IPSEC vpn site-to-site tunnels down after reboot

Hi all,
I managed to configure a VyOS VM hosted on OpenStack to connect to my AWS test VPC using vti routed IPSEC tunnels.

Point is that whenever I reboot the VyOS instance, all tunnels are in state “down” even if the strongswan daemon started correctly. A simple “restart vpn” does the trick and everything goes back up.

Is this somehow wanted by design?
If so, what should I change in order to let the tunnels start as soon as VyOS has finished booting?

Thanks in advance

Can you give the result of “show log vpn ipsec”, parsing the log for events after reboot?

Also are you using IKEv2?

Apr 21 13:18:29 vyos-1-test charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.106-amd64-vyos, x86_64)
Apr 21 13:18:29 vyos-1-test ipsec_starter[1755]: starter is already running (/var/run/starter.charon.pid exists) – no fork done
Apr 21 13:18:29 vyos-1-test charon: 00[CFG] PKCS11 module ‘’ lacks library path
Apr 21 13:18:29 vyos-1-test charon: 00[CFG] loading ca certificates from ‘/etc/ipsec.d/cacerts’
Apr 21 13:18:29 vyos-1-test charon: 00[CFG] loading aa certificates from ‘/etc/ipsec.d/aacerts’
Apr 21 13:18:29 vyos-1-test charon: 00[CFG] loading ocsp signer certificates from ‘/etc/ipsec.d/ocspcerts’
Apr 21 13:18:29 vyos-1-test charon: 00[CFG] loading attribute certificates from ‘/etc/ipsec.d/acerts’
Apr 21 13:18:29 vyos-1-test charon: 00[CFG] loading crls from ‘/etc/ipsec.d/crls’
Apr 21 13:18:29 vyos-1-test charon: 00[CFG] loading secrets from ‘/etc/ipsec.secrets’
Apr 21 13:18:29 vyos-1-test charon: 00[CFG] loaded IKE secret for 193.22.137.224 34.248.154.183
Apr 21 13:18:29 vyos-1-test charon: 00[CFG] loaded IKE secret for 193.22.137.224 52.213.158.99
Apr 21 13:18:29 vyos-1-test charon: 00[CFG] loaded 0 RADIUS server configurations
Apr 21 13:18:29 vyos-1-test charon: 00[CFG] HA config misses local/remote address
Apr 21 13:18:29 vyos-1-test charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Apr 21 13:18:29 vyos-1-test charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr 21 13:18:29 vyos-1-test charon: 00[JOB] spawning 16 worker threads
Apr 21 13:18:29 vyos-1-test ipsec_starter[1749]: charon (1750) started after 540 ms
Apr 21 13:18:29 vyos-1-test charon: 16[CFG] received stroke: add connection ‘peer-34.248.154.183-tunnel-vti’
Apr 21 13:18:29 vyos-1-test charon: 16[CFG] added configuration ‘peer-34.248.154.183-tunnel-vti’
Apr 21 13:18:29 vyos-1-test charon: 10[CFG] received stroke: initiate ‘peer-34.248.154.183-tunnel-vti’
Apr 21 13:18:29 vyos-1-test charon: 10[IKE] initiating Main Mode IKE_SA peer-34.248.154.183-tunnel-vti[1] to 34.248.154.183
Apr 21 13:18:29 vyos-1-test charon: 10[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Apr 21 13:18:29 vyos-1-test charon: 10[NET] sending packet: from 193.22.137.224[500] to 34.248.154.183[500] (180 bytes)
Apr 21 13:18:29 vyos-1-test charon: 09[CFG] received stroke: add connection ‘peer-52.213.158.99-tunnel-vti’
Apr 21 13:18:29 vyos-1-test charon: 09[CFG] added configuration ‘peer-52.213.158.99-tunnel-vti’
Apr 21 13:18:29 vyos-1-test charon: 14[CFG] received stroke: initiate ‘peer-52.213.158.99-tunnel-vti’
Apr 21 13:18:29 vyos-1-test charon: 14[IKE] initiating Main Mode IKE_SA peer-52.213.158.99-tunnel-vti[2] to 52.213.158.99
Apr 21 13:18:29 vyos-1-test charon: 14[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Apr 21 13:18:29 vyos-1-test charon: 14[NET] sending packet: from 193.22.137.224[500] to 52.213.158.99[500] (180 bytes)
Apr 21 13:18:29 vyos-1-test charon: 08[NET] received packet: from 34.248.154.183[500] to 193.22.137.224[500] (124 bytes)
Apr 21 13:18:29 vyos-1-test charon: 07[NET] received packet: from 52.213.158.99[500] to 193.22.137.224[500] (124 bytes)
Apr 21 13:18:29 vyos-1-test charon: 08[ENC] parsed ID_PROT response 0 [ SA V V ]
Apr 21 13:18:29 vyos-1-test charon: 07[ENC] parsed ID_PROT response 0 [ SA V V ]
Apr 21 13:18:29 vyos-1-test charon: 07[IKE] received DPD vendor ID
Apr 21 13:18:29 vyos-1-test charon: 07[IKE] received NAT-T (RFC 3947) vendor ID
Apr 21 13:18:29 vyos-1-test charon: 08[IKE] received DPD vendor ID
Apr 21 13:18:29 vyos-1-test charon: 08[IKE] received NAT-T (RFC 3947) vendor ID
Apr 21 13:18:29 vyos-1-test charon: 08[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 21 13:18:29 vyos-1-test charon: 07[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 21 13:18:29 vyos-1-test charon: 08[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 21 13:18:29 vyos-1-test charon: 08[NET] sending packet: from 193.22.137.224[500] to 34.248.154.183[500] (244 bytes)
Apr 21 13:18:29 vyos-1-test charon: 07[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 21 13:18:29 vyos-1-test charon: 07[NET] sending packet: from 193.22.137.224[500] to 52.213.158.99[500] (244 bytes)
Apr 21 13:18:29 vyos-1-test charon: 13[NET] received packet: from 34.248.154.183[500] to 193.22.137.224[500] (228 bytes)
Apr 21 13:18:29 vyos-1-test charon: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr 21 13:18:29 vyos-1-test charon: 05[NET] received packet: from 52.213.158.99[500] to 193.22.137.224[500] (228 bytes)
Apr 21 13:18:29 vyos-1-test charon: 05[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr 21 13:18:29 vyos-1-test charon: 05[IKE] remote host is behind NAT
Apr 21 13:18:29 vyos-1-test charon: 05[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Apr 21 13:18:29 vyos-1-test charon: 05[NET] sending packet: from 193.22.137.224[4500] to 52.213.158.99[4500] (108 bytes)
Apr 21 13:18:29 vyos-1-test charon: 13[IKE] remote host is behind NAT
Apr 21 13:18:29 vyos-1-test charon: 13[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Apr 21 13:18:29 vyos-1-test charon: 13[NET] sending packet: from 193.22.137.224[4500] to 34.248.154.183[4500] (108 bytes)
Apr 21 13:18:29 vyos-1-test charon: 06[NET] received packet: from 52.213.158.99[4500] to 193.22.137.224[4500] (76 bytes)
Apr 21 13:18:29 vyos-1-test charon: 06[ENC] parsed ID_PROT response 0 [ ID HASH V ]
Apr 21 13:18:29 vyos-1-test charon: 06[ENC] received unknown vendor ID: 49:4b:45:76:32
Apr 21 13:18:29 vyos-1-test charon: 06[IKE] IKE_SA peer-52.213.158.99-tunnel-vti[2] established between 193.22.137.224[193.22.137.224]…52.213.158.99[52.213.158.99]
Apr 21 13:18:29 vyos-1-test charon: 06[IKE] scheduling reauthentication in 28022s
Apr 21 13:18:29 vyos-1-test charon: 06[IKE] maximum IKE_SA lifetime 28562s
Apr 21 13:18:29 vyos-1-test charon: 06[ENC] generating QUICK_MODE request 4134439583 [ HASH SA No KE ID ID ]
Apr 21 13:18:29 vyos-1-test charon: 06[NET] sending packet: from 193.22.137.224[4500] to 52.213.158.99[4500] (316 bytes)
Apr 21 13:18:29 vyos-1-test charon: 16[NET] received packet: from 34.248.154.183[4500] to 193.22.137.224[4500] (76 bytes)
Apr 21 13:18:29 vyos-1-test charon: 16[ENC] parsed ID_PROT response 0 [ ID HASH V ]
Apr 21 13:18:29 vyos-1-test charon: 16[ENC] received unknown vendor ID: 49:4b:45:76:32
Apr 21 13:18:29 vyos-1-test charon: 16[IKE] IKE_SA peer-34.248.154.183-tunnel-vti[1] established between 193.22.137.224[193.22.137.224]…34.248.154.183[34.248.154.183]
Apr 21 13:18:29 vyos-1-test charon: 16[IKE] scheduling reauthentication in 28032s
Apr 21 13:18:29 vyos-1-test charon: 16[IKE] maximum IKE_SA lifetime 28572s
Apr 21 13:18:29 vyos-1-test charon: 16[ENC] generating QUICK_MODE request 2899531295 [ HASH SA No KE ID ID ]
Apr 21 13:18:29 vyos-1-test charon: 16[NET] sending packet: from 193.22.137.224[4500] to 34.248.154.183[4500] (316 bytes)
Apr 21 13:18:30 vyos-1-test charon: 10[NET] received packet: from 52.213.158.99[4500] to 193.22.137.224[4500] (300 bytes)
Apr 21 13:18:30 vyos-1-test charon: 10[ENC] parsed QUICK_MODE response 4134439583 [ HASH SA No KE ID ID ]
Apr 21 13:18:30 vyos-1-test charon: 11[NET] received packet: from 34.248.154.183[4500] to 193.22.137.224[4500] (300 bytes)
Apr 21 13:18:30 vyos-1-test charon: 10[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Apr 21 13:18:30 vyos-1-test charon: 11[ENC] parsed QUICK_MODE response 2899531295 [ HASH SA No KE ID ID ]
Apr 21 13:18:30 vyos-1-test charon: 11[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Apr 21 13:18:30 vyos-1-test charon: 10[IKE] CHILD_SA peer-52.213.158.99-tunnel-vti{1} established with SPIs c4d365c2_i 324c08d8_o and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 21 13:18:30 vyos-1-test charon: 11[IKE] CHILD_SA peer-34.248.154.183-tunnel-vti{2} established with SPIs c13510bd_i 59552ed7_o and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 21 13:18:30 vyos-1-test charon: 10[ENC] generating QUICK_MODE request 4134439583 [ HASH ]
Apr 21 13:18:30 vyos-1-test charon: 11[CHD] updown: RTNETLINK answers: No such process
Apr 21 13:18:30 vyos-1-test charon: 10[NET] sending packet: from 193.22.137.224[4500] to 52.213.158.99[4500] (60 bytes)
Apr 21 13:18:30 vyos-1-test charon: 11[ENC] generating QUICK_MODE request 2899531295 [ HASH ]
Apr 21 13:18:30 vyos-1-test charon: 11[NET] sending packet: from 193.22.137.224[4500] to 34.248.154.183[4500] (60 bytes)
Apr 21 13:18:36 vyos-1-test charon: 09[NET] received packet: from 52.213.158.99[4500] to 193.22.137.224[4500] (92 bytes)
Apr 21 13:18:36 vyos-1-test charon: 09[ENC] parsed INFORMATIONAL_V1 request 1454073570 [ HASH N(DPD) ]
Apr 21 13:18:36 vyos-1-test charon: 09[ENC] generating INFORMATIONAL_V1 request 2178428233 [ HASH N(DPD_ACK) ]
Apr 21 13:18:36 vyos-1-test charon: 09[NET] sending packet: from 193.22.137.224[4500] to 52.213.158.99[4500] (92 bytes)
Apr 21 13:18:36 vyos-1-test charon: 09[NET] received packet: from 52.213.158.99[4500] to 193.22.137.224[4500] (76 bytes)
Apr 21 13:18:36 vyos-1-test charon: 09[ENC] parsed INFORMATIONAL_V1 request 1662169137 [ HASH D ]
Apr 21 13:18:36 vyos-1-test charon: 09[IKE] received DELETE for ESP CHILD_SA with SPI 324c08d8
Apr 21 13:18:36 vyos-1-test charon: 09[IKE] closing CHILD_SA peer-52.213.158.99-tunnel-vti{1} with SPIs c4d365c2_i (0 bytes) 324c08d8_o (0 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 21 13:18:36 vyos-1-test charon: 09[KNL] error uninstalling route installed with policy 0.0.0.0/0 === 0.0.0.0/0 out ( mark 9437186/0xffffffff)
Apr 21 13:18:36 vyos-1-test charon: 11[NET] received packet: from 52.213.158.99[4500] to 193.22.137.224[4500] (76 bytes)
Apr 21 13:18:36 vyos-1-test charon: 11[ENC] parsed INFORMATIONAL_V1 request 2544248524 [ HASH D ]
Apr 21 13:18:36 vyos-1-test charon: 11[IKE] received DELETE for ESP CHILD_SA with SPI 6ae89b75
Apr 21 13:18:36 vyos-1-test charon: 11[IKE] CHILD_SA not found, ignored
Apr 21 13:18:36 vyos-1-test charon: 15[NET] received packet: from 52.213.158.99[4500] to 193.22.137.224[4500] (92 bytes)
Apr 21 13:18:36 vyos-1-test charon: 15[ENC] parsed INFORMATIONAL_V1 request 1488930708 [ HASH D ]
Apr 21 13:18:36 vyos-1-test charon: 15[IKE] received DELETE for IKE_SA peer-52.213.158.99-tunnel-vti[2]
Apr 21 13:18:36 vyos-1-test charon: 15[IKE] deleting IKE_SA peer-52.213.158.99-tunnel-vti[2] between 193.22.137.224[193.22.137.224]…52.213.158.99[52.213.158.99]
Apr 21 13:18:38 vyos-1-test charon: 07[NET] received packet: from 34.248.154.183[4500] to 193.22.137.224[4500] (76 bytes)
Apr 21 13:18:38 vyos-1-test charon: 07[ENC] parsed INFORMATIONAL_V1 request 3291773723 [ HASH D ]
Apr 21 13:18:38 vyos-1-test charon: 07[IKE] received DELETE for ESP CHILD_SA with SPI 238a24f7
Apr 21 13:18:38 vyos-1-test charon: 07[IKE] CHILD_SA not found, ignored
Apr 21 13:18:38 vyos-1-test charon: 12[NET] received packet: from 34.248.154.183[4500] to 193.22.137.224[4500] (92 bytes)
Apr 21 13:18:38 vyos-1-test charon: 12[ENC] parsed INFORMATIONAL_V1 request 437439622 [ HASH N(DPD) ]
Apr 21 13:18:38 vyos-1-test charon: 12[ENC] generating INFORMATIONAL_V1 request 2193480375 [ HASH N(DPD_ACK) ]
Apr 21 13:18:38 vyos-1-test charon: 12[NET] sending packet: from 193.22.137.224[4500] to 34.248.154.183[4500] (92 bytes)
Apr 21 13:18:38 vyos-1-test charon: 13[NET] received packet: from 34.248.154.183[4500] to 193.22.137.224[4500] (76 bytes)
Apr 21 13:18:38 vyos-1-test charon: 13[ENC] parsed INFORMATIONAL_V1 request 791120643 [ HASH D ]
Apr 21 13:18:38 vyos-1-test charon: 13[IKE] received DELETE for ESP CHILD_SA with SPI 59552ed7
Apr 21 13:18:38 vyos-1-test charon: 13[IKE] closing CHILD_SA peer-34.248.154.183-tunnel-vti{2} with SPIs c13510bd_i (0 bytes) 59552ed7_o (0 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 21 13:18:38 vyos-1-test charon: 05[NET] received packet: from 34.248.154.183[4500] to 193.22.137.224[4500] (92 bytes)
Apr 21 13:18:38 vyos-1-test charon: 05[ENC] parsed INFORMATIONAL_V1 request 3400101018 [ HASH D ]
Apr 21 13:18:38 vyos-1-test charon: 05[IKE] received DELETE for IKE_SA peer-34.248.154.183-tunnel-vti[1]
Apr 21 13:18:38 vyos-1-test charon: 05[IKE] deleting IKE_SA peer-34.248.154.183-tunnel-vti[1] between 193.22.137.224[193.22.137.224]…34.248.154.183[34.248.154.183]

Do you also need logs after restart vpn command?
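The log above is long, and what matters for the question is the sequence per connection: IKE_SA established, CHILD_SA established, an updown script error, then DELETE notifications arriving from the AWS side (some for SPIs this instance never had, which charon reports as “CHILD_SA not found, ignored”). The following parser is an added example, not code from the thread or from VyOS; it walks “show log vpn ipsec” output once and produces a per-connection state summary so that pattern is visible at a glance. The sample log is constructed (RFC 5737 addresses, made-up SPIs) in the same format as the thread’s output, and the regexes assume the standard charon line layout `thread[SUBSYSTEM] message`.

```python
import re

# Constructed sample modelled on the "show log vpn ipsec" output quoted in
# this thread; addresses are RFC 5737 documentation ranges, SPIs are made up.
SAMPLE_LOG = """\
Apr 21 13:18:29 vyos-1-test charon: 10[IKE] initiating Main Mode IKE_SA peer-198.51.100.10-tunnel-vti[1] to 198.51.100.10
Apr 21 13:18:29 vyos-1-test charon: 16[IKE] IKE_SA peer-198.51.100.10-tunnel-vti[1] established between 192.0.2.1[192.0.2.1]...198.51.100.10[198.51.100.10]
Apr 21 13:18:30 vyos-1-test charon: 11[IKE] CHILD_SA peer-198.51.100.10-tunnel-vti{2} established with SPIs c13510bd_i 59552ed7_o and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 21 13:18:30 vyos-1-test charon: 11[CHD] updown: RTNETLINK answers: No such process
Apr 21 13:18:38 vyos-1-test charon: 07[IKE] received DELETE for ESP CHILD_SA with SPI 238a24f7
Apr 21 13:18:38 vyos-1-test charon: 07[IKE] CHILD_SA not found, ignored
Apr 21 13:18:38 vyos-1-test charon: 13[IKE] received DELETE for ESP CHILD_SA with SPI 59552ed7
Apr 21 13:18:38 vyos-1-test charon: 13[IKE] closing CHILD_SA peer-198.51.100.10-tunnel-vti{2} with SPIs c13510bd_i (0 bytes) 59552ed7_o (0 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
Apr 21 13:18:38 vyos-1-test charon: 05[IKE] received DELETE for IKE_SA peer-198.51.100.10-tunnel-vti[1]
Apr 21 13:18:38 vyos-1-test charon: 05[IKE] deleting IKE_SA peer-198.51.100.10-tunnel-vti[1] between 192.0.2.1[192.0.2.1]...198.51.100.10[198.51.100.10]
Apr 21 13:18:40 vyos-1-test charon: 09[IKE] IKE_SA peer-203.0.113.7-tunnel-vti[3] established between 192.0.2.1[192.0.2.1]...203.0.113.7[203.0.113.7]
Apr 21 13:18:41 vyos-1-test charon: 09[IKE] CHILD_SA peer-203.0.113.7-tunnel-vti{4} established with SPIs 0a1b2c3d_i 4e5f6a7b_o and TS 0.0.0.0/0 === 0.0.0.0/0
"""

# syslog prefix, then "<thread>[<SUBSYSTEM>] <message>" as charon writes it
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$"
)
# connection name as VyOS generates it, followed by the IKE_SA [n] / CHILD_SA {n} id
CONN_RE = re.compile(r"(?P<conn>peer-[^\s\[{]+)[\[{]\d+[\]}]")
SPI_RE = re.compile(r"\b([0-9a-f]{8})_[io]\b")


def new_state(ts):
    return {"ike": "down", "child": "down", "peer_deleted": False, "last_event": ts}


def summarize(log_text):
    """Walk the charon log once; return per-connection SA state plus the
    counters that cannot be attributed to a single connection."""
    conns = {}
    # SPIs the remote peer asked us to delete, matched against the 'closing' line that follows
    pending_spi_deletes = set()
    counters = {"updown_errors": 0, "unknown_spi_deletes": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, sub, msg = m.group("ts"), m.group("sub"), m.group("msg")
        if sub == "CHD" and msg.startswith("updown:") and "RTNETLINK" in msg:
            counters["updown_errors"] += 1      # route/interface plumbing failed in the updown hook
            continue
        if sub != "IKE":
            continue
        if msg.startswith("received DELETE for ESP CHILD_SA with SPI "):
            pending_spi_deletes.add(msg.rsplit(" ", 1)[1])
            continue
        if msg == "CHILD_SA not found, ignored":
            counters["unknown_spi_deletes"] += 1  # peer deleted an SA this instance never had
            continue
        cm = CONN_RE.search(msg)
        if not cm:
            continue
        st = conns.setdefault(cm.group("conn"), new_state(ts))
        st["last_event"] = ts
        if msg.startswith("IKE_SA ") and " established " in msg:
            st["ike"] = "up"
        elif msg.startswith("CHILD_SA ") and " established " in msg:
            st["child"] = "up"
        elif msg.startswith("closing CHILD_SA "):
            st["child"] = "down"
            if pending_spi_deletes.intersection(SPI_RE.findall(msg)):
                st["peer_deleted"] = True       # the close was triggered by the peer's DELETE
        elif msg.startswith("received DELETE for IKE_SA "):
            st["peer_deleted"] = True
        elif msg.startswith("deleting IKE_SA "):
            st["ike"] = "down"
    return {"connections": conns, **counters}


def report(summary):
    """Human-readable one line per connection, followed by the global counters."""
    lines = []
    for conn, st in sorted(summary["connections"].items()):
        verdict = "up" if st["ike"] == "up" and st["child"] == "up" else "down"
        if st["peer_deleted"]:
            verdict += " (torn down by remote peer)"
        lines.append(f"{conn}: {verdict}, last event {st['last_event']}")
    lines.append(f"updown script errors: {summary['updown_errors']}, "
                 f"DELETEs for SPIs this instance never had: {summary['unknown_spi_deletes']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

Run against a real capture (for example `show log vpn ipsec | cat > /tmp/ipsec.log` and then feed the file to `summarize`), a connection that ends up “down (torn down by remote peer)” seconds after “established”, together with a non-zero count of DELETEs for unknown SPIs, is the signature of the remote side still holding SAs from before the reboot; a connection that never reaches “established” at all points at a different problem (proposal or secret mismatch) and should be read from the [CFG] and [IKE] lines directly.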

Nope, IKEv1.

Well, first switch to IKEv2 and I bet your issue will be solved :wink:

It worked! Thanks!
Do you have an explanation for that? It doesn’t make much sense to me :neutral_face:

IKEv1 doesn’t have a good mechanism to handle a disconnected peer / broken session. You can use dead peer detection but it’s not very efficient.

IKEv2 has major improvements in this domain, among others.
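For reference, the IKE-group settings the answer points at, written out as an added example in VyOS 1.2 configuration syntax (this is not configuration from the thread). The group name AWS, the DPD interval and timeout, and the lifetime are assumptions to adapt; the proposal mirrors the one the log above shows being selected (AES_CBC_128 / HMAC_SHA1 / MODP_1024, which is dh-group 2).

```vyos
# switch the IKE group used by the AWS peers from IKEv1 to IKEv2
set vpn ipsec ike-group AWS key-exchange ikev2

# dead peer detection: probe every 15 s, declare the peer dead after 30 s
# of silence and re-initiate the tunnel instead of leaving it down (values assumed)
set vpn ipsec ike-group AWS dead-peer-detection action restart
set vpn ipsec ike-group AWS dead-peer-detection interval 15
set vpn ipsec ike-group AWS dead-peer-detection timeout 30

# IKE SA lifetime in seconds (assumed value)
set vpn ipsec ike-group AWS lifetime 28800

# proposal matching the one negotiated in the log above
set vpn ipsec ike-group AWS proposal 1 encryption aes128
set vpn ipsec ike-group AWS proposal 1 hash sha1
set vpn ipsec ike-group AWS proposal 1 dh-group 2

# bind the group to each site-to-site peer (placeholder address)
set vpn ipsec site-to-site peer <AWS-TUNNEL-OUTSIDE-IP> ike-group AWS
```

After commit, check the tunnels with “show vpn ipsec sa”; with IKEv2 a tunnel that comes up after a reboot should show an established IKE SA and CHILD SA rather than the establish-then-DELETE sequence visible in the IKEv1 log, and DPD with action restart re-initiates a tunnel the remote side has torn down without a manual “restart vpn”.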
