'
set pki certificate peer_192-168-0-3 certificate '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'
set pki certificate peer_192-168-0-3 private key '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'
set vpn ipsec esp-group MyESPGroup compression 'disable'
set vpn ipsec esp-group MyESPGroup lifetime '3600'
set vpn ipsec esp-group MyESPGroup mode 'tunnel'
set vpn ipsec esp-group MyESPGroup pfs 'enable'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
set vpn ipsec ike-group MyIKEGroup close-action 'none'
set vpn ipsec ike-group MyIKEGroup ikev2-reauth 'no'
set vpn ipsec ike-group MyIKEGroup key-exchange 'ikev1'
set vpn ipsec ike-group MyIKEGroup lifetime '28800'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer 192.168.0.3 authentication id 'CN=IPsec Router2'
set vpn ipsec site-to-site peer 192.168.0.3 authentication mode 'x509'
set vpn ipsec site-to-site peer 192.168.0.3 authentication remote-id 'CN=IPsec Router3'
set vpn ipsec site-to-site peer 192.168.0.3 authentication x509 ca-certificate 'peer_192-168-0-3'
set vpn ipsec site-to-site peer 192.168.0.3 authentication x509 certificate 'peer_192-168-0-3'
set vpn ipsec site-to-site peer 192.168.0.3 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.0.3 ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer 192.168.0.3 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.168.0.3 local-address '192.168.0.2'
set vpn ipsec site-to-site peer 192.168.0.3 vti bind 'vti0'
set vpn ipsec site-to-site peer 192.168.0.3 vti esp-group 'MyESPGroup'
Check that the IPsec SA is in the "up" state, then delete the certificates and commit:
vyos@r2# run show vpn ipsec sa Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal -------------------- ------- -------- -------------- ---------------- ---------------- ---------------- --------------------------------------- peer_192-168-0-3_vti up 5m5s 0B/0B 0/0 192.168.0.3 CN=IPsec Router3 AES_CBC_128/HMAC_SHA2_256_128/MODP_1024 [edit] vyos@r2# [edit] vyos@r2# delete pki [edit] vyos@r2# commit [edit] vyos@r2#
Reset the peer; it establishes the connection again:
vyos@r2# run reset vpn ipsec-peer 192.168.0.3 closing CHILD_SA peer_192-168-0-3_vti{1} with SPIs c9318e6f_i (0 bytes) ca20f83e_o (0 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0 sending DELETE for ESP CHILD_SA with SPI c9318e6f generating INFORMATIONAL_V1 request 2193869679 [ HASH D ] sending packet: from 192.168.0.2[500] to 192.168.0.3[500] (92 bytes) CHILD_SA {1} closed successfully generating QUICK_MODE request 108106976 [ HASH SA No KE ID ID ] sending packet: from 192.168.0.2[500] to 192.168.0.3[500] (332 bytes) received packet: from 192.168.0.3[500] to 192.168.0.2[500] (332 bytes) parsed QUICK_MODE response 108106976 [ HASH SA No KE ID ID ] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ CHILD_SA peer_192-168-0-3_vti{2} established with SPIs cfcb2387_i c0f5e296_o and TS 0.0.0.0/0 === 0.0.0.0/0 connection 'peer_192-168-0-3_vti' established successfully Peer reset result: success [edit] vyos@r2# vyos@r2# run show vpn ipsec sa Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal -------------------- ------- -------- -------------- ---------------- ---------------- ---------------- --------------------------------------- peer_192-168-0-3_vti up 6s 0B/0B 0/0 192.168.0.3 CN=IPsec Router3 AES_CBC_128/HMAC_SHA2_256_128/MODP_1024 [edit] vyos@r2#
After all certificates have been deleted from `pki`, I do not expect them to be used anywhere on the router. Note that the reset output above only shows the CHILD_SA being closed and re-negotiated through IKEv1 QUICK_MODE under the still-active IKE SA; x509 authentication is performed only when the IKE SA itself is established, so this reset does not actually exercise certificate authentication and by itself cannot tell whether the daemon still holds the deleted key. To confirm, the IKE SA must be torn down and re-established after the commit. Either way, removing a certificate or private key from the configuration and committing should also terminate any IKE SA authenticated with it and reload the daemon's credentials; otherwise a revoked or compromised key stays in use until the IKE lifetime (28800 seconds in this config) expires.
Likewise, if I replace the PKI CA with a new one, IPsec will keep using the original (old) certificate for the same reason.