Have you tried resetting the peer from both sides?
I have seen similar issues. When I reset the peer from both sides, it starts working.
That is, if we restart / reset one end, then the VPN goes down and won't come up automatically. Then, if we reset the peer on the other side, it comes up successfully.
It looks like the problem occurs when the VPN process is restarted or the peer is reset on one end. If the peer IP is not reachable due to any interruption in the network, the VPN goes down and comes up automatically when the peer becomes reachable again. As you said, it is still an issue because the other side needs to be reset when any reset or restart happens on one side. I am still searching for a fix for it. I also observed that it happens only when NAT-T is enabled between two Vyatta devices. If NAT-T is not enabled, I don't see this issue.
Do you think this is particular to two Vyatta devices, or will it affect a Vyatta/other-device pair as well?
I have managed to move one side so that it can have a public IP and not sit behind a firewall, but I still need NAT-T as the other side can't be moved out from behind its firewall - this problem still persists (due to NAT-T).
I have not seen this issue when we use Vyatta with other devices (Cisco).
When we used Vyatta with another device, NAT-T was enabled only on the other device. It works fine without any issues.
I think you can try without NAT-T enabled, that is, using "remote-id @x.x.com" in the VPN config. I have seen it work without NAT-T enabled. Also, the VPN comes up automatically if you reset or restart one side. But I did see another issue when we use this config (without NAT-T): if the tunnel is idle for some time and traffic is initiated from the network which is not behind the firewall, it won't allow the traffic. I still see the tunnels up and "packets out" on the source side, but on the destination side no packets are received in the tunnels. But if you initiate traffic from the network which is behind the firewall, the tunnels start working, and you can connect from the other side as well once they have started working. If your traffic is always initiated from the network which is not behind the firewall, then this config works fine.
I did see that we can make it work without NAT-T if we can DNAT the "ESP" and "AH" protocols to the Vyatta private IP.
That means, apart from port 500/udp and 4500/udp, if you are able to DNAT the "ESP" / "AH" protocols to the Vyatta private IP, then it can work without enabling NAT-T.
Also, we will need to keep the "remote-id @xyz.com" configuration.
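The firewall-side rules the last post describes, as an added example that is not part of the thread and not Vyatta's own code. It assumes the firewall in front of the Vyatta is a Linux box using iptables (the thread never names the firewall product), and the interface name, the Vyatta's private address and the remote peer's public address are placeholders passed as arguments. ESP (IP protocol 50) and AH (51) carry no port numbers, so unlike 500/udp and 4500/udp they have to be DNATed as whole protocols, which also means only one inside host can be mapped per remote peer. The Vyatta side keeps its `remote-id` setting as the post says; the `set` lines shown in the comment follow the Vyatta Core site-to-site syntax and are an assumption about the poster's version.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules a Linux firewall needs so a
# Vyatta peer on a private address can run IPsec WITHOUT NAT-T.
#
# Vyatta side (assumed syntax, adjust to your version), NAT-T left disabled:
#   set vpn ipsec site-to-site peer 203.0.113.5 authentication remote-id '@xyz.com'
#   set vpn ipsec site-to-site peer 203.0.113.5 authentication id '@abc.com'
#
# Usage:  ipsec_passthrough_rules WAN_IF VYATTA_PRIV PEER_PUB          (print)
#         ipsec_passthrough_rules eth0 192.168.1.2 203.0.113.5 | sh     (apply, as root)

ipsec_passthrough_rules() {
  wan_if=$1        # firewall's public-facing interface
  vyatta_priv=$2   # private address of the Vyatta behind this firewall
  peer_pub=$3      # public address of the remote IPsec peer

  # IKE (500/udp) and, if the far side still offers it, UDP-encapsulated ESP (4500/udp).
  for port in 500 4500; do
    echo "iptables -t nat -A PREROUTING -i $wan_if -s $peer_pub -p udp --dport $port -j DNAT --to-destination $vyatta_priv"
    echo "iptables -A FORWARD -i $wan_if -s $peer_pub -d $vyatta_priv -p udp --dport $port -j ACCEPT"
  done

  # ESP and AH have no ports: DNAT the whole protocol from this one peer to the Vyatta.
  # Without ports conntrack can only match on addresses, so one inside host per peer.
  for proto in esp ah; do
    echo "iptables -t nat -A PREROUTING -i $wan_if -s $peer_pub -p $proto -j DNAT --to-destination $vyatta_priv"
    echo "iptables -A FORWARD -i $wan_if -s $peer_pub -d $vyatta_priv -p $proto -j ACCEPT"
  done
}

# Returns 0 when a generated rule set covers every protocol the thread says is needed.
ipsec_passthrough_complete() {
  rules=$(ipsec_passthrough_rules "$@")
  for want in "--dport 500 " "--dport 4500 " "-p esp " "-p ah "; do
    echo "$rules" | grep -q -- "$want" || return 1
  done
  return 0
}

# Outbound traffic from the Vyatta to the peer is assumed to be masqueraded/SNATed by
# the firewall's existing rules; only the inbound direction is added here.
ipsec_passthrough_rules eth0 192.168.1.2 203.0.113.5
```

Running the script prints the rules; pipe the output to `sh` on the firewall to apply them. Check afterwards with `iptables -t nat -L PREROUTING -n -v` that the `esp` and `ah` counters increase when the tunnel carries traffic, which is the quickest way to confirm the protocol DNAT is being hit rather than dropped.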