IPsec VPN from VyOS to Linux

Need help configuring site-to-site IPsec from a VyOS router to a Linux host. Below is the VyOS config pertaining to the VPN and the Linux host config. `sh vpn ike sa` shows up, but the output of `vpn ipsec sa` shows down and no routes populate for the tunnel's remote prefix. Please help.

```
vpn {
    ipsec {
        esp-group vyos {
            compression disable
            lifetime 3600
            mode tunnel
            pfs dh-group14
            proposal 1 {
                encryption aes256
                hash sha512
            }
        }
        ike-group vyos {
            dead-peer-detection {
                action restart
                interval 30
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev2
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha512
            }
        }
        site-to-site {
            peer [vendorIPname] {
                authentication {
                    id [Public customer IP]
                    mode pre-shared-secret
                    pre-shared-secret
                }
                connection-type initiate
                default-esp-group vyos
                ike-group vyos
                ikev2-reauth inherit
                local-address [Public customer IP]
                tunnel 1 {
                    local {
                        prefix [customer local subnet]
                    }
                    remote {
                        prefix [vendor local subnet]
                    }
                }
            }
        }
    }
}
```

```
conn [name]
        auto=route
        type=tunnel
        keyexchange=ikev2
        left=%defaultroute
        leftid=[public vendor IP]
        leftsubnet=[vendor local subnet]
        leftauth=psk
        right=[public customer IP]
        rightsubnet=[customer local subnet]
        rightauth=psk
        #  Security parameters
        ike=aes256-sha2_512-modp2048!
        ikelifetime=8h
        esp=aes256-sha2_512-modp2048!
        lifetime=1h
        #  Retry parameters
        keyingtries=%forever
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
```

Mod Edit: Please people, wrap your config in ```

Looks like an EOL image 🙂

Correct, I'm using VyOS Helium (1.1.7). Are you saying an update fixes the issue?

I think more what he’s saying is that support isn’t provided for such an old, old image. Why not try with the latest rolling or stream image?

This is a production deployment for emergency services in this area. I've only recently taken over these devices and am in the process of getting an LTS image, but in the meanwhile I need to make this work. There is also another VPN instance running on this device that I cannot take down at the moment.

If this is for emergency services then I highly recommend you contact VyOS support and get things done properly. Yes, this will cost money, but if lives are at risk here surely that’s an acceptable thing?

Personally I have no experience with a version of VyOS this old. I started using VyOS back with 1.2.4 I think it was.

I understand how frustrating it is to move into a new position and find you have to support a lot of very old, unmaintained platforms. I've been here myself (thankfully not for anything where lives are at stake).

My suggestion is to try changing `auto=route` to `auto=start` (just to force it to try to come up regardless) and then just debugging the hell out of it via logs. strongSwan is great, but it can be hard to figure out what the problems are without looking deep into the logs.
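A cheap check to run before the log dive: confirm that the VyOS esp-group/ike-group and the strongSwan `ike=`/`esp=` lines really describe the same proposals and lifetimes, since a child-proposal mismatch is one common cause of "IKE SA up, IPsec SA down". This is an added example, not code from the thread or from VyOS/strongSwan; it hard-codes the values posted above and assumes the standard mapping of VyOS `dh-group N` to strongSwan `modpXXXX` keywords.

```python
import re

# Values copied from the two configs in this thread (constructed input,
# hard-coded here rather than read from a running device).
VYOS = {
    "ike": {"encryption": "aes256", "hash": "sha512", "dh-group": "14", "lifetime": 28800},
    "esp": {"encryption": "aes256", "hash": "sha512", "pfs": "dh-group14", "lifetime": 3600},
}
STRONGSWAN = {"ike": "aes256-sha2_512-modp2048!", "ikelifetime": "8h",
              "esp": "aes256-sha2_512-modp2048!", "lifetime": "1h"}

# strongSwan accepts several spellings of the same integrity algorithm;
# fold them onto one name so "sha2_512" and "sha512" compare equal.
ALIASES = {"sha2_256": "sha256", "sha2_384": "sha384", "sha2_512": "sha512"}
# VyOS dh-group number -> strongSwan MODP keyword (assumed mapping, standard groups).
DH = {"2": "modp1024", "5": "modp1536", "14": "modp2048", "15": "modp3072", "16": "modp4096"}

def vyos_proposal(group):
    """Render a VyOS ike-group/esp-group as a strongSwan proposal string.
    Only explicit 'dh-group N', 'pfs dh-groupN' and 'pfs disable' are handled."""
    dh = group.get("dh-group") or group.get("pfs", "disable").replace("dh-group", "")
    base = f"{group['encryption']}-{group['hash']}"
    return base if dh == "disable" else f"{base}-{DH[dh]}"

def normalise(proposal):
    """Strip the strict '!' marker and canonicalise algorithm aliases."""
    return "-".join(ALIASES.get(p, p) for p in proposal.rstrip("!").split("-"))

def seconds(value):
    """Convert a strongSwan lifetime such as '8h', '30s' or '3600' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]

def compare(vyos, swan):
    """Return a list of mismatches between the two sides; an empty list means they agree."""
    problems = []
    for phase, life_key in (("ike", "ikelifetime"), ("esp", "lifetime")):
        want, got = normalise(vyos_proposal(vyos[phase])), normalise(swan[phase])
        if want != got:
            problems.append(f"{phase} proposal: VyOS {want} vs strongSwan {got}")
        if vyos[phase]["lifetime"] != seconds(swan[life_key]):
            problems.append(f"{phase} lifetime: VyOS {vyos[phase]['lifetime']}s vs strongSwan {swan[life_key]}")
    return problems

if __name__ == "__main__":
    print(compare(VYOS, STRONGSWAN) or "proposals and lifetimes match; check traffic selectors and logs next")
```

For the values in this thread the check comes back clean, which points the investigation at the traffic selectors (the two subnet pairs) and the strongSwan logs rather than the algorithm lines.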

Do you know how many vulnerabilities the 1.1.7 version has? It shouldn't be used anywhere.
Contact us, as you probably can get VyOS for Good for emergency services or non-profit organisations: VyOS For Good – VyOS


I am in the midst of getting contracts signed by the higher-ups. Thank you!

Thank you for your suggestions and contributions with this. I am trying to move forward with getting a newer image.
