IPSec requires traffic from both sides to initiate

Hi,
I’m trying to get an IPSec VPN working between a Vyos firewall and a Cisco firewall.
I’m the admin for the Vyos but the Cisco is managed by our client.
We’ve managed to get the VPN up but I’m having issues:

  • Traffic will only be initiated from the remote side. Right now, the VPN comes up but until I’ve initiated some traffic from the local side, I’m not receiving any traffic from theirs. The instant I ping something on the remote side, their traffic comes in.
  • It randomly stops working after a while. There are no more messages in the charon logs and I have to restart the ipsec daemon to get it working again.
  • All the documentation I’ve read mentions that I should see the strongswan routes in the routing table 220, but when running “ip route list table 220” I get “Error: ipv4: FIB table does not exist.”
  • The Vyos firewall is initiating traffic on port 4500/UDP, even though NAT Traversal is not enabled. It seems that it would be mobike that’s initiating it, but I can’t find how to disable it.
    “set vpn ipsec ike-group IKE-CLIENT-CA mobike disable” does not seem to exist

This is the output of “show version”:

Version: VyOS 1.4-rolling-202305160317
Release train: current

Built by: [email protected]
Built on: Tue 16 May 2023 03:17 UTC
Build UUID: 14236e83-a2ce-41f6-bf52-50e806196e89
Build commit ID: 8519c780c96200

Architecture: x86_64
Boot via: installed image
System type: Xen HVM guest

Hardware vendor: Xen
Hardware model: HVM domU
Hardware S/N: c54e3ec9-2531-95d2-02b3-0b3c8f3a09b1
Hardware UUID: c54e3ec9-2531-95d2-02b3-0b3c8f3a09b1

Copyright: VyOS maintainers and contributors

This is the configuration I’m using:

set firewall group network-group CLIENT_IPSEC network '10.190.70.0/24'
set firewall group network-group CLIENT_IPSEC network '10.190.59.0/24'
set firewall group network-group CLIENT_IPSEC network '10.190.57.0/24'
set firewall group network-group CLIENT_IPSEC network '10.190.49.0/24'
set firewall name FROM-INTERNET rule 32 action 'accept'
set firewall name FROM-INTERNET rule 32 destination
set firewall name FROM-INTERNET rule 32 source group network-group 'CLIENT_IPSEC'
set nat source rule 90 destination group network-group 'CLIENT_IPSEC'
set nat source rule 90 exclude
set nat source rule 90 outbound-interface 'eth0'
set nat source rule 90 source address '10.40.22.10'
set vpn ipsec authentication psk CLIENT id 'remote'
set vpn ipsec authentication psk CLIENT id 'local'
set vpn ipsec authentication psk CLIENT secret 'redacted'
set vpn ipsec esp-group ESP-CLIENT-CA lifetime '7200'
set vpn ipsec esp-group ESP-CLIENT-CA mode 'tunnel'
set vpn ipsec esp-group ESP-CLIENT-CA pfs 'dh-group14'
set vpn ipsec esp-group ESP-CLIENT-CA proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-CLIENT-CA proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-CLIENT-CA close-action 'restart'
set vpn ipsec ike-group IKE-CLIENT-CA dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-CLIENT-CA dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-CLIENT-CA key-exchange 'ikev2'
set vpn ipsec ike-group IKE-CLIENT-CA lifetime '86400'
set vpn ipsec ike-group IKE-CLIENT-CA proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-CLIENT-CA proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-CLIENT-CA proposal 1 hash 'sha512'
set vpn ipsec interface 'eth0'
set vpn ipsec options
set vpn ipsec site-to-site peer CLIENT authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer CLIENT connection-type 'initiate'
set vpn ipsec site-to-site peer CLIENT default-esp-group 'ESP-CLIENT-CA'
set vpn ipsec site-to-site peer CLIENT ike-group 'IKE-CLIENT-CA'
set vpn ipsec site-to-site peer CLIENT local-address 'local'
set vpn ipsec site-to-site peer CLIENT remote-address 'remote'
set vpn ipsec site-to-site peer CLIENT tunnel 1 esp-group 'ESP-CLIENT-CA'
set vpn ipsec site-to-site peer CLIENT tunnel 1 local prefix '10.40.22.10/32'
set vpn ipsec site-to-site peer CLIENT tunnel 1 remote prefix '10.190.70.0/24'
set vpn ipsec site-to-site peer CLIENT tunnel 2 esp-group 'ESP-CLIENT-CA'
set vpn ipsec site-to-site peer CLIENT tunnel 2 local prefix '10.40.22.10/32'
set vpn ipsec site-to-site peer CLIENT tunnel 2 remote prefix '10.190.59.0/24'
set vpn ipsec site-to-site peer CLIENT tunnel 3 esp-group 'ESP-CLIENT-CA'
set vpn ipsec site-to-site peer CLIENT tunnel 3 local prefix '10.40.22.10/32'
set vpn ipsec site-to-site peer CLIENT tunnel 3 remote prefix '10.190.57.0/24'
set vpn ipsec site-to-site peer CLIENT tunnel 4 esp-group 'ESP-CLIENT-CA'
set vpn ipsec site-to-site peer CLIENT tunnel 4 local prefix '10.40.22.10/32'
set vpn ipsec site-to-site peer CLIENT tunnel 4 remote prefix '10.190.49.0/24'

Out of the blue, it sounds like you have one or both sides in passive mode; both should, if possible, be in active mode to actively set up the tunnel.

However the closest one I can find related to this in VyOS is:

https://docs.vyos.io/en/latest/configuration/vpn/site2site_ipsec.html?highlight=connection-type

connection-type - how to handle this connection process. Possible variants:

initiate - does initial connection to remote peer immediately after configuring and after boot. In this mode the connection will not be restarted in case of disconnection, therefore should be used only together with DPD or another session tracking methods;

respond - does not try to initiate a connection to a remote peer. In this mode, the IPSec session will be established only after initiation from a remote peer. Could be useful when there is no direct connectivity to the peer due to firewall or NAT in the middle of the local and remote side.

none - loads the connection only, which then can be manually initiated or used as a responder configuration.

Thanks for the reply. I checked, and my configuration does include “connection-type initiate”, so I believe it is active.
But phase 1 and phase 2 both come up; it’s just that there is no traffic coming through:

The other weird thing is this:

It looks like I’m receiving ESP traffic but am unable to reply.

I ended up having to enable “force-encapsulation” even though there is no NAT between the two firewalls.

In IKEv2 the MOBIKE setting is enabled by default; to disable it, use this command:

set vpn ipsec ike-group ike1 disable-mobike
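To see what is actually travelling on UDP/4500 when MOBIKE or force-encapsulation is in play, the following decoder tells IKE apart from UDP-encapsulated ESP and NAT keepalives by the RFC 3948 non-ESP marker, and reads the IKEv2 header and plaintext Notify payloads (the NAT-detection notifies of IKE_SA_INIT, and MOBIKE_SUPPORTED / UPDATE_SA_ADDRESSES where visible). It is an added example, not code from this thread or from VyOS/strongSwan; the SPIs, payload chains and sample packets are constructed by hand for illustration, not captured from the poster's tunnel.

```python
"""Classify UDP/4500 datagrams between IPsec peers (RFC 3948 and RFC 7296).
Added example, not code from this thread or from VyOS/strongSwan; the sample
packets below are constructed by hand, not captured from the poster's tunnel.
On UDP/4500 the first four bytes decide: 0x00000000 (non-ESP marker) means IKE
follows, a single 0xFF byte is a NAT keepalive, anything else is ESP-in-UDP
beginning with its SPI (SPI 0 is reserved, which is why the marker is safe)."""
import struct

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 39: "AUTH",
                 40: "Ni/Nr", 41: "N", 42: "D", 44: "TSi", 45: "TSr", 46: "SK"}
NOTIFY_TYPES = {16388: "NAT_DETECTION_SOURCE_IP",
                16389: "NAT_DETECTION_DESTINATION_IP",
                16396: "MOBIKE_SUPPORTED", 16400: "UPDATE_SA_ADDRESSES"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HDR = struct.Struct("!QQBBBBII")   # 28-byte IKEv2 header, RFC 7296 s3.1
PL_HDR = struct.Struct("!BBH")         # generic payload header, RFC 7296 s3.2


def parse_ike_header(ike):
    """Decode the fixed IKEv2 header; flag bits: 0x08 initiator, 0x20 response."""
    ispi, rspi, first, ver, exch, flags, msgid, length = IKE_HDR.unpack_from(ike)
    return {"initiator_spi": f"{ispi:016x}", "responder_spi": f"{rspi:016x}",
            "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
            "initiator": bool(flags & 0x08), "response": bool(flags & 0x20),
            "message_id": msgid, "length": length, "first_payload": first}


def walk_payloads(ike, first):
    """Follow the payload chain, collecting plaintext Notify types.
    Stops at SK (type 46) because everything after it is encrypted."""
    names, notifies = [], []
    off, ptype = IKE_HDR.size, first
    while ptype != 0:
        if off + PL_HDR.size > len(ike):
            raise ValueError("truncated payload chain")
        next_type, _, plen = PL_HDR.unpack_from(ike, off)
        if plen < PL_HDR.size or off + plen > len(ike):
            raise ValueError("bad payload length")
        names.append(PAYLOAD_TYPES.get(ptype, str(ptype)))
        if ptype == 41 and plen >= 8:          # Notify body: proto, spi_size, type
            ntype = struct.unpack_from("!H", ike, off + 6)[0]
            notifies.append(NOTIFY_TYPES.get(ntype, str(ntype)))
        if ptype == 46:
            break
        off, ptype = off + plen, next_type
    return names, notifies


def classify_udp4500(dgram):
    """Return a dict saying whether a UDP/4500 datagram is IKE, ESP or keepalive."""
    if dgram == b"\xff":
        return {"kind": "nat-keepalive"}
    if dgram.startswith(NON_ESP_MARKER):
        ike = dgram[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HDR.size:
            raise ValueError("short IKE header")
        hdr = parse_ike_header(ike)
        names, notifies = walk_payloads(ike, hdr.pop("first_payload"))
        return {"kind": "ike", **hdr, "payloads": names, "notifies": notifies}
    if len(dgram) >= 8:                        # ESP: SPI, sequence number, data
        spi, seq = struct.unpack_from("!II", dgram)
        return {"kind": "esp-in-udp", "spi": f"{spi:08x}", "seq": seq}
    raise ValueError("unrecognised UDP/4500 datagram")


# --- constructed sample traffic (hypothetical SPIs, not from the poster's VPN) ---
def _notify(next_type, ntype, data=b""):
    body = struct.pack("!BBH", 0, 0, ntype) + data
    return PL_HDR.pack(next_type, 0, PL_HDR.size + len(body)) + body


def _ike(ispi, rspi, exch, flags, msgid, first, payloads):
    body = b"".join(payloads)
    return NON_ESP_MARKER + IKE_HDR.pack(ispi, rspi, first, 0x20, exch, flags,
                                         msgid, IKE_HDR.size + len(body)) + body


SAMPLES = {
    "keepalive": b"\xff",
    # IKE_SA_INIT request trimmed to its two NAT-detection notifies (a real one
    # also carries SA, KE and Ni); matching hashes on both ends mean "no NAT"
    "sa_init": _ike(0x1111, 0, 34, 0x08, 0, 41,
                    [_notify(41, 16388, b"\xaa" * 20),
                     _notify(0, 16389, b"\xbb" * 20)]),
    # IKE_AUTH request: every payload after the header is inside SK
    "auth": _ike(0x1111, 0x2222, 35, 0x08, 1, 46,
                 [PL_HDR.pack(0, 0, PL_HDR.size + 16) + b"\x00" * 16]),
    # ESP-in-UDP as seen once force-encapsulation is on: SPI, sequence, ciphertext
    "esp": struct.pack("!II", 0xC0FFEE01, 7) + b"\x11" * 24,
}

if __name__ == "__main__":
    for name, dgram in SAMPLES.items():
        print(name, classify_udp4500(dgram))
```

Run it against a real capture by feeding each UDP/4500 payload (minus the UDP header) to classify_udp4500: IKE datagrams with an empty notify list and only SK are the normal post-IKE_AUTH traffic that MOBIKE moves to 4500 even without NAT, and a stream of esp-in-udp records is what force-encapsulation produces.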

Seems like one side doesn’t allow ESP in.
Only after sending ESP packets, established rule allows ESP back in.
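The check that follows from this diagnosis, on the VyOS side at least, is that the peer's IKE and ESP are accepted inbound by an explicit rule rather than by a state entry that only exists after we have sent something. The fragment below is an added example in the poster's own command style, not configuration from the thread; 'remote' is the same placeholder the poster uses for the Cisco's address, the rule numbers are arbitrary, and the poster's configuration does not show which interface or zone FROM-INTERNET is attached to, so confirm that this is the chain the peer's packets actually traverse before relying on it.

```text
set firewall name FROM-INTERNET rule 20 action 'accept'
set firewall name FROM-INTERNET rule 20 description 'IKE and NAT-T from IPsec peer'
set firewall name FROM-INTERNET rule 20 source address 'remote'
set firewall name FROM-INTERNET rule 20 protocol 'udp'
set firewall name FROM-INTERNET rule 20 destination port '500,4500'
set firewall name FROM-INTERNET rule 21 action 'accept'
set firewall name FROM-INTERNET rule 21 description 'ESP from IPsec peer'
set firewall name FROM-INTERNET rule 21 source address 'remote'
set firewall name FROM-INTERNET rule 21 protocol 'esp'
set vpn ipsec ike-group IKE-CLIENT-CA disable-mobike
```

With force-encapsulation enabled, ESP rides inside UDP/4500 and only rule 20 is hit, so rule 21 matters once encapsulation is switched off again; the disable-mobike line is the reply above applied to the poster's ike-group name, and keeps IKE on UDP/500 where there is no NAT to work around. The Cisco side needs the mirror-image allow for ESP and UDP/500,4500 from the VyOS address, which only the client can add.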