Issue description
When more than one proposal with different DH groups is configured under an IKE group and PFS is enabled in the ESP group, the initiating peer is forced during phase 2 (Quick Mode) to offer only the DH group configured under the first IKE proposal (applies to IKEv1).
Example:
VyOS1 <--IPsec--> VyOS2
Version: VyOS 1.4-rolling-202202230317
VyOS1 configuration:
*IKE*
set vpn ipsec ike-group IKE-1 close-action 'none'
set vpn ipsec ike-group IKE-1 ikev2-reauth 'no'
set vpn ipsec ike-group IKE-1 key-exchange 'ikev1'
set vpn ipsec ike-group IKE-1 lifetime '3600'
set vpn ipsec ike-group IKE-1 proposal 1 dh-group '5'
set vpn ipsec ike-group IKE-1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-1 proposal 2 dh-group '2'
set vpn ipsec ike-group IKE-1 proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE-1 proposal 2 hash 'sha1'

*ESP*
set vpn ipsec esp-group ESP-1 compression 'disable'
set vpn ipsec esp-group ESP-1 lifetime '1800'
set vpn ipsec esp-group ESP-1 mode 'tunnel'
set vpn ipsec esp-group ESP-1 pfs 'enable'
set vpn ipsec esp-group ESP-1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-1 proposal 1 hash 'sha1'

*Rest of the IPsec config*
set vpn ipsec interface 'bond0'
set vpn ipsec site-to-site peer 10.1.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.1.2.2 authentication pre-shared-secret 'MySecretKey'
set vpn ipsec site-to-site peer 10.1.2.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.1.2.2 ike-group 'IKE-1'
set vpn ipsec site-to-site peer 10.1.2.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.1.2.2 local-address '10.1.1.2'
set vpn ipsec site-to-site peer 10.1.2.2 tunnel 0 esp-group 'ESP-1'
set vpn ipsec site-to-site peer 10.1.2.2 tunnel 0 local prefix '192.168.1.0/24'
set vpn ipsec site-to-site peer 10.1.2.2 tunnel 0 remote prefix '192.168.2.0/24'
VyOS2 configuration:
*IKE*
set vpn ipsec ike-group IKE-1 close-action 'none'
set vpn ipsec ike-group IKE-1 ikev2-reauth 'no'
set vpn ipsec ike-group IKE-1 key-exchange 'ikev1'
set vpn ipsec ike-group IKE-1 lifetime '3600'
set vpn ipsec ike-group IKE-1 proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1 proposal 1 hash 'sha1'

*ESP*
set vpn ipsec esp-group ESP-1 compression 'disable'
set vpn ipsec esp-group ESP-1 lifetime '1800'
set vpn ipsec esp-group ESP-1 mode 'tunnel'
set vpn ipsec esp-group ESP-1 pfs 'enable'
set vpn ipsec esp-group ESP-1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-1 proposal 1 hash 'sha1'

*Rest of the IPsec config*
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.1.1.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.1.1.2 authentication pre-shared-secret 'MySecretKey'
set vpn ipsec site-to-site peer 10.1.1.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.1.1.2 ike-group 'IKE-1'
set vpn ipsec site-to-site peer 10.1.1.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.1.1.2 local-address '10.1.2.2'
set vpn ipsec site-to-site peer 10.1.1.2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 10.1.1.2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 10.1.1.2 tunnel 0 esp-group 'ESP-1'
set vpn ipsec site-to-site peer 10.1.1.2 tunnel 0 local prefix '192.168.2.0/24'
set vpn ipsec site-to-site peer 10.1.1.2 tunnel 0 remote prefix '192.168.1.0/24'
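To make the reported behaviour concrete, here is an added example (written for this report, not VyOS's vpn_ipsec.py or its Jinja2 template) that models how the initiator's phase-2 esp_proposals list is derived from an esp-group with pfs 'enable' and the DH groups of its ike-group. It renders the list two ways, as the report describes it and as expected, then lets a responder configured like VyOS2 pick from each. The input dicts are constructed from the two configurations above; the DH-group-number to keyword table uses the standard strongSwan names.

```python
"""Added example (not VyOS's vpn_ipsec.py or its template): a model of how the
initiator's phase-2 (ESP) proposal list is derived from an esp-group with
pfs 'enable' and the DH groups of its ike-group, contrasting the behaviour
this report describes with the expected one. Input dicts mirror the
'set vpn ipsec ...' commands above; the DH-group-number to keyword table
uses standard strongSwan names."""

# IANA DH group number -> strongSwan proposal keyword
DH_GROUP_NAMES = {2: "modp1024", 5: "modp1536", 14: "modp2048", 19: "ecp256"}


def ike_proposals(ike_group):
    """Phase-1 list: one entry per IKE proposal, in proposal-number order."""
    entries = []
    for num in sorted(ike_group["proposal"]):
        p = ike_group["proposal"][num]
        entries.append(f"{p['encryption']}-{p['hash']}-{DH_GROUP_NAMES[p['dh-group']]}")
    return ",".join(entries)


def _render_esp(esp_group, dh_groups):
    """Expand every ESP proposal by the given DH groups (none when PFS is off)."""
    entries = []
    for num in sorted(esp_group["proposal"]):
        p = esp_group["proposal"][num]
        base = f"{p['encryption']}-{p['hash']}"
        if not dh_groups:
            entries.append(base)
        for g in dh_groups:
            entries.append(f"{base}-{DH_GROUP_NAMES[g]}")
    return ",".join(entries)


def esp_proposals_as_reported(esp_group, ike_group):
    """Behaviour in the report: with pfs 'enable' only the DH group of the
    first IKE proposal reaches esp_proposals, so the responder cannot pick
    any other group the IKE group allows."""
    if esp_group.get("pfs") != "enable":
        return _render_esp(esp_group, [])
    first = ike_group["proposal"][min(ike_group["proposal"])]
    return _render_esp(esp_group, [first["dh-group"]])


def esp_proposals_expected(esp_group, ike_group):
    """Expected behaviour: one ESP entry per distinct IKE DH group, in IKE
    proposal order, so phase 2 can agree on whichever group phase 1 did."""
    if esp_group.get("pfs") != "enable":
        return _render_esp(esp_group, [])
    groups = []
    for num in sorted(ike_group["proposal"]):
        g = ike_group["proposal"][num]["dh-group"]
        if g not in groups:
            groups.append(g)
    return _render_esp(esp_group, groups)


def select_proposal(offered, configured):
    """Responder-side choice as seen in the logs of this report: the first
    offered entry that the responder also has configured, or None, which
    charon answers with NO_PROPOSAL_CHOSEN."""
    accepted = set(configured.split(","))
    return next((e for e in offered.split(",") if e in accepted), None)


# Constructed from the VyOS1 and VyOS2 configuration in this report.
VYOS1_IKE = {"proposal": {1: {"dh-group": 5, "encryption": "aes256", "hash": "sha1"},
                          2: {"dh-group": 2, "encryption": "aes256", "hash": "sha1"}}}
VYOS1_ESP = {"pfs": "enable", "proposal": {1: {"encryption": "aes256", "hash": "sha1"}}}
VYOS2_IKE = {"proposal": {1: {"dh-group": 2, "encryption": "aes256", "hash": "sha1"}}}
VYOS2_ESP = VYOS1_ESP

if __name__ == "__main__":
    responder = esp_proposals_expected(VYOS2_ESP, VYOS2_IKE)   # aes256-sha1-modp1024
    for label, fn in (("as reported", esp_proposals_as_reported),
                      ("expected", esp_proposals_expected)):
        offered = fn(VYOS1_ESP, VYOS1_IKE)
        print(f"{label:12s} esp_proposals = {offered:45s} -> {select_proposal(offered, responder)}")
```

With the VyOS1 groups, `esp_proposals_as_reported` yields only `aes256-sha1-modp1536`, which a responder holding `aes256-sha1-modp1024` rejects, while `esp_proposals_expected` yields `aes256-sha1-modp1536,aes256-sha1-modp1024` and negotiation settles on modp1024, exactly the outcome the logs below show after the manual swanctl.conf edit.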
Diagnostics and logs
VyOS1
vyos@VyOS-1:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.2.2 10.1.2.2                       10.1.1.2 10.1.1.2

    State  IKEVer  Encrypt      Hash          D-H Group  NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------  -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1024  no     310     0

vyos@VyOS-1:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------

vyos@VyOS-1:~$ cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_10-1-2-2 {
        proposals = aes256-sha1-modp1536,aes256-sha1-modp1024
        version = 1
        local_addrs = 10.1.1.2 # dhcp:no
        remote_addrs = 10.1.2.2
        rekey_time = 3600s
        mobike = yes
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            id = "10.1.2.2"
            auth = psk
        }
        children {
            peer_10-1-2-2_tunnel_0 {
                esp_proposals = aes256-sha1-modp1536
                life_time = 1800s
                local_ts = 192.168.1.0/24
                remote_ts = 192.168.2.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
            }
        }
    }
}

pools {
}

secrets {
    ike_10-1-2-2 {
        id-local = 10.1.1.2 # dhcp:no
        id-remote = 10.1.2.2
        secret = "MySecretKey"
    }
}

Feb 28 11:01:26 VyOS-1 charon[1849]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.101-amd64-vyos, x86_64)
Feb 28 11:01:27 VyOS-1 sudo[1858]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:27 VyOS-1 sudo[1860]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] PKCS11 module '<name>' lacks library path
Feb 28 11:01:27 VyOS-1 sudo[1890]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:27 VyOS-1 sudo[1990]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:27 VyOS-1 sudo[1992]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] loaded 0 RADIUS server configurations
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] HA config misses local/remote address
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[JOB] spawning 16 worker threads
Feb 28 11:01:27 VyOS-1 sudo[2013]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:27 VyOS-1 ipsec_starter[1847]: charon (1849) started after 780 ms
Feb 28 11:01:27 VyOS-1 charon[1849]: 05[CFG] loaded IKE shared key with id 'ike_10-1-2-2' for: '10.1.1.2', '10.1.2.2'
Feb 28 11:01:27 VyOS-1 charon[1849]: 10[CFG] added vici connection: peer_10-1-2-2
Feb 28 11:01:27 VyOS-1 charon[1849]: 10[CFG] initiating 'peer_10-1-2-2_tunnel_0'
Feb 28 11:01:27 VyOS-1 charon[1849]: 10[IKE] <peer_10-1-2-2|1> initiating Main Mode IKE_SA peer_10-1-2-2[1] to 10.1.2.2
Feb 28 11:01:27 VyOS-1 charon[1849]: 10[ENC] <peer_10-1-2-2|1> generating ID_PROT request 0 [ SA V V V V V ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 10[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (216 bytes)
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (160 bytes)
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[ENC] <peer_10-1-2-2|1> parsed ID_PROT response 0 [ SA V V V V ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[IKE] <peer_10-1-2-2|1> received XAuth vendor ID
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[IKE] <peer_10-1-2-2|1> received DPD vendor ID
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[IKE] <peer_10-1-2-2|1> received FRAGMENTATION vendor ID
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[IKE] <peer_10-1-2-2|1> received NAT-T (RFC 3947) vendor ID
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[CFG] <peer_10-1-2-2|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[ENC] <peer_10-1-2-2|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (244 bytes)
Feb 28 11:01:27 VyOS-1 charon[1849]: 05[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (244 bytes)
Feb 28 11:01:27 VyOS-1 charon[1849]: 05[ENC] <peer_10-1-2-2|1> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 05[ENC] <peer_10-1-2-2|1> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 05[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (108 bytes)
Feb 28 11:01:27 VyOS-1 charon[1849]: 07[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:01:27 VyOS-1 charon[1849]: 07[ENC] <peer_10-1-2-2|1> parsed ID_PROT response 0 [ ID HASH ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 07[IKE] <peer_10-1-2-2|1> IKE_SA peer_10-1-2-2[1] established between 10.1.1.2[10.1.1.2]...10.1.2.2[10.1.2.2]
Feb 28 11:01:27 VyOS-1 charon[1849]: 07[IKE] <peer_10-1-2-2|1> scheduling rekeying in 3402s
Feb 28 11:01:27 VyOS-1 charon[1849]: 07[IKE] <peer_10-1-2-2|1> maximum IKE_SA lifetime 3762s
Feb 28 11:01:27 VyOS-1 charon[1849]: 07[ENC] <peer_10-1-2-2|1> generating QUICK_MODE request 113552097 [ HASH SA No KE ID ID ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 07[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (380 bytes)
Feb 28 11:01:27 VyOS-1 charon[1849]: 06[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:01:27 VyOS-1 charon[1849]: 06[ENC] <peer_10-1-2-2|1> parsed INFORMATIONAL_V1 request 495653456 [ HASH N(NO_PROP) ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 06[IKE] <peer_10-1-2-2|1> received NO_PROPOSAL_CHOSEN error notify
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[NET] <2> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (180 bytes)
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[ENC] <2> parsed ID_PROT request 0 [ SA V V V V V ]
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[IKE] <2> received XAuth vendor ID
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[IKE] <2> received DPD vendor ID
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[IKE] <2> received FRAGMENTATION vendor ID
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[IKE] <2> received NAT-T (RFC 3947) vendor ID
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[IKE] <2> 10.1.2.2 is initiating a Main Mode IKE_SA
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[ENC] <2> generating ID_PROT response 0 [ SA V V V V ]
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[NET] <2> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (160 bytes)
Feb 28 11:01:30 VyOS-1 charon[1849]: 09[NET] <2> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (244 bytes)
Feb 28 11:01:30 VyOS-1 charon[1849]: 09[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 28 11:01:30 VyOS-1 charon[1849]: 09[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 28 11:01:30 VyOS-1 charon[1849]: 09[NET] <2> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (244 bytes)
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[NET] <2> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[ENC] <2> parsed ID_PROT request 0 [ ID HASH ]
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[CFG] <2> looking for pre-shared key peer configs matching 10.1.1.2...10.1.2.2[10.1.2.2]
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[CFG] <2> selected peer config "peer_10-1-2-2"
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[IKE] <peer_10-1-2-2|2> IKE_SA peer_10-1-2-2[2] established between 10.1.1.2[10.1.1.2]...10.1.2.2[10.1.2.2]
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[IKE] <peer_10-1-2-2|2> scheduling rekeying in 3275s
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[IKE] <peer_10-1-2-2|2> maximum IKE_SA lifetime 3635s
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[ENC] <peer_10-1-2-2|2> generating ID_PROT response 0 [ ID HASH ]
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[NET] <peer_10-1-2-2|2> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (76 bytes)
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[NET] <peer_10-1-2-2|2> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (316 bytes)
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[ENC] <peer_10-1-2-2|2> parsed QUICK_MODE request 3521146508 [ HASH SA No KE ID ID ]
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[CFG] <peer_10-1-2-2|2> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[CFG] <peer_10-1-2-2|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[IKE] <peer_10-1-2-2|2> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[ENC] <peer_10-1-2-2|2> generating INFORMATIONAL_V1 request 2163880087 [ HASH N(NO_PROP) ]
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[NET] <peer_10-1-2-2|2> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (76 bytes)
Feb 28 11:01:41 VyOS-1 charon[1849]: 05[IKE] <peer_10-1-2-2|1> deleting IKE_SA peer_10-1-2-2[1] between 10.1.1.2[10.1.1.2]...10.1.2.2[10.1.2.2]
Feb 28 11:01:41 VyOS-1 charon[1849]: 05[IKE] <peer_10-1-2-2|1> sending DELETE for IKE_SA peer_10-1-2-2[1]
Feb 28 11:01:41 VyOS-1 charon[1849]: 05[ENC] <peer_10-1-2-2|1> generating INFORMATIONAL_V1 request 3348301110 [ HASH D ]
Feb 28 11:01:41 VyOS-1 charon[1849]: 05[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (92 bytes)
Exact logs pointing to the issue:
Feb 28 11:01:27 VyOS-1 charon[1849]: 06[ENC] <peer_10-1-2-2|1> parsed INFORMATIONAL_V1 request 495653456 [ HASH N(NO_PROP) ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 06[IKE] <peer_10-1-2-2|1> received NO_PROPOSAL_CHOSEN error notify
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[CFG] <peer_10-1-2-2|2> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[CFG] <peer_10-1-2-2|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[IKE] <peer_10-1-2-2|2> no matching proposal found, sending NO_PROPOSAL_CHOSEN
VyOS2
vyos@VyOS-2:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.1.2 10.1.1.2                       10.1.2.2 10.1.2.2

    State  IKEVer  Encrypt      Hash          D-H Group  NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------  -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1024  no     605     0

vyos@VyOS-2:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------

vyos@VyOS-2:~$ cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_10-1-1-2 {
        proposals = aes256-sha1-modp1024
        version = 1
        local_addrs = 10.1.2.2 # dhcp:no
        remote_addrs = 10.1.1.2
        rekey_time = 3600s
        mobike = yes
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            id = "10.1.1.2"
            auth = psk
        }
        children {
            peer_10-1-1-2_tunnel_0 {
                esp_proposals = aes256-sha1-modp1024
                life_time = 1800s
                local_ts = 192.168.2.0/24
                remote_ts = 192.168.1.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
            }
        }
    }
}

pools {
}

secrets {
    ike_10-1-1-2 {
        id-local = 10.1.2.2 # dhcp:no
        id-remote = 10.1.1.2
        secret = "MySecretKey"
    }
}

Feb 28 11:01:25 VyOS-2 charon[1790]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.101-amd64-vyos, x86_64)
Feb 28 11:01:25 VyOS-2 sudo[1799]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:25 VyOS-2 sudo[1801]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:25 VyOS-2 charon[1790]: 00[CFG] PKCS11 module '<name>' lacks library path
Feb 28 11:01:25 VyOS-2 sudo[1808]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:26 VyOS-2 sudo[1906]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:26 VyOS-2 sudo[1933]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:26 VyOS-2 sudo[1935]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[CFG] loaded 0 RADIUS server configurations
Feb 28 11:01:26 VyOS-2 sudo[1940]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[CFG] HA config misses local/remote address
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[JOB] spawning 16 worker threads
Feb 28 11:01:26 VyOS-2 ipsec_starter[1788]: charon (1790) started after 960 ms
Feb 28 11:01:26 VyOS-2 charon[1790]: 08[CFG] loaded IKE shared key with id 'ike_10-1-1-2' for: '10.1.2.2', '10.1.1.2'
Feb 28 11:01:26 VyOS-2 charon[1790]: 10[CFG] added vici connection: peer_10-1-1-2
Feb 28 11:01:26 VyOS-2 charon[1790]: 10[CFG] initiating 'peer_10-1-1-2_tunnel_0'
Feb 28 11:01:26 VyOS-2 charon[1790]: 10[IKE] <peer_10-1-1-2|1> initiating Main Mode IKE_SA peer_10-1-1-2[1] to 10.1.1.2
Feb 28 11:01:26 VyOS-2 charon[1790]: 10[ENC] <peer_10-1-1-2|1> generating ID_PROT request 0 [ SA V V V V V ]
Feb 28 11:01:26 VyOS-2 charon[1790]: 10[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (180 bytes)
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[NET] <2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (216 bytes)
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[ENC] <2> parsed ID_PROT request 0 [ SA V V V V V ]
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[IKE] <2> received XAuth vendor ID
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[IKE] <2> received DPD vendor ID
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[IKE] <2> received FRAGMENTATION vendor ID
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[IKE] <2> received NAT-T (RFC 3947) vendor ID
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[IKE] <2> 10.1.1.2 is initiating a Main Mode IKE_SA
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[ENC] <2> generating ID_PROT response 0 [ SA V V V V ]
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[NET] <2> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (160 bytes)
Feb 28 11:01:28 VyOS-2 charon[1790]: 08[NET] <2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (244 bytes)
Feb 28 11:01:28 VyOS-2 charon[1790]: 08[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 28 11:01:28 VyOS-2 charon[1790]: 08[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 28 11:01:28 VyOS-2 charon[1790]: 08[NET] <2> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (244 bytes)
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[NET] <2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (108 bytes)
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[ENC] <2> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[CFG] <2> looking for pre-shared key peer configs matching 10.1.2.2...10.1.1.2[10.1.1.2]
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[CFG] <2> selected peer config "peer_10-1-1-2"
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[IKE] <peer_10-1-1-2|2> IKE_SA peer_10-1-1-2[2] established between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[IKE] <peer_10-1-1-2|2> scheduling rekeying in 3442s
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[IKE] <peer_10-1-1-2|2> maximum IKE_SA lifetime 3802s
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[ENC] <peer_10-1-1-2|2> generating ID_PROT response 0 [ ID HASH ]
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[NET] <peer_10-1-1-2|2> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[NET] <peer_10-1-1-2|2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (380 bytes)
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[ENC] <peer_10-1-1-2|2> parsed QUICK_MODE request 113552097 [ HASH SA No KE ID ID ]
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[CFG] <peer_10-1-1-2|2> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[CFG] <peer_10-1-1-2|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[IKE] <peer_10-1-1-2|2> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[ENC] <peer_10-1-1-2|2> generating INFORMATIONAL_V1 request 495653456 [ HASH N(NO_PROP) ]
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[NET] <peer_10-1-1-2|2> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 09[IKE] <peer_10-1-1-2|1> sending retransmit 1 of request message ID 0, seq 1
Feb 28 11:01:31 VyOS-2 charon[1790]: 09[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (180 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (160 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[ENC] <peer_10-1-1-2|1> parsed ID_PROT response 0 [ SA V V V V ]
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[IKE] <peer_10-1-1-2|1> received XAuth vendor ID
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[IKE] <peer_10-1-1-2|1> received DPD vendor ID
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[IKE] <peer_10-1-1-2|1> received FRAGMENTATION vendor ID
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[IKE] <peer_10-1-1-2|1> received NAT-T (RFC 3947) vendor ID
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[CFG] <peer_10-1-1-2|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[ENC] <peer_10-1-1-2|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (244 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 12[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (244 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 12[ENC] <peer_10-1-1-2|1> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 28 11:01:31 VyOS-2 charon[1790]: 12[ENC] <peer_10-1-1-2|1> generating ID_PROT request 0 [ ID HASH ]
Feb 28 11:01:31 VyOS-2 charon[1790]: 12[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 05[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (76 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 05[ENC] <peer_10-1-1-2|1> parsed ID_PROT response 0 [ ID HASH ]
Feb 28 11:01:31 VyOS-2 charon[1790]: 05[IKE] <peer_10-1-1-2|1> IKE_SA peer_10-1-1-2[1] established between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]
Feb 28 11:01:31 VyOS-2 charon[1790]: 05[IKE] <peer_10-1-1-2|1> scheduling rekeying in 3458s
Feb 28 11:01:31 VyOS-2 charon[1790]: 05[IKE] <peer_10-1-1-2|1> maximum IKE_SA lifetime 3818s
Feb 28 11:01:31 VyOS-2 charon[1790]: 05[ENC] <peer_10-1-1-2|1> generating QUICK_MODE request 3521146508 [ HASH SA No KE ID ID ]
Feb 28 11:01:31 VyOS-2 charon[1790]: 05[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (316 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 13[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (76 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 13[ENC] <peer_10-1-1-2|1> parsed INFORMATIONAL_V1 request 2163880087 [ HASH N(NO_PROP) ]
Feb 28 11:01:31 VyOS-2 charon[1790]: 13[IKE] <peer_10-1-1-2|1> received NO_PROPOSAL_CHOSEN error notify
Feb 28 11:01:41 VyOS-2 charon[1790]: 14[NET] <peer_10-1-1-2|2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (92 bytes)
Feb 28 11:01:41 VyOS-2 charon[1790]: 14[ENC] <peer_10-1-1-2|2> parsed INFORMATIONAL_V1 request 3348301110 [ HASH D ]
Feb 28 11:01:41 VyOS-2 charon[1790]: 14[IKE] <peer_10-1-1-2|2> received DELETE for IKE_SA peer_10-1-1-2[2]
Feb 28 11:01:41 VyOS-2 charon[1790]: 14[IKE] <peer_10-1-1-2|2> deleting IKE_SA peer_10-1-1-2[2] between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]
Exact logs pointing to the issue:
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[CFG] <peer_10-1-1-2|2> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[CFG] <peer_10-1-1-2|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[IKE] <peer_10-1-1-2|2> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Feb 28 11:01:31 VyOS-2 charon[1790]: 13[ENC] <peer_10-1-1-2|1> parsed INFORMATIONAL_V1 request 2163880087 [ HASH N(NO_PROP) ]
Feb 28 11:01:31 VyOS-2 charon[1790]: 13[IKE] <peer_10-1-1-2|1> received NO_PROPOSAL_CHOSEN error notify
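Both "exact logs" excerpts (VyOS1's and VyOS2's) carry the same signature: the responder logs the peer's offered proposals next to its own, and the only component that differs is the DH group. The following added example (written for this report, not code from VyOS or strongSwan) is a small triage script that groups charon's "received proposals", "configured proposals" and NO_PROPOSAL_CHOSEN messages by IKE_SA and reports whether the failure is a pure PFS DH-group mismatch or something broader. It assumes the standard syslog prefix and the strongSwan 5.9 message wording seen on this page; the sample input is the VyOS2 excerpt directly above.

```python
"""Added example (not part of the report): triage of charon log lines for an
IKEv1 Quick Mode failure. Groups 'received proposals' / 'configured proposals'
/ NO_PROPOSAL_CHOSEN messages by IKE_SA and reports whether the only
disagreement is the PFS DH group, the signature of the bug described above.
Assumes the syslog prefix and strongSwan 5.9 wording shown on this page."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon\[\d+\]: "
    r"\d+\[(?P<subsys>\w+)\] <(?P<sa>[^>]+)> (?P<msg>.*)$"
)
PROPOSAL_RE = re.compile(r"^(?P<kind>received|configured) proposals: (?P<list>.+)$")
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")   # strongSwan DH group name prefixes


def parse_proposals(text):
    """'ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:...' -> list of
    {proto, dh, algs}; strongSwan separates alternatives with ', '."""
    out = []
    for item in text.split(", "):
        proto, _, algs = item.partition(":")
        parts = algs.split("/")
        dh = [p for p in parts if p.startswith(DH_PREFIXES)]
        out.append({
            "proto": proto,
            "dh": dh[0] if dh else None,
            "algs": frozenset(p for p in parts if not p.startswith(DH_PREFIXES)),
        })
    return out


def analyze(lines):
    """Return one finding per IKE_SA that saw a Quick Mode proposal rejection."""
    by_sa = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # daemon start-up lines etc. carry no <IKE_SA> tag
        rec = by_sa.setdefault(m["sa"], {
            "host": m["host"], "sa": m["sa"], "received": [], "configured": [],
            "rejected_locally": False, "rejected_by_peer": False,
        })
        pm = PROPOSAL_RE.match(m["msg"])
        if pm:
            rec[pm["kind"]] = parse_proposals(pm["list"])
        elif m["msg"].startswith("no matching proposal found"):
            rec["rejected_locally"] = True   # this host is the responder
        elif m["msg"] == "received NO_PROPOSAL_CHOSEN error notify":
            rec["rejected_by_peer"] = True   # this host is the initiator

    findings = []
    for rec in by_sa.values():
        if rec["rejected_locally"]:
            findings.append(_classify_local_rejection(rec))
        elif rec["rejected_by_peer"]:
            findings.append({
                "host": rec["host"], "sa": rec["sa"],
                "received_dh": [], "configured_dh": [],
                "verdict": "peer sent NO_PROPOSAL_CHOSEN; the peer's own log "
                           "shows which proposals it would have accepted",
            })
    return findings


def _classify_local_rejection(rec):
    received_dh = sorted({p["dh"] for p in rec["received"] if p["dh"]})
    configured_dh = sorted({p["dh"] for p in rec["configured"] if p["dh"]})
    # Same protocol and same cipher/integrity set on at least one pair means
    # the DH group is the only thing the two sides disagree on.
    same_ciphers = any(
        r["proto"] == c["proto"] and r["algs"] == c["algs"]
        for r in rec["received"] for c in rec["configured"]
    )
    if same_ciphers and not set(received_dh) & set(configured_dh):
        verdict = (f"PFS DH group mismatch: peer offered {received_dh}, "
                   f"we only accept {configured_dh}")
    else:
        verdict = "proposal mismatch beyond the DH group (cipher/integrity/protocol)"
    return {"host": rec["host"], "sa": rec["sa"], "received_dh": received_dh,
            "configured_dh": configured_dh, "verdict": verdict}


# Sample input: the five VyOS-2 lines quoted above as the exact logs for the issue.
SAMPLE_LOG = """\
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[CFG] <peer_10-1-1-2|2> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[CFG] <peer_10-1-1-2|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[IKE] <peer_10-1-1-2|2> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Feb 28 11:01:31 VyOS-2 charon[1790]: 13[ENC] <peer_10-1-1-2|1> parsed INFORMATIONAL_V1 request 2163880087 [ HASH N(NO_PROP) ]
Feb 28 11:01:31 VyOS-2 charon[1790]: 13[IKE] <peer_10-1-1-2|1> received NO_PROPOSAL_CHOSEN error notify
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['host']} <{f['sa']}>: {f['verdict']}")
```

Run against the VyOS2 excerpt it reports SA 2 (where VyOS2 is the responder) as a PFS DH group mismatch, MODP_1536 offered against MODP_1024 accepted, and SA 1 (where VyOS2 is the initiator) as rejected by the peer, which is the cue to read the other side's log, as the report does.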
After the following manual change to the child section of VyOS1's swanctl.conf (both DH groups listed in esp_proposals):
children {
    peer_10-1-2-2_tunnel_0 {
        esp_proposals = aes256-sha1-modp1536,aes256-sha1-modp1024
vyos@VyOS-1:~$ restart vpn
Stopping strongSwan IPsec...
Starting strongSwan 5.9.1 IPsec [starter]...
loaded ike secret 'ike_10-1-2-2'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'peer_10-1-2-2'
successfully loaded 1 connections, 0 unloaded

vyos@VyOS-1:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.2.2 10.1.2.2                       10.1.1.2 10.1.1.2

    State  IKEVer  Encrypt      Hash          D-H Group  NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------  -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1024  no     14      0

vyos@VyOS-1:~$ show vpn ipsec sa
Connection              State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
----------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
peer_10-1-2-2_tunnel_0  up       15s       0B/0B           0B/0B             10.1.2.2          10.1.2.2     AES_CBC_256/HMAC_SHA1_96/MODP_1024
VyOS1 logs
Feb 28 11:39:40 VyOS-1 ipsec_starter[1826]: charon stopped after 200 ms
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.101-amd64-vyos, x86_64)
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] PKCS11 module '<name>' lacks library path
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] loaded 0 RADIUS server configurations
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] HA config misses local/remote address
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[JOB] spawning 16 worker threads
Feb 28 11:39:42 VyOS-1 ipsec_starter[2513]: charon (2515) started after 40 ms
Feb 28 11:39:45 VyOS-1 charon[2515]: 13[CFG] loaded IKE shared key with id 'ike_10-1-2-2' for: '10.1.1.2', '10.1.2.2'
Feb 28 11:39:45 VyOS-1 charon[2515]: 06[CFG] added vici connection: peer_10-1-2-2
Feb 28 11:39:45 VyOS-1 charon[2515]: 06[CFG] initiating 'peer_10-1-2-2_tunnel_0'
Feb 28 11:39:45 VyOS-1 charon[2515]: 06[IKE] <peer_10-1-2-2|1> initiating Main Mode IKE_SA peer_10-1-2-2[1] to 10.1.2.2
Feb 28 11:39:45 VyOS-1 charon[2515]: 06[ENC] <peer_10-1-2-2|1> generating ID_PROT request 0 [ SA V V V V V ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 06[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (216 bytes)
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (160 bytes)
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[ENC] <peer_10-1-2-2|1> parsed ID_PROT response 0 [ SA V V V V ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[IKE] <peer_10-1-2-2|1> received XAuth vendor ID
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[IKE] <peer_10-1-2-2|1> received DPD vendor ID
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[IKE] <peer_10-1-2-2|1> received FRAGMENTATION vendor ID
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[IKE] <peer_10-1-2-2|1> received NAT-T (RFC 3947) vendor ID
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[CFG] <peer_10-1-2-2|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[ENC] <peer_10-1-2-2|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (244 bytes)
Feb 28 11:39:45 VyOS-1 charon[2515]: 11[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (244 bytes)
Feb 28 11:39:45 VyOS-1 charon[2515]: 11[ENC] <peer_10-1-2-2|1> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 11[ENC] <peer_10-1-2-2|1> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 11[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (108 bytes)
Feb 28 11:39:45 VyOS-1 charon[2515]: 14[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:39:45 VyOS-1 charon[2515]: 14[ENC] <peer_10-1-2-2|1> parsed ID_PROT response 0 [ ID HASH ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 14[IKE] <peer_10-1-2-2|1> IKE_SA peer_10-1-2-2[1] established between 10.1.1.2[10.1.1.2]...10.1.2.2[10.1.2.2]
Feb 28 11:39:45 VyOS-1 charon[2515]: 14[IKE] <peer_10-1-2-2|1> scheduling rekeying in 3503s
Feb 28 11:39:45 VyOS-1 charon[2515]: 14[IKE] <peer_10-1-2-2|1> maximum IKE_SA lifetime 3863s
Feb 28 11:39:45 VyOS-1 charon[2515]: 14[ENC] <peer_10-1-2-2|1> generating QUICK_MODE request 1625867768 [ HASH SA No KE ID ID ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 14[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (316 bytes)
Feb 28 11:39:45 VyOS-1 charon[2515]: 15[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (316 bytes)
Feb 28 11:39:45 VyOS-1 charon[2515]: 15[ENC] <peer_10-1-2-2|1> parsed QUICK_MODE response 1625867768 [ HASH SA No KE ID ID ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 15[CFG] <peer_10-1-2-2|1> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 28 11:39:45 VyOS-1 charon[2515]: 15[IKE] <peer_10-1-2-2|1> CHILD_SA peer_10-1-2-2_tunnel_0{1} established with SPIs c3ebf07d_i c8a42da1_o and TS 192.168.1.0/24 === 192.168.2.0/24
Feb 28 11:39:45 VyOS-1 charon[2515]: 15[ENC] <peer_10-1-2-2|1> generating QUICK_MODE request 1625867768 [ HASH ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 15[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (60 bytes)
VyOS2 logs
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.101-amd64-vyos, x86_64)
Feb 28 11:36:10 VyOS-2 sudo[1781]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:36:10 VyOS-2 sudo[1783]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] PKCS11 module '<name>' lacks library path
Feb 28 11:36:10 VyOS-2 sudo[1831]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:36:10 VyOS-2 sudo[1914]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:36:10 VyOS-2 sudo[1917]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] loaded 0 RADIUS server configurations
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] HA config misses local/remote address
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[JOB] spawning 16 worker threads
Feb 28 11:36:10 VyOS-2 ipsec_starter[1770]: charon (1772) started after 700 ms
Feb 28 11:36:10 VyOS-2 sudo[1937]: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:36:10 VyOS-2 charon[1772]: 05[CFG] loaded IKE shared key with id 'ike_10-1-1-2' for: '10.1.2.2', '10.1.1.2'
Feb 28 11:36:10 VyOS-2 charon[1772]: 10[CFG] added vici connection: peer_10-1-1-2
Feb 28 11:36:10 VyOS-2 charon[1772]: 10[CFG] initiating 'peer_10-1-1-2_tunnel_0'
Feb 28 11:36:10 VyOS-2 charon[1772]: 10[IKE] <peer_10-1-1-2|1> initiating Main Mode IKE_SA peer_10-1-1-2[1] to 10.1.1.2
Feb 28 11:36:10 VyOS-2 charon[1772]: 10[ENC] <peer_10-1-1-2|1> generating ID_PROT request 0 [ SA V V V V V ]
Feb 28 11:36:10 VyOS-2 charon[1772]: 10[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (180 bytes)
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (160 bytes)
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[ENC] <peer_10-1-1-2|1> parsed ID_PROT response 0 [ SA V V V V ]
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[IKE] <peer_10-1-1-2|1> received XAuth vendor ID
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[IKE] <peer_10-1-1-2|1> received DPD vendor ID
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[IKE] <peer_10-1-1-2|1> received FRAGMENTATION vendor ID
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[IKE] <peer_10-1-1-2|1> received NAT-T (RFC 3947) vendor ID
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[CFG] <peer_10-1-1-2|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[ENC] <peer_10-1-1-2|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (244 bytes)
Feb 28 11:36:10 VyOS-2 charon[1772]: 05[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (244 bytes)
Feb 28 11:36:10 VyOS-2 charon[1772]: 05[ENC] <peer_10-1-1-2|1> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 28 11:36:10 VyOS-2 charon[1772]: 05[ENC] <peer_10-1-1-2|1> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Feb 28 11:36:10 VyOS-2 charon[1772]: 05[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (108 bytes)
Feb 28 11:36:10 VyOS-2 charon[1772]: 06[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (76 bytes)
Feb 28 11:36:10 VyOS-2 charon[1772]: 06[ENC] <peer_10-1-1-2|1> parsed ID_PROT response 0 [ ID HASH ]
Feb 28 11:36:10 VyOS-2 charon[1772]: 06[IKE] <peer_10-1-1-2|1> IKE_SA peer_10-1-1-2[1] established between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]
Feb 28 11:36:10 VyOS-2 charon[1772]: 06[IKE] <peer_10-1-1-2|1> scheduling rekeying in 3257s
Feb 28 11:36:10 VyOS-2 charon[1772]: 06[IKE] <peer_10-1-1-2|1> maximum IKE_SA lifetime 3617s
Feb 28 11:36:10 VyOS-2 charon[1772]: 06[ENC] <peer_10-1-1-2|1> generating QUICK_MODE request 1487711632 [ HASH SA No KE ID ID ]
Feb 28 11:36:10 VyOS-2 charon[1772]: 06[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (316 bytes)
Feb 28 11:36:10 VyOS-2 charon[1772]: 07[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (76 bytes)
Feb 28 11:36:10 VyOS-2 charon[1772]: 07[ENC] <peer_10-1-1-2|1> parsed INFORMATIONAL_V1 request 3716764092 [ HASH N(NO_PROP) ]
Feb 28 11:36:10 VyOS-2 charon[1772]: 07[IKE] <peer_10-1-1-2|1> received NO_PROPOSAL_CHOSEN error notify
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[NET] <2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (216 bytes)
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[ENC] <2> parsed ID_PROT request 0 [ SA V V V V V ]
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[IKE] <2> received XAuth vendor ID
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[IKE] <2> received DPD vendor ID
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[IKE] <2> received FRAGMENTATION vendor ID
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[IKE] <2> received NAT-T (RFC 3947) vendor ID
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[IKE] <2> 10.1.1.2 is initiating a Main Mode IKE_SA
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[ENC] <2> generating ID_PROT response 0 [ SA V V V V ]
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[NET] <2> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (160 bytes)
Feb 28 11:36:14 VyOS-2 charon[1772]: 09[NET] <2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (244 bytes)
Feb 28 11:36:14 VyOS-2 charon[1772]: 09[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 28 11:36:14 VyOS-2 charon[1772]: 09[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 28 11:36:14 VyOS-2 charon[1772]: 09[NET] <2> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (244 bytes)
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[NET] <2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (76 bytes)
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[ENC] <2> parsed ID_PROT request 0 [ ID HASH ]
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[CFG] <2> looking for pre-shared key peer configs matching 10.1.2.2...10.1.1.2[10.1.1.2]
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[CFG] <2> selected peer config "peer_10-1-1-2"
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[IKE] <peer_10-1-1-2|2> IKE_SA peer_10-1-1-2[2] established between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[IKE] <peer_10-1-1-2|2> scheduling rekeying in 3407s
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[IKE] <peer_10-1-1-2|2> maximum IKE_SA lifetime 3767s
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[ENC] <peer_10-1-1-2|2> generating ID_PROT response 0 [ ID HASH ]
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[NET] <peer_10-1-1-2|2> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:36:14 VyOS-2 charon[1772]: 13[NET] <peer_10-1-1-2|2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (380 bytes)
Feb 28 11:36:14 VyOS-2 charon[1772]: 13[ENC] <peer_10-1-1-2|2> parsed QUICK_MODE request 50843779 [ HASH SA No KE ID ID ]
Feb 28 11:36:14 VyOS-2 charon[1772]: 13[CFG] <peer_10-1-1-2|2> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Feb 28 11:36:14 VyOS-2 charon[1772]: 13[CFG] <peer_10-1-1-2|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 28 11:36:14 VyOS-2 charon[1772]: 13[IKE] <peer_10-1-1-2|2> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Feb 28 11:36:14 VyOS-2 charon[1772]: 13[ENC] <peer_10-1-1-2|2> generating INFORMATIONAL_V1 request 2690722960 [ HASH N(NO_PROP) ]
Feb 28 11:36:14 VyOS-2 charon[1772]: 13[NET] <peer_10-1-1-2|2> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:36:24 VyOS-2 charon[1772]: 05[IKE] <peer_10-1-1-2|1> deleting IKE_SA peer_10-1-1-2[1] between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]
Feb 28 11:36:24 VyOS-2 charon[1772]: 05[IKE] <peer_10-1-1-2|1> sending DELETE for IKE_SA peer_10-1-1-2[1]
Feb 28 11:36:24 VyOS-2 charon[1772]: 05[ENC] <peer_10-1-1-2|1> generating INFORMATIONAL_V1 request 3460382921 [ HASH D ]
Feb 28 11:36:24 VyOS-2 charon[1772]: 05[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (92 bytes)
Feb 28 11:39:40 VyOS-2 charon[1772]: 07[NET] <peer_10-1-1-2|2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (92 bytes)
Feb 28 11:39:40 VyOS-2 charon[1772]: 07[ENC] <peer_10-1-1-2|2> parsed INFORMATIONAL_V1 request 2295507587 [ HASH D ]
Feb 28 11:39:40 VyOS-2 charon[1772]: 07[IKE] <peer_10-1-1-2|2> received DELETE for IKE_SA peer_10-1-1-2[2]
Feb 28 11:39:40 VyOS-2 charon[1772]: 07[IKE] <peer_10-1-1-2|2> deleting IKE_SA peer_10-1-1-2[2] between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[NET] <3> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (216 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[ENC] <3> parsed ID_PROT request 0 [ SA V V V V V ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[IKE] <3> received XAuth vendor ID
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[IKE] <3> received DPD vendor ID
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[IKE] <3> received FRAGMENTATION vendor ID
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[IKE] <3> received NAT-T (RFC 3947) vendor ID
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[IKE] <3> 10.1.1.2 is initiating a Main Mode IKE_SA
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[ENC] <3> generating ID_PROT response 0 [ SA V V V V ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[NET] <3> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (160 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 09[NET] <3> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (244 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 09[ENC] <3> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 09[ENC] <3> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 09[NET] <3> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (244 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[NET] <3> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (108 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[ENC] <3> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[CFG] <3> looking for pre-shared key peer configs matching 10.1.2.2...10.1.1.2[10.1.1.2]
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[CFG] <3> selected peer config "peer_10-1-1-2"
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[IKE] <peer_10-1-1-2|3> IKE_SA peer_10-1-1-2[3] established between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[IKE] <peer_10-1-1-2|3> scheduling rekeying in 3421s
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[IKE] <peer_10-1-1-2|3> maximum IKE_SA lifetime 3781s
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[ENC] <peer_10-1-1-2|3> generating ID_PROT response 0 [ ID HASH ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[NET] <peer_10-1-1-2|3> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 13[NET] <peer_10-1-1-2|3> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (316 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 13[ENC] <peer_10-1-1-2|3> parsed QUICK_MODE request 1625867768 [ HASH SA No KE ID ID ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 13[CFG] <peer_10-1-1-2|3> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 28 11:39:45 VyOS-2 charon[1772]: 13[ENC] <peer_10-1-1-2|3> generating QUICK_MODE response 1625867768 [ HASH SA No KE ID ID ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 13[NET] <peer_10-1-1-2|3> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (316 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 14[NET] <peer_10-1-1-2|3> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (60 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 14[ENC] <peer_10-1-1-2|3> parsed QUICK_MODE request 1625867768 [ HASH ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 14[IKE] <peer_10-1-1-2|3> CHILD_SA peer_10-1-1-2_tunnel_0{2} established with SPIs c8a42da1_i c3ebf07d_o and TS 192.168.2.0/24 === 192.168.1.0/24
Changing IKEv1 to IKEv2
VyOS1
vyos@VyOS-1# set vpn ipsec ike-group IKE-1 key-exchange ikev2
[edit]
vyos@VyOS-1# commit ; save ; exit
[ vpn ipsec ]
loaded ike secret 'ike_10-1-2-2'
loaded connection 'peer_10-1-2-2'
successfully loaded 1 connections, 0 unloaded

Saving configuration to '/config/config.boot'...
Done
exit
vyos@VyOS-1:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.2.2 10.1.2.2                       10.1.1.2 10.1.1.2

    State  IKEVer  Encrypt      Hash          D-H Group  NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------  -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA1_96  MODP_1024  no     7       0

vyos@VyOS-1:~$ show vpn ipsec sa
Connection              State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
----------------------  -------  --------  --------------  ----------------  ----------------  -----------  ------------------------
peer_10-1-2-2_tunnel_0  up       9s        0B/0B           0B/0B             10.1.2.2          10.1.2.2     AES_CBC_256/HMAC_SHA1_96

vyos@VyOS-1:~$ cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_10-1-2-2 {
        proposals = aes256-sha1-modp1536,aes256-sha1-modp1024
        version = 2
        local_addrs = 10.1.1.2 # dhcp:no
        remote_addrs = 10.1.2.2
        rekey_time = 3600s
        mobike = yes
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            id = "10.1.2.2"
            auth = psk
        }
        children {
            peer_10-1-2-2_tunnel_0 {
                esp_proposals = aes256-sha1-modp1536
                life_time = 1800s
                local_ts = 192.168.1.0/24
                remote_ts = 192.168.2.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
            }
        }
    }
}

pools {
}

secrets {
    ike_10-1-2-2 {
        id-local = 10.1.1.2 # dhcp:no
        id-remote = 10.1.2.2
        secret = "MySecretKey"
    }
}

Feb 28 11:45:53 VyOS-1 vyos-configd[542]: Received message: {"type": "init"}
Feb 28 11:45:54 VyOS-1 vyos-configd[542]: config session pid is 2813
Feb 28 11:45:54 VyOS-1 vyos-configd[542]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/vpn_ipsec.py"}
Feb 28 11:45:54 VyOS-1 vyos-configd[542]: Sending response 8
Feb 28 11:45:54 VyOS-1 charon: 00[DMN] SIGINT received, shutting down
Feb 28 11:45:54 VyOS-1 charon: 00[IKE] <peer_10-1-2-2|1> closing CHILD_SA peer_10-1-2-2_tunnel_0{1} with SPIs c3ebf07d_i (0 bytes) c8a42da1_o (0 bytes) and TS 192.168.1.0/24 === 192.168.2.0/24
Feb 28 11:45:54 VyOS-1 charon: 00[IKE] <peer_10-1-2-2|1> sending DELETE for ESP CHILD_SA with SPI c3ebf07d
Feb 28 11:45:54 VyOS-1 charon: 00[ENC] <peer_10-1-2-2|1> generating INFORMATIONAL_V1 request 762882248 [ HASH D ]
Feb 28 11:45:54 VyOS-1 charon: 00[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (76 bytes)
Feb 28 11:45:54 VyOS-1 charon: 00[IKE] <peer_10-1-2-2|1> deleting IKE_SA peer_10-1-2-2[1] between 10.1.1.2[10.1.1.2]...10.1.2.2[10.1.2.2]
Feb 28 11:45:54 VyOS-1 charon: 00[IKE] <peer_10-1-2-2|1> sending DELETE for IKE_SA peer_10-1-2-2[1]
Feb 28 11:45:54 VyOS-1 charon: 00[ENC] <peer_10-1-2-2|1> generating INFORMATIONAL_V1 request 2578792687 [ HASH D ]
Feb 28 11:45:54 VyOS-1 charon: 00[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (92 bytes)
Feb 28 11:45:54 VyOS-1 ipsec_starter[2513]: charon stopped after 200 ms
Feb 28 11:45:54 VyOS-1 ipsec_starter[2513]: ipsec starter stopped
Feb 28 11:45:57 VyOS-1 ipsec_starter[2934]: Starting strongSwan 5.9.1 IPsec [starter]...
Feb 28 11:45:57 VyOS-1 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.101-amd64-vyos, x86_64)
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] PKCS11 module '<name>' lacks library path
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] loaded 0 RADIUS server configurations
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] HA config misses local/remote address
Feb 28 11:45:57 VyOS-1 charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Feb 28 11:45:57 VyOS-1 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 28 11:45:57 VyOS-1 charon: 00[JOB] spawning 16 worker threads
Feb 28 11:45:57 VyOS-1 ipsec_starter[2947]: charon (2948) started after 160 ms
-2' for: '10.1.1.2', '10.1.2.2'
Feb 28 11:45:57 VyOS-1 charon: 10[CFG] added vici connection: peer_10-1-2-2
Feb 28 11:45:57 VyOS-1 charon: 10[CFG] initiating 'peer_10-1-2-2_tunnel_0'
Feb 28 11:45:57 VyOS-1 charon: 10[IKE] <peer_10-1-2-2|1> initiating IKE_SA peer_10-1-2-2[1] to 10.1.2.2
Feb 28 11:45:57 VyOS-1 charon: 10[ENC] <peer_10-1-2-2|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 28 11:45:57 VyOS-1 charon: 10[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (444 bytes)
Feb 28 11:45:57 VyOS-1 charon: 16[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (36 bytes)
Feb 28 11:45:57 VyOS-1 charon: 16[ENC] <peer_10-1-2-2|1> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Feb 28 11:45:57 VyOS-1 charon: 16[IKE] <peer_10-1-2-2|1> received NO_PROPOSAL_CHOSEN notify error
Feb 28 11:45:57 VyOS-1 systemd[2131]: opt-vyatta-config-tmp-new_config_2813.mount: Succeeded.
Feb 28 11:45:57 VyOS-1 systemd[1]: opt-vyatta-config-tmp-new_config_2813.mount: Succeeded.
Feb 28 11:45:58 VyOS-1 commit: Successful change to active configuration by user vyos on /dev/ttyS0
t: Succeeded.
Feb 28 11:45:58 VyOS-1 systemd[1]: opt-vyatta-config-tmp-new_config_2813.mount: Succeeded.
Feb 28 11:46:11 VyOS-1 charon: 06[NET] <2> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (336 bytes)
Feb 28 11:46:11 VyOS-1 charon: 06[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 28 11:46:11 VyOS-1 charon: 06[IKE] <2> 10.1.2.2 is initiating an IKE_SA
Feb 28 11:46:11 VyOS-1 charon: 06[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:46:11 VyOS-1 charon: 06[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Feb 28 11:46:11 VyOS-1 charon: 06[NET] <2> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (344 bytes)
Feb 28 11:46:11 VyOS-1 charon: 07[NET] <2> received packet: from 10.1.2.2[4500] to 10.1.1.2[4500] (268 bytes)
Feb 28 11:46:11 VyOS-1 charon: 07[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 28 11:46:11 VyOS-1 charon: 07[CFG] <2> looking for peer configs matching 10.1.1.2[10.1.1.2]...10.1.2.2[10.1.2.2]
eer_10-1-2-2'
Feb 28 11:46:11 VyOS-1 charon: 07[IKE] <peer_10-1-2-2|2> authentication of '10.1.2.2' with pre-shared key successful
Feb 28 11:46:11 VyOS-1 charon: 07[IKE] <peer_10-1-2-2|2> peer supports MOBIKE
Feb 28 11:46:11 VyOS-1 charon: 07[IKE] <peer_10-1-2-2|2> authentication of '10.1.1.2' (myself) with pre-shared key
Feb 28 11:46:11 VyOS-1 charon: 07[IKE] <peer_10-1-2-2|2> IKE_SA peer_10-1-2-2[2] established between 10.1.1.2[10.1.1.2]...10.1.2.2[10.1.2.2]
Feb 28 11:46:11 VyOS-1 charon: 07[IKE] <peer_10-1-2-2|2> scheduling rekeying in 3577s
Feb 28 11:46:11 VyOS-1 charon: 07[IKE] <peer_10-1-2-2|2> maximum IKE_SA lifetime 3937s
Feb 28 11:46:11 VyOS-1 charon: 07[CFG] <peer_10-1-2-2|2> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Feb 28 11:46:11 VyOS-1 charon: 07[IKE] <peer_10-1-2-2|2> CHILD_SA peer_10-1-2-2_tunnel_0{1} established with SPIs c391282f_i c8e1a207_o and TS 192.168.1.0/24 === 192.168.2.0/24
Feb 28 11:46:11 VyOS-1 charon: 07[ENC] <peer_10-1-2-2|2> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Feb 28 11:46:11 VyOS-1 charon: 07[NET] <peer_10-1-2-2|2> sending packet: from 10.1.1.2[4500] to 10.1.2.2[4500] (220 bytes)
VyOS2
vyos@VyOS-2# set vpn ipsec ike-group IKE-1 key-exchange ikev2
[edit]
vyos@VyOS-2# commit ; save ; exit
[ vpn ipsec ]
loaded ike secret 'ike_10-1-1-2'
loaded connection 'peer_10-1-1-2'
successfully loaded 1 connections, 0 unloaded

Saving configuration to '/config/config.boot'...
Done
exit
vyos@VyOS-2:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.1.2 10.1.1.2                       10.1.2.2 10.1.2.2

    State  IKEVer  Encrypt      Hash          D-H Group  NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------  -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA1_96  MODP_1024  no     1020    0

vyos@VyOS-2:~$ show vpn ipsec sa
Connection              State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
----------------------  -------  --------  --------------  ----------------  ----------------  -----------  ------------------------
peer_10-1-1-2_tunnel_0  up       17m3s     0B/0B           0B/0B             10.1.1.2          10.1.1.2     AES_CBC_256/HMAC_SHA1_96

vyos@VyOS-2:~$ cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_10-1-1-2 {
        proposals = aes256-sha1-modp1024
        version = 2
        local_addrs = 10.1.2.2 # dhcp:no
        remote_addrs = 10.1.1.2
        rekey_time = 3600s
        mobike = yes
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            id = "10.1.1.2"
            auth = psk
        }
        children {
            peer_10-1-1-2_tunnel_0 {
                esp_proposals = aes256-sha1-modp1024
                life_time = 1800s
                local_ts = 192.168.2.0/24
                remote_ts = 192.168.1.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
            }
        }
    }
}

pools {
}

secrets {
    ike_10-1-1-2 {
        id-local = 10.1.2.2 # dhcp:no
        id-remote = 10.1.1.2
        secret = "MySecretKey"
    }
}

Feb 28 11:46:07 VyOS-2 vyos-configd[542]: Received message: {"type": "init"}
Feb 28 11:46:07 VyOS-2 vyos-configd[542]: config session pid is 2282
Feb 28 11:46:07 VyOS-2 vyos-configd[542]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/vpn_ipsec.py"}
Feb 28 11:46:07 VyOS-2 vyos-configd[542]: Sending response 8
Feb 28 11:46:09 VyOS-2 charon: 00[DMN] SIGINT received, shutting down
Feb 28 11:46:09 VyOS-2 ipsec_starter[1770]: charon stopped after 200 ms
Feb 28 11:46:09 VyOS-2 ipsec_starter[1770]: ipsec starter stopped
Feb 28 11:46:11 VyOS-2 ipsec_starter[2384]: Starting strongSwan 5.9.1 IPsec [starter]...
Feb 28 11:46:11 VyOS-2 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.101-amd64-vyos, x86_64)
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] PKCS11 module '<name>' lacks library path
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] loaded 0 RADIUS server configurations
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] HA config misses local/remote address
Feb 28 11:46:11 VyOS-2 charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Feb 28 11:46:11 VyOS-2 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 28 11:46:11 VyOS-2 charon: 00[JOB] spawning 16 worker threads
Feb 28 11:46:11 VyOS-2 ipsec_starter[2397]: charon (2399) started after 60 ms
Feb 28 11:46:11 VyOS-2 charon: 05[CFG] loaded IKE shared key with id 'ike_10-1-1-2' for: '10.1.2.2', '10.1.1.2'
Feb 28 11:46:11 VyOS-2 charon: 10[CFG] added vici connection: peer_10-1-1-2
Feb 28 11:46:11 VyOS-2 charon: 10[CFG] initiating 'peer_10-1-1-2_tunnel_0'
Feb 28 11:46:11 VyOS-2 charon: 10[IKE] <peer_10-1-1-2|1> initiating IKE_SA peer_10-1-1-2[1] to 10.1.1.2
UP) ]
Feb 28 11:46:11 VyOS-2 charon: 10[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (336 bytes)
Feb 28 11:46:11 VyOS-2 charon: 16[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (344 bytes)
Feb 28 11:46:11 VyOS-2 charon: 16[ENC] <peer_10-1-1-2|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Feb 28 11:46:11 VyOS-2 charon: 16[CFG] <peer_10-1-1-2|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:46:11 VyOS-2 charon: 16[CFG] <peer_10-1-1-2|1> no IDi configured, fall back on IP address
Feb 28 11:46:11 VyOS-2 charon: 16[IKE] <peer_10-1-1-2|1> authentication of '10.1.2.2' (myself) with pre-shared key
Feb 28 11:46:11 VyOS-2 charon: 16[IKE] <peer_10-1-1-2|1> establishing CHILD_SA peer_10-1-1-2_tunnel_0{1}
Feb 28 11:46:11 VyOS-2 charon: 16[ENC] <peer_10-1-1-2|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 28 11:46:11 VyOS-2 charon: 16[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[4500] to 10.1.1.2[4500] (268 bytes)
Feb 28 11:46:11 VyOS-2 charon: 05[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[4500] to 10.1.2.2[4500] (220 bytes)
Feb 28 11:46:11 VyOS-2 charon: 05[ENC] <peer_10-1-1-2|1> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Feb 28 11:46:11 VyOS-2 charon: 05[IKE] <peer_10-1-1-2|1> authentication of '10.1.1.2' with pre-shared key successful
Feb 28 11:46:11 VyOS-2 charon: 05[IKE] <peer_10-1-1-2|1> IKE_SA peer_10-1-1-2[1] established between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]
Feb 28 11:46:11 VyOS-2 charon: 05[IKE] <peer_10-1-1-2|1> scheduling rekeying in 3562s
Feb 28 11:46:11 VyOS-2 charon: 05[IKE] <peer_10-1-1-2|1> maximum IKE_SA lifetime 3922s
Feb 28 11:46:11 VyOS-2 charon: 05[CFG] <peer_10-1-1-2|1> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Feb 28 11:46:11 VyOS-2 charon: 05[IKE] <peer_10-1-1-2|1> CHILD_SA peer_10-1-1-2_tunnel_0{1} established with SPIs c8e1a207_i c391282f_o and TS 192.168.2.0/24 === 192.168.1.0/24
Feb 28 11:46:11 VyOS-2 charon: 05[IKE] <peer_10-1-1-2|1> peer supports MOBIKE
Feb 28 11:46:11 VyOS-2 systemd[2124]: opt-vyatta-config-tmp-new_config_2282.mount: Succeeded.
Feb 28 11:46:11 VyOS-2 systemd[1]: opt-vyatta-config-tmp-new_config_2282.mount: Succeeded.
Feb 28 11:46:12 VyOS-2 commit: Successful change to active configuration by user vyos on /dev/ttyS0
t: Succeeded.
Feb 28 11:46:13 VyOS-2 systemd[1]: opt-vyatta-config-tmp-new_config_2282.mount: Succeeded.
Summary
When IKEv1 is used, more than one IKE proposal is configured and pfs is enabled on the initiator side, the dh-group cannot be negotiated between the peers, leaving phase 2 stuck in a down state while phase 1 is up and running. The issue is resolved either by manually editing the swanctl.conf file or by changing IKE to version 2.
Here we suggest a possible change to the ESP group configuration in VyOS: what if the pfs setting were moved from the group level into the proposal configuration tree? Example:
vpn {
    ipsec {
        esp-group ESP-1 {
            compression disable
            lifetime 1800
            mode tunnel
---         pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
+++             pfs enable
            }
        }
Or maybe all configured dh-groups need to be added to the ESP proposals in swanctl.conf, like this:
vyos@VyOS-1:~$ cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_10-1-2-2 {
        proposals = aes256-sha1-modp1536,aes256-sha1-modp1024
        version = 2
        local_addrs = 10.1.1.2 # dhcp:no
        remote_addrs = 10.1.2.2
        rekey_time = 3600s
        mobike = yes
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            id = "10.1.2.2"
            auth = psk
        }
        children {
            peer_10-1-2-2_tunnel_0 {
---             esp_proposals = aes256-sha1-modp1536
+++             esp_proposals = aes256-sha1-modp1536, aes256-sha1-modp1024
                life_time = 1800s
                local_ts = 192.168.1.0/24
                remote_ts = 192.168.2.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
            }
        }
    }
}

pools {
}

secrets {
    ike_10-1-2-2 {
        id-local = 10.1.1.2 # dhcp:no
        id-remote = 10.1.2.2
        secret = "MySecretKey"
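To make the second suggestion concrete, here is an added example (my own code, not VyOS's vpn_ipsec.py or its template) that builds the swanctl esp_proposals value from the ESP and IKE groups above, first the way the generated swanctl.conf shows it and then with one ESP proposal per configured dh-group, and replays the responder's proposal selection from the VyOS2 log. The DH_GROUPS table, the dict layout of the groups and the exact-string proposal matching are simplifications assumed for this example.

```python
"""Model of the esp_proposals line at the centre of this report (added
example, not VyOS code): build the proposals from the two peers' IKE-1 /
ESP-1 groups and replay charon's proposal selection from the logs."""
import re
from typing import Optional

# IANA IKE DH group numbers -> strongSwan proposal keywords. Subset, assumed
# for this example (VyOS keeps its own table).
DH_GROUPS = {"2": "modp1024", "5": "modp1536", "14": "modp2048",
             "19": "ecp256", "20": "ecp384"}


def _ordered(proposals: dict) -> list:
    """VyOS 'proposal N' nodes in numeric order, so proposal 1 comes first."""
    return [proposals[k] for k in sorted(proposals, key=int)]


def ike_proposals(ike_group: dict) -> list[str]:
    """swanctl 'proposals': one entry per IKE proposal, each with its dh-group."""
    return [f"{p['encryption']}-{p['hash']}-{DH_GROUPS[p['dh-group']]}"
            for p in _ordered(ike_group["proposal"])]


def esp_proposals(esp_group: dict, ike_group: dict, all_dh_groups: bool) -> list[str]:
    """swanctl 'esp_proposals' for one child SA.

    all_dh_groups=False reproduces what the generated swanctl.conf above shows:
    with pfs enabled only the IKE group's first dh-group is appended.
    all_dh_groups=True is the second suggestion: one ESP proposal per IKE dh-group.
    """
    if esp_group.get("pfs") != "enable":
        groups = [None]                      # no PFS: no DH transform at all
    else:
        groups = [DH_GROUPS[p["dh-group"]] for p in _ordered(ike_group["proposal"])]
        if not all_dh_groups:
            groups = groups[:1]              # current behaviour: first group only
    out = []
    for p in _ordered(esp_group["proposal"]):
        base = f"{p['encryption']}-{p['hash']}"
        out.extend(base if g is None else f"{base}-{g}" for g in groups)
    return out


def select_proposal(received: list[str], configured: list[str]) -> Optional[str]:
    """Simplified responder side of Quick Mode: first configured proposal the
    initiator also offered, or None, which is when charon logs
    'no matching proposal found, sending NO_PROPOSAL_CHOSEN'."""
    offered = set(received)
    for prop in configured:
        if prop in offered:
            return prop
    return None


PROPOSAL_RE = re.compile(r"(received|configured) proposals: (.+)$")


def proposal_mismatch(log_lines: list[str]) -> Optional[tuple[set, set]]:
    """From charon's 'received proposals' / 'configured proposals' pair, return
    the transforms seen only on the initiator side and only on the responder
    side; None if one of the two lines is missing."""
    sides: dict[str, set] = {}
    for line in log_lines:
        m = PROPOSAL_RE.search(line)
        if m:
            for prop in m.group(2).split(", "):      # several proposals possible
                transforms = prop.split(":", 1)[1].split("/")  # drop 'ESP:'
                sides.setdefault(m.group(1), set()).update(transforms)
    if "received" not in sides or "configured" not in sides:
        return None
    return sides["received"] - sides["configured"], sides["configured"] - sides["received"]


# Constructed input: the IKE-1 and ESP-1 groups of the two peers as configured above.
VYOS1_IKE = {"proposal": {"1": {"dh-group": "5", "encryption": "aes256", "hash": "sha1"},
                          "2": {"dh-group": "2", "encryption": "aes256", "hash": "sha1"}}}
VYOS2_IKE = {"proposal": {"1": {"dh-group": "2", "encryption": "aes256", "hash": "sha1"}}}
ESP = {"pfs": "enable", "proposal": {"1": {"encryption": "aes256", "hash": "sha1"}}}

# Constructed copies of the two charon lines from the VyOS2 log above.
LOG = [
    "Feb 28 11:36:14 VyOS-2 charon[1772]: 13[CFG] <peer_10-1-1-2|2> received proposals: "
    "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ",
    "Feb 28 11:36:14 VyOS-2 charon[1772]: 13[CFG] <peer_10-1-1-2|2> configured proposals: "
    "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ",
]


def quick_mode(all_dh_groups: bool) -> Optional[str]:
    """VyOS1 initiates phase 2 to VyOS2 with the given esp_proposals policy."""
    return select_proposal(esp_proposals(ESP, VYOS1_IKE, all_dh_groups),
                           esp_proposals(ESP, VYOS2_IKE, all_dh_groups))


if __name__ == "__main__":
    print("VyOS1 IKE proposals  :", ",".join(ike_proposals(VYOS1_IKE)))
    print("first dh-group only  :", quick_mode(False))   # None -> NO_PROPOSAL_CHOSEN
    print("all dh-groups        :", quick_mode(True))    # aes256-sha1-modp1024
    print("mismatch in the log  :", proposal_mismatch(LOG))
```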
Anyway, it seems strange that the same configuration has different behaviour with IKEv1 and IKEv2.