IPsec s2s cannot route all traffic to VPN

Version: VyOS 1.2.8

I have tested other brands of equipment and the IPsec settings are no problem, but if both sides use VyOS, the traffic cannot pass through the VPN.

@server
set vpn ipsec esp-group ESPMAP2021 compression 'enable'
set vpn ipsec esp-group ESPMAP2021 lifetime '10800'
set vpn ipsec esp-group ESPMAP2021 mode 'tunnel'
set vpn ipsec esp-group ESPMAP2021 pfs 'enable'
set vpn ipsec esp-group ESPMAP2021 proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESPMAP2021 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKEMAP2021 close-action 'none'
set vpn ipsec ike-group IKEMAP2021 ikev2-reauth 'no'
set vpn ipsec ike-group IKEMAP2021 key-exchange 'ikev2'
set vpn ipsec ike-group IKEMAP2021 lifetime '36000'
set vpn ipsec ike-group IKEMAP2021 proposal 1 dh-group '14'
set vpn ipsec ike-group IKEMAP2021 proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKEMAP2021 proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer @client authentication id '100.100.100.1'
set vpn ipsec site-to-site peer @client authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer @client authentication pre-shared-secret '************'
set vpn ipsec site-to-site peer @client connection-type 'initiate'
set vpn ipsec site-to-site peer @client ike-group 'IKEMAP2021'
set vpn ipsec site-to-site peer @client ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer @client local-address '100.100.100.1'
set vpn ipsec site-to-site peer @client tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer @client tunnel 0 allow-public-networks 'enable'
set vpn ipsec site-to-site peer @client tunnel 0 esp-group 'ESPMAP2021'
set vpn ipsec site-to-site peer @client tunnel 0 local prefix '0.0.0.0/0'
set vpn ipsec site-to-site peer @client tunnel 0 remote prefix '200.200.200.0/30'

@client

set vpn ipsec esp-group ESPMAP2021 compression 'enable'
set vpn ipsec esp-group ESPMAP2021 lifetime '10800'
set vpn ipsec esp-group ESPMAP2021 mode 'tunnel'
set vpn ipsec esp-group ESPMAP2021 pfs 'enable'
set vpn ipsec esp-group ESPMAP2021 proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESPMAP2021 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKEMAP2021 close-action 'none'
set vpn ipsec ike-group IKEMAP2021 ikev2-reauth 'no'
set vpn ipsec ike-group IKEMAP2021 key-exchange 'ikev2'
set vpn ipsec ike-group IKEMAP2021 lifetime '36000'
set vpn ipsec ike-group IKEMAP2021 proposal 1 dh-group '14'
set vpn ipsec ike-group IKEMAP2021 proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKEMAP2021 proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 100.100.100.1 authentication id '@client'
set vpn ipsec site-to-site peer 100.100.100.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 100.100.100.1 authentication pre-shared-secret '************'
set vpn ipsec site-to-site peer 100.100.100.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 100.100.100.1 ike-group 'IKEMAP2021'
set vpn ipsec site-to-site peer 100.100.100.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 100.100.100.1 local-address '192.168.100.241'
set vpn ipsec site-to-site peer 100.100.100.1 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 100.100.100.1 tunnel 0 allow-public-networks 'enable'
set vpn ipsec site-to-site peer 100.100.100.1 tunnel 0 esp-group 'ESPMAP2021'
set vpn ipsec site-to-site peer 100.100.100.1 tunnel 0 local prefix '200.200.200.0/30'
set vpn ipsec site-to-site peer 100.100.100.1 tunnel 0 remote prefix '0.0.0.0/0'

vyos@vyos:~$ show vpn ipsec sa 
Connection                              State    Up         Bytes In/Out    Remote address    Remote ID    Proposal
--------------------------------------  -------  ---------  --------------  ----------------  -----------  ------------------------------------------------
peer-100.100.100.1-tunnel-0              up       8 minutes  60K/47K         100.100.100.1      N/A          AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
passthrough-peer-100.100.100.1-tunnel-0  down     N/A        N/A             N/A               N/A          N/A
vyos@vyos:~$ 

Is passthrough-peer-100.100.100.1-tunnel-0 always down?

Aug 04 16:07:46 vyos charon[3231]: 13[IKE] <peer-100.100.100.1-tunnel-0|10> initiating IKE_SA peer-100.100.100.1-tunnel-0[10] to 100.100.100.1
Aug 04 16:07:46 vyos charon[3231]: 13[ENC] <peer-100.100.100.1-tunnel-0|10> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 04 16:07:46 vyos charon[3231]: 13[NET] <peer-100.100.100.1-tunnel-0|10> sending packet: from 192.168.100.241[500] to 100.100.100.1[500] (464 bytes)
Aug 04 16:07:46 vyos charon[3231]: 11[NET] <peer-100.100.100.1-tunnel-0|10> received packet: from 100.100.100.1[500] to 192.168.100.241[500] (464 bytes)
Aug 04 16:07:46 vyos charon[3231]: 11[ENC] <peer-100.100.100.1-tunnel-0|10> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 04 16:07:46 vyos charon[3231]: 11[CFG] <peer-100.100.100.1-tunnel-0|10> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Aug 04 16:07:46 vyos charon[3231]: 11[IKE] <peer-100.100.100.1-tunnel-0|10> local host is behind NAT, sending keep alives
Aug 04 16:07:46 vyos charon[3231]: 11[IKE] <peer-100.100.100.1-tunnel-0|10> authentication of 'ship03' (myself) with pre-shared key
Aug 04 16:07:46 vyos charon[3231]: 11[IKE] <peer-100.100.100.1-tunnel-0|10> establishing CHILD_SA peer-100.100.100.1-tunnel-0{19}
Aug 04 16:07:46 vyos charon[3231]: 11[ENC] <peer-100.100.100.1-tunnel-0|10> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Aug 04 16:07:46 vyos charon[3231]: 11[NET] <peer-100.100.100.1-tunnel-0|10> sending packet: from 192.168.100.241[4500] to 100.100.100.1[4500] (268 bytes)
Aug 04 16:07:46 vyos charon[3231]: 12[NET] <peer-100.100.100.1-tunnel-0|10> received packet: from 100.100.100.1[4500] to 192.168.100.241[4500] (220 bytes)
Aug 04 16:07:46 vyos charon[3231]: 12[ENC] <peer-100.100.100.1-tunnel-0|10> parsed IKE_AUTH response 1 [ IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Aug 04 16:07:46 vyos charon[3231]: 12[IKE] <peer-100.100.100.1-tunnel-0|10> authentication of '100.100.100.1' with pre-shared key successful
Aug 04 16:07:46 vyos charon[3231]: 12[IKE] <peer-100.100.100.1-tunnel-0|10> IKE_SA peer-100.100.100.1-tunnel-0[10] established between 192.168.100.241[ship03]...100.100.100.1[100.100.100.1]
Aug 04 16:07:46 vyos charon[3231]: 12[IKE] <peer-100.100.100.1-tunnel-0|10> scheduling rekeying in 35316s
Aug 04 16:07:46 vyos charon[3231]: 12[IKE] <peer-100.100.100.1-tunnel-0|10> maximum IKE_SA lifetime 35856s
Aug 04 16:07:46 vyos charon[3231]: 12[CFG] <peer-100.100.100.1-tunnel-0|10> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Aug 04 16:07:46 vyos charon[3231]: 12[IKE] <peer-100.100.100.1-tunnel-0|10> CHILD_SA peer-100.100.100.1-tunnel-0{19} established with SPIs c4d8441e_i c623a624_o and TS 200.200.200.0/30 === 0.0.0.0/0
Aug 04 16:07:46 vyos charon[3231]: 12[IKE] <peer-100.100.100.1-tunnel-0|10> peer supports MOBIKE

I think you need to declare proper selectors for a policy-based VPN, or just use "vti" interfaces and a routing-based configuration. In that case (with vti), you can use static or dynamic routing.
Also, I can recommend using WireGuard for the VPN.

OK, I can use vti or WireGuard,
but I guess local prefix = 0.0.0.0/0 is not supported?

I guess the problem lies in the client, having remote prefix '0.0.0.0/0'.
Probably, already tunneled packets (ESP) will re-enter the tunnel, forming a local loop, which hangs up the VPN.
Go for a vti tunnel or an IPsec/GRE combo, both of which allow 0.0.0.0/0.
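The two replies above both point at the same fix: stop expressing "everything" as a policy selector and bind the peer to a vti interface, then let the routing table decide what enters the tunnel. The following is an added example written for this thread, not configuration posted by either participant or shipped by VyOS; it reuses the ESPMAP2021/IKEMAP2021 groups and the addresses already shown, and assumes a transit /30 of 10.255.0.0/30 for the vti pair and 192.168.100.1 as the client's LAN gateway (both assumptions). The `vti bind` / `vti esp-group` form is the VyOS 1.2 (crux) syntax; a peer cannot carry both a `tunnel` stanza and a `vti` binding, so the `tunnel 0` stanza is removed on each side.

```vyos
# --- @server (100.100.100.1): replace the 0.0.0.0/0 selector with a VTI binding ---
delete vpn ipsec site-to-site peer @client tunnel 0
set interfaces vti vti0 address '10.255.0.1/30'                      # assumed transit /30
set vpn ipsec site-to-site peer @client vti bind 'vti0'
set vpn ipsec site-to-site peer @client vti esp-group 'ESPMAP2021'
# The server only knows the client by its IKE ID (it sits behind NAT),
# so it cannot initiate; let the client bring the tunnel up.
set vpn ipsec site-to-site peer @client connection-type 'respond'
# Route the client's LAN over the tunnel interface instead of a selector.
set protocols static interface-route 200.200.200.0/30 next-hop-interface vti0

# --- @client (192.168.100.241 behind NAT): default route over the tunnel ---
delete vpn ipsec site-to-site peer 100.100.100.1 tunnel 0
set interfaces vti vti0 address '10.255.0.2/30'                      # assumed transit /30
set vpn ipsec site-to-site peer 100.100.100.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 100.100.100.1 vti esp-group 'ESPMAP2021'
# Pin the peer's public address to the physical path BEFORE adding the
# default route over vti0. Without this /32, the default route would also
# match the IKE/ESP packets destined to 100.100.100.1 and pull them back
# into vti0, which is the same loop a 0.0.0.0/0 selector produces.
set protocols static route 100.100.100.1/32 next-hop '192.168.100.1'  # assumed LAN gateway
set protocols static interface-route 0.0.0.0/0 next-hop-interface vti0
```

After `commit`, `show ip route` on the client should list 0.0.0.0/0 via vti0 and 100.100.100.1/32 via the LAN gateway, and `show vpn ipsec sa` should show the peer SA up. If the peer SA flaps as soon as the default route is installed, the /32 to the peer is missing or points at the wrong gateway. With this layout the NAT-traversal, ESP and IKE settings from the original posts stay as they are; only the selectors move from strongSwan policy into the kernel routing table.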

A bug report already exists: T2851 Invalid passthrough routes installing by strongSwan into table 220

@lawrence.pan I built packages for 1.2.8 with the necessary patches.
Follow the Phabricator bug report, and let me know if it works for you.