Routing 'peer-xxxxxxx-tunnel-1' failed

Hi ,

I have been trying to setup a vpn from my side to client side and have been getting routing 'peer-xxxxx-tunnel-1' failed with nothing else being logged. Any idea how can I view the actual cause behind the same. I have already set the logging for all facility to all

Start with checking logs:

show log all | match charon
sudo swanctl -l

And double re-check all parameters from both sites.

Thanks for your reply but I did not find much information using these commands:

vyos@VyOS-AMI:~$ show log all | match charon
May  3 16:02:49 VyOS-AMI ipsec_starter[6472]: charon has died -- restart scheduled (5sec)
May 11 10:32:12 VyOS-AMI ipsec_starter[2737]: charon (2741) started after 100 ms

Which version of VyOS?

Following the is result of show version

vyos@VyOS-AMI:~$ show version
Version:      VyOS 1.1.8
Description:  VyOS 1.1.8 (helium)
Copyright:    2017 VyOS maintainers and contributors
Built by:
Built on:     Sat Nov 11 13:44:36 UTC 2017
Build ID:     1711111344-b483efc
System type:  x86 64-bit
Boot via:     image
Hypervisor:   Xen hvm
HW model:     HVM domU
Uptime:       17:36:35 up 15 days,  7:04,  1 user,  load average: 0.00, 0.01, 0.05

Unfortunately, 1.1.8 is EOL.

can you point to an AWS ami which I can use ?

So I have started using the latest available version on AWS

vyos@ip-10-209-224-157:~$ show version
Version:          VyOS 1.2.7
Release Train:    crux

Built by:         Sentrium S.L.
Built on:         Fri 26 Mar 2021 10:40 UTC
Build UUID:       50a5b0b4-868d-4f86-94d3-30651f47c44d
Build Commit ID:  265c5cfd6a7090

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  Amazon EC2
Hardware model:   t3.medium

I used the same configuration which I had used in the older version. However, it seems I not getting anything in the logs this time, not even the failure message.

Attach your configuration, hide private data.
Are you sure that you open port 500 and 4500 at the aws site?

show vpn ipsec sa
show vpn ike sa 
sudo swanctl -l

Which device on the remote site?

 ipsec {
     esp-group <vpn-group-name> {
         lifetime 3600
         pfs dh-group21
         proposal 1 {
             encryption aes256
             hash sha512
     ike-group <vpn-group-name> {
         ikev2-reauth no
         key-exchange ikev2
         lifetime 28800
         proposal 1 {
             dh-group 21
             encryption aes256
             hash sha512
     ipsec-interfaces {
         interface eth0
     nat-traversal enable
     site-to-site {
         peer <vendor-vpn-box-public-ip> {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret <secret>
             default-esp-group <vpn-group-name>
             ike-group <vpn-group-name>
             local-address <local-interface-private-ip>
             tunnel 1 {
                 local {
                     prefix <my-customer-domain-encryption>
                 remote {
                     prefix <vendor-customer-domain-encryption>

 vyos@ip-<local-interface-private-ip>:~$ show vpn ipsec sa
Connection                   State    Up    Bytes In/Out    Remote address    Remote ID    Proposal
---------------------------  -------  ----  --------------  ----------------  -----------  ----------
peer-<vendor-vpn-box-public-ip>-tunnel-1  down     N/A   N/A             N/A               N/A          N/A

vyos@ip-<local-interface-private-ip>:~$ show vpn ike sa 
Peer ID / IP                            Local ID / IP               
------------                            -------------
<vendor-vpn-box-public-ip>                           <local-interface address>                         

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   IKEv2   n/a      n/a     n/a(n/a)       no     0       n/a 

    vyos@ip-<local-interface-private-ip>:~$ sudo swanctl -l
    peer-<vendor-vpn-box-public-ip>: #6, CONNECTING, IKEv2, xxxxxxxxxx* 0000000000000000_r
      local  '%any' @ <local-interface-private-ip>[500]
      remote '%any' @ <vendor-vpn-box-public-ip> [500]

I have allowed all traffic from at my side. I am not exactly sure what is being used at remote. However as per their logs when I was using 1.1.8 they were receiving a request (not reflecting in my logs) and sending me back a response which was not reflecting in logs too.

Do you get address 10.x.x.x/x via DHCP which translated to External address?

As per my understanding this should be the case. I have attached an EIP with my EC2 instance. Any specific command which can be used to check if I am missing anything.


Try to set authentication id, where y.y.y.y - your external IP address.

del vpn ipsec site-to-site peer x.x.x.x local-address 
set vpn ipsec site-to-site peer x.x.x.x dhcp-interface eth0
set vpn ipsec site-to-site peer x.x.x.x authentication id "y.y.y.y"

After commit try to restart ipsec

sudo ipsec restart

And check logs and state ike/esp/logs again.

The issue was resolved, It seemed to be an issue with my NACL where we had just allowed TCP on all ports rather than allowing UDP too. Thanks @Viacheslav for your support.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.