Vyos command "reset vpn ipsec-peer" is getting stuck



Reset vpn ipsec command is getting stuck or taking too long to come out. I can not use restart vpn as there is multiple tunnel in vyos. Mostly this happens when peer is not reachable. I am seeing following logs in charon

Feb 19 06:54:46 15[CFG] received stroke: terminate ‘peer-’
Feb 19 06:54:46 05[IKE] <peer-|1> destroying IKE_SA in state CONNECTING without notification
Feb 19 06:54:46 06[CFG] received stroke: initiate ‘peer-’
Feb 19 06:54:46 08[IKE] <peer-|2> initiating Main Mode IKE_SA peer-[2] to
Feb 19 06:54:46 08[ENC] <peer-|2> generating ID_PROT request 0 [ SA V V V V V ]
Feb 19 06:54:46 08[NET] <peer-|2> sending packet: from[500] to[500] (344 bytes)
Feb 19 06:54:50 10[IKE] <peer-|2> sending retransmit 1 of request message ID 0, seq 1
Feb 19 06:54:50 10[NET] <peer-|2> sending packet: from[500] to[500] (344 bytes)
Feb 19 06:54:58 09[IKE] <peer-|2> sending retransmit 2 of request message ID 0, seq 1
Feb 19 06:54:58 09[NET] <peer-|2> sending packet: from[500] to[500] (344 bytes)
Feb 19 06:55:11 12[IKE] <peer-|2> sending retransmit 3 of request message ID 0, seq 1
Feb 19 06:55:11 12[NET] <peer-|2> sending packet: from[500] to[500] (344 bytes)
Feb 19 06:55:34 13[IKE] <peer-|2> sending retransmit 4 of request message ID 0, seq 1
Feb 19 06:55:34 13[NET] <peer-|2> sending packet: from[500] to[500] (344 bytes)


What version of VyOS are you using?

Also, can you provide the configuration you are using for the troublesome IPsec tunnel?


Vyos Version: 1.7
Following is the ipsec config of one side. Other side is also configured with same config and tunnel is working fine. The issue comes when one side is not reachable and we try to reset vpn with 'reset vpn ipsec-peer ’ command. Since other side is not reachable vyos tries to re transmit info messages to other side for multiple times and all this time command gets stuck. Ideally reset command should exit and re transmition should happen internally.

ipsec {
auto-update 60
esp-group {
lifetime 43200
pfs disable
proposal 1 {
encryption aes128
hash sha1
ike-group {
dead-peer-detection {
action restart
interval 30
timeout 120
key-exchange ikev1
lifetime 86400
proposal 1 {
dh-group 2
encryption aes128
hash sha1
proposal 2 {
dh-group 14
encryption aes256
hash sha1
proposal 3 {
dh-group 19
encryption aes128
hash md5
proposal 4 {
dh-group 2
encryption aes128
hash sha256
proposal 5 {
dh-group 2
encryption aes128
hash sha384
ipsec-interfaces {
interface eth0
nat-traversal enable
site-to-site {
peer {
authentication {
mode pre-shared-secret
pre-shared-secret secret
remote-id %any
connection-type respond
vti {
bind vti0


I’d recommend migrating to a newer release of VyOS as that one is EOL, as is 1.1.8. I’d recommend building a new 1.2.0 image, or at a minimum 1.1.8 and if possible, could you try to implement IKEv2 for this specific tunnel?


same issue is coming for vyos 1.2.0 and ikev2.


What’s the traffic level’s look like going across this tunnel? Can you try two things for me and test? First,

set vpn ipsec auto-update ‘60’ (Let this command bake for a while and see if stability is improved any)


Adjust dead dead-peer-detection timeout values

Also, can you capture logs as well when you are doing this? I am assuming both sides are on 1.2.0 now correct?


Tired above options already. Tunnel and traffic is stable for days that is not the issue But I have different requirement where connectivity between two vpn gw goes down for some time. I wrote one task scheduler which reset ipsec when connection is down. But when there is no connection between two vpn gw and I do reset vpn that command take too much time to exit and deny my script to run further. When I do reset vpn manually same thing happens. Already provided charon log in my post.