Some IPsec proposal combinations can be invalid, and the strongswan service then stops.
To reproduce:
set interfaces ethernet eth1 address '192.0.2.14/24'
set interfaces tunnel tun100 address '192.168.250.4/24'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 parameters ip key '1'
set interfaces tunnel tun100 source-address '192.0.2.14'
set protocols nhrp tunnel tun100 cisco-authentication 'secret'
set protocols nhrp tunnel tun100 holding-time '30'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group21'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'aes256gmac'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '24'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'aes256gmac'
set vpn ipsec interface 'eth1'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
Check the strongswan service (non-zero exit code):
vyos@r4# sudo systemctl status strongswan
× strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
     Loaded: loaded (/lib/systemd/system/strongswan.service; disabled; preset: enabled)
     Active: failed (Result: exit-code) since Tue 2024-03-05 13:17:17 EET; 3s ago
    Process: 7507 ExecStart=/usr/sbin/charon-systemd (code=exited, status=0/SUCCESS)
    Process: 7531 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=22)
   Main PID: 7507 (code=exited, status=0/SUCCESS)
     Status: "charon-systemd running, strongSwan 5.9.11, Linux 6.6.19-amd64-vyos, x86_64"
        CPU: 52ms

Mar 05 13:17:17 r4 swanctl[7531]: loading connection 'dmvpn-NHRPVPN-tun100' failed: invalid value for: proposals, config discarded
Mar 05 13:17:17 r4 swanctl[7531]: loaded 0 of 1 connections, 1 failed to load, 0 unloaded
Mar 05 13:17:17 r4 swanctl[7531]: loaded ike secret 'ike-dmvpn-tun100'
Mar 05 13:17:17 r4 swanctl[7531]: no authorities found, 0 unloaded
Mar 05 13:17:17 r4 swanctl[7531]: no pools found, 0 unloaded
Mar 05 13:17:17 r4 systemd[1]: strongswan.service: Control process exited, code=exited, status=22/n/a
Mar 05 13:17:17 r4 charon-systemd[7507]: SIGTERM received, shutting down
Mar 05 13:17:17 r4 charon[7507]: 00[DMN] SIGTERM received, shutting down
Mar 05 13:17:17 r4 systemd[1]: strongswan.service: Failed with result 'exit-code'.
Mar 05 13:17:17 r4 systemd[1]: Failed to start strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
[edit]
vyos@r4#
Generated config:
vyos@r4# cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###
connections {
    dmvpn-NHRPVPN-tun100 {
        proposals = aes256gcm128-aes256gmac-modp2048s256
        version = 2
        rekey_time = 3600s
        keyingtries = 0
        dpd_timeout = 120
        dpd_delay = 30
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            dmvpn {
                esp_proposals = aes256gcm128-aes256gmac-ecp521
                rekey_time = 1800s
                rand_time = 540s
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                mode = transport
                dpd_action = clear
            }
        }
    }
}
pools {
}
secrets {
    ike-dmvpn-tun100 {
        secret = secret
    }
}
Based on the output of show log ipsec, strongSwan requires a PRF algorithm in the IKE proposal:
Mar 05 13:37:59 charon[9055]: 11[CFG] a PRF algorithm is mandatory in IKE proposals
Mar 05 13:37:59 charon-systemd[9055]: a PRF algorithm is mandatory in IKE proposals
Mar 05 13:37:59 swanctl[9079]: loading connection 'dmvpn-NHRPVPN-tun100' failed: invalid value for: proposals, config discarded
Mar 05 13:37:59 swanctl[9079]: loaded 0 of 1 connections, 1 failed to load, 0 unloaded
Mar 05 13:37:59 swanctl[9079]: loaded ike secret 'ike-dmvpn-tun100'
Mar 05 13:37:59 swanctl[9079]: no authorities found, 0 unloaded
Mar 05 13:37:59 swanctl[9079]: no pools found, 0 unloaded
Mar 05 13:37:59 systemd[1]: strongswan.service: Control process exited, code=exited, status=22/n/a
Mar 05 13:37:59 charon-systemd[9055]: SIGTERM received, shutting down
Mar 05 13:37:59 charon[9055]: 00[DMN] SIGTERM received, shutting down
Mar 05 13:37:59 systemd[1]: strongswan.service: Failed with result 'exit-code'.
Mar 05 13:37:59 systemd[1]: Failed to start strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
To fix this case, add a PRF to the IKE proposal:
vyos@r4# set vpn ipsec ike-group IKE-HUB proposal 1 prf prfsha256
[edit]
vyos@r4# commit
[edit]
vyos@r4# sudo systemctl status strongswan
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
     Loaded: loaded (/lib/systemd/system/strongswan.service; disabled; preset: enabled)
     Active: active (running) since Tue 2024-03-05 13:39:35 EET; 3s ago
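The root cause is that AEAD ciphers such as aes256gcm128 carry their own integrity, so strongSwan cannot derive the PRF from a separate integrity algorithm and needs it stated explicitly; a non-AEAD proposal like aes256-sha256 loads fine without one. The safer behaviour is for the config script to reject such a proposal at commit time instead of letting swanctl discard the connection and take the whole service down. The following is an added illustration written for this report, not code from vpn_ipsec.py: the function names verify_ike_proposal and build_ike_proposal, the dh-group name map (only the entries 21 and 24 are taken from the generated config above) and the encryption-hash-prf-dh ordering of the rendered string are assumptions.

```python
# Added example (not VyOS project code): validate one IKE proposal before it
# is rendered into swanctl.conf, so a commit fails with a clear message rather
# than strongSwan refusing to load the connection at service start.
# Function names, the dh-group map and the rendering order are assumptions.

# AEAD ciphers provide their own integrity; strongSwan then cannot derive a
# PRF from the integrity algorithm and requires an explicit prf.
AEAD_MARKERS = ("gcm", "ccm", "chacha20poly1305")

# VyOS dh-group number -> strongSwan keyword. 21 and 24 appear in the
# generated config on this page; the other entries are illustrative.
DH_GROUP_NAMES = {
    "2": "modp1024",
    "14": "modp2048",
    "19": "ecp256",
    "21": "ecp521",
    "24": "modp2048s256",
}


def is_aead(encryption: str) -> bool:
    """True when the encryption keyword names an AEAD transform."""
    return any(marker in encryption for marker in AEAD_MARKERS)


def verify_ike_proposal(proposal: dict) -> list:
    """Return a list of human-readable problems; an empty list means valid."""
    errors = []
    enc = proposal.get("encryption")
    if not enc:
        errors.append("encryption algorithm is required")
        return errors
    if is_aead(enc) and not proposal.get("prf"):
        errors.append(
            f"{enc} is an AEAD cipher; a PRF algorithm is mandatory "
            "in IKE proposals (set 'prf')"
        )
    if not is_aead(enc) and not proposal.get("hash"):
        errors.append("non-AEAD ciphers require a hash (integrity) algorithm")
    dh = proposal.get("dh-group")
    if dh is not None and dh not in DH_GROUP_NAMES:
        errors.append(f"unknown dh-group '{dh}'")
    return errors


def build_ike_proposal(proposal: dict) -> str:
    """Render a proposal in swanctl syntax; raise ValueError when invalid."""
    errors = verify_ike_proposal(proposal)
    if errors:
        raise ValueError("; ".join(errors))
    parts = [proposal["encryption"]]
    for key in ("hash", "prf"):          # assumed order: enc-hash-prf-dh
        if proposal.get(key):
            parts.append(proposal[key])
    if proposal.get("dh-group"):
        parts.append(DH_GROUP_NAMES[proposal["dh-group"]])
    return "-".join(parts)


if __name__ == "__main__":
    # Constructed inputs mirroring the IKE-HUB proposal from this report.
    broken = {"encryption": "aes256gcm128", "hash": "aes256gmac", "dh-group": "24"}
    fixed = dict(broken, prf="prfsha256")
    print("broken:", verify_ike_proposal(broken))
    print("fixed: ", build_ike_proposal(fixed))
```

Running the script shows the broken proposal rejected with the same wording strongSwan logs, while the fixed one renders as aes256gcm128-aes256gmac-prfsha256-modp2048s256; wiring verify_ike_proposal into the commit-time verify step is what keeps a single bad proposal from stopping the whole strongswan service.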