VPN up but no traffic after few hours

Hi,

I have a situation where there is a VPN connection between VyOS and the ISP's router.
At first the VPN is up, I can ping the remote prefix (the remote prefix is in the kernel route table) and traffic can go through.

However, after a few hours (in my current situation 9 to 10 hours) the prefix route in the kernel is missing. I am unable to ping the remote prefixes and no traffic is going through. The VPN is up, but Bytes In/Out shows N/A:

vyos@vyos:~$ sh vpn ipsec sa | strip-private
Connection                   State  Up          Bytes In/Out  Remote address  Remote ID  Proposal
peer-xxx.xxx.251.6-tunnel-1  up     44 minutes  N/A           xxx.xxx.251.6   N/A        AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

I have to restart the VPN every time this issue happens. It started to happen after I upgraded VyOS from 1.1.8 to 1.2.
Any idea why this happens?

I noticed the same on my build of 1.2.5 yesterday. I’m trying to see if dead peer detection might be a fix.

Hi @compuwizz

I don't think dead peer detection can work, as both phase 1 and phase 2 are not down.
But do tell me if dead peer detection fixes it.

I just put in a script to reset the peer if the kernel route is missing.
I will monitor it today to see if it's working.

Are you using IKEv1? Dead peer detection is an IKEv1 addendum.
It is not needed when using IKEv2 (it is built in).

If you are not using it already, consider switching to IKEv2.

Otherwise you may want to check the lifetimes configured in the IKE group and ESP group, and check whether they match those configured on the remote endpoint.
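An added configuration example, not from any poster in this thread, showing where the settings the reply above points at live on the VyOS 1.2 side: dead peer detection on the IKE group, and the phase 1 and phase 2 lifetimes that must equal the values the ISP has set on its router. The group names IKE-ISP and ESP-ISP, the peer address 203.0.113.6 and the lifetime values are assumptions; the proposal mirrors the one in the show vpn ipsec sa output (AES-256, SHA1, MODP_1024 = dh-group 2). Authentication and local/remote prefix settings are left out because the thread does not show them.

```vyos
configure
# IKE (phase 1) group. The lifetime is in seconds and must match the ISP side.
# If the ISP supports it, use "key-exchange ikev2" instead; liveness checks are
# then part of the protocol and the dead-peer-detection lines are not needed.
set vpn ipsec ike-group IKE-ISP key-exchange ikev1
set vpn ipsec ike-group IKE-ISP lifetime 28800
set vpn ipsec ike-group IKE-ISP proposal 1 encryption aes256
set vpn ipsec ike-group IKE-ISP proposal 1 hash sha1
set vpn ipsec ike-group IKE-ISP proposal 1 dh-group 2
# Dead peer detection: probe every 30 s, restart the tunnel after 120 s without a reply.
set vpn ipsec ike-group IKE-ISP dead-peer-detection action restart
set vpn ipsec ike-group IKE-ISP dead-peer-detection interval 30
set vpn ipsec ike-group IKE-ISP dead-peer-detection timeout 120
# ESP (phase 2) group. Lifetime and PFS group must also match the remote endpoint.
set vpn ipsec esp-group ESP-ISP lifetime 3600
set vpn ipsec esp-group ESP-ISP pfs dh-group2
set vpn ipsec esp-group ESP-ISP proposal 1 encryption aes256
set vpn ipsec esp-group ESP-ISP proposal 1 hash sha1
# Bind both groups to the peer (assumed address).
set vpn ipsec site-to-site peer 203.0.113.6 ike-group IKE-ISP
set vpn ipsec site-to-site peer 203.0.113.6 default-esp-group ESP-ISP
commit
save
```

After committing, compare "show vpn ipsec sa" with "show ip route table 220": strongSwan installs the routes for the negotiated remote prefixes in kernel table 220, so a peer that shows as up but has no entry there is exactly the state described in the first post. A lifetime mismatch shows up as the tunnel breaking at a fixed interval after it comes up, which is worth checking against the 9 to 10 hours reported above.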

I am using IKEv1 on site-to-site tunnels. My Phase 2 was originally down when I looked. However, after adding dead peer detection, all my VPNs have stayed up.


That's great. Thanks for sharing.

Hi Zakwan, I saw your post about 'VPN UP but no traffic after few hours' on VyOS, and you mentioned you put in a script to reset the peer if that happens. Would it be possible to share the details of the script? I am facing the same problem. Thanks.

Hi @alaertegv

I use the script below (in my situation I am supposed to receive 10.190.0.0/15 in kernel routing table 220, so whenever this prefix disappears from the routing table it runs the reset vpn ipsec-peer command):

#!/bin/bash
# Peer address(es) to reset; the post did not show how IPSEC_PEERS is filled.
IPSEC_PEERS=(xxx.xxx.251.6)
MAIL_BODY=""
RC=0
run=/opt/vyatta/bin/vyatta-op-cmd-wrapper
for key in "${!IPSEC_PEERS[@]}"
do
    # Count route lines for the expected prefix in table 220; exactly one is expected.
    NOUP=$($run show ip route table 220 | grep 10.190.0.0/15 | grep -wv up | wc -l)
    if [ "${NOUP}" != 1 ]
    then
        $run reset vpn ipsec-peer "${IPSEC_PEERS[$key]}"
        MAIL_BODY+="- peer ${IPSEC_PEERS[$key]}: missing KPN VPN IPSec received route.\r\nAn automatic 'reset vpn ipsec-peer' has been executed\r\n"
        RC=1
    fi
done
# The post ends here; the part that sends MAIL_BODY and exits with RC is not shown.
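An added example, not the script from the post above, that separates the route check from the reset so the check can be exercised on captured output before it is trusted to reset tunnels. Each peer is paired with the prefix it should deliver, the prefix is compared exactly against the prefix column of "show ip route table 220" (a plain grep for 10.190.0.0/15 also matches 110.190.0.0/15, since "." matches any character), and the peer is only reset when the script is run with --apply. The peer addresses, the second prefix and the route-table text are constructed sample data.

```shell
#!/bin/bash
# Added example (not the original poster's script). Checks that every IPsec peer's
# expected prefix is present in kernel route table 220, where strongSwan installs
# its routes on VyOS 1.2, and resets only the peers whose route is missing.

# One "peer_address expected_prefix" pair per line (assumed values).
PEER_PREFIXES='203.0.113.6 10.190.0.0/15
203.0.113.7 10.200.0.0/16'

# Constructed sample of "show ip route table 220" output: the first peer's route
# is present, the second peer's route is absent, and a decoy prefix that a
# substring grep for 10.190.0.0/15 would wrongly match is included.
SAMPLE_ROUTE_TABLE='Codes: K - kernel route, C - connected, S - static, R - RIP,
       > - selected route, * - FIB route

K>* 10.190.0.0/15 [0/0] via 203.0.113.1, eth0, 00:12:34
K>* 110.190.0.0/15 [0/0] via 203.0.113.1, eth0, 00:12:34'

# route_present <prefix> <route table text>
# Exact match on the prefix field. FRR prints the prefix in column 2 ("K>* 10.0.0.0/8")
# or column 3 when the route is not selected ("K * 10.0.0.0/8"), so both are checked.
route_present() {
    printf '%s\n' "$2" | awk -v p="$1" \
        '$2 == p || $3 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# peers_to_reset <route table text>
# Prints, one per line, the peers whose expected prefix is missing from the table.
peers_to_reset() {
    printf '%s\n' "$PEER_PREFIXES" | while read -r peer prefix; do
        [ -n "$peer" ] || continue
        route_present "$prefix" "$1" || printf '%s\n' "$peer"
    done
}

# Without --apply the script only reports, using the constructed sample table;
# with --apply it reads the live table and resets the affected peers.
main() {
    run=/opt/vyatta/bin/vyatta-op-cmd-wrapper
    if [ "$1" = "--apply" ]; then
        table=$($run show ip route table 220)
    else
        table=$SAMPLE_ROUTE_TABLE
    fi
    for peer in $(peers_to_reset "$table"); do
        echo "expected route for peer $peer missing from table 220"
        if [ "$1" = "--apply" ]; then
            $run reset vpn ipsec-peer "$peer"
        fi
    done
    return 0
}

main "$@"
```

Run it from cron with --apply once the dry run reports the peers you expect; keeping the decision in peers_to_reset means a change to the route-table format shows up as a wrong report rather than as a tunnel reset.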