I am trying to migrate away from pfSense, so I have installed a VyOS 1.4.2 VM at a cloud provider to announce my IPv6 networks over BGP, from my home lab.
The home lab is running a Palo Alto Networks firewall, so I have to use IPsec from the PAN to the VyOS to announce my prefixes.
This worked as expected in pfSense, but in VyOS, even though both phases are up, I can just get through a few pings before traffic drops:
admin@ip6:~$ ping 2001:67c:339a:ff::2 source-address 2001:67c:339a:ff::1
PING 2001:67c:339a:ff::2(2001:67c:339a:ff::2) from 2001:67c:339a:ff::1 : 56 data bytes
From 2001:67c:339a:ff::1 icmp_seq=1 Destination unreachable: Address unreachable
From 2001:67c:339a:ff::1 icmp_seq=2 Destination unreachable: Address unreachable
From 2001:67c:339a:ff::1 icmp_seq=3 Destination unreachable: Address unreachable
From 2001:67c:339a:ff::1 icmp_seq=61 Destination unreachable: Address unreachable
From 2001:67c:339a:ff::1 icmp_seq=62 Destination unreachable: Address unreachable
64 bytes from 2001:67c:339a:ff::2: icmp_seq=63 ttl=63 time=15.5 ms
64 bytes from 2001:67c:339a:ff::2: icmp_seq=64 ttl=63 time=15.9 ms
64 bytes from 2001:67c:339a:ff::2: icmp_seq=88 ttl=63 time=16.5 ms
64 bytes from 2001:67c:339a:ff::2: icmp_seq=89 ttl=63 time=15.0 ms
64 bytes from 2001:67c:339a:ff::2: icmp_seq=90 ttl=63 time=14.8 ms
I got traffic flowing again when I manually initiated from the PAN device, but it quickly stops again.
Relevant config:
set interfaces vti vti0 address '2001:67c:339a:ff::1/126'
set interfaces vti vti0 mtu '1280'
set vpn ipsec authentication psk ike-example-com id 'ike.example2.com'
set vpn ipsec authentication psk ike-example-com id 'ike.example.com'
set vpn ipsec authentication psk ike-example-com secret 'longstringhere'
set vpn ipsec esp-group modern-crypto lifetime '3600'
set vpn ipsec esp-group modern-crypto mode 'tunnel'
set vpn ipsec esp-group modern-crypto pfs 'dh-group1'
set vpn ipsec esp-group modern-crypto proposal 1 encryption 'aes128'
set vpn ipsec esp-group modern-crypto proposal 1 hash 'sha1'
set vpn ipsec ike-group modern-crypto ikev2-reauth
set vpn ipsec ike-group modern-crypto key-exchange 'ikev2'
set vpn ipsec ike-group modern-crypto lifetime '28800'
set vpn ipsec ike-group modern-crypto proposal 1 dh-group '1'
set vpn ipsec ike-group modern-crypto proposal 1 encryption 'aes128'
set vpn ipsec ike-group modern-crypto proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer ike-example-com authentication local-id 'ike.example2.com'
set vpn ipsec site-to-site peer ike-example-com authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer ike-example-com authentication remote-id 'ike.example.com'
set vpn ipsec site-to-site peer ike-example-com connection-type 'initiate'
set vpn ipsec site-to-site peer ike-example-com ike-group 'modern-crypto'
set vpn ipsec site-to-site peer ike-example-com ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer ike-example-com local-address '185.125.172.170'
set vpn ipsec site-to-site peer ike-example-com remote-address 'ike.example.com'
set vpn ipsec site-to-site peer ike-example-com vti bind 'vti0'
set vpn ipsec site-to-site peer ike-example-com vti esp-group 'modern-crypto'
Oh, forgot to paste the logs…
I can’t see any obvious errors here
May 30 19:07:35 systemd[1]: Starting strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
May 30 19:07:35 charon[5275]: 00[DMN] Starting charon-systemd IKE daemon (strongSwan 5.9.11, Linux 6.6.79-amd64-vyos, x86_64)
May 30 19:07:35 charon-systemd[5275]: Starting charon-systemd IKE daemon (strongSwan 5.9.11, Linux 6.6.79-amd64-vyos, x86_64)
May 30 19:07:35 charon[5275]: 00[CFG] PKCS11 module '<name>' lacks library path
May 30 19:07:35 charon-systemd[5275]: PKCS11 module '<name>' lacks library path
May 30 19:07:35 charon[5275]: 00[PTS] TPM 2.0 - could not load "libtss2-tcti-tabrmd.so.0"
May 30 19:07:35 charon-systemd[5275]: TPM 2.0 - could not load "libtss2-tcti-tabrmd.so.0"
May 30 19:07:35 charon[5275]: 00[LIB] plugin 'tpm': failed to load - tpm_plugin_create returned NULL
May 30 19:07:35 charon-systemd[5275]: plugin 'tpm': failed to load - tpm_plugin_create returned NULL
May 30 19:07:35 charon[5275]: 00[LIB] providers loaded by OpenSSL: legacy default
May 30 19:07:35 charon-systemd[5275]: providers loaded by OpenSSL: legacy default
May 30 19:07:35 charon[5275]: 00[CFG] install DNS servers in '/etc/resolv.conf'
May 30 19:07:35 charon-systemd[5275]: install DNS servers in '/etc/resolv.conf'
May 30 19:07:35 charon[5275]: 00[NET] using forecast interface eth0
May 30 19:07:35 charon-systemd[5275]: using forecast interface eth0
May 30 19:07:35 charon[5275]: 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
May 30 19:07:35 swanctl[5299]: loaded ike secret 'ike-ike-example-com'
May 30 19:07:35 swanctl[5299]: no authorities found, 0 unloaded
May 30 19:07:35 swanctl[5299]: no pools found, 0 unloaded
May 30 19:07:35 swanctl[5299]: loaded connection 'ike-example-com'
May 30 19:07:35 swanctl[5299]: successfully loaded 1 connections, 0 unloaded
May 30 19:07:35 charon-systemd[5275]: joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
May 30 19:07:35 charon[5275]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 30 19:07:35 charon-systemd[5275]: loading ca certificates from '/etc/ipsec.d/cacerts'
May 30 19:07:35 charon[5275]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 30 19:07:35 charon-systemd[5275]: loading aa certificates from '/etc/ipsec.d/aacerts'
May 30 19:07:35 charon[5275]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 30 19:07:35 charon-systemd[5275]: loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 30 19:07:35 charon[5275]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 30 19:07:35 charon-systemd[5275]: loading attribute certificates from '/etc/ipsec.d/acerts'
May 30 19:07:35 charon[5275]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 30 19:07:35 charon-systemd[5275]: loading crls from '/etc/ipsec.d/crls'
May 30 19:07:35 charon[5275]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 30 19:07:35 charon-systemd[5275]: loading secrets from '/etc/ipsec.secrets'
May 30 19:07:35 charon[5275]: 00[CFG] opening secrets file '/etc/ipsec.secrets' failed: No such file or directory
May 30 19:07:35 charon-systemd[5275]: opening secrets file '/etc/ipsec.secrets' failed: No such file or directory
May 30 19:07:35 charon[5275]: 00[CFG] loaded 0 RADIUS server configurations
May 30 19:07:35 charon-systemd[5275]: loaded 0 RADIUS server configurations
May 30 19:07:35 charon[5275]: 00[CFG] HA config misses local/remote address
May 30 19:07:35 charon-systemd[5275]: HA config misses local/remote address
May 30 19:07:35 charon[5275]: 00[LIB] loaded plugins: charon-systemd test-vectors pkcs11 aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark forecast stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire addrblock counters
May 30 19:07:35 charon-systemd[5275]: loaded plugins: charon-systemd test-vectors pkcs11 aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark forecast stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire addrblock counters
May 30 19:07:35 charon[5275]: 00[LIB] dropped capabilities, running as uid 0, gid 0
May 30 19:07:35 charon-systemd[5275]: dropped capabilities, running as uid 0, gid 0
May 30 19:07:35 charon[5275]: 00[JOB] spawning 16 worker threads
May 30 19:07:35 charon-systemd[5275]: spawning 16 worker threads
May 30 19:07:35 charon[5275]: 04[CFG] loaded IKE shared key with id 'ike-ike-example-com' for: 'ip6-2.example.com', 'ike.example.com'
May 30 19:07:35 charon-systemd[5275]: loaded IKE shared key with id 'ike-ike-example-com' for: 'ip6-2.example.com', 'ike.example.com'
May 30 19:07:35 charon[5275]: 06[CFG] added vici connection: ike-example-com
May 30 19:07:35 charon-systemd[5275]: added vici connection: ike-example-com
May 30 19:07:35 charon[5275]: 06[CFG] initiating 'ike-example-com-vti'
May 30 19:07:35 charon-systemd[5275]: initiating 'ike-example-com-vti'
May 30 19:07:35 charon[5275]: 06[IKE] <ike-example-com|1> initiating IKE_SA ike-example-com[1] to 83.243.133.133
May 30 19:07:35 charon-systemd[5275]: initiating IKE_SA ike-example-com[1] to 83.243.133.133
May 30 19:07:35 charon[5275]: 06[ENC] <ike-example-com|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 30 19:07:35 charon-systemd[5275]: generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 30 19:07:35 charon[5275]: 06[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (332 bytes)
May 30 19:07:35 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (332 bytes)
May 30 19:07:35 systemd[1]: Started strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
May 30 19:07:35 charon[5275]: 02[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (244 bytes)
May 30 19:07:35 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (244 bytes)
May 30 19:07:35 charon[5275]: 02[ENC] <ike-example-com|1> parsed IKE_SA_INIT response 0 [ SA KE No ]
May 30 19:07:35 charon-systemd[5275]: parsed IKE_SA_INIT response 0 [ SA KE No ]
May 30 19:07:35 charon[5275]: 02[CFG] <ike-example-com|1> selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521
May 30 19:07:35 charon-systemd[5275]: selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_521
May 30 19:07:35 charon[5275]: 02[IKE] <ike-example-com|1> authentication of 'ip6-2.example.com' (myself) with pre-shared key
May 30 19:07:35 charon-systemd[5275]: authentication of 'ip6-2.example.com' (myself) with pre-shared key
May 30 19:07:35 charon[5275]: 02[IKE] <ike-example-com|1> establishing CHILD_SA ike-example-com-vti{1}
May 30 19:07:35 charon-systemd[5275]: establishing CHILD_SA ike-example-com-vti{1}
May 30 19:07:35 charon[5275]: 02[ENC] <ike-example-com|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
May 30 19:07:35 charon-systemd[5275]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
May 30 19:07:35 charon[5275]: 02[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (391 bytes)
May 30 19:07:35 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (391 bytes)
May 30 19:07:35 charon[5275]: 03[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (248 bytes)
May 30 19:07:35 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (248 bytes)
May 30 19:07:35 charon[5275]: 03[ENC] <ike-example-com|1> parsed IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr ]
May 30 19:07:35 charon-systemd[5275]: parsed IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr ]
May 30 19:07:35 charon[5275]: 03[IKE] <ike-example-com|1> authentication of 'ike.example.com' with pre-shared key successful
May 30 19:07:35 charon-systemd[5275]: authentication of 'ike.example.com' with pre-shared key successful
May 30 19:07:35 charon[5275]: 03[IKE] <ike-example-com|1> IKE_SA ike-example-com[1] established between 185.14.97.41[ip6-2.example.com]...83.243.133.133[ike.example.com]
May 30 19:07:35 charon-systemd[5275]: IKE_SA ike-example-com[1] established between 185.14.97.41[ip6-2.example.com]...83.243.133.133[ike.example.com]
May 30 19:07:35 charon[5275]: 03[IKE] <ike-example-com|1> scheduling rekeying in 27139s
May 30 19:07:35 charon-systemd[5275]: scheduling rekeying in 27139s
May 30 19:07:35 charon[5275]: 03[IKE] <ike-example-com|1> maximum IKE_SA lifetime 30019s
May 30 19:07:35 charon-systemd[5275]: maximum IKE_SA lifetime 30019s
May 30 19:07:35 charon[5275]: 03[IKE] <ike-example-com|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
May 30 19:07:35 charon-systemd[5275]: received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
May 30 19:07:35 charon[5275]: 03[CFG] <ike-example-com|1> selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
May 30 19:07:35 charon-systemd[5275]: selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
May 30 19:07:35 charon[5275]: 03[IKE] <ike-example-com|1> CHILD_SA ike-example-com-vti{1} established with SPIs c3d2c04a_i 83d23a8d_o and TS 0.0.0.0/0 === 0.0.0.0/0
May 30 19:07:35 charon-systemd[5275]: CHILD_SA ike-example-com-vti{1} established with SPIs c3d2c04a_i 83d23a8d_o and TS 0.0.0.0/0 === 0.0.0.0/0
May 30 19:07:35 vti-up-down[5306]: Interface vti0 up-client ike-example-com-vti
May 30 19:07:35 sudo[5307]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/ip route delete default table 220
May 30 19:07:35 sudo[5307]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
May 30 19:07:35 sudo[5307]: pam_unix(sudo:session): session closed for user root
May 30 19:07:35 charon[5275]: 03[CHD] <ike-example-com|1> updown: Error: FIB table does not exist.
May 30 19:07:35 charon-systemd[5275]: updown: Error: FIB table does not exist.
May 30 19:07:35 sudo[5327]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/dmidecode -t 4
May 30 19:07:35 sudo[5327]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
May 30 19:07:35 sudo[5327]: pam_unix(sudo:session): session closed for user root
May 30 19:07:36 sudo[5338]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/ip link set vti0 up
May 30 19:07:36 sudo[5338]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
May 30 19:07:36 sudo[5338]: pam_unix(sudo:session): session closed for user root
May 30 19:07:41 charon[5275]: 11[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:07:41 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:07:41 charon[5275]: 11[ENC] <ike-example-com|1> parsed INFORMATIONAL request 0 [ ]
May 30 19:07:41 charon-systemd[5275]: parsed INFORMATIONAL request 0 [ ]
May 30 19:07:41 charon[5275]: 11[ENC] <ike-example-com|1> generating INFORMATIONAL response 0 [ ]
May 30 19:07:41 charon-systemd[5275]: generating INFORMATIONAL response 0 [ ]
May 30 19:07:41 charon[5275]: 11[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:07:41 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:07:46 charon[5275]: 14[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:07:46 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:07:46 charon[5275]: 14[ENC] <ike-example-com|1> parsed INFORMATIONAL request 1 [ ]
May 30 19:07:46 charon-systemd[5275]: parsed INFORMATIONAL request 1 [ ]
May 30 19:07:46 charon[5275]: 14[ENC] <ike-example-com|1> generating INFORMATIONAL response 1 [ ]
May 30 19:07:46 charon-systemd[5275]: generating INFORMATIONAL response 1 [ ]
May 30 19:07:46 charon[5275]: 14[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:07:46 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:07:51 charon[5275]: 14[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:07:51 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:07:51 charon[5275]: 14[ENC] <ike-example-com|1> parsed INFORMATIONAL request 2 [ ]
May 30 19:07:51 charon-systemd[5275]: parsed INFORMATIONAL request 2 [ ]
May 30 19:07:51 charon[5275]: 14[ENC] <ike-example-com|1> generating INFORMATIONAL response 2 [ ]
May 30 19:07:51 charon-systemd[5275]: generating INFORMATIONAL response 2 [ ]
May 30 19:07:51 charon[5275]: 14[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:07:51 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:07:56 charon[5275]: 16[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:07:56 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:07:56 charon[5275]: 16[ENC] <ike-example-com|1> parsed INFORMATIONAL request 3 [ ]
May 30 19:07:56 charon-systemd[5275]: parsed INFORMATIONAL request 3 [ ]
May 30 19:07:56 charon[5275]: 16[ENC] <ike-example-com|1> generating INFORMATIONAL response 3 [ ]
May 30 19:07:56 charon-systemd[5275]: generating INFORMATIONAL response 3 [ ]
May 30 19:07:56 charon[5275]: 16[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:07:56 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:00 charon[5275]: 15[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (424 bytes)
May 30 19:08:00 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (424 bytes)
May 30 19:08:00 charon[5275]: 15[ENC] <ike-example-com|1> parsed CREATE_CHILD_SA request 4 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
May 30 19:08:00 charon-systemd[5275]: parsed CREATE_CHILD_SA request 4 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
May 30 19:08:00 charon[5275]: 15[IKE] <ike-example-com|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
May 30 19:08:00 charon-systemd[5275]: received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
May 30 19:08:00 charon[5275]: 15[CFG] <ike-example-com|1> selected proposal: ESP:AES_GCM_16_256/ECP_521/NO_EXT_SEQ
May 30 19:08:00 charon-systemd[5275]: selected proposal: ESP:AES_GCM_16_256/ECP_521/NO_EXT_SEQ
May 30 19:08:00 charon[5275]: 15[CFG] <ike-example-com|1> updating reqid for policy 0.0.0.0/0 === 0.0.0.0/0 in from 1 to 2
May 30 19:08:00 charon-systemd[5275]: updating reqid for policy 0.0.0.0/0 === 0.0.0.0/0 in from 1 to 2
May 30 19:08:00 charon[5275]: 15[CFG] <ike-example-com|1> updating reqid for policy 0.0.0.0/0 === 0.0.0.0/0 fwd from 1 to 2
May 30 19:08:00 charon-systemd[5275]: updating reqid for policy 0.0.0.0/0 === 0.0.0.0/0 fwd from 1 to 2
May 30 19:08:00 charon[5275]: 15[CFG] <ike-example-com|1> updating reqid for policy 0.0.0.0/0 === 0.0.0.0/0 out from 1 to 2
May 30 19:08:00 charon-systemd[5275]: updating reqid for policy 0.0.0.0/0 === 0.0.0.0/0 out from 1 to 2
May 30 19:08:00 charon[5275]: 15[IKE] <ike-example-com|1> CHILD_SA ike-example-com-vti{2} established with SPIs c548c33f_i f2bb9f7d_o and TS 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
May 30 19:08:00 charon-systemd[5275]: CHILD_SA ike-example-com-vti{2} established with SPIs c548c33f_i f2bb9f7d_o and TS 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
May 30 19:08:00 vti-up-down[5374]: Interface vti0 up-client ike-example-com-vti
May 30 19:08:01 sudo[5375]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/ip route delete default table 220
May 30 19:08:01 sudo[5375]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
May 30 19:08:01 sudo[5375]: pam_unix(sudo:session): session closed for user root
May 30 19:08:01 charon[5275]: 15[CHD] <ike-example-com|1> updown: Error: FIB table does not exist.
May 30 19:08:01 charon-systemd[5275]: updown: Error: FIB table does not exist.
May 30 19:08:01 vti-up-down[5379]: Interface vti0 up-client-v6 ike-example-com-vti
May 30 19:08:01 charon[5275]: 15[ENC] <ike-example-com|1> generating CREATE_CHILD_SA response 4 [ SA No KE TSi TSr ]
May 30 19:08:01 charon-systemd[5275]: generating CREATE_CHILD_SA response 4 [ SA No KE TSi TSr ]
May 30 19:08:01 charon[5275]: 15[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (405 bytes)
May 30 19:08:01 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (405 bytes)
May 30 19:08:01 charon[5275]: 11[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:01 charon[5275]: 11[ENC] <ike-example-com|1> parsed INFORMATIONAL request 5 [ ]
May 30 19:08:01 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:01 charon[5275]: 11[ENC] <ike-example-com|1> generating INFORMATIONAL response 5 [ ]
May 30 19:08:01 charon-systemd[5275]: parsed INFORMATIONAL request 5 [ ]
May 30 19:08:01 charon[5275]: 11[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:01 charon-systemd[5275]: generating INFORMATIONAL response 5 [ ]
May 30 19:08:01 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:03 charon[5275]: 04[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:03 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:03 charon[5275]: 04[ENC] <ike-example-com|1> parsed INFORMATIONAL request 6 [ D ]
May 30 19:08:03 charon-systemd[5275]: parsed INFORMATIONAL request 6 [ D ]
May 30 19:08:03 charon[5275]: 04[IKE] <ike-example-com|1> received DELETE for ESP CHILD_SA with SPI 83d23a8d
May 30 19:08:03 charon-systemd[5275]: received DELETE for ESP CHILD_SA with SPI 83d23a8d
May 30 19:08:03 charon[5275]: 04[IKE] <ike-example-com|1> closing CHILD_SA ike-example-com-vti{1} with SPIs c3d2c04a_i (2016 bytes) 83d23a8d_o (0 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
May 30 19:08:03 charon-systemd[5275]: closing CHILD_SA ike-example-com-vti{1} with SPIs c3d2c04a_i (2016 bytes) 83d23a8d_o (0 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
May 30 19:08:03 charon[5275]: 04[IKE] <ike-example-com|1> sending DELETE for ESP CHILD_SA with SPI c3d2c04a
May 30 19:08:03 charon-systemd[5275]: sending DELETE for ESP CHILD_SA with SPI c3d2c04a
May 30 19:08:03 charon[5275]: 04[IKE] <ike-example-com|1> CHILD_SA closed
May 30 19:08:03 charon-systemd[5275]: CHILD_SA closed
May 30 19:08:03 vti-up-down[5382]: Interface vti0 down-client ike-example-com-vti
May 30 19:08:03 sudo[5384]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/ip link set vti0 down
May 30 19:08:03 sudo[5384]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
May 30 19:08:03 sudo[5384]: pam_unix(sudo:session): session closed for user root
May 30 19:08:03 charon[5275]: 04[ENC] <ike-example-com|1> generating INFORMATIONAL response 6 [ D ]
May 30 19:08:03 charon-systemd[5275]: generating INFORMATIONAL response 6 [ D ]
May 30 19:08:03 charon[5275]: 04[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (69 bytes)
May 30 19:08:03 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (69 bytes)
May 30 19:08:08 charon[5275]: 06[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:08 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:08 charon[5275]: 06[ENC] <ike-example-com|1> parsed INFORMATIONAL request 7 [ ]
May 30 19:08:08 charon-systemd[5275]: parsed INFORMATIONAL request 7 [ ]
May 30 19:08:08 charon[5275]: 06[ENC] <ike-example-com|1> generating INFORMATIONAL response 7 [ ]
May 30 19:08:08 charon-systemd[5275]: generating INFORMATIONAL response 7 [ ]
May 30 19:08:08 charon[5275]: 06[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:08 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:13 charon[5275]: 11[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:13 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:13 charon[5275]: 11[ENC] <ike-example-com|1> parsed INFORMATIONAL request 8 [ ]
May 30 19:08:13 charon-systemd[5275]: parsed INFORMATIONAL request 8 [ ]
May 30 19:08:13 charon[5275]: 11[ENC] <ike-example-com|1> generating INFORMATIONAL response 8 [ ]
May 30 19:08:13 charon-systemd[5275]: generating INFORMATIONAL response 8 [ ]
May 30 19:08:13 charon[5275]: 11[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:13 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:18 charon[5275]: 06[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:18 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:18 charon[5275]: 06[ENC] <ike-example-com|1> parsed INFORMATIONAL request 9 [ ]
May 30 19:08:18 charon-systemd[5275]: parsed INFORMATIONAL request 9 [ ]
May 30 19:08:18 charon[5275]: 06[ENC] <ike-example-com|1> generating INFORMATIONAL response 9 [ ]
May 30 19:08:18 charon-systemd[5275]: generating INFORMATIONAL response 9 [ ]
May 30 19:08:18 charon[5275]: 06[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:18 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:23 charon[5275]: 16[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:23 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:23 charon[5275]: 16[ENC] <ike-example-com|1> parsed INFORMATIONAL request 10 [ ]
May 30 19:08:23 charon-systemd[5275]: parsed INFORMATIONAL request 10 [ ]
May 30 19:08:23 charon[5275]: 16[ENC] <ike-example-com|1> generating INFORMATIONAL response 10 [ ]
May 30 19:08:23 charon-systemd[5275]: generating INFORMATIONAL response 10 [ ]
May 30 19:08:23 charon[5275]: 16[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:23 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:28 charon[5275]: 12[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:28 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:28 charon[5275]: 12[ENC] <ike-example-com|1> parsed INFORMATIONAL request 11 [ ]
May 30 19:08:28 charon-systemd[5275]: parsed INFORMATIONAL request 11 [ ]
May 30 19:08:28 charon[5275]: 12[ENC] <ike-example-com|1> generating INFORMATIONAL response 11 [ ]
May 30 19:08:28 charon-systemd[5275]: generating INFORMATIONAL response 11 [ ]
May 30 19:08:28 charon[5275]: 12[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:28 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:33 charon[5275]: 03[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:33 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:33 charon[5275]: 03[ENC] <ike-example-com|1> parsed INFORMATIONAL request 12 [ ]
May 30 19:08:33 charon-systemd[5275]: parsed INFORMATIONAL request 12 [ ]
May 30 19:08:33 charon[5275]: 03[ENC] <ike-example-com|1> generating INFORMATIONAL response 12 [ ]
May 30 19:08:33 charon-systemd[5275]: generating INFORMATIONAL response 12 [ ]
May 30 19:08:33 charon[5275]: 03[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:33 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:38 charon[5275]: 05[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:38 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:38 charon[5275]: 05[ENC] <ike-example-com|1> parsed INFORMATIONAL request 13 [ ]
May 30 19:08:38 charon-systemd[5275]: parsed INFORMATIONAL request 13 [ ]
May 30 19:08:38 charon[5275]: 05[ENC] <ike-example-com|1> generating INFORMATIONAL response 13 [ ]
May 30 19:08:38 charon-systemd[5275]: generating INFORMATIONAL response 13 [ ]
May 30 19:08:38 charon[5275]: 05[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:38 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:43 charon[5275]: 06[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:43 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:43 charon[5275]: 06[ENC] <ike-example-com|1> parsed INFORMATIONAL request 14 [ ]
May 30 19:08:43 charon-systemd[5275]: parsed INFORMATIONAL request 14 [ ]
May 30 19:08:43 charon[5275]: 06[ENC] <ike-example-com|1> generating INFORMATIONAL response 14 [ ]
May 30 19:08:43 charon-systemd[5275]: generating INFORMATIONAL response 14 [ ]
May 30 19:08:43 charon[5275]: 06[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:43 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:48 charon[5275]: 03[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:48 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:48 charon[5275]: 03[ENC] <ike-example-com|1> parsed INFORMATIONAL request 15 [ ]
May 30 19:08:48 charon-systemd[5275]: parsed INFORMATIONAL request 15 [ ]
May 30 19:08:48 charon[5275]: 03[ENC] <ike-example-com|1> generating INFORMATIONAL response 15 [ ]
May 30 19:08:48 charon-systemd[5275]: generating INFORMATIONAL response 15 [ ]
May 30 19:08:48 charon[5275]: 03[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:48 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:53 charon[5275]: 05[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:53 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:53 charon[5275]: 05[ENC] <ike-example-com|1> parsed INFORMATIONAL request 16 [ ]
May 30 19:08:53 charon-systemd[5275]: parsed INFORMATIONAL request 16 [ ]
May 30 19:08:53 charon[5275]: 05[ENC] <ike-example-com|1> generating INFORMATIONAL response 16 [ ]
May 30 19:08:53 charon-systemd[5275]: generating INFORMATIONAL response 16 [ ]
May 30 19:08:53 charon[5275]: 05[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:53 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:58 charon[5275]: 16[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:58 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:08:58 charon[5275]: 16[ENC] <ike-example-com|1> parsed INFORMATIONAL request 17 [ ]
May 30 19:08:58 charon-systemd[5275]: parsed INFORMATIONAL request 17 [ ]
May 30 19:08:58 charon[5275]: 16[ENC] <ike-example-com|1> generating INFORMATIONAL response 17 [ ]
May 30 19:08:58 charon-systemd[5275]: generating INFORMATIONAL response 17 [ ]
May 30 19:08:58 charon[5275]: 16[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:08:58 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:09:03 charon[5275]: 15[NET] <ike-example-com|1> received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:09:03 charon-systemd[5275]: received packet: from 83.243.133.133[500] to 185.14.97.41[500] (72 bytes)
May 30 19:09:03 charon[5275]: 15[ENC] <ike-example-com|1> parsed INFORMATIONAL request 18 [ ]
May 30 19:09:03 charon-systemd[5275]: parsed INFORMATIONAL request 18 [ ]
May 30 19:09:03 charon[5275]: 15[ENC] <ike-example-com|1> generating INFORMATIONAL response 18 [ ]
May 30 19:09:03 charon-systemd[5275]: generating INFORMATIONAL response 18 [ ]
May 30 19:09:03 charon[5275]: 15[NET] <ike-example-com|1> sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
May 30 19:09:03 charon-systemd[5275]: sending packet: from 185.14.97.41[500] to 83.243.133.133[500] (57 bytes)
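Added example, not part of the original post and not VyOS or strongSwan code: a small Python pass over log lines of the kind pasted above. It tracks which CHILD_SAs are established and flags any point where "ip link set <vti> down" runs while a CHILD_SA bound to that interface is still live. The embedded excerpt is copied from the log above; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Excerpt copied from the log in the post above (only the lines the check needs).
LOG_EXCERPT = """\
May 30 19:07:35 charon[5275]: 03[IKE] <ike-example-com|1> CHILD_SA ike-example-com-vti{1} established with SPIs c3d2c04a_i 83d23a8d_o and TS 0.0.0.0/0 === 0.0.0.0/0
May 30 19:07:35 vti-up-down[5306]: Interface vti0 up-client ike-example-com-vti
May 30 19:07:36 sudo[5338]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/ip link set vti0 up
May 30 19:08:00 charon[5275]: 15[IKE] <ike-example-com|1> CHILD_SA ike-example-com-vti{2} established with SPIs c548c33f_i f2bb9f7d_o and TS 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
May 30 19:08:00 vti-up-down[5374]: Interface vti0 up-client ike-example-com-vti
May 30 19:08:03 charon[5275]: 04[IKE] <ike-example-com|1> closing CHILD_SA ike-example-com-vti{1} with SPIs c3d2c04a_i (2016 bytes) 83d23a8d_o (0 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
May 30 19:08:03 vti-up-down[5382]: Interface vti0 down-client ike-example-com-vti
May 30 19:08:03 sudo[5384]: root : PWD=/ ; USER=root ; COMMAND=/usr/sbin/ip link set vti0 down
"""

TS_RE = re.compile(r"^(\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) ")
UP_RE = re.compile(r"CHILD_SA (\S+)\{(\d+)\} established with SPIs")
CLOSE_RE = re.compile(r"closing CHILD_SA (\S+)\{(\d+)\} with SPIs")
HOOK_RE = re.compile(
    r"vti-up-down\[\d+\]: Interface (\S+) (?:up|down)-client(?:-v6)? (\S+)"
)
LINK_RE = re.compile(r"COMMAND=/usr/sbin/ip link set (\S+) (up|down)\s*$")


def analyse(log_text):
    """Replay the log and return (findings, link_state, live_child_sas).

    A finding is recorded each time an interface is set down while at least
    one CHILD_SA bound to it is still established. Duplicate charon /
    charon-systemd lines are harmless because the state is kept in sets.
    """
    live = defaultdict(set)   # child SA name -> unique ids currently established
    bound = {}                # interface -> child SA name, from vti-up-down lines
    link = {}                 # interface -> last state set through "ip link set"
    findings = []

    for line in log_text.splitlines():
        ts_match = TS_RE.match(line)
        if not ts_match:
            continue
        ts = ts_match.group(1)

        if (m := UP_RE.search(line)):
            live[m.group(1)].add(int(m.group(2)))
        elif (m := CLOSE_RE.search(line)):
            live[m.group(1)].discard(int(m.group(2)))
        elif (m := HOOK_RE.search(line)):
            bound[m.group(1)] = m.group(2)
        elif (m := LINK_RE.search(line)):
            iface, state = m.groups()
            link[iface] = state
            survivors = sorted(live.get(bound.get(iface), ()))
            if state == "down" and survivors:
                findings.append({
                    "time": ts,
                    "interface": iface,
                    "child_sa": bound[iface],
                    "live_ids": survivors,
                })

    return findings, link, {name: sorted(ids) for name, ids in live.items()}


if __name__ == "__main__":
    findings, link, live = analyse(LOG_EXCERPT)
    for f in findings:
        print(f"{f['time']}: {f['interface']} set down while "
              f"{f['child_sa']} {f['live_ids']} still established")
    print("final link state:", link)
    print("final live CHILD_SAs:", live)
```

On the excerpt it reports vti0 being set down at 19:08:03 while CHILD_SA {2} from the 19:08:00 rekey is still established, and the interface is still down at the end of the excerpt.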