To reproduce
IPv6 configuration for IPv6 peers:
Left site:
```
set interfaces dummy dum0 address '2001:db8:1111::1/64'
set interfaces ethernet eth1 address '192.0.2.1/24'
set interfaces ethernet eth1 address '2001:db8::1/64'
set vpn ipsec esp-group grp-ESP compression 'disable'
set vpn ipsec esp-group grp-ESP lifetime '28800'
set vpn ipsec esp-group grp-ESP mode 'tunnel'
set vpn ipsec esp-group grp-ESP pfs 'dh-group14'
set vpn ipsec esp-group grp-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group grp-ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group grp-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group grp-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group grp-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group grp-IKE ikev2-reauth 'no'
set vpn ipsec ike-group grp-IKE key-exchange 'ikev2'
set vpn ipsec ike-group grp-IKE lifetime '86400'
set vpn ipsec ike-group grp-IKE mobike 'disable'
set vpn ipsec ike-group grp-IKE proposal 10 dh-group '14'
set vpn ipsec ike-group grp-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group grp-IKE proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer 2001:db8::2 authentication id '2001:db8::1'
set vpn ipsec site-to-site peer 2001:db8::2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2001:db8::2 authentication pre-shared-secret 'SSSeeccRetT'
set vpn ipsec site-to-site peer 2001:db8::2 authentication remote-id '2001:db8::2'
set vpn ipsec site-to-site peer 2001:db8::2 connection-type 'initiate'
set vpn ipsec site-to-site peer 2001:db8::2 ike-group 'grp-IKE'
set vpn ipsec site-to-site peer 2001:db8::2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 2001:db8::2 local-address '2001:db8::1'
set vpn ipsec site-to-site peer 2001:db8::2 tunnel 0 esp-group 'grp-ESP'
set vpn ipsec site-to-site peer 2001:db8::2 tunnel 0 local prefix '2001:db8:1111::/64'
set vpn ipsec site-to-site peer 2001:db8::2 tunnel 0 remote prefix '2001:db8:2222::/64'
```
Right site:
```
set interfaces bridge br1 member interface dum1
set interfaces dummy dum0 address '2001:db8:2222::1/64'
set interfaces ethernet eth1 address '192.0.2.2/24'
set interfaces ethernet eth1 address '2001:db8::2/64'
set system flow-accounting interface 'eth1'
set vpn ipsec esp-group grp-ESP compression 'disable'
set vpn ipsec esp-group grp-ESP lifetime '28800'
set vpn ipsec esp-group grp-ESP mode 'tunnel'
set vpn ipsec esp-group grp-ESP pfs 'dh-group14'
set vpn ipsec esp-group grp-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group grp-ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group grp-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group grp-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group grp-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group grp-IKE ikev2-reauth 'no'
set vpn ipsec ike-group grp-IKE key-exchange 'ikev2'
set vpn ipsec ike-group grp-IKE lifetime '86400'
set vpn ipsec ike-group grp-IKE mobike 'disable'
set vpn ipsec ike-group grp-IKE proposal 10 dh-group '14'
set vpn ipsec ike-group grp-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group grp-IKE proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer 2001:db8::1 authentication id '2001:db8::2'
set vpn ipsec site-to-site peer 2001:db8::1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2001:db8::1 authentication pre-shared-secret 'SSSeeccRetT'
set vpn ipsec site-to-site peer 2001:db8::1 authentication remote-id '2001:db8::1'
set vpn ipsec site-to-site peer 2001:db8::1 connection-type 'none'
set vpn ipsec site-to-site peer 2001:db8::1 ike-group 'grp-IKE'
set vpn ipsec site-to-site peer 2001:db8::1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 2001:db8::1 local-address '2001:db8::2'
set vpn ipsec site-to-site peer 2001:db8::1 tunnel 0 esp-group 'grp-ESP'
set vpn ipsec site-to-site peer 2001:db8::1 tunnel 0 local prefix '2001:db8:2222::/64'
set vpn ipsec site-to-site peer 2001:db8::1 tunnel 0 remote prefix '2001:db8:1111::/64'
```
Show SA
```
vyos@r14:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ------------------------
