Multiple tunnels with IKEv2 connection

We are connecting two VyOS 1.1.7 installs to create an IPsec VPN tunnel with multiple networks (tunnels). Using IKEv1, everything works perfectly:

vyatta@dbvyos201:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
172.17.5.111                            172.17.5.110

    Description: DBVYOS202-VPN Tunnel

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       up     0.0/0.0        aes256   sha1_96 no     3000    3600    all
    2       up     0.0/0.0        aes256   sha1_96 no     2520    3600    all


vyatta@dbvyos201:/var/log$ sudo ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 172.17.5.110:4500
000 interface eth0/eth0 172.17.5.110:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "peer-172.17.5.111-tunnel-1": 192.168.0.0/16===172.17.5.110[172.17.5.110]...172.17.5.111[172.17.5.111]===192.168.1.1/32; unrouted; eroute owner: #0
000 "peer-172.17.5.111-tunnel-1":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-172.17.5.111-tunnel-1":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 16,32; interface: eth0;
000 "peer-172.17.5.111-tunnel-1":   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "peer-172.17.5.111-tunnel-1":   IKE proposal: AES_CBC_256/HMAC_SHA1/MODP_1024
000 "peer-172.17.5.111-tunnel-2": 10.55.0.0/16===172.17.5.110[172.17.5.110]...172.17.5.111[172.17.5.111]===192.168.1.1/32; unrouted; eroute owner: #0
000 "peer-172.17.5.111-tunnel-2":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-172.17.5.111-tunnel-2":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 16,32; interface: eth0;
000 "peer-172.17.5.111-tunnel-2":   newest ISAKMP SA: #4; newest IPsec SA: #0;
000 "peer-172.17.5.111-tunnel-2":   IKE proposal: AES_CBC_256/HMAC_SHA1/MODP_1024

When changing the key-exchange to IKEv2 with only a single tunnel, everything still works correctly:

vyatta@dbvyos201:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
172.17.5.111                            172.17.5.110

    Description: DBVYOS202-VPN Tunnel

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       up     0.0/0.0        aes256   sha1_96 no     960     3600    all

vyatta@dbvyos201:~$ sudo ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 172.17.5.110:4500
000 interface eth0/eth0 172.17.5.110:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
Status of IKEv2 charon daemon (strongSwan 4.5.2):
  uptime: 67 seconds, since Jan 20 12:00:11 2017
  malloc: sbrk 253952, mmap 0, used 136408, free 117544
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 4
  loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
  172.17.5.110
Connections:
peer-172.17.5.111-tunnel-1:  172.17.5.110...172.17.5.111
peer-172.17.5.111-tunnel-1:   local:  [172.17.5.110] uses pre-shared key authentication
peer-172.17.5.111-tunnel-1:   remote: [172.17.5.111] uses any authentication
peer-172.17.5.111-tunnel-1:   child:  192.168.5.5/32 === 192.168.1.1/32
Routed Connections:
peer-172.17.5.111-tunnel-1{1}:  ROUTED, TUNNEL
peer-172.17.5.111-tunnel-1{1}:   192.168.5.5/32 === 192.168.1.1/32
Security Associations:
peer-172.17.5.111-tunnel-1[2]: ESTABLISHED 65 seconds ago, 172.17.5.110[172.17.5.110]...172.17.5.111[172.17.5.111]
peer-172.17.5.111-tunnel-1[2]: IKE SPIs: 82b23ee9b11f31fb_i f100b239ec30a37c_r*, rekeying in 2 hours
peer-172.17.5.111-tunnel-1[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-172.17.5.111-tunnel-1{3}:  INSTALLED, TUNNEL, ESP SPIs: c5475c02_i cc41c561_o
peer-172.17.5.111-tunnel-1{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 44 minutes
peer-172.17.5.111-tunnel-1{3}:   192.168.5.5/32 === 192.168.1.1/32

The problem occurs when adding a second connection/tunnel: there are no security associations for the newly created tunnel. Resetting the connection on both sides has no effect; the second tunnel will not come "up".

vyatta@dbvyos201:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
n/a                                     n/a

    Description: DBVYOS202-VPN Tunnel

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    2       down   n/a            n/a      n/a     no     0       n/a     all


Peer ID / IP                            Local ID / IP
------------                            -------------
172.17.5.111                            172.17.5.110

    Description: DBVYOS202-VPN Tunnel

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       up     0.0/0.0        aes256   sha1_96 no     2220    3600    all


vyatta@dbvyos201:~$ sudo ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 172.17.5.110:4500
000 interface eth0/eth0 172.17.5.110:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
Status of IKEv2 charon daemon (strongSwan 4.5.2):
  uptime: 63 minutes, since Jan 20 12:00:12 2017
  malloc: sbrk 253952, mmap 0, used 139656, free 114296
  worker threads: 7 idle of 16, job queue load: 0, scheduled events: 4
  loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
  172.17.5.110
Connections:
peer-172.17.5.111-tunnel-1:  172.17.5.110...172.17.5.111
peer-172.17.5.111-tunnel-1:   local:  [172.17.5.110] uses pre-shared key authentication
peer-172.17.5.111-tunnel-1:   remote: [172.17.5.111] uses any authentication
peer-172.17.5.111-tunnel-1:   child:  192.168.5.5/32 === 192.168.1.1/32
peer-172.17.5.111-tunnel-2:   child:  192.168.6.6/32 === 192.168.2.2/32
Routed Connections:
peer-172.17.5.111-tunnel-1{1}:  ROUTED, TUNNEL
peer-172.17.5.111-tunnel-1{1}:   192.168.5.5/32 === 192.168.1.1/32
peer-172.17.5.111-tunnel-2{4}:  ROUTED, TUNNEL
peer-172.17.5.111-tunnel-2{4}:   192.168.6.6/32 === 192.168.2.2/32
Security Associations:
peer-172.17.5.111-tunnel-1[2]: ESTABLISHED 63 minutes ago, 172.17.5.110[172.17.5.110]...172.17.5.111[172.17.5.111]
peer-172.17.5.111-tunnel-1[2]: IKE SPIs: 82b23ee9b11f31fb_i f100b239ec30a37c_r*, rekeying in 106 minutes
peer-172.17.5.111-tunnel-1[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-172.17.5.111-tunnel-1{3}:  INSTALLED, TUNNEL, ESP SPIs: c0555b56_i cec9c529_o
peer-172.17.5.111-tunnel-1{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 23 minutes
peer-172.17.5.111-tunnel-1{3}:   192.168.5.5/32 === 192.168.1.1/32

We have seen this behavior when connecting two VyOS systems as well as when connecting to Azure. We are not able to send traffic across the second tunnel, but traffic does flow on the first tunnel.

Is this the expected behavior for IKEv2? Has anyone been able to get VyOS to connect an IPsec VPN with IKEv2? I've attached the config for multiple tunnels and IKEv2.

Shouldn't you send packets 192.168.6.6/32 => 192.168.2.2/32 to get the 2nd tunnel up?
Moreover, what's the output of
sudo swanctl --log
when setting up the VPN?

Thank you for the response. I did initiate traffic and was able to ping and connect to the server. However, the output still does not look correct. The problem is that once I connect to 192.168.6.6 I can no longer connect to 192.168.5.5. Once I disconnect from the session, I am then not able to connect to 192.168.6.6.

vyatta@dbvyos201:~$ show vpn ipsec sa detail

Peer IP: n/a
Peer ID: n/a
Local IP: n/a
Local ID: n/a
NAT Traversal: no
NAT Source Port: n/a
NAT Dest Port: n/a

Description: DBVYOS202-VPN Tunnel

Tunnel 2:
    State:                  down
    Inbound SPI:            c051a19d
    Outbound SPI:           cfed5559
    Encryption:             aes256
    Hash:                   sha1_96
    PFS Group:              n/a

    Local Net:              192.168.6.6/32
    Local Protocol:         all
    Local Port:             all

    Remote Net:             192.168.2.2/32
    Remote Protocol:        all
    Remote Port:            all

    Inbound Bytes:          0.0
    Outbound Bytes:         0.0
    Active Time (s):        -1140
    Lifetime (s):           n/a

Peer IP: 172.17.5.111
Peer ID: 172.17.5.111
Local IP: 172.17.5.110
Local ID: 172.17.5.110
NAT Traversal: no
NAT Source Port: n/a
NAT Dest Port: n/a

Description: DBVYOS202-VPN Tunnel

Tunnel 1:
    State:                  down
    Inbound SPI:            n/a
    Outbound SPI:           n/a
    Encryption:             n/a
    Hash:                   n/a
    PFS Group:              disable

    Local Net:              n/a
    Local Protocol:         all
    Local Port:             all

    Remote Net:             n/a
    Remote Protocol:        all
    Remote Port:            all

    Inbound Bytes:          0.0
    Outbound Bytes:         0.0
    Active Time (s):        0
    Lifetime (s):           3600

vyatta@dbvyos201:~$ sudo ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 172.17.5.110:4500
000 interface eth0/eth0 172.17.5.110:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
Status of IKEv2 charon daemon (strongSwan 4.5.2):
uptime: 59 minutes, since Jan 23 14:01:40 2017
malloc: sbrk 253952, mmap 0, used 159320, free 94632
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 10
loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
172.17.5.110
Connections:
peer-172.17.5.111-tunnel-1: 172.17.5.110...172.17.5.111
peer-172.17.5.111-tunnel-1: local: [172.17.5.110] uses pre-shared key authentication
peer-172.17.5.111-tunnel-1: remote: [172.17.5.111] uses any authentication
peer-172.17.5.111-tunnel-1: child: 192.168.5.5/32 === 192.168.1.1/32
peer-172.17.5.111-tunnel-2: child: 192.168.6.6/32 === 192.168.2.2/32
Routed Connections:
peer-172.17.5.111-tunnel-1{1}: ROUTED, TUNNEL
peer-172.17.5.111-tunnel-1{1}: 192.168.5.5/32 === 192.168.1.1/32
peer-172.17.5.111-tunnel-2{2}: ROUTED, TUNNEL
peer-172.17.5.111-tunnel-2{2}: 192.168.6.6/32 === 192.168.2.2/32
Security Associations:
peer-172.17.5.111-tunnel-1[1]: ESTABLISHED 56 minutes ago, 172.17.5.110[172.17.5.110]...172.17.5.111[172.17.5.111]
peer-172.17.5.111-tunnel-1[1]: IKE SPIs: fd7d4ba9b1815dcc_i* 70f0e234b6aade8d_r, rekeying in 113 minutes
peer-172.17.5.111-tunnel-1[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-172.17.5.111-tunnel-1{6}: INSTALLED, TUNNEL, ESP SPIs: c13fc36a_i c6468724_o
peer-172.17.5.111-tunnel-1{6}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying active
peer-172.17.5.111-tunnel-1{6}: 192.168.5.5/32 === 192.168.1.1/32
peer-172.17.5.111-tunnel-1{8}: INSTALLED, TUNNEL, ESP SPIs: c0f56d20_i ca55732e_o
peer-172.17.5.111-tunnel-1{8}: AES_CBC_256/HMAC_SHA1_96, 11158 bytes_i (2933s ago), 11714 bytes_o (2933s ago), rekeying active
peer-172.17.5.111-tunnel-1{8}: 192.168.5.5/32 === 192.168.1.1/32
peer-172.17.5.111-tunnel-2{12}: INSTALLED, TUNNEL, ESP SPIs: c06c20a9_i cc422358_o
peer-172.17.5.111-tunnel-2{12}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 33 minutes
peer-172.17.5.111-tunnel-2{12}: 192.168.6.6/32 === 192.168.2.2/32
peer-172.17.5.111-tunnel-2{5}: INSTALLED, TUNNEL, ESP SPIs: c051a19d_i cfed5559_o
peer-172.17.5.111-tunnel-2{5}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 30 minutes
peer-172.17.5.111-tunnel-2{5}: 192.168.6.6/32 === 192.168.2.2/32
peer-172.17.5.111-tunnel-2{9}: INSTALLED, TUNNEL, ESP SPIs: c6e89e11_i c207c077_o
peer-172.17.5.111-tunnel-2{9}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 36 minutes
peer-172.17.5.111-tunnel-2{9}: 192.168.6.6/32 === 192.168.2.2/32
peer-172.17.5.111-tunnel-2{7}: INSTALLED, TUNNEL, ESP SPIs: c0c616af_i c6e2f63c_o
peer-172.17.5.111-tunnel-2{7}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 29 minutes
peer-172.17.5.111-tunnel-2{7}: 192.168.6.6/32 === 192.168.2.2/32
peer-172.17.5.111-tunnel-2{10}: INSTALLED, TUNNEL, ESP SPIs: cbca4a42_i ca119492_o
peer-172.17.5.111-tunnel-2{10}: AES_CBC_256/HMAC_SHA1_96, 3872 bytes_i (256s ago), 3984 bytes_o (256s ago), rekeying in 38 minutes
peer-172.17.5.111-tunnel-2{10}: 192.168.6.6/32 === 192.168.2.2/32

I am unable to bring the tunnel back up with a reset of the VPN:

Jan 23 15:10:32 dbvyos201 pluto[16815]: forgetting secrets
Jan 23 15:10:32 dbvyos201 pluto[16815]: loading secrets from "/etc/ipsec.secrets"
Jan 23 15:10:32 dbvyos201 pluto[16815]: loaded PSK secret for 172.17.5.110 172.17.5.111
Jan 23 15:10:32 dbvyos201 pluto[16815]: loading secrets from "/etc/dmvpn.secrets"
Jan 23 15:10:32 dbvyos201 pluto[16815]: Changing to directory '/etc/ipsec.d/crls'
Jan 23 15:10:32 dbvyos201 pluto[16815]: "peer-172.17.5.111-tunnel-1": deleting connection
Jan 23 15:10:32 dbvyos201 pluto[16815]: forgetting secrets
Jan 23 15:10:32 dbvyos201 pluto[16815]: loading secrets from "/etc/ipsec.secrets"
Jan 23 15:10:32 dbvyos201 pluto[16815]: loaded PSK secret for 172.17.5.110 172.17.5.111
Jan 23 15:10:32 dbvyos201 pluto[16815]: loading secrets from "/etc/dmvpn.secrets"
Jan 23 15:10:32 dbvyos201 pluto[16815]: Changing to directory '/etc/ipsec.d/crls'
Jan 23 15:10:32 dbvyos201 pluto[16815]: added connection description "peer-172.17.5.111-tunnel-1"
Jan 23 15:10:32 dbvyos201 ipsec_starter[16726]: routing 'peer-172.17.5.111-tunnel-1' failed
Jan 23 15:10:33 dbvyos201 pluto[16815]: forgetting secrets
Jan 23 15:10:33 dbvyos201 pluto[16815]: loading secrets from "/etc/ipsec.secrets"
Jan 23 15:10:33 dbvyos201 pluto[16815]: loaded PSK secret for 172.17.5.110 172.17.5.111
Jan 23 15:10:33 dbvyos201 pluto[16815]: loading secrets from "/etc/dmvpn.secrets"
Jan 23 15:10:33 dbvyos201 pluto[16815]: Changing to directory '/etc/ipsec.d/crls'
Jan 23 15:10:33 dbvyos201 pluto[16815]: "peer-172.17.5.111-tunnel-2": deleting connection
Jan 23 15:10:33 dbvyos201 pluto[16815]: forgetting secrets
Jan 23 15:10:33 dbvyos201 pluto[16815]: loading secrets from "/etc/ipsec.secrets"
Jan 23 15:10:33 dbvyos201 pluto[16815]: loaded PSK secret for 172.17.5.110 172.17.5.111
Jan 23 15:10:33 dbvyos201 pluto[16815]: loading secrets from "/etc/dmvpn.secrets"
Jan 23 15:10:33 dbvyos201 pluto[16815]: Changing to directory '/etc/ipsec.d/crls'
Jan 23 15:10:33 dbvyos201 pluto[16815]: added connection description "peer-172.17.5.111-tunnel-2"
Jan 23 15:10:33 dbvyos201 ipsec_starter[16726]: routing 'peer-172.17.5.111-tunnel-2' failed
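
The two `ipsec statusall` snapshots above show the two symptoms side by side: a tunnel that is ROUTED but has no CHILD_SA installed, and a connection carrying several INSTALLED CHILD_SAs at once, some stuck in "rekeying active". Below is an added example (mine, not part of this thread, VyOS or strongSwan) of a small Python parser that reads `ipsec statusall` text and flags both conditions so the check can be scripted rather than eyeballed. The sample text is constructed from the output quoted above, trimmed to the relevant sections; the field names in the result dictionaries are my own.

```python
import re
from collections import defaultdict

# Constructed samples modelled on the `ipsec statusall` output quoted in this
# thread (trimmed to the Connections / Routed Connections / Security
# Associations sections; not copied verbatim).
SAMPLE_NO_SA = """\
Connections:
peer-172.17.5.111-tunnel-1:  172.17.5.110...172.17.5.111
peer-172.17.5.111-tunnel-1:   child:  192.168.5.5/32 === 192.168.1.1/32
peer-172.17.5.111-tunnel-2:   child:  192.168.6.6/32 === 192.168.2.2/32
Routed Connections:
peer-172.17.5.111-tunnel-1{1}:  ROUTED, TUNNEL
peer-172.17.5.111-tunnel-1{1}:   192.168.5.5/32 === 192.168.1.1/32
peer-172.17.5.111-tunnel-2{4}:  ROUTED, TUNNEL
peer-172.17.5.111-tunnel-2{4}:   192.168.6.6/32 === 192.168.2.2/32
Security Associations:
peer-172.17.5.111-tunnel-1[2]: ESTABLISHED 63 minutes ago, 172.17.5.110[172.17.5.110]...172.17.5.111[172.17.5.111]
peer-172.17.5.111-tunnel-1{3}:  INSTALLED, TUNNEL, ESP SPIs: c0555b56_i cec9c529_o
peer-172.17.5.111-tunnel-1{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 23 minutes
peer-172.17.5.111-tunnel-1{3}:   192.168.5.5/32 === 192.168.1.1/32
"""

SAMPLE_DUPLICATES = """\
Routed Connections:
peer-172.17.5.111-tunnel-1{1}: ROUTED, TUNNEL
peer-172.17.5.111-tunnel-2{2}: ROUTED, TUNNEL
Security Associations:
peer-172.17.5.111-tunnel-1[1]: ESTABLISHED 56 minutes ago, 172.17.5.110[172.17.5.110]...172.17.5.111[172.17.5.111]
peer-172.17.5.111-tunnel-1{6}: INSTALLED, TUNNEL, ESP SPIs: c13fc36a_i c6468724_o
peer-172.17.5.111-tunnel-1{6}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying active
peer-172.17.5.111-tunnel-1{8}: INSTALLED, TUNNEL, ESP SPIs: c0f56d20_i ca55732e_o
peer-172.17.5.111-tunnel-1{8}: AES_CBC_256/HMAC_SHA1_96, 11158 bytes_i (2933s ago), 11714 bytes_o (2933s ago), rekeying active
peer-172.17.5.111-tunnel-2{12}: INSTALLED, TUNNEL, ESP SPIs: c06c20a9_i cc422358_o
peer-172.17.5.111-tunnel-2{12}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 33 minutes
"""

# "name:   child:  A === B" in the Connections section (configured selectors)
CHILD_CFG_RE = re.compile(r"^(?P<name>[^\s{\[:]+):\s+child:\s+(?P<ts>\S+ === \S+)")
# "name[n]: ESTABLISHED ..." is an IKE_SA
IKE_SA_RE = re.compile(r"^(?P<name>[^\s{\[:]+)\[(?P<id>\d+)\]:\s+ESTABLISHED")
# "name{n}: ..." lines describe a CHILD_SA (routed or installed)
CHILD_LINE_RE = re.compile(r"^(?P<name>[^\s{\[:]+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")
SPI_RE = re.compile(r"ESP SPIs:\s+(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o")
BYTES_RE = re.compile(r"(?P<bytes_in>\d+) bytes_i.*?(?P<bytes_out>\d+) bytes_o")


def parse_statusall(text):
    """Return {connection: {ike_established, selectors, routed ids, children}}."""
    conns = defaultdict(lambda: {"ike_established": False, "selectors": None,
                                 "routed": set(), "children": {}})
    for raw in text.splitlines():
        line = raw.strip()
        m = CHILD_CFG_RE.match(line)
        if m:
            conns[m["name"]]["selectors"] = m["ts"]
            continue
        m = IKE_SA_RE.match(line)
        if m:
            conns[m["name"]]["ike_established"] = True
            continue
        m = CHILD_LINE_RE.match(line)
        if not m:
            continue
        name, cid, rest = m["name"], int(m["id"]), m["rest"]
        if rest.startswith("ROUTED"):
            conns[name]["routed"].add(cid)
        elif rest.startswith("INSTALLED"):
            spi = SPI_RE.search(rest)
            conns[name]["children"][cid] = {
                "spi_in": spi["spi_in"] if spi else None,
                "spi_out": spi["spi_out"] if spi else None,
                "bytes_in": 0, "bytes_out": 0, "rekeying_active": False,
                "selectors": None,
            }
        elif cid in conns[name]["children"]:
            # Continuation lines of an INSTALLED entry: algorithms/bytes, then selectors
            child = conns[name]["children"][cid]
            if " === " in rest:
                child["selectors"] = rest.strip()
            else:
                b = BYTES_RE.search(rest)
                if b:
                    child["bytes_in"] = int(b["bytes_in"])
                    child["bytes_out"] = int(b["bytes_out"])
                    child["rekeying_active"] = "rekeying active" in rest
    return dict(conns)


def audit(conns):
    """Flag the two symptoms seen in this thread."""
    findings = []
    for name, c in sorted(conns.items()):
        installed = c["children"]
        if c["routed"] and not installed:
            findings.append((name, "routed but no CHILD_SA installed"))
        if len(installed) > 1:
            findings.append((name, f"{len(installed)} CHILD_SAs installed at once"))
        for cid, child in installed.items():
            if child["rekeying_active"]:
                findings.append((name, f"CHILD_SA {{{cid}}} stuck in 'rekeying active'"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_NO_SA, SAMPLE_DUPLICATES):
        for name, problem in audit(parse_statusall(sample)):
            print(f"{name}: {problem}")
```

Feeding the real output in with `sudo ipsec statusall | python3 this_script.py` only needs the `__main__` block changed to read `sys.stdin`; the parser keys on the `name{id}:` / `name[id]:` prefixes, so the indentation differences between the pasted snapshots do not matter.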

It does not appear that the swanctl command was available in strongSwan 4.5.2.

https://wiki.strongswan.org/projects/strongswan/wiki/swanctl

Hello coach-x

I have the same problem after switching to IKEv2. Everything worked fine before, when I used IKEv1.

It seems that the logging for strongSwan is not configured correctly in VyOS, because it should be called "charon" instead of "pluto", and there is no output after "charonlog".

My VPN-counterpart is a Zyxel Zywall 110.

Hi,

I was trying to set up a VPN IPsec site-to-site with IKEv2 and NAT-T; I'm using VyOS 1.1.6.
I have a problem: I don't see any error, however my VPN doesn't close.

Jul 11 16:20:18 vyos pluto[5618]: last message repeated 2 times
Jul 11 16:20:58 vyos pluto[5618]: packet from x.x.x.x:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jul 11 16:21:38 vyos pluto[5618]: "peer-x.x.x.x-tunnel-1" #1: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Jul 11 16:21:38 vyos pluto[5618]: "peer-x.x.x.x-tunnel-1" #1: starting keying attempt 2 of an unlimited number
Jul 11 16:21:38 vyos pluto[5618]: "peer-x.x.x.x-tunnel-1" #2: initiating Main Mode to replace #1
Jul 11 16:21:38 vyos pluto[5618]: packet from x.x.x.x:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jul 11 16:22:48 vyos pluto[5618]: last message repeated 3 times
Jul 11 16:23:28 vyos pluto[5618]: packet from x.x.x.x:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jul 11 16:24:49 vyos pluto[5618]: last message repeated 2 times
Jul 11 16:24:53 vyos pluto[5618]: forgetting secrets
Jul 11 16:24:53 vyos pluto[5618]: loading secrets from "/etc/ipsec.secrets"
Jul 11 16:24:53 vyos pluto[5618]: loaded PSK secret for 172.118.0.3 x.x.x.x x.x.x.x
Jul 11 16:24:53 vyos pluto[5618]: loading secrets from "/etc/dmvpn.secrets"
Jul 11 16:24:53 vyos pluto[5618]: Changing to directory '/etc/ipsec.d/crls'
Jul 11 16:24:53 vyos pluto[5618]: forgetting secrets
Jul 11 16:24:53 vyos pluto[5618]: loading secrets from "/etc/ipsec.secrets"
Jul 11 16:24:53 vyos pluto[5618]: loaded PSK secret for 172.118.0.3 x.x.x.x x.x.x.x
Jul 11 16:24:53 vyos pluto[5618]: loading secrets from "/etc/dmvpn.secrets"
Jul 11 16:24:53 vyos pluto[5618]: Changing to directory '/etc/ipsec.d/crls'
Jul 11 16:24:53 vyos pluto[5618]: forgetting secrets
Jul 11 16:24:53 vyos pluto[5618]: loading secrets from "/etc/ipsec.secrets"
Jul 11 16:24:53 vyos pluto[5618]: loaded PSK secret for 172.118.0.3 x.x.x.x x.x.x.x
Jul 11 16:24:53 vyos pluto[5618]: loading secrets from "/etc/dmvpn.secrets"
Jul 11 16:24:53 vyos pluto[5618]: Changing to directory '/etc/ipsec.d/crls'
Jul 11 16:24:53 vyos pluto[5618]: forgetting secrets
Jul 11 16:24:53 vyos pluto[5618]: loading secrets from "/etc/ipsec.secrets"
Jul 11 16:24:53 vyos pluto[5618]: loaded PSK secret for 172.118.0.3 x.x.x.x x.x.x.x
Jul 11 16:24:53 vyos pluto[5618]: loading secrets from "/etc/dmvpn.secrets"
Jul 11 16:24:53 vyos pluto[5618]: Changing to directory '/etc/ipsec.d/crls'
Jul 11 16:24:53 vyos pluto[5618]: "peer-x.x.x.x-tunnel-1": deleting connection
Jul 11 16:24:53 vyos pluto[5618]: "peer-x.x.x.x-tunnel-1" #2: deleting state (STATE_MAIN_I1)
Jul 11 16:24:53 vyos pluto[5618]: added connection description "peer-x.x.x.x-tunnel-1"

Below are my settings:

set vpn ipsec esp-group ESP1_PEER compression 'disable'
set vpn ipsec esp-group ESP1_PEER lifetime '3600'
set vpn ipsec esp-group ESP1_PEER mode 'tunnel'
set vpn ipsec esp-group ESP1_PEER pfs 'disable'
set vpn ipsec esp-group ESP1_PEER proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP1_PEER proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE_PEER ikev2-reauth 'no'
set vpn ipsec ike-group IKE_PEER key-exchange 'ikev2'
set vpn ipsec ike-group IKE_PEER lifetime '28800'
set vpn ipsec ike-group IKE_PEER proposal 1 dh-group '2'
set vpn ipsec ike-group IKE_PEER proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE_PEER proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer x.x.x.x authentication id 'x.x.x.x'
set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret '***********'
set vpn ipsec site-to-site peer x.x.x.x connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.x default-esp-group 'ESP1_PEER'
set vpn ipsec site-to-site peer x.x.x.x description 'VPN_PRINCIPAL'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'IKE_PEER'
set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.x local-address '172.118.0.3'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 esp-group 'ESP1_PEER'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 local prefix '172.118.0.3/32'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 remote prefix 'x.x.x.x/26'

Is there someone who can help me, please?

Thank you for your help.

I'm looking forward to your reply.
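
A NO_PROPOSAL_CHOSEN notification like the one in the log above means the responder found no IKE proposal it was willing to accept, so the first thing to line up is the exact encryption/hash/DH-group triple on both ends, and that every tunnel references an esp-group and ike-group that actually exist. The following is an added example (mine, not VyOS code or anything from this thread) that parses `set vpn ipsec` lines such as the ones posted above into a tree, flattens each proposal into one string to compare with the far end's configuration, and flags dangling group references, a PSK mode with no secret, and dh-group values that map to MODP groups under 2048 bits. The group-number-to-modulus-size table is the standard IKE group registry; the 2048-bit threshold is current key-size guidance, not something the thread states. The sample configuration is constructed from the lines posted above, with the `x.x.x.x` placeholders kept.

```python
import shlex

# Constructed sample: the `set vpn ipsec` lines posted in the thread, with the
# original placeholders kept (x.x.x.x = remote peer, secret redacted).
SAMPLE_CONFIG = """
set vpn ipsec esp-group ESP1_PEER lifetime '3600'
set vpn ipsec esp-group ESP1_PEER mode 'tunnel'
set vpn ipsec esp-group ESP1_PEER pfs 'disable'
set vpn ipsec esp-group ESP1_PEER proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP1_PEER proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE_PEER key-exchange 'ikev2'
set vpn ipsec ike-group IKE_PEER lifetime '28800'
set vpn ipsec ike-group IKE_PEER proposal 1 dh-group '2'
set vpn ipsec ike-group IKE_PEER proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE_PEER proposal 1 hash 'sha256'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret '***********'
set vpn ipsec site-to-site peer x.x.x.x default-esp-group 'ESP1_PEER'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'IKE_PEER'
set vpn ipsec site-to-site peer x.x.x.x local-address '172.118.0.3'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 esp-group 'ESP1_PEER'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 local prefix '172.118.0.3/32'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 remote prefix 'x.x.x.x/26'
"""

# IKE MODP group number -> modulus size in bits (standard IANA group numbering).
MODP_BITS = {"1": 768, "2": 1024, "5": 1536, "14": 2048,
             "15": 3072, "16": 4096, "17": 6144, "18": 8192}
MIN_MODP_BITS = 2048  # current guidance; assumption of this example, not VyOS policy


def parse_set_lines(text):
    """Turn `set vpn ipsec <path...> <value>` lines into a nested dict."""
    tree = {}
    for line in text.splitlines():
        tokens = shlex.split(line)  # strips the quotes around values
        if len(tokens) < 5 or tokens[:3] != ["set", "vpn", "ipsec"]:
            continue
        *path, value = tokens[3:]
        node = tree
        for key in path[:-1]:
            node = node.setdefault(key, {})
        node[path[-1]] = value
    return tree


def proposals(group):
    """Flatten a group's proposals into 'enc/hash[/dhN]' strings, ordered by
    proposal number, in the form you compare against the remote side."""
    out = []
    for _, p in sorted(group.get("proposal", {}).items(), key=lambda kv: int(kv[0])):
        parts = [p.get("encryption", "?"), p.get("hash", "?")]
        if "dh-group" in p:
            parts.append("dh" + p["dh-group"])
        out.append("/".join(parts))
    return out


def lint(tree):
    """Return a list of human-readable findings about the parsed config."""
    findings = []
    ike_groups = tree.get("ike-group", {})
    esp_groups = tree.get("esp-group", {})
    for name, g in ike_groups.items():
        for n, p in g.get("proposal", {}).items():
            bits = MODP_BITS.get(p.get("dh-group"))
            if bits is not None and bits < MIN_MODP_BITS:
                findings.append(f"ike-group {name} proposal {n}: dh-group "
                                f"{p['dh-group']} is MODP-{bits}, below {MIN_MODP_BITS} bits")
    for peer, pc in tree.get("site-to-site", {}).get("peer", {}).items():
        if pc.get("ike-group") not in ike_groups:
            findings.append(f"peer {peer}: ike-group {pc.get('ike-group')!r} is not defined")
        auth = pc.get("authentication", {})
        if auth.get("mode") == "pre-shared-secret" and not auth.get("pre-shared-secret"):
            findings.append(f"peer {peer}: pre-shared-secret mode but no secret set")
        for tn, t in pc.get("tunnel", {}).items():
            esp = t.get("esp-group", pc.get("default-esp-group"))
            if esp not in esp_groups:
                findings.append(f"peer {peer} tunnel {tn}: esp-group {esp!r} is not defined")
            for side in ("local", "remote"):
                if "prefix" not in t.get(side, {}):
                    findings.append(f"peer {peer} tunnel {tn}: missing {side} prefix")
    return findings


if __name__ == "__main__":
    cfg = parse_set_lines(SAMPLE_CONFIG)
    for name, g in cfg.get("ike-group", {}).items():
        print(f"IKE {name}: {proposals(g)}")
    for name, g in cfg.get("esp-group", {}).items():
        print(f"ESP {name}: {proposals(g)}")
    for finding in lint(cfg):
        print("finding:", finding)
```

Running the same script over the far end's export (or a transcription of its proposal settings into the same `set` syntax) and diffing the two `proposals()` lists is a quick way to see whether the peers can agree before reading charon's negotiation log.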

Hello @robsonntk, VyOS 1.1 is EOL; you can update your router and this issue might be fixed.
https://vyos.readthedocs.io/en/latest/image-mgmt.html?highlight=update