The ipsec site-to-site peer <name> does not allow an IP address; it only accepts alphanumerics, hyphens and underscores.
This format breaks the swanctl.conf remote_ts field.
As a result, ipsec cannot work normally.
vyos@vyos# show peer
 test {
     authentication {
         mode pre-shared-secret
         pre-shared-secret myipseckey
     }
     default-esp-group default
     ike-group default
     local-address <left>
     remote-address <right>
     tunnel 0 {
         protocol gre
     }
 }
[edit vpn ipsec site-to-site]
vyos@vyos# run restart vpn
Stopping strongSwan IPsec...
Starting strongSwan 5.9.1 IPsec [starter]...
loaded ike secret 'ike_test'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loading connection 'test' failed: invalid value for: remote_ts, config discarded
loaded 0 of 1 connections, 1 failed to load, 0 unloaded
[edit vpn ipsec site-to-site]
- swanctl.conf
vyos@vyos# cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    test {
        proposals = aes128-sha1-modp2048
        version = 1
        local_addrs = <left> # dhcp:no
        remote_addrs = <right>
        dpd_timeout = 120
        dpd_delay = 30
        rekey_time = 28800s
        mobike = yes
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            id = "<left>"
            auth = psk
        }
        children {
            test-tunnel-0 {
                esp_proposals = aes256-sha1-modp1024
                life_time = 3600s
                local_ts = <left>[gre/]
                remote_ts = test[gre/]
                ipcomp = no
                mode = transport
                start_action = start
                dpd_action =
                close_action =
            }
        }
    }
}

pools {
}

secrets {
    ike_test {
        id-local = <left> # dhcp:no
        id-remote_<right> = <right>
        secret = "myipseckey"
    }
}
[edit vpn ipsec site-to-site]
You can see that the remote_ts field is test[gre/], and when I restart the vpn service, it breaks.
In the past (version: 1.4-rolling-20221005), this field was an IP address and ipsec worked fine.
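A pre-flight check for the failure reported above, as an added example (not VyOS or strongSwan code): it scans swanctl.conf text for local_ts/remote_ts values that are not an address, subnet, range or `dynamic`, so a peer name in a traffic selector is caught before the service is restarted. The function names are hypothetical and the sample uses the documentation address 192.0.2.1 in place of the redacted `<left>`.

```python
import ipaddress
import re

# Constructed sample: the child section from the report, with a documentation
# address (192.0.2.1) standing in for the redacted <left> placeholder.
SAMPLE = """\
children {
    test-tunnel-0 {
        local_ts = 192.0.2.1[gre/]
        remote_ts = test[gre/]
    }
}
"""
TS_LINE = re.compile(r"^\s*(local_ts|remote_ts)\s*=\s*(.*?)\s*(?:#.*)?$")


def is_valid_selector(ts):
    """True for 'dynamic' or an address/subnet/range, with optional [proto/port]."""
    base = re.sub(r"\[[^\]]*\]$", "", ts.strip())
    if base == "dynamic":
        return True
    try:
        if "-" in base:  # address range: both ends must parse, same IP version
            first, last = base.split("-", 1)
            return ipaddress.ip_address(first).version == ipaddress.ip_address(last).version
        ipaddress.ip_network(base, strict=False)
        return True
    except ValueError:
        return False


def bad_selectors(conf_text):
    """Return (line_no, key, selector) for each selector that is not an address."""
    problems = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        match = TS_LINE.match(line)
        if not match:
            continue
        key, value = match.groups()
        for ts in value.split(","):  # a selector list is comma separated
            if not is_valid_selector(ts):
                problems.append((line_no, key, ts.strip()))
    return problems


if __name__ == "__main__":
    for line_no, key, ts in bad_selectors(SAMPLE):
        print(f"line {line_no}: {key} has non-address selector {ts!r}")
```

Run against the generated file, an empty result means every traffic selector parsed as an address; the empty-value case (`remote_ts =`) is reported as well.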