peer_2001-db8--2_tunnel_0 down 2s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 2s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 2s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 2s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 2s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 2s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 3s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 3s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 3s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 3s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 3s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 3s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 4s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 4s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 4s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 5s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 5s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 5s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 5s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 down 6s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 up 1s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 up 1s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
peer_2001-db8--2_tunnel_0 up 1s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048
vyos@r14:~$
```
The phase 2 SA (CHILD_SA) is being rekeyed and deleted every second:
```
Jul 21 13:19:41 r14 charon[7908]: 05[IKE] <peer_2001-db8--2|1> sending DELETE for ESP CHILD_SA with SPI cff66eee
Jul 21 13:19:41 r14 charon[7908]: 05[ENC] <peer_2001-db8--2|1> generating INFORMATIONAL request 693 [ D ]
Jul 21 13:19:41 r14 charon[7908]: 05[NET] <peer_2001-db8--2|1> sending packet: from 2001:db8::1[500] to 2001:db8::2[500] (69 bytes)
Jul 21 13:19:41 r14 charon[7908]: 08[NET] <peer_2001-db8--2|1> received packet: from 2001:db8::2[500] to 2001:db8::1[500] (69 bytes)
Jul 21 13:19:41 r14 charon[7908]: 08[ENC] <peer_2001-db8--2|1> parsed INFORMATIONAL request 717 [ D ]
Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> received DELETE for ESP CHILD_SA with SPI c3e0cd0d
Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> closing CHILD_SA peer_2001-db8--2_tunnel_0{702} with SPIs c91d96a0_i (0 bytes) c3e0cd0d_o (0 bytes) and TS 2001:db8:1111::/64 === 2001:db8:2222::/64
Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> sending DELETE for ESP CHILD_SA with SPI c91d96a0
Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> CHILD_SA closed
Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> outbound CHILD_SA peer_2001-db8--2_tunnel_0{708} established with SPIs cedff8b5_i c9f2a668_o and TS 2001:db8:1111::/64 === 2001:db8:2222::/64
Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> detected CHILD_REKEY collision with CHILD_DELETE
Jul 21 13:19:41 r14 charon[7908]: 08[ENC] <peer_2001-db8--2|1> generating INFORMATIONAL response 717 [ D ]
Jul 21 13:19:41 r14 charon[7908]: 08[NET] <peer_2001-db8--2|1> sending packet: from 2001:db8::1[500] to 2001:db8::2[500] (69 bytes)
Jul 21 13:19:41 r14 charon[7908]: 08[NET] <peer_2001-db8--2|1> received packet: from 2001:db8::2[500] to 2001:db8::1[500] (69 bytes)
Jul 21 13:19:41 r14 charon[7908]: 08[ENC] <peer_2001-db8--2|1> parsed INFORMATIONAL response 693 [ D ]
Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> received DELETE for ESP CHILD_SA with SPI c356fe91
Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> CHILD_SA closed
Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> establishing CHILD_SA peer_2001-db8--2_tunnel_0{709} reqid 1
Jul 21 13:19:41 r14 charon[7908]: 08[ENC] <peer_2001-db8--2|1> generating CREATE_CHILD_SA request 694 [ N(REKEY_SA) SA No KE TSi TSr ]
Jul 21 13:19:41 r14 charon[7908]: 08[NET] <peer_2001-db8--2|1> sending packet: from 2001:db8::1[500] to 2001:db8::2[500] (509 bytes)
Jul 21 13:19:41 r14 charon[7908]: 07[NET] <peer_2001-db8--2|1> received packet: from 2001:db8::2[500] to 2001:db8::1[500] (509 bytes)
Jul 21 13:19:41 r14 charon[7908]: 07[ENC] <peer_2001-db8--2|1> parsed CREATE_CHILD_SA request 718 [ N(REKEY_SA) SA No KE TSi TSr ]
Jul 21 13:19:41 r14 charon[7908]: 07[CFG] <peer_2001-db8--2|1> selected proposal: ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
Jul 21 13:19:41 r14 charon[7908]: 07[IKE] <peer_2001-db8--2|1> inbound CHILD_SA peer_2001-db8--2_tunnel_0{710} established with SPIs c5f6d139_i c6f292e9_o and TS 2001:db8:1111::/64 === 2001:db8:2222::/64
Jul 21 13:19:41 r14 charon[7908]: 07[IKE] <peer_2001-db8--2|1> detected CHILD_REKEY collision with CHILD_REKEY
