IPSec VPN 'Timed out while resetting vpn ipsec peer' VyOS 1.4-rolling-202201080317

Hi
I have an IPSec VPN between two vyos vms version VyOS 1.4-rolling-202201080317
Every so often the VPN disconnects and resetting the VPN from both ends, fails with

vyos@peer-2:~$ reset vpn ipsec-peer peer-1-ip
Timed out while resetting peer_peer-1-ip_vti
Peer reset result: failed
vyos@peer-2:~$ reset vpn ipsec-peer peer-1-ip
Timed out while resetting peer_peer-1-ip_vti
Peer reset result: failed

This is sometimes mitigated by first running restart vpn and then attempting a reset after.
Could this be a problem with my configuration, or something else?
Would really appreciate some insights.

My configs are:

peer-2
set vpn ipsec esp-group esp-vyos0 compression ‘disable’
set vpn ipsec esp-group esp-vyos0 lifetime ‘3600’
set vpn ipsec esp-group esp-vyos0 mode ‘tunnel’
set vpn ipsec esp-group esp-vyos0 pfs ‘dh-group19’
set vpn ipsec esp-group esp-vyos0 proposal 10 encryption ‘aes256gcm128’
set vpn ipsec esp-group esp-vyos0 proposal 10 hash ‘sha256’

set vpn ipsec ike-group ike-vyos0 dead-peer-detection action ‘restart’
set vpn ipsec ike-group ike-vyos0 dead-peer-detection interval ‘30’
set vpn ipsec ike-group ike-vyos0 dead-peer-detection timeout ‘120’
set vpn ipsec ike-group ike-vyos0 ikev2-reauth ‘no’
set vpn ipsec ike-group ike-vyos0 key-exchange ‘ikev2’
set vpn ipsec ike-group ike-vyos0 lifetime ‘10800’
set vpn ipsec ike-group ike-vyos0 mobike ‘disable’
set vpn ipsec ike-group ike-vyos0 proposal 10 dh-group ‘19’
set vpn ipsec ike-group ike-vyos0 proposal 10 encryption ‘aes256gcm128’
set vpn ipsec ike-group ike-vyos0 proposal 10 hash ‘sha256’
set vpn ipsec site-to-site peer peer-1-ip ike-group ‘ike-vyos0’

peer-1
set vpn ipsec ike-group ike-vyos1 dead-peer-detection action ‘restart’
set vpn ipsec ike-group ike-vyos1 dead-peer-detection interval ‘30’
set vpn ipsec ike-group ike-vyos1 dead-peer-detection timeout ‘120’
set vpn ipsec ike-group ike-vyos1 ikev2-reauth ‘no’
set vpn ipsec ike-group ike-vyos1 key-exchange ‘ikev2’
set vpn ipsec ike-group ike-vyos1 lifetime ‘10800’
set vpn ipsec ike-group ike-vyos1 mobike ‘disable’
set vpn ipsec ike-group ike-vyos1 proposal 10 dh-group ‘19’
set vpn ipsec ike-group ike-vyos1 proposal 10 encryption ‘aes256gcm128’
set vpn ipsec ike-group ike-vyos1 proposal 10 hash ‘sha256’
set vpn ipsec site-to-site peer peer-2-ip ike-group ‘ike-vyos1’

set vpn ipsec esp-group esp-vyos1 compression ‘disable’
set vpn ipsec esp-group esp-vyos1 lifetime ‘3600’
set vpn ipsec esp-group esp-vyos1 mode ‘tunnel’
set vpn ipsec esp-group esp-vyos1 pfs ‘dh-group19’
set vpn ipsec esp-group esp-vyos1 proposal 10 encryption ‘aes256gcm128’
set vpn ipsec esp-group esp-vyos1 proposal 10 hash ‘sha256’
set vpn ipsec site-to-site peer peer-2-ip default-esp-group ‘esp-vyos1’
set vpn ipsec site-to-site peer peer-2-ip vti esp-group ‘esp-vyos1’

hi @sinaowolabi , could you please also provide the logs and the outputs below:

sudo journalctl -x | grep charon
sudo cat /etc/swanctl/swanctl.conf

Maybe something will be shown there.

peer-1-swanctl.conf.txt (2.3 KB)
Thanks!
Charon.log is really large so I’ll upload it a bit later, but here’s the swanctl.conf from peer-1.

As I understand it is impossible to reset the peer if connection with this peer was not established.
And it is possible if 1 or both phases a established

Ok but what am I doing wrong here? Is anything wrong with the ipsec configuration?

Charon logs are here:

It was too big to upload (315MB)

And Ive updated vyos to the latest, on both vms, (1.4-rolling-202203130618), and here are charon logs, outage-peer1.txt (76.7 KB)
outage-peer2.txt (115.8 KB)
from the outage experienced this morning and my attempts to manually reset the tunnel (using restart vpn and reset vpn ipsec-peer <peer ip> commands).

Also the VPN problems seem to occur daily around this time, and also during the afternoon, so about twice each day.

I would really appreciate any insights.

@sinaowolabi try to use aes256gcm96 encryption with dh-group 19 or change dh-group to 20 with aes256gcm128 encryption algo. Here you could find compatibility table in strongswan documentation: IKEv2 Cipher Suites - strongSwan

Ok, I have changed aes256gcm128 to aes256gcm96 and have reset the tunnel.
Hoping this will help.

VPN died again, attaching sanitized logs from yesterday till this morning.
Hopefully some new insights can be obtained?

outage-peer1.txt (280.0 KB)
outage-peer2.txt (239.6 KB)

Oh just realized I flubbed the reconfiguration suggested (applied to esp and not to ike).
Regardless, I would appreciate any other tips.

@sinaowolabi okay seems strange, maybe checking full logs may show something useful in this case. Also, try to specify one side as initiator and the other one as a responder under the vpn configuration. Mybe there are any connectivity issues between devices or something platform related? Try to check your setup with different rolling releases, that might also help.