AWS produces VPN tunnels and a suggested VyOS configuration that is robust and works well:
vpn {
    ipsec {
        authentication {
            psk tunnel_1 {
                id xxx.xxx.158.13
                id xxx.xxx.202.129
                id xxx.xxx.170.40
                id xxx.xxx.168.185
                secret xxxxxx
            }
            psk tunnel_2 {
                id xxx.xxx.66.117
                id xxx.xxx.202.129
                id xxx.xxx.170.40
                id xxx.xxx.168.185
                secret xxxxxx
            }
        }
        esp-group AWS {
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group AWS {
            close-action none
            dead-peer-detection {
                action restart
                interval 15
                timeout 30
            }
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        interface eth0
        options {
            disable-route-autoinstall
        }
        site-to-site {
            peer tunnel_1 {
                authentication {
                    mode pre-shared-secret
                    remote-id xxx.xxx.158.13
                }
                connection-type initiate
                description "VPC tunnel 1"
                disable
                ike-group AWS
                ikev2-reauth inherit
                local-address xxx.xxx.168.185
                remote-address xxx.xxx.158.13
                vti {
                    bind vti0
                    esp-group AWS
                }
            }
            peer tunnel_2 {
                authentication {
                    mode pre-shared-secret
                    remote-id xxx.xxx.66.117
                }
                connection-type initiate
                description "VPC tunnel 2"
                disable
                ike-group AWS
                ikev2-reauth inherit
                local-address xxx.xxx.168.185
                remote-address xxx.xxx.66.117
                vti {
                    bind vti1
                    esp-group AWS
                }
            }
        }
    }
}

However, when testing tunnel failures, I noticed that:
set vpn ipsec site-to-site peer tunnel_1 disable
commit

will take a long time to eventually close the tunnel. Then,

delete vpn ipsec site-to-site peer tunnel_1 disable
commit

never re-initializes the tunnel.

Workaround

As expected, restarting ipsec recreates the tunnels:

run reset vpn ipsec site-to-site all
$ show version
Version:          VyOS 1.5-rolling-202409250007
Release train:    current
Release flavor:   generic
Built by:         autobuild@vyos.net
Built on:         Wed 25 Sep 2024 00:07 UTC
Build UUID:       9b8b01ce-f96f-4af7-8116-68c8cd296cb7
Build commit ID:  fa50a5073b6d3f
Architecture:     x86_64
Boot via:         installed image
System type:      bare metal
Secure Boot:      disabled
Hardware vendor:  HP
Hardware model:   HP EliteDesk 800 G5 Desktop Mini
Hardware S/N:     MXL95025NY
Hardware UUID:    800b5dc3-e6c8-ba65-0bcb-dc6bfdfbccb2
Copyright:        VyOS maintainers and contributors
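As an added example (not part of this report and not VyOS code), the following Python script parses the brace-structured configuration format shown above and audits the IKE/ESP groups. The embedded sample is a constructed, trimmed copy of the AWS-generated `esp-group` and `ike-group` from the report; the weak-algorithm lists and the note on `close-action none` are the script's own review criteria, not VyOS settings. It flags the SHA-1 hashes and DH group 2 in both proposals, and surfaces `close-action none`, which is worth checking when investigating tunnels that do not come back after a peer closes them.

```python
"""Parse a VyOS-style brace-structured IPsec config and flag settings worth review."""

# Constructed sample: a trimmed copy of the IKE/ESP groups from the AWS-generated
# configuration in the report above, re-indented.  No addresses or secrets.
SAMPLE_CONFIG = """\
vpn {
    ipsec {
        esp-group AWS {
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group AWS {
            close-action none
            dead-peer-detection {
                action restart
                interval 15
                timeout 30
            }
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
    }
}
"""

# Review thresholds chosen for this example (assumption, not a VyOS default):
# MD5/SHA-1 and the 768/1024/1536-bit MODP groups are not adequate for new tunnels.
WEAK_HASHES = {"md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_vyos_config(text):
    """Parse `key [value] {` ... `}` blocks into nested dicts.

    `key value {` becomes node[key][value] = {...}; `key {` becomes node[key] = {...};
    a leaf `key value` becomes node[key] = value and a bare `key` becomes True.
    Repeated leaves (e.g. several `id` lines under a psk) are collected into a list.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        if line.endswith("{"):
            parts = line[:-1].split()
            node = {}
            if len(parts) == 1:
                stack[-1][parts[0]] = node
            else:
                stack[-1].setdefault(parts[0], {})[" ".join(parts[1:])] = node
            stack.append(node)
            continue
        parts = line.split(None, 1)
        key = parts[0]
        val = parts[1].strip('"') if len(parts) > 1 else True
        cur = stack[-1]
        if key in cur:  # repeated leaf -> list of values
            cur[key] = (cur[key] if isinstance(cur[key], list) else [cur[key]]) + [val]
        else:
            cur[key] = val
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def audit_ipsec(config):
    """Return (group, proposal, finding) tuples for settings a reviewer should look at."""
    findings = []
    ipsec = config.get("vpn", {}).get("ipsec", {})
    for name, grp in ipsec.get("ike-group", {}).items():
        where = f"ike-group {name}"
        for pnum, prop in grp.get("proposal", {}).items():
            if prop.get("dh-group") in WEAK_DH_GROUPS:
                findings.append((where, pnum, f"dh-group {prop['dh-group']} is weak"))
            if prop.get("hash") in WEAK_HASHES:
                findings.append((where, pnum, f"hash {prop['hash']} is deprecated"))
        if grp.get("close-action") == "none":
            # strongSwan semantics: nothing is done when the peer closes the SA;
            # only dead-peer-detection can then bring the tunnel back.
            findings.append((where, "-", "close-action none: SA not re-established on peer close"))
    for name, grp in ipsec.get("esp-group", {}).items():
        where = f"esp-group {name}"
        if grp.get("pfs") != "enable":
            findings.append((where, "-", "pfs not enabled"))
        for pnum, prop in grp.get("proposal", {}).items():
            if prop.get("hash") in WEAK_HASHES:
                findings.append((where, pnum, f"hash {prop['hash']} is deprecated"))
    return findings


if __name__ == "__main__":
    for group, proposal, msg in audit_ipsec(parse_vyos_config(SAMPLE_CONFIG)):
        print(f"{group} / proposal {proposal}: {msg}")
```

Run against the sample it reports four findings: the weak DH group and SHA-1 hash in the IKE proposal, `close-action none` on the IKE group, and the SHA-1 hash in the ESP proposal; PFS is enabled, so nothing is reported for it.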