Hi there,
We have used VyOS since Vyatta 5.2 as a remote access/VPN server on a few internet channels to allow remote access to the office network. About a year ago we switched to IKEv2 remote access in favor of speed and stability, with more or less stable results.
One VyOS build on 2025.04.28-0020-rolling is working well despite many issues fixed recently.
Another VyOS on another channel, upgraded more or less regularly, doesn't work since 2025.04.28-0020-rolling and generates the same client (Windows 11) error 13801, which is common when establishing an IKEv2 VPN connection. Typically, the issue is related to a configuration error or a problem with certificate deployment.
Release by release I've tested the same configuration and nothing helped me to use this VPN channel.
Recently I've found another bunch of fixes related to IKEv2 and upgraded the image to VyOS 2025.10.09-0018-rolling. The result was the same: error 13801 on the client side.
I have started to check and compare every row of configuration and error logs between the two VyOSes. Everything looks similar and healthy, but the working configuration contains the ca_root/server_cert pair despite the certbot configuration being used.
Honestly, I do not fully understand how the initial PKI infrastructure corresponds to the IKEv2 configuration, but…
After PKI was initiated, everything started to work.
As you can see below, the PKI ca_root/server_cert pair isn't mentioned in the configuration.
show vpn ipsec | commands | strip-private
set esp-group ESP-RW lifetime '3600'
set esp-group ESP-RW pfs 'disable'
set esp-group ESP-RW proposal 10 encryption 'aes128gcm64'
set esp-group ESP-RW proposal 10 hash 'sha256'
set esp-group ESP-RW proposal 20 encryption 'aes256gcm64'
set esp-group ESP-RW proposal 20 hash 'sha256'
set esp-group ESP-RW proposal 30 encryption 'aes256gcm128'
set esp-group ESP-RW proposal 30 hash 'sha256'
set esp-group ESP-RW proposal 40 encryption 'aes256'
set esp-group ESP-RW proposal 40 hash 'sha256'
set ike-group IKE-RW close-action 'none'
set ike-group IKE-RW dead-peer-detection action 'restart'
set ike-group IKE-RW dead-peer-detection interval '30'
set ike-group IKE-RW dead-peer-detection timeout '60'
set ike-group IKE-RW key-exchange 'ikev2'
set ike-group IKE-RW lifetime '7200'
set ike-group IKE-RW proposal 10 dh-group '14'
set ike-group IKE-RW proposal 10 encryption 'aes128gcm128'
set ike-group IKE-RW proposal 10 hash 'sha256'
set ike-group IKE-RW proposal 20 dh-group '14'
set ike-group IKE-RW proposal 20 encryption 'aes256'
set ike-group IKE-RW proposal 20 hash 'sha256'
set ike-group IKE-RW proposal 30 dh-group '22'
set ike-group IKE-RW proposal 30 encryption 'aes256'
set ike-group IKE-RW proposal 30 hash 'sha256'
set interface 'eth1'
set log level '1'
set log subsystem 'any'
set remote-access connection rw authentication client-mode 'eap-radius'
set remote-access connection rw authentication local-id 'repka.xxx.yy'
set remote-access connection rw authentication pre-shared-secret xxxxxx
set remote-access connection rw authentication server-mode 'x509'
set remote-access connection rw authentication x509 ca-certificate 'AUTOCHAIN_repka'
set remote-access connection rw authentication x509 certificate 'repka'
set remote-access connection rw esp-group 'ESP-RW'
set remote-access connection rw ike-group 'IKE-RW'
set remote-access connection rw local-address 'xxx.xxx.59.46'
set remote-access connection rw pool 'dhcp'
set remote-access dhcp interface 'eth0'
set remote-access dhcp server 'xxx.xxx.0.7'
set remote-access radius server xxxxx.tld key xxxxxx
show pki | commands | strip-private
set ca AUTOCHAIN_repka certificate 'MII…'
set ca ca_root certificate 'MII…='
set ca ca_root private key xxxxxx
set certificate repka acme domain-name xxxxxx
set certificate repka acme email 'xxxx@gmail.com'
set certificate repka acme listen-address 'xxx.xxx.59.46'
set certificate repka acme rsa-key-size '2048'
set certificate repka acme url xxxxxx
set certificate server_cert certificate 'MIID…=='
set certificate server_cert private key xxxxxx
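As an added example (not from the original post or from VyOS itself), a small Python check that cross-references the two `... | commands | strip-private` outputs above: for every x509 reference in a remote-access connection it confirms a matching `pki ca` / `pki certificate` object exists, and flags certificates that are ACME-managed and carry no inline certificate/private key in the configuration. The sample input is constructed from the post's redacted output.

```python
# Constructed sample, copied from the post's redacted 'show ... | commands | strip-private' output.
VPN_CMDS = """\
set remote-access connection rw authentication server-mode 'x509'
set remote-access connection rw authentication x509 ca-certificate 'AUTOCHAIN_repka'
set remote-access connection rw authentication x509 certificate 'repka'
"""
PKI_CMDS = """\
set ca AUTOCHAIN_repka certificate 'MII...'
set ca ca_root certificate 'MII...='
set ca ca_root private key xxxxxx
set certificate repka acme domain-name xxxxxx
set certificate server_cert certificate 'MIID...=='
set certificate server_cert private key xxxxxx
"""

def parse_set_lines(text):
    """Tokenise each 'set ...' line, dropping 'set' and any straight or curly quotes."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:1] == ["set"]:
            rows.append([p.strip("'\"\u2018\u2019") for p in parts[1:]])
    return rows

def pki_inventory(pki_text):
    """Map each 'ca' / 'certificate' object name to the attribute keywords set on it."""
    inv = {"ca": {}, "certificate": {}}
    for toks in parse_set_lines(pki_text):
        if len(toks) >= 3 and toks[0] in inv:
            inv[toks[0]].setdefault(toks[1], set()).add(toks[2])
    return inv

def check_remote_access_x509(vpn_text, pki_text):
    """Report x509 references in remote-access connections that lack a usable PKI object."""
    inv = pki_inventory(pki_text)
    findings = []
    for t in parse_set_lines(vpn_text):
        # remote-access connection <name> authentication x509 <ca-certificate|certificate> <ref>
        if len(t) >= 7 and t[:2] == ["remote-access", "connection"] and t[3:5] == ["authentication", "x509"]:
            conn, kind, ref = t[2], t[5], t[6]
            if kind == "ca-certificate" and ref not in inv["ca"]:
                findings.append(f"{conn}: ca-certificate '{ref}' has no 'pki ca {ref}' object")
            elif kind == "certificate":
                attrs = inv["certificate"].get(ref)
                if attrs is None:
                    findings.append(f"{conn}: certificate '{ref}' has no 'pki certificate {ref}' object")
                elif "acme" in attrs and "private" not in attrs:
                    findings.append(f"{conn}: certificate '{ref}' is ACME-managed, no inline cert/key in config")
    return findings
```

Run it against the real outputs of both routers and diff the findings; it only reads configuration text, so it can be run on a copy taken from `show ... | commands`.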