The IPsec site-to-site peer <name> no longer accepts an IP address; it only allows alphanumerics, hyphens and underscores.
With that naming rule the peer name ends up in the remote_ts field of swanctl.conf, which strongSwan rejects.
As a result IPsec cannot work normally.
vyos@vyos# show
 peer test {
     authentication {
         mode pre-shared-secret
         pre-shared-secret myipseckey
     }
     default-esp-group default
     ike-group default
     local-address <left>
     remote-address <right>
     tunnel 0 {
         protocol gre
     }
 }
[edit vpn ipsec site-to-site]
vyos@vyos# run restart vpn
Stopping strongSwan IPsec...
Starting strongSwan 5.9.1 IPsec [starter]...
loaded ike secret 'ike_test'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loading connection 'test' failed: invalid value for: remote_ts, config discarded
loaded 0 of 1 connections, 1 failed to load, 0 unloaded
[edit vpn ipsec site-to-site]

- swanctl.conf
vyos@vyos# cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###
connections {
    test {
        proposals = aes128-sha1-modp2048
        version = 1
        local_addrs = <left> # dhcp:no
        remote_addrs = <right>
        dpd_timeout = 120
        dpd_delay = 30
        rekey_time = 28800s
        mobike = yes
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            id = "<left>"
            auth = psk
        }
        children {
            test-tunnel-0 {
                esp_proposals = aes256-sha1-modp1024
                life_time = 3600s
                local_ts = <left>[gre/]
                remote_ts = test[gre/]
                ipcomp = no
                mode = transport
                start_action = start
                dpd_action =
                close_action =
            }
        }
    }
}
pools {
}
secrets {
    ike_test {
        id-local = <left> # dhcp:no
        id-remote_<right> = <right>
        secret = "myipseckey"
    }
}
[edit vpn ipsec site-to-site]

You can notice that the remote_ts field is test[gre/]; when I restart the vpn service, it breaks.
In the past (version 1.4-rolling-20221005), this field was an IP address and IPsec worked fine.
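The failure above is only reported after `restart vpn`, when strongSwan refuses the whole connection. The following is an added example, not VyOS code and not part of vpn_ipsec.py: it checks the local_ts / remote_ts values in a swanctl.conf text with the same rule strongSwan applies (the address part must be an IPv4/IPv6 address or prefix, with an optional [proto/port] suffix), and shows how a selector should be rendered from the configured remote-address instead of the peer name. The sample configuration and the 192.0.2.x / 198.51.100.x addresses are constructed for the example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the autogenerated swanctl.conf in the report:
# the remote_ts of child 'test-tunnel-0' carries the peer *name* instead of an address.
BROKEN_CONF = """\
connections {
    test {
        children {
            test-tunnel-0 {
                local_ts = 192.0.2.1[gre/]
                remote_ts = test[gre/]
                mode = transport
            }
        }
    }
}
"""

# Traffic selector syntax: <address-or-prefix>[<proto>/<port-or-range>], bracket part optional.
_TS_RE = re.compile(r"^(?P<net>[^\[\s]+)(?:\[(?P<proto>[^/\]]*)(?:/(?P<port>[^\]]*))?\])?$")
_SECTION_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*\{\s*$")
_TS_LINE_RE = re.compile(r"^\s*(local_ts|remote_ts)\s*=\s*(.+?)\s*$")


def parse_traffic_selector(ts: str) -> dict:
    """Validate one swanctl traffic selector and return its parts.

    Raises ValueError when the address part is not an IPv4/IPv6 address or prefix,
    which is what happens when a peer name such as 'test' leaks into remote_ts.
    """
    m = _TS_RE.match(ts.strip())
    if not m:
        raise ValueError(f"malformed traffic selector: {ts!r}")
    net_str = m.group("net")
    try:
        net = ipaddress.ip_network(net_str, strict=False)
    except ValueError:
        raise ValueError(
            f"invalid value for traffic selector {ts!r}: {net_str!r} is not an IP address or prefix"
        ) from None
    return {"network": str(net), "proto": m.group("proto") or None, "port": m.group("port") or None}


def find_bad_selectors(conf: str) -> List[Tuple[str, str, str]]:
    """List (section, key, value) for every local_ts/remote_ts strongSwan would reject.

    The parser is deliberately minimal: it tracks the innermost section name and only
    inspects local_ts / remote_ts lines, which is enough for the autogenerated layout.
    """
    bad = []
    stack: List[str] = []
    for line in conf.splitlines():
        if (m := _SECTION_RE.match(line)):
            stack.append(m.group(1))
            continue
        if line.strip() == "}":
            if stack:
                stack.pop()
            continue
        if (m := _TS_LINE_RE.match(line)) and stack:
            key, value = m.groups()
            try:
                parse_traffic_selector(value)
            except ValueError:
                bad.append((stack[-1], key, value))
    return bad


def render_ts(address: str, protocol: Optional[str] = None) -> str:
    """Render a traffic selector from a validated address/prefix and an optional protocol.

    This is the shape the child section needs: the peer's remote-address, not its name.
    """
    net = ipaddress.ip_network(address, strict=False)
    ts = str(net.network_address) if net.num_addresses == 1 else str(net)
    return f"{ts}[{protocol}/]" if protocol else ts


if __name__ == "__main__":
    for section, key, value in find_bad_selectors(BROKEN_CONF):
        print(f"{section}: {key} = {value} would be rejected by strongSwan")
    print("corrected remote_ts:", render_ts("198.51.100.7", "gre"))
```

Running the check against the generated file before `restart vpn` surfaces the bad child selector with the section it belongs to, rather than the single "invalid value for: remote_ts" line strongSwan prints after the connection has already been discarded.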