VyOS 1.3.1-S1 - Restart VPN Command - No IPsec Configured

Hello,
When issuing the 'restart vpn' command, it states VPN is not configured even when the IPsec tunnels are up and active. Does anyone else have this issue?

Can you show this output?
and

show vpn ipsec sa
show vpn ike sa

Here is the sanitized output
user@REMOTE-FW-01:~$ show vpn ips sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
peer-x.x.x.x-tunnel-0 up 32m5s 19K/28K 418/428 x.x.x.x N/A AES_CBC_256/HMAC_SHA2_256_128
peer-x.x.x.x-tunnel-1 down N/A N/A N/A N/A N/A N/A

user@REMOTE-FW-01:~$ show vpn ike sa
Peer ID / IP Local ID / IP
x.x.x.x x.x.x.x

State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
-----  ------  -------  ----    ---------      -----  ------  ------
up     IKEv2   aes256   sha256_128 14(MODP_2048)  no     3600    86400  

user@REMOTE-FW-01:~$ restart vpn
IPsec VPN not configured

Can you show the IPsec part of the configuration?
and
show version

Version: VyOS 1.3.1-S1
Release train: equuleus

Built by: Sentrium S.L.
Built on: Mon 28 Mar 2022 17:02 UTC
Build UUID: b89ffc4c-3c7e-4d89-91de-bd89e584c532
Build commit ID: bfd58ad202462f

Architecture: x86_64
Boot via: installed image
System type: bare metal

Hardware vendor: Lanner Electronics
Hardware model: LEB-6032

set vpn ipsec esp-group remotesite-esp compression 'disable'
set vpn ipsec esp-group remotesite-esp lifetime '28800'
set vpn ipsec esp-group remotesite-esp mode 'tunnel'
set vpn ipsec esp-group remotesite-esp pfs 'dh-group14'
set vpn ipsec esp-group remotesite-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group remotesite-esp proposal 1 hash 'sha256'
set vpn ipsec ike-group remotesite-ike close-action 'none'
set vpn ipsec ike-group remotesite-ike dead-peer-detection action 'restart'
set vpn ipsec ike-group remotesite-ike dead-peer-detection interval '30'
set vpn ipsec ike-group remotesite-ike dead-peer-detection timeout '120'
set vpn ipsec ike-group remotesite-ike ikev2-reauth 'no'
set vpn ipsec ike-group remotesite-ike key-exchange 'ikev2'
set vpn ipsec ike-group remotesite-ike lifetime '86400'
set vpn ipsec ike-group remotesite-ike mobike 'disable'
set vpn ipsec ike-group remotesite-ike proposal 2 dh-group '14'
set vpn ipsec ike-group remotesite-ike proposal 2 encryption 'aes256'
set vpn ipsec ike-group remotesite-ike proposal 2 hash 'sha256'
set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret 'secretkey'
set vpn ipsec site-to-site peer x.x.x.x connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.x force-encapsulation 'enable'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'remotesite-ike'
set vpn ipsec site-to-site peer x.x.x.x ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer x.x.x.x local-address 'x.x.x.x'
set vpn ipsec site-to-site peer x.x.x.x tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 0 esp-group 'remotesite-esp'
set vpn ipsec site-to-site peer x.x.x.x tunnel 0 local prefix 'y.y.y.y/32'
set vpn ipsec site-to-site peer x.x.x.x tunnel 0 remote prefix 'y.y.y.y/32'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 esp-group 'remotesite-esp'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 local prefix 'y.y.y.y/32'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 remote prefix 'y.y.y.y/32'

and btw traffic is passing through VPN just fine.

How about

sudo su
/usr/bin/ipsec restart

Do you have the next command?
set vpn ipsec ipsec-interfaces interface <interface name>

1 Like

This resolved the issue. Even though it appears VyOS did not require this for operating IPsec over this interface, as soon as I enabled this command, the restart command was available.

set vpn ipsec ipsec-interfaces interface 'eth0'

Thanks for your help

2 Likes
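A small configuration lint that catches the condition this thread ends on, as an added example (it is not code from the thread or from the VyOS project). It parses flat VyOS `set` lines, as produced by `show configuration commands`, and reports when `vpn ipsec ipsec-interfaces interface` is absent (the case in which, per the thread, `restart vpn` on 1.3.1 answers "IPsec VPN not configured" although the tunnels are up), and also whether every site-to-site peer and tunnel references an ike-group or esp-group that is actually defined. The embedded sample is a constructed, trimmed copy of the sanitized configuration posted above; the `x.x.x.x` addresses and the pre-shared secret are placeholders, and the interface name `eth0` is the one from the resolving reply.

```python
"""Lint VyOS 1.3 'set vpn ipsec ...' lines for the settings 'restart vpn' needs.

Added example; not from the forum thread or the VyOS project.
"""
import shlex
from collections import defaultdict

# Constructed sample: the thread's sanitized config, before the fix was applied.
SAMPLE_CONFIG = """\
set vpn ipsec esp-group remotesite-esp compression 'disable'
set vpn ipsec esp-group remotesite-esp lifetime '28800'
set vpn ipsec esp-group remotesite-esp mode 'tunnel'
set vpn ipsec esp-group remotesite-esp pfs 'dh-group14'
set vpn ipsec esp-group remotesite-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group remotesite-esp proposal 1 hash 'sha256'
set vpn ipsec ike-group remotesite-ike key-exchange 'ikev2'
set vpn ipsec ike-group remotesite-ike lifetime '86400'
set vpn ipsec ike-group remotesite-ike proposal 2 dh-group '14'
set vpn ipsec ike-group remotesite-ike proposal 2 encryption 'aes256'
set vpn ipsec ike-group remotesite-ike proposal 2 hash 'sha256'
set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret 'secretkey'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'remotesite-ike'
set vpn ipsec site-to-site peer x.x.x.x local-address 'x.x.x.x'
set vpn ipsec site-to-site peer x.x.x.x tunnel 0 esp-group 'remotesite-esp'
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 esp-group 'remotesite-esp'
"""

# The line the resolving reply added.
FIX_LINE = "set vpn ipsec ipsec-interfaces interface 'eth0'"


def parse_set_commands(text):
    """Parse 'set ...' lines into {path_tuple: [values]}.

    VyOS quotes leaf values, so a quoted last token is taken as the value of
    the path before it; an unquoted line is a bare node with no value.
    """
    config = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] != "set" or len(tokens) < 2:
            raise ValueError(f"not a set command: {line}")
        if line.endswith("'") or line.endswith('"'):
            config[tuple(tokens[1:-1])].append(tokens[-1])
        else:
            config.setdefault(tuple(tokens[1:]), [])
    return dict(config)


def children(config, prefix):
    """Distinct next path element under prefix (peer names, tunnel numbers, ...)."""
    n = len(prefix)
    return sorted({p[n] for p in config if p[:n] == prefix and len(p) > n})


def lint_ipsec(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    base = ("vpn", "ipsec")

    # 1. Root cause from the thread: without ipsec-interfaces, 'restart vpn'
    #    on VyOS 1.3.1 reports "IPsec VPN not configured" even with tunnels up.
    if not config.get(base + ("ipsec-interfaces", "interface")):
        findings.append("missing 'vpn ipsec ipsec-interfaces interface <name>'; "
                        "'restart vpn' will report IPsec VPN not configured")

    ike_groups = set(children(config, base + ("ike-group",)))
    esp_groups = set(children(config, base + ("esp-group",)))

    # 2. Every peer must reference a defined ike-group and every tunnel a
    #    defined esp-group; a dangling name silently leaves a tunnel unbuilt.
    for peer in children(config, base + ("site-to-site", "peer")):
        ppath = base + ("site-to-site", "peer", peer)
        ike_refs = config.get(ppath + ("ike-group",), [])
        if not ike_refs:
            findings.append(f"peer {peer}: no ike-group set")
        for ike in ike_refs:
            if ike not in ike_groups:
                findings.append(f"peer {peer}: ike-group '{ike}' is not defined")
        for tun in children(config, ppath + ("tunnel",)):
            esp_refs = config.get(ppath + ("tunnel", tun, "esp-group"), [])
            if not esp_refs:
                findings.append(f"peer {peer} tunnel {tun}: no esp-group set")
            for esp in esp_refs:
                if esp not in esp_groups:
                    findings.append(f"peer {peer} tunnel {tun}: esp-group '{esp}' is not defined")
    return findings


def lint_text(text):
    """Convenience wrapper: parse then lint a block of set commands."""
    return lint_ipsec(parse_set_commands(text))


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG),
                        ("with fix", SAMPLE_CONFIG + FIX_LINE + "\n")):
        result = lint_text(text)
        print(f"{label}: {result or 'OK'}")
```

On a live box the input would be the output of `show configuration commands | grep 'vpn ipsec'` saved to a file; running the script against the configuration as first posted yields the single ipsec-interfaces finding, and appending the line from the resolving reply clears it.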

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.