Not able to establish more than one ikev2 tunnel per site-to-site peer

I’m having an issue where if I add a second tunnel to peer_1, none of the tunnels will establish. The remote side is a Cisco ASA.

show version
Version:          VyOS 1.4.2
Release train:    sagitta
Release flavor:   generic

Built by:         VyOS Networks Iberia S.L.U.
Built on:         Tue 01 Apr 2025 17:21 UTC
Build UUID:       01cfd92d-64ae-406c-83f7-bc75e509b75a
Build commit ID:  9cc58255f19640-dirty

Architecture:     x86_64
Boot via:         installed image
System type:      Xen HVM guest
show conf com | match vpn
set vpn ipsec authentication psk peer_1 id '1.2.3.4'
set vpn ipsec authentication psk peer_1 id '1.2.3.5'
set vpn ipsec authentication psk peer_1 secret '****'
set vpn ipsec esp-group espv2-bch lifetime '3600'
set vpn ipsec esp-group espv2-bch mode 'tunnel'
set vpn ipsec esp-group espv2-bch pfs 'disable'
set vpn ipsec esp-group espv2-bch proposal 1 encryption 'aes256'
set vpn ipsec esp-group espv2-bch proposal 1 hash 'sha512'
set vpn ipsec ike-group ikev2-bch dead-peer-detection action 'restart'
set vpn ipsec ike-group ikev2-bch dead-peer-detection interval '15'
set vpn ipsec ike-group ikev2-bch dead-peer-detection timeout '30'
set vpn ipsec ike-group ikev2-bch key-exchange 'ikev2'
set vpn ipsec ike-group ikev2-bch lifetime '86400'
set vpn ipsec ike-group ikev2-bch proposal 1 dh-group '21'
set vpn ipsec ike-group ikev2-bch proposal 1 encryption 'aes256'
set vpn ipsec ike-group ikev2-bch proposal 1 hash 'sha512'
set vpn ipsec interface 'eth1'
set vpn ipsec options
set vpn ipsec site-to-site peer peer_1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_1 authentication remote-id '1.2.3.4'
set vpn ipsec site-to-site peer peer_1 connection-type 'initiate'
set vpn ipsec site-to-site peer peer_1 default-esp-group 'espv2-bch'
set vpn ipsec site-to-site peer peer_1 ike-group 'ikev2-bch'
set vpn ipsec site-to-site peer peer_1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_1 local-address '1.2.3.5'
set vpn ipsec site-to-site peer peer_1 remote-address '1.2.3.4'
set vpn ipsec site-to-site peer peer_1 tunnel 1 esp-group 'espv2-bch'
set vpn ipsec site-to-site peer peer_1 tunnel 1 local prefix '1.2.3.6/32'
set vpn ipsec site-to-site peer peer_1 tunnel 1 remote prefix '10.0.0.0/8'
set vpn ipsec site-to-site peer peer_1 tunnel 2 esp-group 'espv2-bch'
set vpn ipsec site-to-site peer peer_1 tunnel 2 local prefix '1.2.3.6/32'
set vpn ipsec site-to-site peer peer_1 tunnel 2 remote prefix '172.16.0.0/12'
sudo swanctl -L
peer_1: IKEv2, no reauthentication, rekeying every 86400s, dpd delay 15s
  local:  1.2.3.5
  remote: 1.2.3.4
  local pre-shared key authentication:
  remote pre-shared key authentication:
    id: 1.2.3.4
  peer_1-tunnel-1: TUNNEL, rekeying every 3272s, dpd action is start
    local:  1.2.3.6/32
    remote: 10.0.0.0/8
  peer_1-tunnel-2: TUNNEL, rekeying every 3272s, dpd action is start
    local:  1.2.3.6/32
    remote: 172.16.0.0/12
show vpn ipsec connections
Connection        State  Type   Remote address  Local TS    Remote TS      Local id  Remote id  Proposal
----------------  -----  -----  --------------  ----------  -------------  --------  ---------  --------
peer_1            down   IKEv2  1.2.3.4         -           -                        1.2.3.4    -
peer_1-tunnel-1          IPsec  1.2.3.4         1.2.3.6/32  10.0.0.0/8               1.2.3.4    -
peer_1-tunnel-2          IPsec  1.2.3.4         1.2.3.6/32  172.16.0.0/12            1.2.3.4    -

I’ve made some progress. It appears that if I define the peer with all the remote prefixes in a single tunnel, VyOS will establish the single tunnel with multiple remote traffic selectors.

tunnel 1 {
  local {
    prefix 1.2.3.6/32
  }
  remote {
    prefix 10.0.0.0/8
    prefix 172.16.0.0/12
  }
}

Maybe this is my solution but I don’t know how it looks on the far end. I’ll report back when I know more.

It seems to be a Cisco bug, not VyOS.
Bug Search Tool or something like this.

How does it work if you configure just a single peer and not two of them at once?

I’m thinking about whether the Cisco ASA is correctly configured, along with the network in between; things such as MTU sizes are a not too uncommon cause of an IPsec tunnel failing to set up.

Also you seem to have setup peer_1 twice.

In my world a single peer will only have a single ID (or CN if x509 aka certs are being used).

Then when you configure the peer IP address, it has either a static one or “unknown” as 0.0.0.0/0 (the latter is common when you are the concentrator and the clients use DHCP over the internet or mobile networks; this also means that it’s always the client who will initiate the tunnel. If a static IP is used then both parties can initiate the tunnel, which is often preferred for a site-to-site connection to avoid unnecessary downtime).

In the example I provided I only intended to configure a single peer. I was also confused by:

set vpn ipsec authentication psk peer_1 id '1.2.3.4'
set vpn ipsec authentication psk peer_1 id '1.2.3.5'
set vpn ipsec authentication psk peer_1 secret '****'

and assumed this meant to associate the secret to both 1.2.3.4 the local peer and 1.2.3.5 the remote peer. It looks like this:

authentication {
    psk peer_1 {
        id 1.2.3.4
        id 1.2.3.5
        secret *****
    }
}

Is that incorrect?

When I delete vpn ipsec authentication psk peer_1 id 1.2.3.5, the tunnels still fail to establish if more than one is defined.

Hi @greg.toews, I would suggest opening a ticket at support.vyos.com, and one of the engineers will help you.

OK, I believe the problem is solved. PFS was required by the far side. After enabling PFS in the ESP group on my side, the tunnels established as expected.

Thank you all for your help

So how did the one line or two lines of peer_1 id work out now that the rest of the config is correct?

My gut feeling is still that having two ids is “wrong”, and perhaps it is a bug in vyos-configd to allow for that?

You should only have the remote id there and not your local one.
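The two points debated in this thread, the ESP group having PFS disabled while the far side required it, and the psk block listing both the local and the remote address as ids, are both visible in the `show configuration commands | match vpn` dump. The following added example (not VyOS code and not from any poster here) parses such a dump and reports, per site-to-site peer, which of its ESP groups have `pfs 'disable'` set explicitly, how many tunnels are defined under it, and whether each psk id matches the peer's own local-address or its remote-address. The sample configuration inside it is constructed from the thread's placeholder addresses; it only reports explicit `pfs 'disable'` and makes no assumption about the VyOS default.

```python
"""Summarize a VyOS 1.4 'show configuration commands | match vpn' dump for the
points raised in the thread: ESP groups with PFS explicitly disabled, tunnel
count per peer, and which psk ids are the peer's local vs remote address.
Added example, not VyOS code; the config below is constructed."""
import shlex
from collections import defaultdict

# Constructed input: the thread's configuration before PFS was enabled.
SAMPLE_CONFIG = """\
set vpn ipsec authentication psk peer_1 id '1.2.3.4'
set vpn ipsec authentication psk peer_1 id '1.2.3.5'
set vpn ipsec authentication psk peer_1 secret '****'
set vpn ipsec esp-group espv2-bch pfs 'disable'
set vpn ipsec esp-group espv2-bch proposal 1 encryption 'aes256'
set vpn ipsec interface 'eth1'
set vpn ipsec options
set vpn ipsec site-to-site peer peer_1 default-esp-group 'espv2-bch'
set vpn ipsec site-to-site peer peer_1 local-address '1.2.3.5'
set vpn ipsec site-to-site peer peer_1 remote-address '1.2.3.4'
set vpn ipsec site-to-site peer peer_1 tunnel 1 esp-group 'espv2-bch'
set vpn ipsec site-to-site peer peer_1 tunnel 1 remote prefix '10.0.0.0/8'
set vpn ipsec site-to-site peer peer_1 tunnel 2 esp-group 'espv2-bch'
set vpn ipsec site-to-site peer peer_1 tunnel 2 remote prefix '172.16.0.0/12'
"""


def parse_set_commands(text):
    """One token list per 'set ...' line, leading 'set' dropped, quotes removed."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            cmds.append(shlex.split(line)[1:])
    return cmds


def build_model(cmds):
    """Group tokens into psk ids, esp-group pfs settings and per-peer data."""
    model = {"psk_ids": defaultdict(list), "esp_pfs": {},
             "peers": defaultdict(lambda: {"tunnels": {}})}
    for t in cmds:
        if t[:4] == ["vpn", "ipsec", "authentication", "psk"] and len(t) > 6 \
                and t[5] == "id":
            model["psk_ids"][t[4]].append(t[6])
        elif t[:3] == ["vpn", "ipsec", "esp-group"] and len(t) > 5 \
                and t[4] == "pfs":
            model["esp_pfs"][t[3]] = t[5]
        elif t[:4] == ["vpn", "ipsec", "site-to-site", "peer"] and len(t) > 6:
            peer = model["peers"][t[4]]
            key = t[5]
            if key in ("local-address", "remote-address", "default-esp-group"):
                peer[key] = t[6]
            elif key == "tunnel":
                tun = peer["tunnels"].setdefault(t[6], {})
                if len(t) > 8 and t[7] == "esp-group":
                    tun["esp-group"] = t[8]
    return model


def summarize(text):
    """Per peer: esp groups with pfs 'disable', tunnel count, psk id roles."""
    model = build_model(parse_set_commands(text))
    report = {}
    for name, peer in model["peers"].items():
        # ESP groups this peer actually uses: the default plus per-tunnel ones.
        groups = {peer.get("default-esp-group")} | {
            tun.get("esp-group") for tun in peer["tunnels"].values()}
        groups.discard(None)
        pfs_disabled = sorted(g for g in groups
                              if model["esp_pfs"].get(g) == "disable")
        # Classify every configured psk id against this peer's own addresses.
        roles = {}
        for ids in model["psk_ids"].values():
            for i in ids:
                if i == peer.get("local-address"):
                    roles[i] = "local-address"
                elif i == peer.get("remote-address"):
                    roles[i] = "remote-address"
                else:
                    roles[i] = "other"
        report[name] = {"pfs_disabled_groups": pfs_disabled,
                        "tunnel_count": len(peer["tunnels"]),
                        "psk_id_roles": roles}
    return report


if __name__ == "__main__":
    for peer_name, info in summarize(SAMPLE_CONFIG).items():
        print(peer_name, info)
```

Run against a real dump by piping `show configuration commands | match vpn` into a file and passing its contents to `summarize()`; on the constructed config above it reports `espv2-bch` as PFS-disabled for `peer_1`, two tunnels, and `1.2.3.5` as the peer's own local-address among the psk ids.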
