Some IPsec proposal combinations are invalid, and the `strongswan` service stops.
To reproduce:
```
set interfaces ethernet eth1 address '192.0.2.14/24'
set interfaces tunnel tun100 address '192.168.250.4/24'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 parameters ip key '1'
set interfaces tunnel tun100 source-address '192.0.2.14'
set protocols nhrp tunnel tun100 cisco-authentication 'secret'
set protocols nhrp tunnel tun100 holding-time '30'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group21'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'aes256gmac'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '24'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'aes256gmac'
set vpn ipsec interface 'eth1'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
```
Check the strongswan service (nonzero exit code):
```
vyos@r4# sudo systemctl status strongswan
× strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
Loaded: loaded (/lib/systemd/system/strongswan.service; disabled; preset: enabled)
Active: failed (Result: exit-code) since Tue 2024-03-05 13:17:17 EET; 3s ago
Process: 7507 ExecStart=/usr/sbin/charon-systemd (code=exited, status=0/SUCCESS)
Process: 7531 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=22)
Main PID: 7507 (code=exited, status=0/SUCCESS)
Status: "charon-systemd running, strongSwan 5.9.11, Linux 6.6.19-amd64-vyos, x86_64"
CPU: 52ms
Mar 05 13:17:17 r4 swanctl[7531]: loading connection 'dmvpn-NHRPVPN-tun100' failed: invalid value for: proposals, config discarded
Mar 05 13:17:17 r4 swanctl[7531]: loaded 0 of 1 connections, 1 failed to load, 0 unloaded
Mar 05 13:17:17 r4 swanctl[7531]: loaded ike secret 'ike-dmvpn-tun100'
Mar 05 13:17:17 r4 swanctl[7531]: no authorities found, 0 unloaded
Mar 05 13:17:17 r4 swanctl[7531]: no pools found, 0 unloaded
Mar 05 13:17:17 r4 systemd[1]: strongswan.service: Control process exited, code=exited, status=22/n/a
Mar 05 13:17:17 r4 charon-systemd[7507]: SIGTERM received, shutting down
Mar 05 13:17:17 r4 charon[7507]: 00[DMN] SIGTERM received, shutting down
Mar 05 13:17:17 r4 systemd[1]: strongswan.service: Failed with result 'exit-code'.
Mar 05 13:17:17 r4 systemd[1]: Failed to start strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
[edit]
vyos@r4#
```
Generated config:
```
vyos@r4# cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###
connections {
    dmvpn-NHRPVPN-tun100 {
        proposals = aes256gcm128-aes256gmac-modp2048s256
        version = 2
        rekey_time = 3600s
        keyingtries = 0
        dpd_timeout = 120
        dpd_delay = 30
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            dmvpn {
                esp_proposals = aes256gcm128-aes256gmac-ecp521
                rekey_time = 1800s
                rand_time = 540s
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                mode = transport
                dpd_action = clear
            }
        }
    }
}
pools {
}
secrets {
    ike-dmvpn-tun100 {
        secret = secret
    }
}
```
Based on `show log ipsec`, the IKE proposal requires a **PRF**:
```
Mar 05 13:37:59 charon[9055]: 11[CFG] a PRF algorithm is mandatory in IKE proposals
Mar 05 13:37:59 charon-systemd[9055]: a PRF algorithm is mandatory in IKE proposals
Mar 05 13:37:59 swanctl[9079]: loading connection 'dmvpn-NHRPVPN-tun100' failed: invalid value for: proposals, config discarded
Mar 05 13:37:59 swanctl[9079]: loaded 0 of 1 connections, 1 failed to load, 0 unloaded
Mar 05 13:37:59 swanctl[9079]: loaded ike secret 'ike-dmvpn-tun100'
Mar 05 13:37:59 swanctl[9079]: no authorities found, 0 unloaded
Mar 05 13:37:59 swanctl[9079]: no pools found, 0 unloaded
Mar 05 13:37:59 systemd[1]: strongswan.service: Control process exited, code=exited, status=22/n/a
Mar 05 13:37:59 charon-systemd[9055]: SIGTERM received, shutting down
Mar 05 13:37:59 charon[9055]: 00[DMN] SIGTERM received, shutting down
Mar 05 13:37:59 systemd[1]: strongswan.service: Failed with result 'exit-code'.
Mar 05 13:37:59 systemd[1]: Failed to start strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
```
To fix this case:
```
vyos@r4# set vpn ipsec ike-group IKE-HUB proposal 1 prf prfsha256
[edit]
vyos@r4# commit
[edit]
vyos@r4# sudo systemctl status strongswan
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
Loaded: loaded (/lib/systemd/system/strongswan.service; disabled; preset: enabled)
Active: active (running) since Tue 2024-03-05 13:39:35 EET; 3s ago
```
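The failure above is a validation gap: VyOS builds the `proposals` string from the CLI values and hands it to `swanctl --load-all`, which rejects it only after the service has already been restarted. The following is an added example, not VyOS's own `vpn_ipsec.py` code, of a pre-commit check that catches this case before the config is written. It assembles the proposal string the same way the generated `swanctl.conf` shows it (`encryption-hash[-prf]-dhgroup`), and flags the case from the log: a PRF is mandatory in IKE proposals, and strongSwan can only derive one implicitly from a conventional integrity algorithm such as `sha256`, never from `aes256gmac`. The `DH_GROUPS` mapping covers only the two groups seen in this report, and the rule that a PRF is derived from the integrity algorithm when none is given is an assumption taken from strongSwan's documented behaviour; the function and variable names are hypothetical.

```python
import re
from typing import List, Optional, Tuple

# Constructed mapping of the VyOS dh-group numbers used in this report to the
# strongSwan group names visible in the generated swanctl.conf (assumption: only these two).
DH_GROUPS = {"21": "ecp521", "24": "modp2048s256"}

# Integrity algorithms from which strongSwan derives a PRF when none is given explicitly
# (assumption based on strongSwan's documented behaviour; aes*gmac is deliberately absent,
# which is exactly why the report's proposal fails to load).
IMPLIED_PRF = {
    "md5": "prfmd5",
    "sha1": "prfsha1",
    "sha256": "prfsha256",
    "sha384": "prfsha384",
    "sha512": "prfsha512",
}

# Message as it appears in the charon log on the page.
PRF_MESSAGE = "a PRF algorithm is mandatory in IKE proposals"

TOKEN_RE = re.compile(r"^[a-z0-9]+$")


def build_ike_proposal(encryption: str, hash_alg: str, dh_group: str,
                       prf: Optional[str] = None) -> str:
    """Assemble the proposal string in the order the generated config shows:
    encryption-hash[-prf]-dhgroup. Hypothetical helper mirroring the page's output."""
    parts = [encryption, hash_alg]
    if prf:
        parts.append(prf)
    # Unknown group numbers fall back to the plain modp<n> naming (assumption).
    parts.append(DH_GROUPS.get(dh_group, f"modp{dh_group}"))
    return "-".join(parts)


def validate_ike_proposal(proposal: str) -> List[str]:
    """Return the problems swanctl would report for an IKE proposal string.
    Only the PRF rule from the log is modelled here."""
    tokens = proposal.split("-")
    problems = []
    if not all(TOKEN_RE.match(t) for t in tokens):
        problems.append(f"malformed proposal token in '{proposal}'")
        return problems
    explicit_prf = any(t.startswith("prf") for t in tokens)
    derivable_prf = any(t in IMPLIED_PRF for t in tokens)
    if not explicit_prf and not derivable_prf:
        problems.append(PRF_MESSAGE)
    return problems


def check_ike_group(group: str, encryption: str, hash_alg: str, dh_group: str,
                    prf: Optional[str] = None) -> Tuple[str, List[str], Optional[str]]:
    """Pre-commit check for one ike-group proposal: returns the proposal string,
    the list of problems, and the CLI fix the report applied (prfsha256) when a
    PRF is missing, so the commit can be refused before strongswan is restarted."""
    proposal = build_ike_proposal(encryption, hash_alg, dh_group, prf)
    problems = validate_ike_proposal(proposal)
    fix = None
    if PRF_MESSAGE in problems:
        fix = f"set vpn ipsec ike-group {group} proposal 1 prf prfsha256"
    return proposal, problems, fix


if __name__ == "__main__":
    # The failing configuration from the report, then the same group after the fix.
    for args in (("IKE-HUB", "aes256gcm128", "aes256gmac", "24"),
                 ("IKE-HUB", "aes256gcm128", "aes256gmac", "24", "prfsha256")):
        proposal, problems, fix = check_ike_group(*args)
        print(proposal, problems or "ok", fix or "")
```

Run stand-alone it prints the report's proposal with the PRF message and the suggested `set ... prf prfsha256` command, then the corrected proposal as `ok`. Wiring a check like this into the commit path turns a service outage (strongswan down, every tunnel on the box gone) into a commit-time validation error, which is the right failure mode for a VPN gateway.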