We shouldn't generate a configuration with empty DPD and close actions for child SAs
# Reproduction configuration: one site-to-site peer (OFFICE-B) in responder
# mode with a single tunnel, authenticated with a pre-shared key.
# None of the commands below configures a DPD action or a close action.
# NOTE(review): IKEv1, PSK authentication and aes128/sha1 for ESP are the
# values used to reproduce the issue; the secrets look like sample strings.
# Treat the block as a test case, not as a deployment template.

# Pre-shared keys and the identities they apply to
set vpn ipsec authentication psk bar id '192.0.2.1'
set vpn ipsec authentication psk bar id '192.0.2.3'
set vpn ipsec authentication psk bar id '192.0.2.1.local.peer-b'
set vpn ipsec authentication psk bar id '192.0.2.2.peer-b'
set vpn ipsec authentication psk bar secret 'SecretBar'
set vpn ipsec authentication psk baz id 'fsdfdf'
set vpn ipsec authentication psk baz secret 'bazdfwefsecrettt'

# ESP (child SA) parameters
set vpn ipsec esp-group ESP-group-b lifetime '1800'
set vpn ipsec esp-group ESP-group-b mode 'tunnel'
set vpn ipsec esp-group ESP-group-b pfs 'enable'
set vpn ipsec esp-group ESP-group-b proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-group-b proposal 1 hash 'sha1'

# IKE (connection) parameters
set vpn ipsec ike-group IKE-group-b key-exchange 'ikev1'
set vpn ipsec ike-group IKE-group-b lifetime '3600'
set vpn ipsec ike-group IKE-group-b proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-group-b proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-group-b proposal 1 hash 'sha256'

set vpn ipsec interface 'eth0'

# Site-to-site peer OFFICE-B and its only tunnel
set vpn ipsec site-to-site peer OFFICE-B authentication local-id '192.0.2.2.peer-b'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '192.0.2.1.local.peer-b'
set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKE-group-b'
set vpn ipsec site-to-site peer OFFICE-B local-address '192.0.2.2'
set vpn ipsec site-to-site peer OFFICE-B remote-address '192.0.2.1'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'ESP-group-b'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '10.0.0.0/21'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '192.168.0.0/24'
In the children section, the generated file incorrectly contains an empty "=" for the DPD action and the close action:
vyos@r2# cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    OFFICE-B {
        proposals = aes256-sha256-modp2048
        version = 1
        local_addrs = 192.0.2.2 # dhcp:no
        remote_addrs = 192.0.2.1
        dpd_timeout = 120
        dpd_delay = 30
        rekey_time = 3600s
        mobike = yes
        keyingtries = 1
        local {
            id = "192.0.2.2.peer-b"
            auth = psk
        }
        remote {
            id = "192.0.2.1.local.peer-b"
            auth = psk
        }
        children {
            OFFICE-B-tunnel-0 {
                esp_proposals = aes128-sha1-modp2048
                life_time = 1800s
                local_ts = 10.0.0.0/21
                remote_ts = 192.168.0.0/24
                ipcomp = no
                mode = tunnel
                start_action = trap
                # NOTE(review): the two keys below are emitted with nothing
                # after "=". This is the defect being reported: the generator
                # writes the key even though no action was configured.
                # strongSwan documents defaults of "clear" (dpd_action) and
                # "none" (close_action) when a key is absent. How an empty
                # value is handled is not shown here; confirm it against the
                # deployed version.
                dpd_action =
                close_action =
            }
        }
    }
}