
IPsec establishing IKE_SA failed, giving up after 5 retransmits
Closed, Invalid (Public)

Description

How can the number of attempts be increased to more than 5?

I encountered a problem with IPsec: it does not stay in the UP state for long; after a while it goes into the DOWN state and has to be restarted via restart ipsec.
In the logs on side 1:

charon-systemd[84075]: retransmit 5 of request with message ID 1
charon-systemd[84075]: sending packet: from IPLOCAL[4500] to IPREMOTE[4500] (604 bytes)
charon[84075]: 09[KNL] creating delete job for CHILD_SA ESP/0xc21e5ccf/IPLOCAL
charon[84075]: 12[JOB] CHILD_SA ESP/0xc21e5ccf/IPLOCAL not found for delete
charon-systemd[84075]: creating delete job for CHILD_SA ESP/0xc21e5ccf/IPLOCAL
charon-systemd[84075]: CHILD_SA ESP/0xc21e5ccf/IPLOCAL not found for delete
charon[84075]: 15[IKE] <RIGHT|2> giving up after 5 retransmits
charon[84075]: 15[IKE] <RIGHT|2> establishing IKE_SA failed, peer not responding
charon-systemd[84075]: giving up after 5 retransmits
charon-systemd[84075]: establishing IKE_SA failed, peer not responding

In the logs from side 2:

charon-systemd[83372]: generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
charon[83372]: 08[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
charon-systemd[83372]: sending packet: from IPLOCAL[500] to IPREMOTE[500] (344 bytes)
charon[83372]: 08[NET] <3> sending packet: from IPLOCAL[500] to IPREMOTE[500] (344 bytes)
charon[83372]: 11[JOB] <3> deleting half open IKE_SA with IPREMOTE after timeout
charon-systemd[83372]: deleting half open IKE_SA with IPREMOTE after timeout

I have an idea about the solution; maybe it is because of problems on the channel. But I tried to find how to apply the setting by increasing max_retries, either by specifying 0 (that is, making an infinite number of connection attempts) or by setting a larger value, and I did not find how to do this, nor how to set the interval between attempts (retransmit_interval) to every 5 seconds:
max_retries = 10
retransmit_interval = 5s
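The names above (max_retries, retransmit_interval) are not strongSwan's. The daemon behind VyOS IPsec is charon, whose retransmission is governed by the strongswan.conf settings charon.retransmit_tries (default 5, which is the "giving up after 5 retransmits" in the log), charon.retransmit_timeout (4.0 s), charon.retransmit_base (1.8) and charon.retransmit_limit; the wait before retransmit n is retransmit_timeout * retransmit_base^(n-1). The following is an added example, not VyOS project code and not part of this task: it computes the retransmit schedule for the defaults and for a tuned set of values, renders the equivalent charon {} block, and runs a small two-sided triage over log lines constructed from the ones in this report (addresses replaced by documentation-range placeholders). The verdict strings and the heuristics behind them are this example's own interpretation of the posted logs. Whether and where VyOS lets you override these charon settings is not something this task establishes.

```python
"""Retransmit budget and two-sided log triage for strongSwan's charon daemon.

Added example, not VyOS project code.  The option names and the timing rule
(wait before retransmit n = retransmit_timeout * retransmit_base^(n-1),
optionally capped by retransmit_limit) are strongSwan's documented
charon.retransmit_* settings; the log lines below are constructed from the
ones in this report, with placeholder addresses.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Retransmit:
    tries: int = 5        # charon.retransmit_tries   (default 5)
    timeout: float = 4.0  # charon.retransmit_timeout (default 4.0 s)
    base: float = 1.8     # charon.retransmit_base    (default 1.8)
    limit: float = 0.0    # charon.retransmit_limit   (0 = no cap)

    def intervals(self):
        """Seconds waited before retransmit 1..tries, then before giving up."""
        waits = []
        for n in range(self.tries + 1):
            t = self.timeout * self.base ** n
            if self.limit > 0:
                t = min(t, self.limit)
            waits.append(t)
        return waits

    def give_up_after(self):
        """Total seconds from the first send to 'giving up after N retransmits'."""
        return sum(self.intervals())

    def strongswan_conf(self):
        """The charon {} block that expresses these values in strongswan.conf."""
        return (
            "charon {\n"
            f"    retransmit_tries = {self.tries}\n"
            f"    retransmit_timeout = {self.timeout}\n"
            f"    retransmit_base = {self.base}\n"
            f"    retransmit_limit = {self.limit:g}\n"
            "}\n"
        )


# Constructed from the report's lines (203.0.113.1 = side 1, 198.51.100.2 = side 2).
INITIATOR_LOG = """\
charon[84075]: 15[NET] <RIGHT|2> sending packet: from 203.0.113.1[4500] to 198.51.100.2[4500] (604 bytes)
charon[84075]: 15[IKE] <RIGHT|2> retransmit 5 of request with message ID 1
charon[84075]: 15[IKE] <RIGHT|2> giving up after 5 retransmits
charon[84075]: 15[IKE] <RIGHT|2> establishing IKE_SA failed, peer not responding
"""
RESPONDER_LOG = """\
charon[83372]: 08[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
charon[83372]: 08[NET] <3> sending packet: from 198.51.100.2[500] to 203.0.113.1[500] (344 bytes)
charon[83372]: 11[JOB] <3> deleting half open IKE_SA with 203.0.113.1 after timeout
"""

RETRANSMIT = re.compile(r"retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)")
GIVE_UP = re.compile(r"<(?P<conn>[^|>]+)\|\d+> giving up after (?P<n>\d+) retransmits")
SENT_TO = re.compile(r"sending packet: from \S+\[\d+\] to \S+\[(?P<dport>\d+)\]")
HALF_OPEN = re.compile(r"deleting half open IKE_SA with \S+ after timeout")
INIT_RESP = re.compile(r"generating IKE_SA_INIT response")


def triage(initiator_log, responder_log):
    """Classify why the IKE_SA did not come up, from both peers' charon lines.

    Message ID 0 is IKE_SA_INIT, 1 is IKE_AUTH.  A responder that logged an
    IKE_SA_INIT response and later 'deleting half open IKE_SA ... after
    timeout' saw the first exchange but never received IKE_AUTH.  The verdicts
    are this example's heuristics, not strongSwan output."""
    gave_up = GIVE_UP.search(initiator_log)
    if gave_up is None:
        return {"verdict": "ok"}
    mids = [int(m["mid"]) for m in RETRANSMIT.finditer(initiator_log)]
    ports = [int(m["dport"]) for m in SENT_TO.finditer(initiator_log)]
    responder_answered = INIT_RESP.search(responder_log) is not None
    half_open = HALF_OPEN.search(responder_log) is not None
    stuck_on = max(mids, default=0)
    if stuck_on >= 1 and responder_answered and half_open:
        verdict = "ike_auth_not_delivered"   # IKE_AUTH lost: check the UDP/4500 (NAT-T) path
    elif stuck_on == 0 and responder_answered:
        verdict = "ike_sa_init_reply_lost"   # responder replied, reply never came back
    else:
        verdict = "no_contact"               # responder never saw the initiator
    return {
        "conn": gave_up["conn"],
        "retransmits": int(gave_up["n"]),
        "stuck_on_message_id": stuck_on,
        "last_dst_port": ports[-1] if ports else None,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(Retransmit().strongswan_conf())
    print("defaults give up after %.0f s" % Retransmit().give_up_after())
    print(triage(INITIATOR_LOG, RESPONDER_LOG))
```

With the defaults the six waits are 4, 7.2, 12.96, 23.33, 41.99 and 75.58 s, so charon gives up about 165 s after the first send; tries=10, timeout=5.0, base=1.0 gives the fixed 5 s spacing asked for above and gives up after 55 s. The triage result for the posted lines is the caveat worth noticing before tuning anything: side 1 was retransmitting message ID 1 (IKE_AUTH) to port 4500, while side 2 only ever logged the IKE_SA_INIT exchange on port 500 and then timed out a half-open SA. A larger retry count only makes the initiator wait longer; it does not get IKE_AUTH delivered over UDP/4500.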

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

When trying to reset the non-working peer via the command reset vpn ipsec site-to-site peer RIGHT
it gives an error:

WARNING: Peer's RIGHT SAs are not initiated. Nothing to terminate

That is, it can only be restarted through the command
restart ipsec

syncer edited projects, added Invalid; removed VyOS 1.5 Circinus.
syncer changed the subtype of this task from "Feature Request" to "Task".
syncer subscribed.

For support requests, use forum.vyos.io