Ipsec disconnect every 60 seconds

Hello everyone.
I am currently trying out VyOS.
However, I have a strange problem.

There is an IPsec tunnel between the VyOS router and a Fortigate.
However, this is completely rebuilt after 60 seconds for no apparent reason.

There is no error in the logs on either side.

VPNs from other firewall manufacturers also work with the VyOS router and the Fortigate.
These work perfectly.

  • The IKE and ESP lifetimes are the same on both sides.
  • DPD is also the same on both sides. (I have also deactivated DPD completely as a test.)
  • The IPsec proposals are also the same.

It can’t be the network either, as I am also running the other VPNs and I have also tested a different VM in a different data center.
The error remains the same.

Has anyone ever had this error or can tell me what the problem could be?

Thanks in advance.

As logs don’t reveal a thing, did you enable debugging on fortigate and swanctl on VyOS to get extra info?

Yes, I have also analyzed debug information.
But without any real results.

Here are the logs from the Fortigate and the VyOS.

-------------Logs Fortigate-------------

2024-08-11 12:33:15.723505 ike 0:IPsec-VPN01:572: initiator received SA_INIT response
2024-08-11 12:33:15.723529 ike 0:IPsec-VPN01:572: processing notify type NAT_DETECTION_SOURCE_IP
2024-08-11 12:33:15.723616 ike 0:IPsec-VPN01:572: processing NAT-D payload
2024-08-11 12:33:15.723650 ike 0:IPsec-VPN01:572: NAT not detected
2024-08-11 12:33:15.723672 ike 0:IPsec-VPN01:572: process NAT-D
2024-08-11 12:33:15.723693 ike 0:IPsec-VPN01:572: processing notify type NAT_DETECTION_DESTINATION_IP
2024-08-11 12:33:15.723746 ike 0:IPsec-VPN01:572: processing NAT-D payload
2024-08-11 12:33:15.723787 ike 0:IPsec-VPN01:572: NAT detected: ME
2024-08-11 12:33:15.723807 ike 0:IPsec-VPN01:572: process NAT-D
2024-08-11 12:33:15.723825 ike 0:IPsec-VPN01:572: processing notify type FRAGMENTATION_SUPPORTED
2024-08-11 12:33:15.723876 ike 0:IPsec-VPN01:572: processing notify type CHILDLESS_IKEV2_SUPPORTED
2024-08-11 12:33:15.723928 ike 0:IPsec-VPN01:572: processing notify type 16404
2024-08-11 12:33:15.723987 ike 0:IPsec-VPN01:572: incoming proposal:
2024-08-11 12:33:15.724008 ike 0:IPsec-VPN01:572: proposal id = 1:
2024-08-11 12:33:15.724026 ike 0:IPsec-VPN01:572: protocol = IKEv2:
2024-08-11 12:33:15.724045 ike 0:IPsec-VPN01:572: encapsulation = IKEv2/none
2024-08-11 12:33:15.724063 ike 0:IPsec-VPN01:572: type=ENCR, val=AES_CBC (key_len = 256)
2024-08-11 12:33:15.724082 ike 0:IPsec-VPN01:572: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
2024-08-11 12:33:15.724100 ike 0:IPsec-VPN01:572: type=PRF, val=PRF_HMAC_SHA2_512
2024-08-11 12:33:15.724119 ike 0:IPsec-VPN01:572: type=DH_GROUP, val=ECP521.
2024-08-11 12:33:15.724145 ike 0:IPsec-VPN01:572: matched proposal id 1
2024-08-11 12:33:15.724164 ike 0:IPsec-VPN01:572: proposal id = 1:
2024-08-11 12:33:15.724181 ike 0:IPsec-VPN01:572: protocol = IKEv2:
2024-08-11 12:33:15.724198 ike 0:IPsec-VPN01:572: encapsulation = IKEv2/none
2024-08-11 12:33:15.724216 ike 0:IPsec-VPN01:572: type=ENCR, val=AES_CBC (key_len = 256)
2024-08-11 12:33:15.724234 ike 0:IPsec-VPN01:572: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
2024-08-11 12:33:15.724252 ike 0:IPsec-VPN01:572: type=PRF, val=PRF_HMAC_SHA2_512
2024-08-11 12:33:15.724270 ike 0:IPsec-VPN01:572: type=DH_GROUP, val=ECP521.
2024-08-11 12:33:15.724288 ike 0:IPsec-VPN01:572: lifetime=28800
2024-08-11 12:33:15.743421 ike 0:IPsec-VPN01:572: IKE SA 241b2045416ec9c6/254d37d022d7965e SK_ei 32:9485B32CCC28E412706B6EC1705509A259AC27257B9BEB61E15A75E2E286CB52
2024-08-11 12:33:15.743494 ike 0:IPsec-VPN01:572: IKE SA 241b2045416ec9c6/254d37d022d7965e SK_er 32:039631709F8C664EC05964B1D9CFA2184BE87646EAB71DB2A5D72708D2AA41DF
2024-08-11 12:33:15.743534 ike 0:IPsec-VPN01:572: IKE SA 241b2045416ec9c6/254d37d022d7965e SK_ai 64:13D8DA456F16EF1D997BA70101E97B8946205E3767F2C07761E083AF0EFE798670EE1D4D8E60EABDE7411547218D4B13FC222E99A6BB22C5C593589E05CBFACF
2024-08-11 12:33:15.743572 ike 0:IPsec-VPN01:572: IKE SA 241b2045416ec9c6/254d37d022d7965e SK_ar 64:4A29B618B5EF1316BA61EA5C49344D604B67A5BAE8490A58112DA0AC4135032277EB3175440E6E878A29D7EB220B031226335B7FA054F8ADB3BC1BFEDF64258E
2024-08-11 12:33:15.743671 ike 0:IPsec-VPN01:572: initiator preparing AUTH msg
2024-08-11 12:33:15.743776 ike 0:IPsec-VPN01:572: sending INITIAL-CONTACT
2024-08-11 12:33:15.743845 ike 0:IPsec-VPN01:572: enc 290000280200000065347967716C51726C5961764741374F314A75423835553761436349327A79702700000800004000290000480200000016C1A0006D19E854AF29C037CB210A189DF4337435AD1BD7CB9A6E08AC1BFF59B25678936D19501D5F068982436A95BD1C475553DA5B3BFDA31559D978A8134E21000008000040242C00002C00000028010304032EF9CC8B0300000C0100000C800E0100030000080300000E00000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF03020103
2024-08-11 12:33:15.743956 ike 0:IPsec-VPN01:572: detected NAT
2024-08-11 12:33:15.743985 ike 0:IPsec-VPN01:572: NAT-T float port 4500
2024-08-11 12:33:15.744020 ike 0:IPsec-VPN01:572: out
2024-08-11 12:33:15.744124 ike 0:IPsec-VPN01:572: sent IKE msg (AUTH): :4500->:4500, len=304, vrf=0, id=241b2045416ec9c6/254d37d022d7965e:00000001
2024-08-11 12:33:16.440699 ike 0: comes :4500->:4500,ifindex=60,vrf=0…
2024-08-11 12:33:16.440765 ike 0: IKEv2 exchange=AUTH_RESPONSE id=241b2045416ec9c6/254d37d022d7965e:00000001 len=288
2024-08-11 12:33:16.440789 ike 0: in
2024-08-11 12:33:16.440937 ike 0:IPsec-VPN01:572: dec 241B2045416EC9C6254D37D022D7965E2E20232000000001000000EC24000004270000280200000065347967716C51726C5961764741374F314A75423835553761436349327A79702100004802000000B2A8B6D5093FA5619F364ACC6389CCD4CA8F911B987354A3572C23458E70750EE0BE07163924CD25769489FB2E242626E03814F3A910D81860C379ADAB4F77202C00002C0000002801030403CA8E44D90300000C0100000C800E0100030000080300000E00000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF
2024-08-11 12:33:16.440984 ike 0:IPsec-VPN01:572: initiator received AUTH msg
2024-08-11 12:33:16.441006 ike 0:IPsec-VPN01:572: received peer identifier FQDN ‘e4ygqlQrlYavGA7O1JuB85U7aCcI2zyp’
2024-08-11 12:33:16.441093 ike 0:IPsec-VPN01:572: auth verify done
2024-08-11 12:33:16.441113 ike 0:IPsec-VPN01:572: initiator AUTH continuation
2024-08-11 12:33:16.441132 ike 0:IPsec-VPN01:572: authentication succeeded
2024-08-11 12:33:16.441161 ike 0:IPsec-VPN01:572: established IKE SA 241b2045416ec9c6/254d37d022d7965e
2024-08-11 12:33:16.441264 ike 0:IPsec-VPN01:572: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
2024-08-11 12:33:16.441451 ike 0:IPsec-VPN01: set oper up
2024-08-11 12:33:16.441480 ike 0:IPsec-VPN01: schedule auto-negotiate
2024-08-11 12:33:16.441896 ike 0:IPsec-VPN01:572:1949: peer proposal:
2024-08-11 12:33:16.441932 ike 0:IPsec-VPN01:572:1949: TSr_0 0:0.0.0.0-255.255.255.255:0
2024-08-11 12:33:16.441962 ike 0:IPsec-VPN01:572:1949: TSi_0 0:0.0.0.0-255.255.255.255:0
2024-08-11 12:33:16.441990 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: comparing selectors
2024-08-11 12:33:16.442020 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: matched by rfc-rule-2
2024-08-11 12:33:16.442045 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: phase2 matched by subset
2024-08-11 12:33:16.442072 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: accepted proposal:
2024-08-11 12:33:16.442100 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: TSr_0 0:0.0.0.0-255.255.255.255:0
2024-08-11 12:33:16.442129 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: TSi_0 0:0.0.0.0-255.255.255.255:0
2024-08-11 12:33:16.442156 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: autokey
2024-08-11 12:33:16.442183 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: incoming child SA proposal:
2024-08-11 12:33:16.442209 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: proposal id = 1:
2024-08-11 12:33:16.442233 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: protocol = ESP:
2024-08-11 12:33:16.442256 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: encapsulation = TUNNEL
2024-08-11 12:33:16.442282 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: type=ENCR, val=AES_CBC (key_len = 256)
2024-08-11 12:33:16.442307 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: type=INTEGR, val=SHA512
2024-08-11 12:33:16.442331 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: type=ESN, val=NO
2024-08-11 12:33:16.442355 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: PFS is disabled
2024-08-11 12:33:16.442383 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: matched proposal id 1
2024-08-11 12:33:16.442408 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: proposal id = 1:
2024-08-11 12:33:16.442431 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: protocol = ESP:
2024-08-11 12:33:16.442455 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: encapsulation = TUNNEL
2024-08-11 12:33:16.442479 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: type=ENCR, val=AES_CBC (key_len = 256)
2024-08-11 12:33:16.442504 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: type=INTEGR, val=SHA512
2024-08-11 12:33:16.444103 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: type=ESN, val=NO
2024-08-11 12:33:16.444255 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: PFS is disabled
2024-08-11 12:33:16.444387 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: lifetime=28800
2024-08-11 12:33:16.444609 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: replay protection enabled
2024-08-11 12:33:16.444863 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: set sa life soft seconds=28501.
2024-08-11 12:33:16.445112 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: set sa life hard seconds=28800.
2024-08-11 12:33:16.445605 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: IPsec SA selectors #src=1 #dst=1
2024-08-11 12:33:16.445757 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: src 0 7 0:0.0.0.0-255.255.255.255:0
2024-08-11 12:33:16.445896 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: dst 0 7 0:0.0.0.0-255.255.255.255:0
2024-08-11 12:33:16.446029 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: add IPsec SA: SPIs=2ef9cc8b/ca8e44d9
2024-08-11 12:33:16.446170 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: IPsec SA dec spi 2ef9cc8b key 32:A445C9EDD71EE53B905924ADA18D3BE36BCE1F81BB16F0847BE2BB9F5DCF2F0F auth 64:25B6DD5349A1B23D045C8A0222EC4A9028E8119B1E1F45EABA4BD3BB10E4CEDCCF0D556CD1E137A9B49887ED3C5918740FF785E4059C8C539DF66E1D66A95C8A
2024-08-11 12:33:16.446418 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: IPsec SA enc spi ca8e44d9 key 32:AC7736E424FE95111F3D02671E72EFE780CB75E9AAD5C8C29E90CB71DD867044 auth 64:D44C56443388B170DB9D5746922329305063D5F988BDFA0CE78712EB4488B616F9021575CFE86D2439178A2FA8A14BF5B460C10F35DA670344DFC76981E7175B
2024-08-11 12:33:16.447042 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: added IPsec SA: SPIs=2ef9cc8b/ca8e44d9
2024-08-11 12:33:16.447366 ike 0:IPsec-VPN01:572:IPsec-VPN01:1949: sending SNMP tunnel UP trap
2024-08-11 12:33:20.141521 ike shrank heap by 155648 bytes
2024-08-11 12:33:29.691569 ike 0:IPsec-VPN01: deleting
2024-08-11 12:33:29.691787 ike 0:IPsec-VPN01: flushing
2024-08-11 12:33:29.691988 ike 0:IPsec-VPN01: deleting IPsec SA with SPI ca8e44d9
2024-08-11 12:33:29.692117 ike 0:IPsec-VPN01:IPsec-VPN01: deleted IPsec SA with SPI ca8e44d9, SA count: 0
2024-08-11 12:33:29.692144 ike 0:IPsec-VPN01: sending SNMP tunnel DOWN trap for IPsec-VPN01
2024-08-11 12:33:29.692370 ike 0:IPsec-VPN01: flushed
2024-08-11 12:33:29.692513 ike 0:IPsec-VPN01:572:1950: send informational
2024-08-11 12:33:29.692566 ike 0:IPsec-VPN01:572: enc 00000008010000000706050403020107
2024-08-11 12:33:29.692695 ike 0:IPsec-VPN01:572: out 241B2045416EC9C6254D37D022D7965E2E20250800000002000000602A0000441AE4619C36255EC718B797667C1586D19D5E34C8729607AA29CACA812A0B09C648B68FDED28A206270D659F25FAF763E6B81958A9A34DE0A8E1D60F3511E1D0C
2024-08-11 12:33:29.692784 ike 0:IPsec-VPN01:572: sent IKE msg (INFORMATIONAL): :4500->:4500, len=96, vrf=0, id=241b2045416ec9c6/254d37d022d7965e:00000002
2024-08-11 12:33:29.692911 ike 0:IPsec-VPN01: reset NAT-T
2024-08-11 12:33:29.693001 ike 0:IPsec-VPN01: deleted
2024-08-11 12:33:29.693026 ike 0:IPsec-VPN01: schedule auto-negotiate
2024-08-11 12:33:29.693295 ike 0: unknown SPI 2ef9cc8b 60 :4500->
2024-08-11 12:33:29.693326 ike 0:: send HA sync query conn scope=3 mode=4
2024-08-11 12:33:29.701491 ike 0:IPsec-VPN01:IPsec-VPN01: IPsec SA connect 60 → :0
2024-08-11 12:33:29.701559 ike 0:IPsec-VPN01:IPsec-VPN01: config found
2024-08-11 12:33:29.701633 ike 0:IPsec-VPN01: created connection: 0x8dcce70 60 → :500.
2024-08-11 12:33:29.701671 ike 0:IPsec-VPN01: IPsec SA connect 60 → :500 negotiating
2024-08-11 12:33:29.701727 ike 0:IPsec-VPN01: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
2024-08-11 12:33:29.701802 ike 0:IPsec-VPN01:573: create NAT-D hash local /500 remote /500
2024-08-11 12:33:29.701853 ike 0:IPsec-VPN01:573: out
2024-08-11 12:33:29.701970 ike 0:IPsec-VPN01:573: sent IKE msg (SA_INIT): :500->:500, len=316, vrf=0, id=b60ee57984cd53c0/0000000000000000
2024-08-11 12:33:30.107167 ike 0: comes :4500->:4500,ifindex=60,vrf=0…
2024-08-11 12:33:30.107245 ike 0: IKEv2 exchange=INFORMATIONAL_RESPONSE id=241b2045416ec9c6/254d37d022d7965e:00000002 len=96
2024-08-11 12:33:30.107273 ike 0: in 241B2045416EC9C6254D37D022D7965E2E20252000000002000000600000004408B7E9005BD9133E74677ED0AC9987CBB4F9A2F8BC09081F5F0893ADEDBAD9644F235828E68AEB4768B209F6AABA01D3B62AE403ACF438E3F8A334DA81AED185
2024-08-11 12:33:30.122321 ike 0: comes :500->:500,ifindex=60,vrf=0…
2024-08-11 12:33:30.122380 ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=b60ee57984cd53c0/962ae942c8bc83ee len=332
2024-08-11 12:33:30.122409 ike 0: in B60EE57984CD53C0962AE942C8BC83EE21202220000000000000014C220000300000002C010100040300000C0100000C800E0100030000080300000E030000080200000700000008040000152800008C001500000011167E022A8928520A37ECB55C5D61D40F165DD40CEC2E7D60DDFDAC57AB3DBA316D2C302BCE5FEFDB2818B8941091D342A42D7BC17CC5EADC380EE2F43F622B5C017B1C2C87D81F7419FFFDAEA9D1DA3E6880649861454FA42E92AEA5FA9DE84B05155E10274F2A04D3FF575A5FFD69F9FE93CC8CC3B6E6E0C078E7CF9A8D359B260929000024A53255F4B65152C4A8D561D0253A15D3166536CFCD7AAA0F8F24EE2844A426302900001C0000400484218EB0F66D95AADA99C7771511CE5F1301EBE82900001C00004005E00813A4AC8ECDDBA5685DC2524A4EE5A07EE0E0290000080000402E29000008000040220000000800004014
2024-08-11 12:33:30.122471 ike 0:IPsec-VPN01:573: initiator received SA_INIT response
2024-08-11 12:33:30.122494 ike 0:IPsec-VPN01:573: processing notify type NAT_DETECTION_SOURCE_IP
2024-08-11 12:33:30.122578 ike 0:IPsec-VPN01:573: processing NAT-D payload
2024-08-11 12:33:30.122606 ike 0:IPsec-VPN01:573: NAT not detected
2024-08-11 12:33:30.122627 ike 0:IPsec-VPN01:573: process NAT-D
2024-08-11 12:33:30.122645 ike 0:IPsec-VPN01:573: processing notify type NAT_DETECTION_DESTINATION_IP
2024-08-11 12:33:30.122694 ike 0:IPsec-VPN01:573: processing NAT-D payload
2024-08-11 12:33:30.122716 ike 0:IPsec-VPN01:573: NAT detected: ME
2024-08-11 12:33:30.122735 ike 0:IPsec-VPN01:573: process NAT-D
2024-08-11 12:33:30.122753 ike 0:IPsec-VPN01:573: processing notify type FRAGMENTATION_SUPPORTED
2024-08-11 12:33:30.122802 ike 0:IPsec-VPN01:573: processing notify type CHILDLESS_IKEV2_SUPPORTED
2024-08-11 12:33:30.122853 ike 0:IPsec-VPN01:573: processing notify type 16404
2024-08-11 12:33:30.122908 ike 0:IPsec-VPN01:573: incoming proposal:
2024-08-11 12:33:30.122928 ike 0:IPsec-VPN01:573: proposal id = 1:
2024-08-11 12:33:30.122946 ike 0:IPsec-VPN01:573: protocol = IKEv2:
2024-08-11 12:33:30.122964 ike 0:IPsec-VPN01:573: encapsulation = IKEv2/none
2024-08-11 12:33:30.122982 ike 0:IPsec-VPN01:573: type=ENCR, val=AES_CBC (key_len = 256)
2024-08-11 12:33:30.123001 ike 0:IPsec-VPN01:573: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
2024-08-11 12:33:30.123018 ike 0:IPsec-VPN01:573: type=PRF, val=PRF_HMAC_SHA2_512
2024-08-11 12:33:30.123036 ike 0:IPsec-VPN01:573: type=DH_GROUP, val=ECP521.
2024-08-11 12:33:30.123062 ike 0:IPsec-VPN01:573: matched proposal id 1
2024-08-11 12:33:30.123080 ike 0:IPsec-VPN01:573: proposal id = 1:
2024-08-11 12:33:30.123097 ike 0:IPsec-VPN01:573: protocol = IKEv2:
2024-08-11 12:33:30.123115 ike 0:IPsec-VPN01:573: encapsulation = IKEv2/none
2024-08-11 12:33:30.123133 ike 0:IPsec-VPN01:573: type=ENCR, val=AES_CBC (key_len = 256)
2024-08-11 12:33:30.123150 ike 0:IPsec-VPN01:573: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
2024-08-11 12:33:30.123167 ike 0:IPsec-VPN01:573: type=PRF, val=PRF_HMAC_SHA2_512
2024-08-11 12:33:30.123184 ike 0:IPsec-VPN01:573: type=DH_GROUP, val=ECP521.
2024-08-11 12:33:30.123201 ike 0:IPsec-VPN01:573: lifetime=28800
2024-08-11 12:33:30.142935 ike 0:IPsec-VPN01:573: IKE SA b60ee57984cd53c0/962ae942c8bc83ee SK_ei 32:18EBCD4929B0D8F617BE61804F17E53DAE8AFE746D68F6E958773E4BB98E1B4C
2024-08-11 12:33:30.143005 ike 0:IPsec-VPN01:573: IKE SA b60ee57984cd53c0/962ae942c8bc83ee SK_er 32:D117D5E06C4EB2B2BA1C86BB1D2830BCB33B79E22412DCAFB1228D24139445B0
2024-08-11 12:33:30.143043 ike 0:IPsec-VPN01:573: IKE SA b60ee57984cd53c0/962ae942c8bc83ee SK_ai 64:EC71D54E5AC77272E4995BE5759B9436FC5E831AB846E43F65239819A16B313723D3219359092AC53664BFD953D7B1B1E65F583162BB9998D67F0A3A4704C4D6
2024-08-11 12:33:30.143080 ike 0:IPsec-VPN01:573: IKE SA b60ee57984cd53c0/962ae942c8bc83ee SK_ar 64:146CB8AA22AC8BD6FC3DA56B7E7E48D72CEDF865FD65B2C14E20F72DB0E89376FD01E444CCA12FA9B40EEA7DC72473342F493E4D4DF263163D6BCE31E9B445F3
2024-08-11 12:33:30.143298 ike 0:IPsec-VPN01:573: initiator preparing AUTH msg
2024-08-11 12:33:30.143397 ike 0:IPsec-VPN01:573: sending INITIAL-CONTACT
2024-08-11 12:33:30.143459 ike 0:IPsec-VPN01:573: enc 290000280200000065347967716C51726C5961764741374F314A75423835553761436349327A797027000008000040002900004802000000890929B238B3AE1D8E68D7CEDCA1403D3D58DA523A54F0C7A27A50D988915C8EB616E971EF989A31F34D08016ED6BA6AF6E5F252AE0AB7CAB7332762BE824D4521000008000040242C00002C00000028010304032EF9CC8C0300000C0100000C800E0100030000080300000E00000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF03020103
2024-08-11 12:33:30.143561 ike 0:IPsec-VPN01:573: detected NAT
2024-08-11 12:33:30.143590 ike 0:IPsec-VPN01:573: NAT-T float port 4500
2024-08-11 12:33:30.143623 ike 0:IPsec-VPN01:573: out
2024-08-11 12:33:30.143731 ike 0:IPsec-VPN01:573: sent IKE msg (AUTH): :4500->:4500, len=304, vrf=0, id=b60ee57984cd53c0/962ae942c8bc83ee:00000001
2024-08-11 12:33:30.146633 ike shrank heap by 159744 bytes
2024-08-11 12:33:30.721668 ike 0:IPsec-VPN01:IPsec-VPN01: IPsec SA connect 60 → :0
2024-08-11 12:33:30.721727 ike 0:IPsec-VPN01:IPsec-VPN01: using existing connection
2024-08-11 12:33:30.721751 ike 0:IPsec-VPN01:IPsec-VPN01: traffic triggered, serial=1 1:172.16.0.1:2048->1:8.8.8.8:0
2024-08-11 12:33:30.721772 ike 0:IPsec-VPN01:IPsec-VPN01: config found
2024-08-11 12:33:30.721790 ike 0:IPsec-VPN01: request is on the queue
2024-08-11 12:33:30.918205 ike 0: comes :4500->:4500,ifindex=60,vrf=0…
2024-08-11 12:33:30.918276 ike 0: IKEv2 exchange=AUTH_RESPONSE id=b60ee57984cd53c0/962ae942c8bc83ee:00000001 len=288
2024-08-11 12:33:30.918301 ike 0: in B60EE57984CD53C0962AE942C8BC83EE2E2023200000000100000120240001045AA7205B8B4EDDC434AAC1772C70C9F21E982E255391981C4299792ABF42A6AC8B2E3395B069E678E7CC4A7D9E903FCA44E7362B5C4AB540C8F7C5B0F00161B1A96BC228A7E8C4133C99D710035214819C0A9B16EEA562C41A563266D440EC5CD36BF9BF780E86E5D8675542282CD4C04394D04AAE73A152FA904677F4227383410626FF6911DF1D48C7D37B7626B0210D0BBC47058A462EEA0D337E4B19CEF82A92856ECC3671394633B12641ED0E16684F1C436DC61B1E3B9498542F40D750AEE0B5A694EF3A9C471166FBED49716E1780BED4D5ADBDB3C1C27C3D4CF2AAFBC19798B47AC504C6B10580D2D3442F55994D73D34FF45CD2BE664C808D19FCF0
2024-08-11 12:33:30.918433 ike 0:IPsec-VPN01:573: dec B60EE57984CD53C0962AE942C8BC83EE2E20232000000001000000EC24000004270000280200000065347967716C51726C5961764741374F314A75423835553761436349327A797021000048020000002D909FAE8F9EE0ABE4423C75C1F4DF1078E40DE8B2620E998CDCBE8204BEB41DD5C0A2E2DBA82562FDB7C50D43926509F416DE7BCC880D1379F78823E9A5E7062C00002C0000002801030403C01E7D6A0300000C0100000C800E0100030000080300000E00000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF
2024-08-11 12:33:30.918482 ike 0:IPsec-VPN01:573: initiator received AUTH msg
2024-08-11 12:33:30.918505 ike 0:IPsec-VPN01:573: received peer identifier FQDN ‘e4ygqlQrlYavGA7O1JuB85U7aCcI2zyp’
2024-08-11 12:33:30.918595 ike 0:IPsec-VPN01:573: auth verify done
2024-08-11 12:33:30.918617 ike 0:IPsec-VPN01:573: initiator AUTH continuation
2024-08-11 12:33:30.918635 ike 0:IPsec-VPN01:573: authentication succeeded
2024-08-11 12:33:30.918664 ike 0:IPsec-VPN01:573: established IKE SA b60ee57984cd53c0/962ae942c8bc83ee
2024-08-11 12:33:30.918780 ike 0:IPsec-VPN01:573: check peer route: if_addr4_rcvd=0, if_addr6_rcvd=0, mode_cfg=0
2024-08-11 12:33:30.918947 ike 0:IPsec-VPN01: set oper up
2024-08-11 12:33:30.918968 ike 0:IPsec-VPN01: schedule auto-negotiate
2024-08-11 12:33:30.919170 ike 0:IPsec-VPN01:573:1951: peer proposal:
2024-08-11 12:33:30.919197 ike 0:IPsec-VPN01:573:1951: TSr_0 0:0.0.0.0-255.255.255.255:0
2024-08-11 12:33:30.919223 ike 0:IPsec-VPN01:573:1951: TSi_0 0:0.0.0.0-255.255.255.255:0
2024-08-11 12:33:30.919243 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: comparing selectors
2024-08-11 12:33:30.919266 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: matched by rfc-rule-2
2024-08-11 12:33:30.919285 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: phase2 matched by subset
2024-08-11 12:33:30.919306 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: accepted proposal:
2024-08-11 12:33:30.919327 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: TSr_0 0:0.0.0.0-255.255.255.255:0
2024-08-11 12:33:30.919349 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: TSi_0 0:0.0.0.0-255.255.255.255:0
2024-08-11 12:33:30.919369 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: autokey
2024-08-11 12:33:30.919391 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: incoming child SA proposal:
2024-08-11 12:33:30.919411 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: proposal id = 1:
2024-08-11 12:33:30.919430 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: protocol = ESP:
2024-08-11 12:33:30.919448 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: encapsulation = TUNNEL
2024-08-11 12:33:30.919468 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: type=ENCR, val=AES_CBC (key_len = 256)
2024-08-11 12:33:30.919488 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: type=INTEGR, val=SHA512
2024-08-11 12:33:30.919506 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: type=ESN, val=NO
2024-08-11 12:33:30.919539 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: PFS is disabled
2024-08-11 12:33:30.919580 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: matched proposal id 1
2024-08-11 12:33:30.919600 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: proposal id = 1:
2024-08-11 12:33:30.919618 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: protocol = ESP:
2024-08-11 12:33:30.919636 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: encapsulation = TUNNEL
2024-08-11 12:33:30.919655 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: type=ENCR, val=AES_CBC (key_len = 256)
2024-08-11 12:33:30.919674 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: type=INTEGR, val=SHA512
2024-08-11 12:33:30.919693 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: type=ESN, val=NO
2024-08-11 12:33:30.919712 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: PFS is disabled
2024-08-11 12:33:30.919729 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: lifetime=28800
2024-08-11 12:33:30.919809 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: replay protection enabled
2024-08-11 12:33:30.919834 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: set sa life soft seconds=28500.
2024-08-11 12:33:30.919854 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: set sa life hard seconds=28800.
2024-08-11 12:33:30.919911 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: IPsec SA selectors #src=1 #dst=1
2024-08-11 12:33:30.919954 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: src 0 7 0:0.0.0.0-255.255.255.255:0
2024-08-11 12:33:30.919979 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: dst 0 7 0:0.0.0.0-255.255.255.255:0
2024-08-11 12:33:30.919999 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: add IPsec SA: SPIs=2ef9cc8c/c01e7d6a
2024-08-11 12:33:30.920020 ike 0:IPsec-VPN01:573:IPsec-VPN01:1951: IPsec SA dec spi 2ef9cc8c key 32:20F725F30604DDD5F6E84F40AB6BB6B9B990976C254E8EF021CF07829F8D3BED auth 64:BAAA1CD4FA06730C6EE685997DEB1AB516592528DF19DE9E5EE392769D4AA9C1B9FC2CC3AEA546D4DDC3032CF8D1FA0EA2012C273262CFCFE2E593BE676B2BCD

------------Logs Vyos------------

Aug 11 11:41:33 charon[2739]: 08[IKE] <14> is initiating an IKE_SA
Aug 11 11:41:33 charon-systemd[2739]: is initiating an IKE_SA
Aug 11 11:41:33 charon[2739]: 08[CFG] <14> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
Aug 11 11:41:33 charon-systemd[2739]: selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
Aug 11 11:41:33 charon[2739]: 08[IKE] <14> remote host is behind NAT
Aug 11 11:41:33 charon-systemd[2739]: remote host is behind NAT
Aug 11 11:41:33 charon[2739]: 08[ENC] <14> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Aug 11 11:41:33 charon-systemd[2739]: generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Aug 11 11:41:33 charon[2739]: 08[NET] <14> sending packet: from [500] to [500] (332 bytes)
Aug 11 11:41:33 charon-systemd[2739]: sending packet: from [500] to [500] (332 bytes)
Aug 11 11:41:33 charon[2739]: 06[NET] <14> received packet: from [4500] to [4500] (336 bytes)
Aug 11 11:41:33 charon-systemd[2739]: received packet: from [4500] to [4500] (336 bytes)
Aug 11 11:41:33 charon[2739]: 06[ENC] <14> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Aug 11 11:41:33 charon[2739]: 06[CFG] <14> looking for peer configs matching [%any]…[Local/PeerID]
Aug 11 11:41:33 charon-systemd[2739]: parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
Aug 11 11:41:33 charon-systemd[2739]: looking for peer configs matching [%any]…[Local/PeerID]
Aug 11 11:41:34 charon[2739]: 06[CFG] <IPsec01|14> selected peer config ‘IPsec01’
Aug 11 11:41:34 charon[2739]: 06[IKE] <IPsec01|14> authentication of ‘Local/PeerID’ with pre-shared key successful
Aug 11 11:41:34 charon-systemd[2739]: selected peer config ‘IPsec01’
Aug 11 11:41:34 charon[2739]: 06[IKE] <IPsec01|14> authentication of ‘Local/PeerID’ (myself) with pre-shared key
Aug 11 11:41:34 charon-systemd[2739]: authentication of ‘Local/PeerID’ with pre-shared key successful
Aug 11 11:41:34 charon[2739]: 06[IKE] <IPsec01|14> IKE_SA IPsec01[14] established between [Local/PeerID]…[Local/PeerID]
Aug 11 11:41:34 charon-systemd[2739]: authentication of ‘Local/PeerID’ (myself) with pre-shared key
Aug 11 11:41:34 charon[2739]: 06[IKE] <IPsec01|14> scheduling rekeying in 27721s
Aug 11 11:41:34 charon-systemd[2739]: IKE_SA IPsec01[14] established between [Local/PeerID]…[Local/PeerID]
Aug 11 11:41:34 charon[2739]: 06[IKE] <IPsec01|14> maximum IKE_SA lifetime 30601s
Aug 11 11:41:34 charon-systemd[2739]: scheduling rekeying in 27721s
Aug 11 11:41:34 charon[2739]: 06[CFG] <IPsec01|14> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
Aug 11 11:41:34 charon-systemd[2739]: maximum IKE_SA lifetime 30601s
Aug 11 11:41:34 charon[2739]: 06[IKE] <IPsec01|14> CHILD_SA IPsec01-vti{10} established with SPIs cb21c7e4_i f7550330_o and TS 0.0.0.0/0 === 0.0.0.0/0
Aug 11 11:41:34 charon-systemd[2739]: selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
Aug 11 11:41:34 charon-systemd[2739]: CHILD_SA IPsec01-vti{10} established with SPIs cb21c7e4_i f7550330_o and TS 0.0.0.0/0 === 0.0.0.0/0
Aug 11 11:41:34 vti-up-down[3288]: Interface vti0 up-client IPsec01-vti
Aug 11 11:41:34 sudo[3307]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/dmidecode -t 4
Aug 11 11:41:34 sudo[3307]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
Aug 11 11:41:34 sudo[3307]: pam_unix(sudo:session): session closed for user root
Aug 11 11:41:34 vti-up-down[3288]: Interface vti0 is admin up …
Aug 11 11:41:34 charon[2739]: 06[ENC] <IPsec01|14> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Aug 11 11:41:34 charon-systemd[2739]: generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Aug 11 11:41:34 charon[2739]: 06[NET] <IPsec01|14> sending packet: from [4500] to [4500] (288 bytes)
Aug 11 11:41:34 charon-systemd[2739]: parsed INFORMATIONAL request 226
Aug 11 11:41:34 charon-systemd[2739]: sending packet: from [4500] to [4500] (288 bytes)

@Schmaex1996 Check if

set vpn ipsec options disable-route-autoinstall

is configured

Thank you for your answer.
Yes

set vpn ipsec options disable-route-autoinstall

is set

@Schmaex1996
There are not enough logs from VyOS.
sudo journalctl -l | grep charon
Check if one side is the responder and the other is the initiator.
ESP lifetime should be less than IKE lifetime.
You can find examples here:
https://docs.vyos.io/en/sagitta/configuration/vpn/site2site_ipsec.html

Yes, the ESP lifetime is less than the IKE lifetime.

Here is the log

Aug 15 10:01:17 vyos charon[2431]: 06[ENC] <fgt-vpn|1071> parsed INFORMATIONAL request 2 [ D ]
Aug 15 10:01:17 vyos charon-systemd[2431]: parsed INFORMATIONAL request 2 [ D ]
Aug 15 10:01:17 vyos charon[2431]: 06[IKE] <fgt-vpn|1071> received DELETE for IKE_SA fgt-vpn[1071]
Aug 15 10:01:17 vyos charon-systemd[2431]: received DELETE for IKE_SA fgt-vpn[1071]
Aug 15 10:01:17 vyos charon[2431]: 06[IKE] <fgt-vpn|1071> deleting IKE_SA fgt-vpn[1071] between vyos-ip[local/peer-id]…fgt-ip[local/peer-id]
Aug 15 10:01:17 vyos charon-systemd[2431]: deleting IKE_SA fgt-vpn[1071] between vyos-ip[local/peer-id]…fgt-ip[local/peer-id]
Aug 15 10:01:17 vyos charon[2431]: 06[IKE] <fgt-vpn|1071> IKE_SA deleted
Aug 15 10:01:17 vyos charon-systemd[2431]: IKE_SA deleted
Aug 15 10:01:17 vyos charon[2431]: 08[NET] <1100> received packet: from fgt-ip[500] to vyos-ip[500] (316 bytes)
Aug 15 10:01:17 vyos charon-systemd[2431]: received packet: from fgt-ip[500] to vyos-ip[500] (316 bytes)
Aug 15 10:01:17 vyos charon[2431]: 09[KNL] interface vti0 deactivated
Aug 15 10:01:17 vyos charon-systemd[2431]: interface vti0 deactivated
Aug 15 10:01:17 vyos charon[2431]: 07[KNL] fe80::f906:d1ff:fe83:5750 disappeared from vti0
Aug 15 10:01:17 vyos charon-systemd[2431]: fe80::f906:d1ff:fe83:5750 disappeared from vti0
Aug 15 10:01:17 vyos charon[2431]: 06[ENC] <fgt-vpn|1071> generating INFORMATIONAL response 2
Aug 15 10:01:17 vyos charon-systemd[2431]: generating INFORMATIONAL response 2
Aug 15 10:01:17 vyos charon[2431]: 08[ENC] <1100> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 15 10:01:17 vyos charon-systemd[2431]: parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 15 10:01:17 vyos charon[2431]: 06[NET] <fgt-vpn|1071> sending packet: from vyos-ip[4500] to fgt-ip[4500] (96 bytes)
Aug 15 10:01:17 vyos charon-systemd[2431]: sending packet: from vyos-ip[4500] to fgt-ip[4500] (96 bytes)
Aug 15 10:01:17 vyos charon[2431]: 08[IKE] <1100> fgt-ip is initiating an IKE_SA
Aug 15 10:01:17 vyos charon[2431]: 08[CFG] <1100> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
Aug 15 10:01:17 vyos charon-systemd[2431]: fgt-ip is initiating an IKE_SA
Aug 15 10:01:17 vyos charon-systemd[2431]: selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
Aug 15 10:01:17 vyos charon[2431]: 08[IKE] <1100> remote host is behind NAT
Aug 15 10:01:17 vyos charon-systemd[2431]: remote host is behind NAT
Aug 15 10:01:17 vyos charon-systemd[2431]: generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Aug 15 10:01:17 vyos charon[2431]: 08[ENC] <1100> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Aug 15 10:01:17 vyos charon-systemd[2431]: sending packet: from vyos-ip[500] to fgt-ip[500] (332 bytes)
Aug 15 10:01:17 vyos charon[2431]: 08[NET] <1100> sending packet: from vyos-ip[500] to fgt-ip[500] (332 bytes)
Aug 15 10:01:17 vyos charon[2431]: 09[NET] using forecast interface eth0
Aug 15 10:01:17 vyos charon-systemd[2431]: using forecast interface eth0
Aug 15 10:01:17 vyos charon[2431]: 09[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Aug 15 10:01:17 vyos charon-systemd[2431]: joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Aug 15 10:01:17 vyos charon[2431]: 14[NET] <1100> received packet: from fgt-ip[4500] to vyos-ip[4500] (320 bytes)
Aug 15 10:01:17 vyos charon-systemd[2431]: received packet: from fgt-ip[4500] to vyos-ip[4500] (320 bytes)
Aug 15 10:01:17 vyos charon[2431]: 14[ENC] <1100> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr N((61567)) ]
Aug 15 10:01:17 vyos charon[2431]: 14[CFG] <1100> looking for peer configs matching vyos-ip[%any]...fgt-ip[local/peer-id]
Aug 15 10:01:17 vyos charon-systemd[2431]: parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr N((61567)) ]
Aug 15 10:01:17 vyos charon-systemd[2431]: looking for peer configs matching vyos-ip[%any]...fgt-ip[local/peer-id]
Aug 15 10:01:17 vyos charon[2431]: 14[CFG] <fgt-vpn|1100> selected peer config 'fgt-vpn'
Aug 15 10:01:17 vyos charon[2431]: 14[IKE] <fgt-vpn|1100> authentication of 'local/peer-id' with pre-shared key successful
Aug 15 10:01:17 vyos charon-systemd[2431]: selected peer config 'fgt-vpn'
Aug 15 10:01:17 vyos charon[2431]: 14[IKE] <fgt-vpn|1100> authentication of 'local/peer-id' (myself) with pre-shared key
Aug 15 10:01:17 vyos charon-systemd[2431]: authentication of 'local/peer-id' with pre-shared key successful
Aug 15 10:01:17 vyos charon[2431]: 14[IKE] <fgt-vpn|1100> IKE_SA fgt-vpn[1100] established between vyos-ip[local/peer-id]...fgt-ip[local/peer-id]
Aug 15 10:01:17 vyos charon-systemd[2431]: authentication of 'local/peer-id' (myself) with pre-shared key
Aug 15 10:01:17 vyos charon[2431]: 14[IKE] <fgt-vpn|1100> scheduling rekeying in 28413s
Aug 15 10:01:17 vyos charon-systemd[2431]: IKE_SA fgt-vpn[1100] established between vyos-ip[local/peer-id]...fgt-ip[local/peer-id]
Aug 15 10:01:17 vyos charon[2431]: 14[IKE] <fgt-vpn|1100> maximum IKE_SA lifetime 31293s
Aug 15 10:01:17 vyos charon-systemd[2431]: scheduling rekeying in 28413s
Aug 15 10:01:17 vyos charon[2431]: 14[CFG] <fgt-vpn|1100> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
Aug 15 10:01:17 vyos charon-systemd[2431]: maximum IKE_SA lifetime 31293s
Aug 15 10:01:17 vyos charon[2431]: 14[IKE] <fgt-vpn|1100> CHILD_SA fgt-vpn-vti{156} established with SPIs c2fb9251_i 1141c4a9_o and TS 0.0.0.0/0 === 0.0.0.0/0
Aug 15 10:01:17 vyos charon-systemd[2431]: selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
Aug 15 10:01:17 vyos charon-systemd[2431]: CHILD_SA fgt-vpn-vti{156} established with SPIs c2fb9251_i 1141c4a9_o and TS 0.0.0.0/0 === 0.0.0.0/0
Aug 15 10:01:18 vyos charon[2431]: 08[KNL] fe80::f906:d1ff:fe83:5750 appeared on vti0
Aug 15 10:01:18 vyos charon-systemd[2431]: fe80::f906:d1ff:fe83:5750 appeared on vti0
Aug 15 10:01:18 vyos charon[2431]: 12[KNL] flags changed for fe80::f906:d1ff:fe83:5750 on vti0
Aug 15 10:01:18 vyos charon-systemd[2431]: flags changed for fe80::f906:d1ff:fe83:5750 on vti0
Aug 15 10:01:18 vyos charon[2431]: 16[KNL] interface vti0 activated
Aug 15 10:01:18 vyos charon-systemd[2431]: interface vti0 activated
Aug 15 10:01:18 vyos charon[2431]: 14[ENC] <fgt-vpn|1100> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Aug 15 10:01:18 vyos charon-systemd[2431]: generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Aug 15 10:01:18 vyos charon[2431]: 14[NET] <fgt-vpn|1100> sending packet: from vyos-ip[4500] to fgt-ip[4500] (288 bytes)
Aug 15 10:01:18 vyos charon-systemd[2431]: sending packet: from vyos-ip[4500] to fgt-ip[4500] (288 bytes)
Aug 15 10:01:18 vyos charon[2431]: 13[NET] using forecast interface eth0
Aug 15 10:01:18 vyos charon[2431]: 13[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Aug 15 10:01:18 vyos charon-systemd[2431]: using forecast interface eth0
Aug 15 10:01:18 vyos charon-systemd[2431]: joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250

And here is my config on both sides

-----------Fortigate------------

config vpn ipsec phase1-interface
edit "Router01"
set type static
set interface "WAN"
set ip-version 4
set ike-version 2
set local-gw 0.0.0.0
set keylife 28800
set authmethod psk
unset authmethod-remote
set peertype any
set net-device disable
set passive-mode disable
set exchange-interface-ip disable
set aggregate-member disable
set mode-cfg disable
set proposal aes256-sha512
set localid "-habe ich entfernt-"
set localid-type auto
set auto-negotiate enable
set negotiate-timeout 30
set fragmentation disable
set ip-fragmentation post-encapsulation
set dpd disable
set forticlient-enforcement disable
set comments ''
set npu-offload enable
set dhgrp 21
set suite-b disable
set eap disable
set ppk disable
set wizard-type custom
set reauth disable
set idle-timeout disable
set ha-sync-esp-seqno enable
set fgsp-sync disable
set inbound-dscp-copy disable
set auto-discovery-sender disable
set auto-discovery-receiver disable
set auto-discovery-forwarder disable
set encapsulation none
set nattraversal enable
set childless-ike disable
set azure-ad-autoconnect disable
set rekey enable
set fec-egress enable
set fec-send-timeout 5
set fec-base 10
set fec-codec rs
set fec-redundant 1
set fec-ingress enable
set fec-receive-timeout 50
set fec-health-check ''
set fec-mapping-profile ''
set network-overlay disable
set dev-id-notification disable
set link-cost 0
set exchange-fgt-device-id disable
set ems-sn-check disable
set remote-gw vyos-IP
set monitor ''
set add-gw-route disable
set psksecret ENC xxxxxxxxxxxxxx
set keepalive 10
next
end

config vpn ipsec phase2-interface
edit "Router01"
set phase1name "Router01"
set proposal aes256-sha512
set pfs enable
set ipv4-df disable
set dhgrp 21
set replay enable
set auto-negotiate enable
set inbound-dscp-copy phase1
set auto-discovery-sender phase1
set auto-discovery-forwarder phase1
set keylife-type seconds
set encapsulation tunnel-mode
set comments ''
set initiator-ts-narrow disable
set diffserv disable
set protocol 0
set src-addr-type subnet
set src-port 0
set dst-addr-type subnet
set dst-port 0
set keylifeseconds 14400
set src-subnet 0.0.0.0 0.0.0.0
set dst-subnet 0.0.0.0 0.0.0.0
next
end

config system interface
edit "Router01"
set vdom "root"
set vrf 0
set distance 5
set priority 1
set dhcp-relay-interface-select-method auto
set dhcp-relay-service disable
set ip 172.16.0.1 255.255.255.255
set allowaccess ping
set arpforward enable
set broadcast-forward disable
set bfd global
set icmp-send-redirect enable
set icmp-accept-redirect enable
set reachable-time 30000
set ips-sniffer-mode disable
set ident-accept disable
set ipmac disable
set status up
set netbios-forward disable
set wins-ip 0.0.0.0
set type tunnel
set netflow-sampler disable
set sflow-sampler disable
set src-check enable
set sample-rate 2000
set polling-interval 20
set sample-direction both
set explicit-web-proxy disable
set explicit-ftp-proxy disable
set proxy-captive-portal disable
set tcp-mss 0
set inbandwidth 0
set outbandwidth 0
set egress-shaping-profile ''
set ingress-shaping-profile ''
set weight 0
set external disable
set remote-ip 172.16.0.0 255.255.255.255
set description ''
set alias ''
set l2tp-client disable
set security-mode none
set ike-saml-server ''
set estimated-upstream-bandwidth 0
set estimated-downstream-bandwidth 0
set measured-upstream-bandwidth 0
set measured-downstream-bandwidth 0
set bandwidth-measure-time 0
set monitor-bandwidth enable
set role undefined
set snmp-index 36
set preserve-session-route disable
set auto-auth-extension-device disable
set ap-discover enable
set ip-managed-by-fortiipam disable
set switch-controller-igmp-snooping-proxy disable
set switch-controller-igmp-snooping-fast-leave disable
set eap-supplicant disable
config ipv6
set ip6-mode static
set nd-mode basic
set ip6-address ::/0
unset ip6-allowaccess
set icmp6-send-redirect enable
set ra-send-mtu enable
set ip6-reachable-time 0
set ip6-retrans-time 0
set ip6-hop-limit 0
set dhcp6-prefix-delegation disable
set dhcp6-information-request disable
set ip6-send-adv disable
set autoconf disable
set dhcp6-relay-service disable
end
set dhcp-relay-request-all-server disable
set dns-server-override enable
set dns-server-protocol cleartext
set auth-type auto
set wccp disable
set interface "WAN"
set mtu-override disable
next
end

------Vyos--------

config
set vpn ipsec options disable-route-autoinstall
set interfaces vti vti0 address 172.16.0.0/32
set protocols static route 172.16.0.1/32 interface vti0
show interfaces vti

set vpn ipsec interface 'eth0'
set vpn ipsec ike-group fgt-vpn proposal 1 encryption aes256
set vpn ipsec ike-group fgt-vpn proposal 1 hash sha512
set vpn ipsec ike-group fgt-vpn proposal 1 dh-group 21
set vpn ipsec ike-group fgt-vpn lifetime 28800
set vpn ipsec ike-group fgt-vpn key-exchange ikev2
set vpn ipsec ike-group fgt-vpn close-action 'none'
set vpn ipsec ike-group fgt-vpn dead-peer-detection action 'trap'
set vpn ipsec ike-group fgt-vpn dead-peer-detection interval 10
set vpn ipsec ike-group fgt-vpn dead-peer-detection timeout 6

set vpn ipsec esp-group fgt-vpn proposal 1 encryption aes256
set vpn ipsec esp-group fgt-vpn proposal 1 hash sha512
set vpn ipsec esp-group fgt-vpn lifetime 14400
set vpn ipsec esp-group fgt-vpn mode 'tunnel'
set vpn ipsec esp-group fgt-vpn pfs 'enable'
set vpn ipsec esp-group fgt-vpn pfs dh-group21

set vpn ipsec site-to-site peer fgt-vpn authentication mode pre-shared-secret
set vpn ipsec site-to-site peer fgt-vpn default-esp-group fgt-vpn
set vpn ipsec site-to-site peer fgt-vpn ike-group fgt-vpn
set vpn ipsec site-to-site peer fgt-vpn local-address ip-vyos
set vpn ipsec site-to-site peer fgt-vpn remote-address ip-fgt

set vpn ipsec authentication psk fgt-vpn secret xxxxxxxx
set vpn ipsec site-to-site peer fgt-vpn authentication local-id xxxxxx
set vpn ipsec site-to-site peer fgt-vpn authentication remote-id xxxxxxxxx
set vpn ipsec authentication psk fgt-vpn id xxxxxxx

set vpn ipsec site-to-site peer fgt-vpn vti bind vti0
set vpn ipsec site-to-site peer fgt-vpn vti esp-group fgt-vpn

@Schmaex1996 The deleting messages come from the Fortigate side.
I think you should look deeper into the Fortigate debugs.
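One way to check mechanically which side starts each exchange, as an added example that is not part of this thread nor of VyOS or strongSwan: the script below parses charon journal lines in the format posted above, drops the duplicate charon-systemd copies, reports who sent each IKE request (a "parsed ... request" came from the peer, a "generating ... request" was sent locally, so the INFORMATIONAL request carrying a Delete payload "D" identifies the side tearing the SA down) and measures the interval between successive IKE_SA establishments. The embedded sample log is constructed to mimic the posted lines and is not the poster's log.

```python
"""Who tears the IPsec tunnel down, and how often?  (added example)

Parses strongSwan charon lines as journald prints them on VyOS.  Only the
'charon[pid]:' copy of each message is used; the 'charon-systemd[pid]:'
copy is the same message logged twice and is dropped.  In charon's log a
'parsed <EXCHANGE> request' was sent by the peer, while a 'generating
<EXCHANGE> request' was sent locally, so the initiator of the INFORMATIONAL
exchange carrying a Delete payload (D) is the side that tore the SA down.
"""
import re
from datetime import datetime

# 'Aug 15 10:01:17 vyos charon[2431]: 14[IKE] <fgt-vpn|1100> message'
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ charon\[\d+\]: "
    r"\d+\[(?P<group>\w+)\] "
    r"(?:<(?:(?P<sa>[^|>]+)\|)?(?P<sa_id>\d+)> )?"
    r"(?P<msg>.*)$"
)
# 'parsed INFORMATIONAL request 2 [ D ]' / 'generating IKE_AUTH response 1 [ ... ]'
EXCHANGE_RE = re.compile(
    r"^(?P<dir>parsed|generating) (?P<exch>[A-Z_]+) (?P<kind>request|response) "
    r"(?P<mid>\d+)(?: \[ (?P<payloads>.*?) \])?$"
)
ESTABLISHED_RE = re.compile(r"^IKE_SA \S+\[\d+\] established between ")

# Constructed sample modelled on the lines in this thread; not the poster's log.
SAMPLE_LOG = """\
Aug 15 10:00:17 vyos charon[2431]: 14[IKE] <fgt-vpn|1071> IKE_SA fgt-vpn[1071] established between vyos-ip[local/peer-id]...fgt-ip[local/peer-id]
Aug 15 10:00:17 vyos charon-systemd[2431]: IKE_SA fgt-vpn[1071] established between vyos-ip[local/peer-id]...fgt-ip[local/peer-id]
Aug 15 10:01:17 vyos charon[2431]: 06[ENC] <fgt-vpn|1071> parsed INFORMATIONAL request 2 [ D ]
Aug 15 10:01:17 vyos charon-systemd[2431]: parsed INFORMATIONAL request 2 [ D ]
Aug 15 10:01:17 vyos charon[2431]: 06[ENC] <fgt-vpn|1071> generating INFORMATIONAL response 2
Aug 15 10:01:17 vyos charon[2431]: 08[ENC] <1100> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 15 10:01:17 vyos charon[2431]: 08[ENC] <1100> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Aug 15 10:01:17 vyos charon[2431]: 14[ENC] <1100> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) AUTH SA TSi TSr ]
Aug 15 10:01:17 vyos charon[2431]: 14[IKE] <fgt-vpn|1100> IKE_SA fgt-vpn[1100] established between vyos-ip[local/peer-id]...fgt-ip[local/peer-id]
Aug 15 10:02:17 vyos charon[2431]: 10[ENC] <fgt-vpn|1100> parsed INFORMATIONAL request 2 [ D ]
Aug 15 10:02:17 vyos charon[2431]: 11[ENC] <1101> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 15 10:02:17 vyos charon[2431]: 11[IKE] <fgt-vpn|1101> IKE_SA fgt-vpn[1101] established between vyos-ip[local/peer-id]...fgt-ip[local/peer-id]
"""


def parse_charon(lines):
    """Return one event per charon[...] line; charon-systemd duplicates are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "group": m.group("group"),
            "sa_id": int(m.group("sa_id")) if m.group("sa_id") else None,
            "msg": m.group("msg"),
        })
    return events


def exchange_initiators(events):
    """For every IKE request seen, record which side sent it and its payloads."""
    out = []
    for ev in events:
        m = EXCHANGE_RE.match(ev["msg"])
        if not m or m.group("kind") != "request":
            continue  # responses only answer a request; the request tells us the initiator
        out.append({
            "ts": ev["ts"],
            "sa_id": ev["sa_id"],
            "exchange": m.group("exch"),
            "initiator": "peer" if m.group("dir") == "parsed" else "local",
            "payloads": (m.group("payloads") or "").split(),
        })
    return out


def delete_initiators(events):
    """Only the exchanges carrying a Delete payload: these are the teardowns."""
    return [x for x in exchange_initiators(events) if "D" in x["payloads"]]


def establish_intervals(events):
    """Seconds between successive 'IKE_SA ... established' lines (the rebuild period)."""
    times = [ev["ts"] for ev in events if ESTABLISHED_RE.match(ev["msg"])]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def summarize(text):
    events = parse_charon(text.splitlines())
    deletes = delete_initiators(events)
    return {
        "events": len(events),
        "delete_initiators": [d["initiator"] for d in deletes],
        "deleted_sa_ids": [d["sa_id"] for d in deletes],
        "establish_intervals_s": establish_intervals(events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real capture with `journalctl -u strongswan | python3 script.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; a steady list of "peer" under `delete_initiators` together with a constant interval points at a timer on the remote side rather than at a lifetime or DPD mismatch.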

Hello
The problem has been found.
There are connection problems to 2 peers.
