1.3.5 - restart vpn - IPsec VPN not configured - even though it is

Similar to Vyos 1.3.1-S1 - Restart VPN Command - No IPSEC Configured - I am also seeing this behaviour. But I already have the "set vpn ipsec ipsec-interfaces interface 'eth4'" command in my configuration.

Sanitized output of commands requested in other thread
vyos@border1:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal


peer-XX.XX.XX.XX-tunnel-vti up 20m50s 120M/2M 90K/48K XX.XX.XX.XX 36 N/A AES_CBC_256/HMAC_SHA2_256_128/ECP_384
vyos@border1:~$
vyos@border1:~$ show vpn ike sa
Peer ID / IP Local ID / IP


XX.XX.XX.XX YY.YY.YY.YY

Description: Tunnel to other end

State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
-----  ------  -------  ----    ---------      -----  ------  ------
up     IKEv1   aes256   sha256_128 20(ECP_384)    no     3600    86400

vyos@border1:~$ restart vpn
IPsec VPN not configured

Config:
set vpn ipsec esp-group pg-remsite-esp compression 'disable'
set vpn ipsec esp-group pg-remsite-esp lifetime '3600'
set vpn ipsec esp-group pg-remsite-esp mode 'tunnel'
set vpn ipsec esp-group pg-remsite-esp pfs 'dh-group20'
set vpn ipsec esp-group pg-remsite-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group pg-remsite-esp proposal 1 hash 'sha256'
set vpn ipsec ike-group pg-remsite-ike close-action 'none'
set vpn ipsec ike-group pg-remsite-ike ikev2-reauth 'no'
set vpn ipsec ike-group pg-remsite-ike key-exchange 'ikev1'
set vpn ipsec ike-group pg-remsite-ike lifetime '86400'
set vpn ipsec ike-group pg-remsite-ike mode 'main'
set vpn ipsec ike-group pg-remsite-ike proposal 1 dh-group '20'
set vpn ipsec ike-group pg-remsite-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group pg-remsite-ike proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth4'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer XX.XX.XX.XX authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer XX.XX.XX.XX authentication pre-shared-secret 'greatbigsecretgoeshere'
set vpn ipsec site-to-site peer XX.XX.XX.XX connection-type 'initiate'
set vpn ipsec site-to-site peer XX.XX.XX.XX default-esp-group 'pg-remsite-esp'
set vpn ipsec site-to-site peer XX.XX.XX.XX description 'Tunnel to remote end'
set vpn ipsec site-to-site peer XX.XX.XX.XX ike-group 'pg-remsite-ike'
set vpn ipsec site-to-site peer XX.XX.XX.XX ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer XX.XX.XX.XX local-address 'YY.YY.YY.YY'
set vpn ipsec site-to-site peer XX.XX.XX.XX vti bind 'vti0'
set vpn ipsec site-to-site peer XX.XX.XX.XX vti esp-group 'pg-remsite-esp'

There is the bug report T5715 IPSec VPN: restart vpn is not working

Hi, I have 1.3.4 with set vpn ipsec ipsec-interfaces interface 'eth0', but restart vpn fails…

set vpn ipsec ike-group IKEv2_DMVPN proposal 3 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'

user@.hub01:~$ show vpn ipsec status
IPSec Process Running PID: 3090

8 Active IPsec Tunnels

IPsec Interfaces :
eth0 (no IP on interface statically configured as local-ip for any VPN peer)
user@.hub01:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal


dmvpn up 24m25s 2K/2K 26/30 xxx.xxx.xxx.xxx N/A CHACHA20_POLY1305/ECP_521
user@.hub01:$ restart vpn
IPsec VPN not configured
user@.hub01:$

@jvilafe Did you read the thread you posted in? The post above yours mentions there is a bug open for this problem. The team is aware of it :)

yes!! I know!!

but the reported bug says that the issue happens only when the config doesn’t have the line for ipsec-interface…

My config has this line but fails, so I want to add this information to the case to help the troubleshooting process to solve it.

regards

Please accept my apologies, I misunderstood your report. Thank you for sharing the additional information.
