IPSec VPN 'Timed out while resetting vpn ipsec peer' VyOS 1.4-rolling-202201080317

Hi
I have an IPSec VPN between two VyOS VMs, version VyOS 1.4-rolling-202201080317.
Every so often the VPN disconnects, and resetting the VPN from both ends fails with:

vyos@peer-2:~$ reset vpn ipsec-peer peer-1-ip
Timed out while resetting peer_peer-1-ip_vti
Peer reset result: failed
vyos@peer-2:~$ reset vpn ipsec-peer peer-1-ip
Timed out while resetting peer_peer-1-ip_vti
Peer reset result: failed

This is sometimes mitigated by first running restart vpn and then attempting a reset after.
Could this be a problem with my configuration, or something else?
Would really appreciate some insights.

My configs are:

peer-2
set vpn ipsec esp-group esp-vyos0 compression 'disable'
set vpn ipsec esp-group esp-vyos0 lifetime '3600'
set vpn ipsec esp-group esp-vyos0 mode 'tunnel'
set vpn ipsec esp-group esp-vyos0 pfs 'dh-group19'
set vpn ipsec esp-group esp-vyos0 proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group esp-vyos0 proposal 10 hash 'sha256'

set vpn ipsec ike-group ike-vyos0 dead-peer-detection action 'restart'
set vpn ipsec ike-group ike-vyos0 dead-peer-detection interval '30'
set vpn ipsec ike-group ike-vyos0 dead-peer-detection timeout '120'
set vpn ipsec ike-group ike-vyos0 ikev2-reauth 'no'
set vpn ipsec ike-group ike-vyos0 key-exchange 'ikev2'
set vpn ipsec ike-group ike-vyos0 lifetime '10800'
set vpn ipsec ike-group ike-vyos0 mobike 'disable'
set vpn ipsec ike-group ike-vyos0 proposal 10 dh-group '19'
set vpn ipsec ike-group ike-vyos0 proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group ike-vyos0 proposal 10 hash 'sha256'
set vpn ipsec site-to-site peer peer-1-ip ike-group 'ike-vyos0'

peer-1
set vpn ipsec ike-group ike-vyos1 dead-peer-detection action 'restart'
set vpn ipsec ike-group ike-vyos1 dead-peer-detection interval '30'
set vpn ipsec ike-group ike-vyos1 dead-peer-detection timeout '120'
set vpn ipsec ike-group ike-vyos1 ikev2-reauth 'no'
set vpn ipsec ike-group ike-vyos1 key-exchange 'ikev2'
set vpn ipsec ike-group ike-vyos1 lifetime '10800'
set vpn ipsec ike-group ike-vyos1 mobike 'disable'
set vpn ipsec ike-group ike-vyos1 proposal 10 dh-group '19'
set vpn ipsec ike-group ike-vyos1 proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group ike-vyos1 proposal 10 hash 'sha256'
set vpn ipsec site-to-site peer peer-2-ip ike-group 'ike-vyos1'

set vpn ipsec esp-group esp-vyos1 compression 'disable'
set vpn ipsec esp-group esp-vyos1 lifetime '3600'
set vpn ipsec esp-group esp-vyos1 mode 'tunnel'
set vpn ipsec esp-group esp-vyos1 pfs 'dh-group19'
set vpn ipsec esp-group esp-vyos1 proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group esp-vyos1 proposal 10 hash 'sha256'
set vpn ipsec site-to-site peer peer-2-ip default-esp-group 'esp-vyos1'
set vpn ipsec site-to-site peer peer-2-ip vti esp-group 'esp-vyos1'

Hi @sinaowolabi, could you please also provide the logs and the outputs below:

sudo journalctl -x | grep charon
sudo cat /etc/swanctl/swanctl.conf

Maybe something will be shown there.

peer-1-swanctl.conf.txt (2.3 KB)
Thanks!
Charon.log is really large so I’ll upload it a bit later, but here’s the swanctl.conf from peer-1.

As I understand it, it is impossible to reset the peer if the connection with this peer was not established.
It is possible if one or both phases are established.

Ok but what am I doing wrong here? Is anything wrong with the ipsec configuration?

Charon logs are here:

It was too big to upload (315MB)

And I've updated VyOS to the latest on both VMs (1.4-rolling-202203130618), and here are the charon logs, outage-peer1.txt (76.7 KB)
outage-peer2.txt (115.8 KB)
from the outage experienced this morning and my attempts to manually reset the tunnel (using restart vpn and reset vpn ipsec-peer <peer ip> commands).

Also the VPN problems seem to occur daily around this time, and also during the afternoon, so about twice each day.

I would really appreciate any insights.

@sinaowolabi try to use aes256gcm96 encryption with dh-group 19, or change dh-group to 20 with the aes256gcm128 encryption algorithm. You can find the compatibility table in the strongSwan documentation: IKEv2 Cipher Suites :: strongSwan Documentation

Ok, I have changed aes256gcm128 to aes256gcm96 and have reset the tunnel.
Hoping this will help.

VPN died again, attaching sanitized logs from yesterday till this morning.
Hopefully some new insights can be obtained?

outage-peer1.txt (280.0 KB)
outage-peer2.txt (239.6 KB)

Oh just realized I flubbed the reconfiguration suggested (applied to esp and not to ike).
Regardless, I would appreciate any other tips.

@sinaowolabi okay, seems strange; maybe checking the full logs will show something useful in this case. Also, try to specify one side as initiator and the other one as responder under the vpn configuration. Maybe there are connectivity issues between the devices, or something platform-related? Try to check your setup with different rolling releases, that might also help.
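Before changing ciphers or initiator/responder roles, the first thing to rule out is that the two ends do not apply the same IKE and ESP parameters. The following checker is an added example (not from the thread and not VyOS tooling): it parses the `set vpn ipsec ...` command form posted above for both peers, resolves each site-to-site peer to its ike-group and esp-group, and reports every value that differs end to end, as well as a peer entry that binds no esp-group; the sample configs are constructed from the ones in the thread, trimmed to the keys that must match.

```python
from __future__ import annotations

# Constructed sample: the two configurations posted in the thread, trimmed to
# the keys that must agree end to end (quotes stripped, as the parser would).
PEER2 = """
set vpn ipsec esp-group esp-vyos0 lifetime 3600
set vpn ipsec esp-group esp-vyos0 pfs dh-group19
set vpn ipsec esp-group esp-vyos0 proposal 10 encryption aes256gcm128
set vpn ipsec ike-group ike-vyos0 dead-peer-detection timeout 120
set vpn ipsec ike-group ike-vyos0 lifetime 10800
set vpn ipsec ike-group ike-vyos0 proposal 10 dh-group 19
set vpn ipsec ike-group ike-vyos0 proposal 10 encryption aes256gcm128
set vpn ipsec site-to-site peer peer-1-ip ike-group ike-vyos0
"""
# peer-1 as posted: the same groups under the vyos1 names, plus the vti esp-group binding.
PEER1 = (PEER2.replace("vyos0", "vyos1").replace("peer-1-ip", "peer-2-ip")
         + "set vpn ipsec site-to-site peer peer-2-ip vti esp-group esp-vyos1\n")


def parse(text: str) -> tuple[dict, dict]:
    """Return ({(kind, group-name): {key: value}}, {peer-name: {key: value}})."""
    groups, peers = {}, {}
    for line in text.strip().splitlines():
        tok = [t.strip("'\u2018\u2019") for t in line.split()]  # straight or curly quotes
        if tok[:3] != ["set", "vpn", "ipsec"]:
            continue
        if tok[3] == "site-to-site":  # set vpn ipsec site-to-site peer <name> <key...> <value>
            peers.setdefault(tok[5], {})[" ".join(tok[6:-1])] = tok[-1]
        else:  # set vpn ipsec <ike-group|esp-group> <name> <key...> <value>
            groups.setdefault((tok[3], tok[4]), {})[" ".join(tok[5:-1])] = tok[-1]
    return groups, peers


def compare(local: str, remote: str) -> list[str]:
    """List every end-to-end difference; an empty list means both ends agree."""
    findings, sides = [], {}
    for name, text in (("local", local), ("remote", remote)):
        groups, peers = parse(text)
        peer, binding = next(iter(peers.items()))  # first site-to-site peer on this side
        esp = binding.get("default-esp-group") or binding.get("vti esp-group")
        if esp is None:
            findings.append(f"{name}: peer {peer} binds no esp-group")
        sides[name] = {"ike": groups.get(("ike-group", binding.get("ike-group")), {}),
                       "esp": groups.get(("esp-group", esp), {})}
    for phase in ("ike", "esp"):
        a, b = sides["local"][phase], sides["remote"][phase]
        for key in sorted(a.keys() | b.keys()):
            if a.get(key) != b.get(key):
                findings.append(f"{phase} {key}: local={a.get(key)} remote={b.get(key)}")
    return findings
```

Run `compare(PEER2, PEER1)` on the configs as posted and the only IKE-side finding is none; the ESP side reports that peer-2's site-to-site entry binds no esp-group, which is worth confirming in the full configuration before looking at cipher choices.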