Jul 21 13:19:41 r14 charon[7908]: 07[ENC] <peer_2001-db8--2|1> generating CREATE_CHILD_SA response 718 [ SA No KE TSi TSr ]
Jul 21 13:19:41 r14 charon[7908]: 07[NET] <peer_2001-db8--2|1> sending packet: from 2001:db8::1[500] to 2001:db8::2[500] (497 bytes)
Jul 21 13:19:41 r14 charon[7908]: 16[NET] <peer_2001-db8--2|1> received packet: from 2001:db8::2[500] to 2001:db8::1[500] (497 bytes)
Jul 21 13:19:41 r14 charon[7908]: 16[ENC] <peer_2001-db8--2|1> parsed CREATE_CHILD_SA response 694 [ SA No KE TSi TSr ]
Jul 21 13:19:41 r14 charon[7908]: 16[CFG] <peer_2001-db8--2|1> selected proposal: ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
Jul 21 13:19:41 r14 charon[7908]: 16[IKE] <peer_2001-db8--2|1> inbound CHILD_SA peer_2001-db8--2_tunnel_0{709} established with SPIs c6a3d7ba_i cd7b9fd1_o and TS 2001:db8:1111::/64 === 2001:db8:2222::/64
Jul 21 13:19:41 r14 charon[7908]: 16[IKE] <peer_2001-db8--2|1> CHILD_SA rekey collision won, deleting old child peer_2001-db8--2_tunnel_0{703}
Jul 21 13:19:41 r14 charon[7908]: 16[IKE] <peer_2001-db8--2|1> outbound CHILD_SA peer_2001-db8--2_tunnel_0{709} established with SPIs c6a3d7ba_i cd7b9fd1_o and TS 2001:db8:1111::/64 === 2001:db8:2222::/64
Jul 21 13:19:41 r14 charon[7908]: 16[IKE] <peer_2001-db8--2|1> closing CHILD_SA peer_2001-db8--2_tunnel_0{703} with SPIs ca1e824c_i (0 bytes) cf8c8ff0_o (0 bytes) and TS 2001:db8:1111::/64 === 2001:db8:2222::/64
Jul 21 13:19:41 r14 charon[7908]: 16[IKE] <peer_2001-db8--2|1> sending DELETE for ESP CHILD_SA with SPI ca1e824c
Jul 21 13:19:41 r14 charon[7908]: 16[ENC] <peer_2001-db8--2|1> generating INFORMATIONAL request 695 [ D ]
Jul 21 13:19:41 r14 charon[7908]: 16[NET] <peer_2001-db8--2|1> sending packet: from 2001:db8::1[500] to 2001:db8::2[500] (69 bytes)
Jul 21 13:19:41 r14 charon[7908]: 12[NET] <peer_2001-db8--2|1> received packet: from 2001:db8::2[500] to 2001:db8::1[500] (69 bytes)
Jul 21 13:19:41 r14 charon[7908]: 12[ENC] <peer_2001-db8--2|1> parsed INFORMATIONAL request 719 [ D ]
Jul 21 13:19:41 r14 charon[7908]: 12[IKE] <peer_2001-db8--2|1> received DELETE for ESP CHILD_SA with SPI c6f292e9
Jul 21 13:19:41 r14 charon[7908]: 12[IKE] <peer_2001-db8--2|1> closing CHILD_SA peer_2001-db8--2_tunnel_0{710} with SPIs c5f6d139_i (0 bytes) c6f292e9_o (0 bytes) and TS 2001:db8:1111::/64 === 2001:db8:2222::/64
Jul 21 13:19:41 r14 charon[7908]: 12[IKE] <peer_2001-db8--2|1> sending DELETE for ESP CHILD_SA with SPI c5f6d139
Jul 21 13:19:41 r14 charon[7908]: 12[IKE] <peer_2001-db8--2|1> CHILD_SA closed
Jul 21 13:19:41 r14 charon[7908]: 12[ENC] <peer_2001-db8--2|1> generating INFORMATIONAL response 719 [ D ]
Jul 21 13:19:41 r14 charon[7908]: 12[NET] <peer_2001-db8--2|1> sending packet: from 2001:db8::1[500] to 2001:db8::2[500] (69 bytes)
Jul 21 13:19:41 r14 charon[7908]: 13[NET] <peer_2001-db8--2|1> received packet: from 2001:db8::2[500] to 2001:db8::1[500] (69 bytes)
Jul 21 13:19:41 r14 charon[7908]: 13[ENC] <peer_2001-db8--2|1> parsed INFORMATIONAL response 695 [ D ]
Jul 21 13:19:41 r14 charon[7908]: 13[IKE] <peer_2001-db8--2|1> received DELETE for ESP CHILD_SA with SPI cf8c8ff0
Jul 21 13:19:41 r14 charon[7908]: 13[IKE] <peer_2001-db8--2|1> CHILD_SA closed
```
[[ https://github.com/strongswan/strongswan/blob/44ab5533b00cff1efacbb638bea0460f8c8b4027/src/libcharon/sa/ikev2/tasks/child_rekey.c#L79-L89 | Collisions ]] [[ https://github.com/strongswan/strongswan/blob/44ab5533b00cff1efacbb638bea0460f8c8b4027/src/libcharon/sa/ikev2/tasks/child_rekey.c#L304-L377 | Rekey collision ]]:
```
detected CHILD_REKEY collision with CHILD_DELETE
```
Swanctl.conf:
```
vyos@r14:~$ sudo cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###
connections {
peer_2001-db8--2 {
proposals = aes256gcm128-sha256-modp2048
version = 2
local_addrs = 2001:db8::1 # dhcp:no
remote_addrs = 2001:db8::2
dpd_timeout = 120
dpd_delay = 30
rekey_time = 86400s
mobike = no
keyingtries = 0
local {
id = "2001:db8::1"
auth = psk
}
remote {
id = "2001:db8::2"
auth = psk
}
children {
peer_2001-db8--2_tunnel_0 {
esp_proposals = aes256gcm128-sha256-modp2048
life_time = 28800s
local_ts = 2001:db8:1111::/64
remote_ts = 2001:db8:2222::/64
ipcomp = no
mode = tunnel
start_action = start
dpd_action = trap
close_action =
}
}
}
}
pools {
}
secrets {
ike_2001-db8--2 {
id-local = 2001:db8::1 # dhcp:no
id-remote = 2001:db8::2
id-localid = 2001:db8::1
id-remoteid = 2001:db8::2
secret = "SSSeeccRetT"
}
}
```