I’m having an issue where if I add a second tunnel to peer_1, none of the tunnels will establish. The remote side is a Cisco ASA.
show version
Version: VyOS 1.4.2
Release train: sagitta
Release flavor: generic
Built by: VyOS Networks Iberia S.L.U.
Built on: Tue 01 Apr 2025 17:21 UTC
Build UUID: 01cfd92d-64ae-406c-83f7-bc75e509b75a
Build commit ID: 9cc58255f19640-dirty
Architecture: x86_64
Boot via: installed image
System type: Xen HVM guest
show conf com | match vpn
set vpn ipsec authentication psk peer_1 id '1.2.3.4'
set vpn ipsec authentication psk peer_1 id '1.2.3.5'
set vpn ipsec authentication psk peer_1 secret '****'
set vpn ipsec esp-group espv2-bch lifetime '3600'
set vpn ipsec esp-group espv2-bch mode 'tunnel'
set vpn ipsec esp-group espv2-bch pfs 'disable'
set vpn ipsec esp-group espv2-bch proposal 1 encryption 'aes256'
set vpn ipsec esp-group espv2-bch proposal 1 hash 'sha512'
set vpn ipsec ike-group ikev2-bch dead-peer-detection action 'restart'
set vpn ipsec ike-group ikev2-bch dead-peer-detection interval '15'
set vpn ipsec ike-group ikev2-bch dead-peer-detection timeout '30'
set vpn ipsec ike-group ikev2-bch key-exchange 'ikev2'
set vpn ipsec ike-group ikev2-bch lifetime '86400'
set vpn ipsec ike-group ikev2-bch proposal 1 dh-group '21'
set vpn ipsec ike-group ikev2-bch proposal 1 encryption 'aes256'
set vpn ipsec ike-group ikev2-bch proposal 1 hash 'sha512'
set vpn ipsec interface 'eth1'
set vpn ipsec options
set vpn ipsec site-to-site peer peer_1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_1 authentication remote-id '1.2.3.4'
set vpn ipsec site-to-site peer peer_1 connection-type 'initiate'
set vpn ipsec site-to-site peer peer_1 default-esp-group 'espv2-bch'
set vpn ipsec site-to-site peer peer_1 ike-group 'ikev2-bch'
set vpn ipsec site-to-site peer peer_1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_1 local-address '1.2.3.5'
set vpn ipsec site-to-site peer peer_1 remote-address '1.2.3.4'
set vpn ipsec site-to-site peer peer_1 tunnel 1 esp-group 'espv2-bch'
set vpn ipsec site-to-site peer peer_1 tunnel 1 local prefix '1.2.3.6/32'
set vpn ipsec site-to-site peer peer_1 tunnel 1 remote prefix '10.0.0.0/8'
set vpn ipsec site-to-site peer peer_1 tunnel 2 esp-group 'espv2-bch'
set vpn ipsec site-to-site peer peer_1 tunnel 2 local prefix '1.2.3.6/32'
set vpn ipsec site-to-site peer peer_1 tunnel 2 remote prefix '172.16.0.0/12'
sudo swanctl -L
peer_1: IKEv2, no reauthentication, rekeying every 86400s, dpd delay 15s
local: 1.2.3.5
remote: 1.2.3.4
local pre-shared key authentication:
remote pre-shared key authentication:
id: 1.2.3.4
peer_1-tunnel-1: TUNNEL, rekeying every 3272s, dpd action is start
local: 1.2.3.6/32
remote: 10.0.0.0/8
peer_1-tunnel-2: TUNNEL, rekeying every 3272s, dpd action is start
local: 1.2.3.6/32
remote: 172.16.0.0/12
show vpn ipsec connections
Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal
---------------------------- ------- ------ ---------------- ----------------- ---------------- ---------- -------------- ----------------------------------
peer_1 down IKEv2 1.2.3.4 - - 1.2.3.4 -
peer_1-tunnel-1 IPsec 1.2.3.4 1.2.3.6/32 10.0.0.0/8 1.2.3.4 -
peer_1-tunnel-2 IPsec 1.2.3.4 1.2.3.6/32 172.16.0.0/12 1.2.3.4 -
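As an added example (not part of the post and not VyOS's or strongSwan's own tooling), here is a small Python linter that parses the `set vpn ipsec` lines quoted above into per-peer facts and checks the invariants a second tunnel on the same peer has to satisfy: every tunnel has both prefixes, no two tunnels carry identical or overlapping traffic selectors, and both the remote-id and the local-address have a matching PSK id. The function names and the overlap rule are this script's own assumptions. On the configuration above it reports nothing, which says the tunnel layout itself is consistent and narrows the search to the negotiation (the charon log) rather than the traffic selectors.

```python
"""Lint a VyOS 'set vpn ipsec ...' command dump for a multi-tunnel peer.

Added example: parses the configuration lines from the post into per-peer
IKE and child-SA facts and checks a few structural invariants. All names
here are this script's own, not VyOS CLI or strongSwan API names.
"""
import ipaddress
import shlex

# Sample input: the 'show conf com | match vpn' lines quoted in the post
# (pre-shared secret redacted exactly as it is there).
SAMPLE_CONFIG = """\
set vpn ipsec authentication psk peer_1 id '1.2.3.4'
set vpn ipsec authentication psk peer_1 id '1.2.3.5'
set vpn ipsec authentication psk peer_1 secret '****'
set vpn ipsec site-to-site peer peer_1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_1 authentication remote-id '1.2.3.4'
set vpn ipsec site-to-site peer peer_1 local-address '1.2.3.5'
set vpn ipsec site-to-site peer peer_1 remote-address '1.2.3.4'
set vpn ipsec site-to-site peer peer_1 tunnel 1 esp-group 'espv2-bch'
set vpn ipsec site-to-site peer peer_1 tunnel 1 local prefix '1.2.3.6/32'
set vpn ipsec site-to-site peer peer_1 tunnel 1 remote prefix '10.0.0.0/8'
set vpn ipsec site-to-site peer peer_1 tunnel 2 esp-group 'espv2-bch'
set vpn ipsec site-to-site peer peer_1 tunnel 2 local prefix '1.2.3.6/32'
set vpn ipsec site-to-site peer peer_1 tunnel 2 remote prefix '172.16.0.0/12'
"""


def parse_set_commands(text):
    """Return each 'set ...' line as a tuple of tokens (quotes honoured, 'set' dropped)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            entries.append(tuple(shlex.split(line)[1:]))
    return entries


def values(entries, *prefix):
    """Distinct tokens that directly follow `prefix`, in configuration order."""
    n = len(prefix)
    out = []
    for e in entries:
        if len(e) > n and e[:n] == tuple(prefix) and e[n] not in out:
            out.append(e[n])
    return out


def leaf(entries, *prefix):
    """Single value following `prefix`, or None when the node is absent."""
    found = values(entries, *prefix)
    return found[0] if found else None


def summarize_peer(entries, peer):
    """Collect the IKE-level facts and the per-tunnel traffic selectors for one peer."""
    base = ("vpn", "ipsec", "site-to-site", "peer", peer)
    summary = {
        "local_address": leaf(entries, *base, "local-address"),
        "remote_address": leaf(entries, *base, "remote-address"),
        "remote_id": leaf(entries, *base, "authentication", "remote-id"),
        "psk_ids": values(entries, "vpn", "ipsec", "authentication", "psk", peer, "id"),
        "tunnels": {},
    }
    for t in values(entries, *base, "tunnel"):
        summary["tunnels"][t] = (
            leaf(entries, *base, "tunnel", t, "local", "prefix"),
            leaf(entries, *base, "tunnel", t, "remote", "prefix"),
        )
    return summary


def lint_peer(summary):
    """Return human-readable findings; an empty list means no structural issue found."""
    findings = []
    for label in ("remote_id", "local_address"):
        if summary[label] not in summary["psk_ids"]:
            findings.append(f"{label} {summary[label]} has no matching psk id")
    tunnels = summary["tunnels"]
    for name, (local, remote) in tunnels.items():
        if local is None or remote is None:
            findings.append(f"tunnel {name} is missing a local or remote prefix")
    names = sorted(tunnels)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            la, ra = tunnels[a]
            lb, rb = tunnels[b]
            if None in (la, ra, lb, rb):
                continue
            if (la, ra) == (lb, rb):
                findings.append(f"tunnels {a} and {b} carry identical traffic selectors")
            elif (ipaddress.ip_network(la).overlaps(ipaddress.ip_network(lb))
                  and ipaddress.ip_network(ra).overlaps(ipaddress.ip_network(rb))):
                # Two child SAs whose selectors overlap on both sides: which one
                # a packet takes is then decided by policy priority, not intent.
                findings.append(f"tunnels {a} and {b} have overlapping traffic selectors")
    return findings


if __name__ == "__main__":
    peer = summarize_peer(parse_set_commands(SAMPLE_CONFIG), "peer_1")
    for key, value in peer.items():
        print(f"{key}: {value}")
    print("findings:", lint_peer(peer) or "none")
```

Running it prints the two tunnels as distinct (local, remote) selector pairs and `findings: none`; swapping tunnel 2's remote prefix for one inside 10.0.0.0/8 makes the overlap check fire, which is the case to watch for when a Cisco-side crypto map is split into several VyOS tunnels.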