Multiple IPsec tunnels - only one shows as up

I have a remote environment with multiple firewalls, and I’m trying to set up two routes to them as a backup.

On my local VyOS only one connection shows as up:

Local

show vpn ipsec connections

Connection         State    Type    Remote address    Local TS         Remote TS        Local id    Remote id    Proposal
-----------------  -------  ------  ----------------  ---------------  ---------------  ----------  -----------  -------------------------------------
REMOTE01           down     IKEv2   1.2.3.4           -                -                LOCAL       REMOTE01     -
REMOTE01-tunnel-1  down     IPsec   1.2.3.4           192.168.99.2/32  192.168.99.1/32  LOCAL       REMOTE01     -
REMOTE03           up       IKEv2   1.2.3.5           -                -                LOCAL       REMOTE03     AES_CBC/256/HMAC_SHA2_512_256/ECP_521
REMOTE03-tunnel-1  up       IPsec   1.2.3.5           192.168.99.2/32  192.168.99.3/32  LOCAL       REMOTE03     AES_CBC/256/HMAC_SHA2_512_256/None

show vpn ipsec sa

Connection         State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-----------------  -------  --------  --------------  ----------------  ----------------  -----------  -----------------------------
REMOTE01-tunnel-1  up       26m40s    3M/2M           5K/7K             1.2.3.4           REMOTE01     AES_CBC_256/HMAC_SHA2_512_256
REMOTE03-tunnel-1  up       16m53s    57K/10K         391/112           1.2.3.5           REMOTE03     AES_CBC_256/HMAC_SHA2_512_256

Remote

Remote01

show vpn ipsec connections

Connection       State    Type    Remote address         Local TS         Remote TS        Local id    Remote id    Proposal
---------------  -------  ------  ---------------------  ---------------  ---------------  ----------  -----------  -------------------------------------
LOCAL            up       IKEv2   local.fqdn.com         -                -                REMOTE01    LOCAL        AES_CBC/256/HMAC_SHA2_512_256/ECP_521
LOCAL-tunnel-1   up       IPsec   local.fqdn.com         192.168.99.1/32  192.168.99.2/32  REMOTE01    LOCAL        AES_CBC/256/HMAC_SHA2_512_256/None

show vpn ipsec sa

Connection       State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
---------------  -------  --------  --------------  ----------------  ----------------  -----------  -----------------------------
LOCAL-tunnel-1   up       32m43s    2M/4M           8K/6K             4.3.2.1           LOCAL        AES_CBC_256/HMAC_SHA2_512_256

Remote03

show vpn ipsec connections

Connection       State    Type    Remote address         Local TS         Remote TS        Local id    Remote id    Proposal
---------------  -------  ------  ---------------------  ---------------  ---------------  ----------  -----------  -------------------------------------
LOCAL            up       IKEv2   local.fqdn.com         -                -                REMOTE03    LOCAL        AES_CBC/256/HMAC_SHA2_512_256/ECP_521
LOCAL-tunnel-1   up       IPsec   local.fqdn.com         192.168.99.3/32  192.168.99.2/32  REMOTE03    LOCAL        AES_CBC/256/HMAC_SHA2_512_256/None

show vpn ipsec sa

Connection       State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
---------------  -------  --------  --------------  ----------------  ----------------  -----------  -----------------------------
LOCAL-tunnel-1   up       20m59s    12K/68K         137/492           4.3.2.1           LOCAL        AES_CBC_256/HMAC_SHA2_512_256

I have tried changing names and IPs on both sides to see if it’s just overlapping names that are causing it, since I’m using tunnel-1 etc. on both sides. But nothing seems to help; I’m still only getting a single connection listed as up. Both tunnels seem to work as expected though.

Is this a bug?

Could you send an example of the configuration?

show conf com | match vpn
sudo swanctl -L
sudo swanctl -l

Config

set vpn ipsec esp-group ESPG1 lifetime '3600'
set vpn ipsec esp-group ESPG1 mode 'tunnel'
set vpn ipsec esp-group ESPG1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESPG1 proposal 1 hash 'sha512'
set vpn ipsec ike-group IKEG1 close-action 'restart'
set vpn ipsec ike-group IKEG1 dead-peer-detection action 'restart'
set vpn ipsec ike-group IKEG1 dead-peer-detection interval '15'
set vpn ipsec ike-group IKEG1 dead-peer-detection timeout '30'
set vpn ipsec ike-group IKEG1 ikev2-reauth
set vpn ipsec ike-group IKEG1 key-exchange 'ikev2'
set vpn ipsec ike-group IKEG1 lifetime '28800'
set vpn ipsec ike-group IKEG1 proposal 1 dh-group '21'
set vpn ipsec ike-group IKEG1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKEG1 proposal 1 hash 'sha512'
set vpn ipsec interface 'pppoe0'
set vpn ipsec site-to-site peer REMOTE01 authentication local-id 'LOCAL'
set vpn ipsec site-to-site peer REMOTE01 authentication mode 'rsa'
set vpn ipsec site-to-site peer REMOTE01 authentication remote-id 'REMOTE01'
set vpn ipsec site-to-site peer REMOTE01 authentication rsa local-key 'ipsec-LOCAL'
set vpn ipsec site-to-site peer REMOTE01 authentication rsa remote-key 'ipsec-REMOTE01'
set vpn ipsec site-to-site peer REMOTE01 connection-type 'initiate'
set vpn ipsec site-to-site peer REMOTE01 default-esp-group 'ESPG1'
set vpn ipsec site-to-site peer REMOTE01 ike-group 'IKEG1'
set vpn ipsec site-to-site peer REMOTE01 local-address 'any'
set vpn ipsec site-to-site peer REMOTE01 remote-address '1.2.3.4'
set vpn ipsec site-to-site peer REMOTE01 tunnel 1 local prefix '192.168.99.2/32'
set vpn ipsec site-to-site peer REMOTE01 tunnel 1 remote prefix '192.168.99.1/32'
set vpn ipsec site-to-site peer REMOTE03 authentication local-id 'LOCAL'
set vpn ipsec site-to-site peer REMOTE03 authentication mode 'rsa'
set vpn ipsec site-to-site peer REMOTE03 authentication remote-id 'REMOTE03'
set vpn ipsec site-to-site peer REMOTE03 authentication rsa local-key 'ipsec-LOCAL'
set vpn ipsec site-to-site peer REMOTE03 authentication rsa remote-key 'ipsec-REMOTE03'
set vpn ipsec site-to-site peer REMOTE03 connection-type 'initiate'
set vpn ipsec site-to-site peer REMOTE03 default-esp-group 'ESPG1'
set vpn ipsec site-to-site peer REMOTE03 ike-group 'IKEG1'
set vpn ipsec site-to-site peer REMOTE03 local-address 'any'
set vpn ipsec site-to-site peer REMOTE03 remote-address '1.2.3.5'
set vpn ipsec site-to-site peer REMOTE03 tunnel 1 local prefix '192.168.99.2/32'
set vpn ipsec site-to-site peer REMOTE03 tunnel 1 remote prefix '192.168.99.3/32'

sudo swanctl -L

REMOTE01: IKEv2, no reauthentication, rekeying every 28800s, dpd delay 15s
  local:  %any
  remote: 1.2.3.4
  local public key authentication:
    id: LOCAL
    certs: LOCAL
  remote public key authentication:
    id: REMOTE01
    certs: REMOTE01
  REMOTE01-tunnel-1: TUNNEL, rekeying every 3600s, dpd action is restart
    local:  192.168.99.2/32
    remote: 192.168.99.1/32
REMOTE03: IKEv2, no reauthentication, rekeying every 28800s, dpd delay 15s
  local:  %any
  remote: 1.2.3.5
  local public key authentication:
    id: LOCAL
    certs: LOCAL
  remote public key authentication:
    id: REMOTE03
    certs: REMOTE03
  REMOTE03-tunnel-1: TUNNEL, rekeying every 3600s, dpd action is restart
    local:  192.168.99.2/32
    remote: 192.168.99.3/32

sudo swanctl -l

REMOTE01: #5, ESTABLISHED, IKEv2, 71b8f4b58e1b25ec_i 2df235f73439c048_r*
  local  'LOCAL' @ x.x.x.205[4500]
  remote 'REMOTE01' @ 1.2.3.4[4500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
  established 26s ago, rekeying in 26690s
  REMOTE01-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_512_256
    installed 26s ago, rekeying in 3574s, expires in 3574s
    in  c040fb30,    972 bytes,     8 packets,     5s ago
    out ca6465e6,   1296 bytes,     8 packets,     6s ago
    local  192.168.99.2/32
    remote 192.168.99.1/32
REMOTE03: #3, ESTABLISHED, IKEv2, a2e9695facea0fad_i 02e9061f881d69cf_r*
  local  'LOCAL' @ x.x.x.205[4500]
  remote 'REMOTE03' @ 1.2.3.5[4500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
  established 37s ago, rekeying in 28477s
  REMOTE03-tunnel-1: #3, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_512_256
    installed 37s ago, rekeying in 3563s, expires in 3563s
    in  caac306a,   1572 bytes,    13 packets,     6s ago
    out cb6a5852,   1660 bytes,    13 packets,     6s ago
    local  192.168.99.2/32
    remote 192.168.99.3/32
REMOTE03: #2, CONNECTING, IKEv2, 0d04c67009209fe4_i* 5ad524a9c8c87061_r
  local  'LOCAL' @ x.x.x.205[4500]
  remote 'REMOTE03' @ 1.2.3.5[4500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521
  active:  IKE_CERT_PRE IKE_AUTH IKE_CERT_POST CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
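
To cross-check what the CLI summarises, here is an added example, not part of this thread or of VyOS’s own code: a small Python parser for the `swanctl -l` text above. It keeps every IKE_SA instance of a connection (the output shows REMOTE03 twice, one ESTABLISHED and one CONNECTING), reports a connection as up when any instance is ESTABLISHED with its CHILD_SA INSTALLED, and flags the duplicate instance. The embedded sample is the posted output trimmed to the lines the parser reads; the regexes assume only the swanctl text layout shown here, and the script name `ipsec_status.py` in the usage note is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the `sudo swanctl -l` output posted above, trimmed to the
# lines the parser needs. REMOTE03 appears twice: one ESTABLISHED IKE_SA carrying
# the installed CHILD_SA and one CONNECTING instance with no children yet.
SAMPLE = """\
REMOTE01: #5, ESTABLISHED, IKEv2, 71b8f4b58e1b25ec_i 2df235f73439c048_r*
  local  'LOCAL' @ x.x.x.205[4500]
  remote 'REMOTE01' @ 1.2.3.4[4500]
  established 26s ago, rekeying in 26690s
  REMOTE01-tunnel-1: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_512_256
    installed 26s ago, rekeying in 3574s, expires in 3574s
    local  192.168.99.2/32
    remote 192.168.99.1/32
REMOTE03: #3, ESTABLISHED, IKEv2, a2e9695facea0fad_i 02e9061f881d69cf_r*
  local  'LOCAL' @ x.x.x.205[4500]
  remote 'REMOTE03' @ 1.2.3.5[4500]
  REMOTE03-tunnel-1: #3, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_512_256
    local  192.168.99.2/32
    remote 192.168.99.3/32
REMOTE03: #2, CONNECTING, IKEv2, 0d04c67009209fe4_i* 5ad524a9c8c87061_r
  local  'LOCAL' @ x.x.x.205[4500]
  remote 'REMOTE03' @ 1.2.3.5[4500]
  active:  IKE_CERT_PRE IKE_AUTH IKE_CERT_POST CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
"""

# IKE_SA header has no indent, CHILD_SA header two spaces, traffic selectors four.
IKE_RE = re.compile(r"^(?P<name>\S+): #(?P<id>\d+), (?P<state>[A-Z_]+), IKEv(?P<ver>[12])")
CHILD_RE = re.compile(
    r"^  (?P<name>\S+): #(?P<id>\d+), reqid (?P<reqid>\d+), (?P<state>[A-Z_]+), "
    r"(?P<mode>TUNNEL|TRANSPORT|BEET), ESP"
)
TS_RE = re.compile(r"^    (?P<side>local|remote)\s+(?P<ts>\S+)$")


def parse_sas(text):
    """Map connection name -> list of IKE_SA instances, each with its CHILD_SAs.
    One connection can have several IKE_SA instances at once (rekey, reauth, or a
    retry racing an established SA), so each name maps to a list, not one entry."""
    conns = defaultdict(list)
    ike = child = None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            ike = {"id": int(m["id"]), "state": m["state"],
                   "version": "IKEv" + m["ver"], "children": []}
            conns[m["name"]].append(ike)
            child = None
            continue
        m = CHILD_RE.match(line)
        if m and ike is not None:
            child = {"name": m["name"], "id": int(m["id"]), "reqid": int(m["reqid"]),
                     "state": m["state"], "mode": m["mode"],
                     "local_ts": None, "remote_ts": None}
            ike["children"].append(child)
            continue
        m = TS_RE.match(line)
        if m and child is not None:
            child[m["side"] + "_ts"] = m["ts"]
    return dict(conns)


def connection_status(conns):
    """One verdict per connection: IKE is 'up' if any instance is ESTABLISHED, a
    CHILD_SA is 'up' if INSTALLED under an established instance, and 'duplicate'
    flags more than one concurrent IKE_SA instance for the same connection."""
    status = {}
    for name, instances in conns.items():
        established = [i for i in instances if i["state"] == "ESTABLISHED"]
        children = {}
        for inst in established:
            for c in inst["children"]:
                children[c["name"]] = {"state": "up" if c["state"] == "INSTALLED" else "down",
                                       "local_ts": c["local_ts"], "remote_ts": c["remote_ts"]}
        status[name] = {"ike": "up" if established else "down",
                        "version": instances[0]["version"],
                        "instances": len(instances),
                        "duplicate": len(instances) > 1,
                        "children": children}
    return status


def format_table(status):
    """Render the verdicts in the shape of `show vpn ipsec connections`."""
    rows = [("Connection", "State", "Type", "Local TS", "Remote TS", "Instances")]
    for name, s in sorted(status.items()):
        rows.append((name, s["ike"], s["version"], "-", "-", str(s["instances"])))
        for cname, c in sorted(s["children"].items()):
            rows.append((cname, c["state"], "IPsec", c["local_ts"] or "-",
                         c["remote_ts"] or "-", ""))
    widths = [max(len(r[i]) for r in rows) for i in range(len(rows[0]))]
    return "\n".join("  ".join(col.ljust(w) for col, w in zip(r, widths)).rstrip()
                     for r in rows)


if __name__ == "__main__":
    import sys
    # Read live output when piped in, otherwise fall back to the embedded sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(format_table(connection_status(parse_sas(text))))
```

Run it on the box as `sudo swanctl -l | python3 ipsec_status.py`; without a pipe it prints the verdict for the embedded sample, which lists both connections as up. Whatever the cause of the display difference turns out to be, the installed CHILD_SAs (`show vpn ipsec sa`, or the INSTALLED lines in `swanctl -l`) are the state that carries traffic, so a monitoring check should key on those rather than on the connections summary.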

Submitted a bug report for this: T4906 ipsec connections shows only one connection as up

Can you share your VyOS version?

Yes of course, I should have posted that initially.

The issue is the same on all of the newest rolling releases I have tried, but I’m currently on:
VyOS 1.4-rolling-202212170319

I’m on VyOS 1.4-rolling-202212260706 and have the same issue.