IPsec Getting Down

Dear Team

We have 3 different locations and all 3 are connected via IPsec tunnels.

We have created IPsec through BGP and also run VRRP for gateway failover, and every 10 to 15 days my tunnel goes down.

Below are the IPs configured on my interfaces. I am using VyOS version 1.2.0.

Interface   IP Address          S/L  Description
eth0        172.17.40.161/16    u/u  BLUE Management Network
eth1        192.168.161.1/24    u/u  RED Public Network
eth1v161    43.224.129.92/24    u/u
eth2        10.10.1.2/24        u/u  GREEN Lan Network
eth2v161    10.10.1.1/24        u/u
lo          127.0.0.1/8         u/u
            ::1/128
vti10       192.168.11.1/30     u/u
vti20       192.168.10.1/30     u/u
vtun0       10.34.1.1/24        u/u
vtun1       10.34.2.1/24        u/u

vti10 is used for one location and vti20 is used for the other location's connectivity, and every time the tunnel goes down these interfaces show as disabled.

Below is my IPsec configuration:

set vpn ipsec esp-group i2k2_2_ESP compression 'disable'
set vpn ipsec esp-group i2k2_2_ESP lifetime '3600'
set vpn ipsec esp-group i2k2_2_ESP mode 'tunnel'
set vpn ipsec esp-group i2k2_2_ESP pfs 'enable'
set vpn ipsec esp-group i2k2_2_ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group i2k2_2_ESP proposal 1 hash 'sha1'
set vpn ipsec esp-group i2k2_3_ESP compression 'disable'
set vpn ipsec esp-group i2k2_3_ESP lifetime '3600'
set vpn ipsec esp-group i2k2_3_ESP mode 'tunnel'
set vpn ipsec esp-group i2k2_3_ESP pfs 'enable'
set vpn ipsec esp-group i2k2_3_ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group i2k2_3_ESP proposal 1 hash 'sha1'
set vpn ipsec ike-group i2k2_2_IKE dead-peer-detection action 'restart'
set vpn ipsec ike-group i2k2_2_IKE dead-peer-detection interval '30'
set vpn ipsec ike-group i2k2_2_IKE dead-peer-detection timeout '40'
set vpn ipsec ike-group i2k2_2_IKE ikev2-reauth 'no'
set vpn ipsec ike-group i2k2_2_IKE key-exchange 'ikev1'
set vpn ipsec ike-group i2k2_2_IKE lifetime '28800'
set vpn ipsec ike-group i2k2_2_IKE proposal 1 dh-group '2'
set vpn ipsec ike-group i2k2_2_IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group i2k2_2_IKE proposal 1 hash 'sha1'
set vpn ipsec ike-group i2k2_3_IKE dead-peer-detection action 'restart'
set vpn ipsec ike-group i2k2_3_IKE dead-peer-detection interval '30'
set vpn ipsec ike-group i2k2_3_IKE dead-peer-detection timeout '40'
set vpn ipsec ike-group i2k2_3_IKE ikev2-reauth 'no'
set vpn ipsec ike-group i2k2_3_IKE key-exchange 'ikev1'
set vpn ipsec ike-group i2k2_3_IKE lifetime '28800'
set vpn ipsec ike-group i2k2_3_IKE proposal 1 dh-group '2'
set vpn ipsec ike-group i2k2_3_IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group i2k2_3_IKE proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1v161'
set vpn ipsec site-to-site peer 103.239.129.10 authentication id '43.224.129.92'
set vpn ipsec site-to-site peer 103.239.129.10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 103.239.129.10 authentication pre-shared-secret 'C@t@i2k2'
set vpn ipsec site-to-site peer 103.239.129.10 connection-type 'initiate'
set vpn ipsec site-to-site peer 103.239.129.10 default-esp-group 'i2k2_3_ESP'
set vpn ipsec site-to-site peer 103.239.129.10 ike-group 'i2k2_3_IKE'
set vpn ipsec site-to-site peer 103.239.129.10 ikev2-reauth 'yes'
set vpn ipsec site-to-site peer 103.239.129.10 local-address '43.224.129.92'
set vpn ipsec site-to-site peer 103.239.129.10 vti bind 'vti20'
set vpn ipsec site-to-site peer 103.239.129.10 vti esp-group 'i2k2_3_ESP'
set vpn ipsec site-to-site peer 203.95.225.10 authentication id '43.224.129.92'
set vpn ipsec site-to-site peer 203.95.225.10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.95.225.10 authentication pre-shared-secret 'C@t@i2k2'
set vpn ipsec site-to-site peer 203.95.225.10 connection-type 'initiate'
set vpn ipsec site-to-site peer 203.95.225.10 default-esp-group 'i2k2_2_ESP'
set vpn ipsec site-to-site peer 203.95.225.10 ike-group 'i2k2_2_IKE'
set vpn ipsec site-to-site peer 203.95.225.10 ikev2-reauth 'yes'
set vpn ipsec site-to-site peer 203.95.225.10 local-address '43.224.129.92'
set vpn ipsec site-to-site peer 203.95.225.10 vti bind 'vti10'
set vpn ipsec site-to-site peer 203.95.225.10 vti esp-group 'i2k2_2_ESP'

When I run the "restart vpn" command, the tunnel comes UP and works fine, but why do I need to run this command every time? It is hectic for me every time.

Please suggest what else I need to configure so that this issue gets resolved.

On VTI interfaces, it is important to add this command:

set vpn ipsec options disable-route-autoinstall

Please reset the VPN peers after applying the command.

You can also crank up IPsec logging and look into the logs to see if you find a hint about what's happening when the tunnel is stuck down.

Thanks for replying, but I am using version 1.2.0, and I checked a lot online: logging for IPsec is possible from version 1.3.

Please let us know if it is possible on 1.2.0 and share the commands for this.

You can write a script to restart the service and schedule it to run in a timely manner. The best recommendation is to upgrade to the latest version, as it has lots of development related to IPsec.

Is the 1.4 release version available, or do I need to wait more?

If available, please share the download link for it; if not available, please let us know which latest version I should use.

1.4 will be released by the end of the year. As you are on an older version, you can upgrade to the current stable release 1.3.4, and we also have nightly builds available at this site: VyOS Community

As checked on the VyOS community site, there is no download link for version 1.3.4. Can you please share the exact download link for it?

If you have a subscription and are not able to see the files, please raise a ticket.

Hello all

I am using VyOS version 1.3.4 and I want real-time logs for IPsec.

Please share the command to enable and check the real-time logs.

You can use these commands to check IPsec logs:

$ journalctl -b /usr/lib/ipsec/charon → will show the current boot logs

and you can also tail the logs by changing the options:

$ journalctl -f | grep charon
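To get more out of those charon lines than a raw tail, here is an added example (not from this thread or the VyOS project) that reads saved `journalctl -b /usr/lib/ipsec/charon` output and attributes strongSwan's DPD, retransmit and delete messages to a peer, so the difference between "the peer stopped answering DPD" and "an IKE_SA was deleted for another reason" becomes visible per tunnel. The log sample, the SA name "peer-a" and the thread-based attribution heuristic are constructed for the example; the peer addresses are the ones from the configuration above.

```python
import re
from collections import defaultdict
# Constructed sample of `journalctl -b /usr/lib/ipsec/charon` output, not a real capture:
# SA name "peer-a", thread numbers and timestamps are made up; texts follow charon's wording.
SAMPLE_LOG = """\
Mar 03 02:10:01 vyos charon[1234]: 05[IKE] IKE_SA peer-a[3] established between 43.224.129.92[43.224.129.92]...203.95.225.10[203.95.225.10]
Mar 03 02:10:02 vyos charon[1234]: 05[IKE] CHILD_SA peer-a{5} established with SPIs c1a2b3d4_i e5f60718_o
Mar 03 10:09:55 vyos charon[1234]: 07[IKE] sending DPD request
Mar 03 10:12:41 vyos charon[1234]: 07[IKE] giving up after 5 retransmits
Mar 03 10:12:41 vyos charon[1234]: 07[IKE] deleting IKE_SA peer-a[3] between 43.224.129.92[43.224.129.92]...203.95.225.10[203.95.225.10]
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ charon\[\d+\]: (\d+)\[\w+\] (.*)$")
PEER_RE = re.compile(r"\.\.\.(\d+\.\d+\.\d+\.\d+)\[")  # remote address in "...A[B]"
EVENTS = [  # (pattern on the message text, event label); first match wins
    (re.compile(r"^IKE_SA .* established between"), "ike_up"),
    (re.compile(r"^CHILD_SA .* established with SPIs"), "child_up"),
    (re.compile(r"^sending DPD request"), "dpd_sent"),
    (re.compile(r"^giving up after \d+ retransmits"), "peer_unresponsive"),
    (re.compile(r"^(deleting IKE_SA|received DELETE for IKE_SA)"), "ike_deleted"),
]

def triage(log_text):
    """Return {peer_ip: [(timestamp, event), ...]} in log order. DPD lines name no peer,
    so they are parked per charon thread until a line on that thread names one (heuristic)."""
    last_peer, pending, timeline = {}, {}, defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, thread, msg = m.groups()
        label = next((lab for pat, lab in EVENTS if pat.search(msg)), None)
        pm = PEER_RE.search(msg)
        if pm:  # this line names the peer: adopt events parked on this thread
            last_peer[thread] = pm.group(1)
            timeline[pm.group(1)].extend(pending.pop(thread, []))
        if label and thread in last_peer:
            timeline[last_peer[thread]].append((ts, label))
        elif label:
            pending.setdefault(thread, []).append((ts, label))
    for events in pending.values():  # bare lines never tied to any peer
        timeline["unknown"].extend(events)
    return dict(timeline)

def verdict(timeline, peer):
    labels = [e for _, e in timeline.get(peer, [])]
    if not labels or labels[-1] in ("ike_up", "child_up"):
        return "up" if labels else "no charon events for this peer"
    if "peer_unresponsive" in labels[-3:]:
        return "down: peer stopped answering DPD, charon gave up after retransmits"
    return "down: IKE_SA deleted without DPD failure (check for DELETE from peer or rekey)"
```

Feed it the real journal (`journalctl -b /usr/lib/ipsec/charon > charon.log`) and compare the last events for each peer against the time the VTI went down.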

Dear Srividya

The tail command below is not working, as it shows nothing. Please let us know how we can check the real-time logs of IPsec.

journalctl -f | grep charon

Again my tunnel was down. I don't understand why this is happening again and again.

When I run the "restart vpn" command, my tunnel comes back UP.

Why is this happening???

Is my tunnel getting choked, or is there something I missed or need to configure?

Please let us know how I can check the logs for why this is happening and resolve this issue.

Try WireGuard; I never had issues with it.

Is this feature available on VyOS version 1.2.0???

Check the documentation for WireGuard.

Dear Viacheslav

I am using WireGuard as in the scenario below. Please check whether the commands are correct or whether I missed something. If yes, please let us know the next step.

Mumbai :-

WAN(eth1) = 103.239.138.224
LAN(eth2) = 10.30.0.1/16

~$ generate wireguard keypair
~$ show wireguard pubkey
7DSykDUtPgMFCiJkPyNMJXPaNrlmU4DzG2ELyZKOExY=

set interfaces wireguard wg01 address '10.1.0.2/30'
set interfaces wireguard wg01 description 'VPN-to-wg02'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.21.0.0/16'
set interfaces wireguard wg01 peer to-wg02 endpoint '203.95.216.251:51820'
set interfaces wireguard wg01 peer to-wg02 pubkey 'aelplyepiCbQmQzMWe+QLkXiHZVYUIKHuR9P/xGRcS0='
set interfaces wireguard wg01 port '51820'
set protocols static route 10.21.0.0/16 interface wg01

set firewall name FIREWALL_OUT rule 20 action accept
set firewall name FIREWALL_OUT rule 20 description WireGuard_IN
set firewall name FIREWALL_OUT rule 20 destination port 51820
set firewall name FIREWALL_OUT rule 20 log enable
set firewall name FIREWALL_OUT rule 20 protocol udp
set firewall name FIREWALL_OUT rule 20 source

set interfaces ethernet eth1 firewall local name 'FIREWALL_OUT'

Bangalore :-

WAN(eth1) = 203.95.216.251
LAN(eth2) = 10.21.0.1/16

~$ generate wireguard keypair
~$ show wireguard pubkey
aelplyepiCbQmQzMWe+QLkXiHZVYUIKHuR9P/xGRcS0=

set interfaces wireguard wg01 address '10.1.0.1/30'
set interfaces wireguard wg01 description 'VPN-to-wg01'
set interfaces wireguard wg01 peer to-wg02 allowed-ips '10.30.0.0/16'
set interfaces wireguard wg01 peer to-wg02 endpoint '103.239.138.224:51820'
set interfaces wireguard wg01 peer to-wg02 pubkey '7DSykDUtPgMFCiJkPyNMJXPaNrlmU4DzG2ELyZKOExY='
set interfaces wireguard wg01 port '51820'
set protocols static route 10.30.0.0/16 interface wg01

set firewall name FIREWALL_OUT rule 20 action accept
set firewall name FIREWALL_OUT rule 20 description WireGuard_IN
set firewall name FIREWALL_OUT rule 20 destination port 51820
set firewall name FIREWALL_OUT rule 20 log enable
set firewall name FIREWALL_OUT rule 20 protocol udp
set firewall name FIREWALL_OUT rule 20 source

set interfaces ethernet eth1 firewall local name 'FIREWALL_OUT'

WireGuard is only a workaround; IPsec should function too, for instance when peering with other vendors.