Why are multiple tunnels being created? Is this a bug?

Hi Team,

I configured this tunnel and I am not sure why it is creating multiple tunnels.
Here is the config

run show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.10.13.10 10.10.13.10                 10.10.11.10 10.10.11.10

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA2_256_128 MODP_1536      no     1       26287

Peer ID / IP                            Local ID / IP
------------                            -------------
10.10.13.10 10.10.13.10                 10.10.11.10 10.10.11.10

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA2_256_128 MODP_1536      no     1       25978

Peer ID / IP                            Local ID / IP
------------                            -------------
10.10.13.10 10.10.13.10                 10.10.11.10 10.10.11.10

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA2_256_128 MODP_1536      no     6       28158

And here is on peer

Peer ID / IP                            Local ID / IP
------------                            -------------
10.10.11.10 10.10.11.10                 10.10.13.10 10.10.13.10

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA2_256_128 MODP_1536      no     3       27257

Peer ID / IP                            Local ID / IP
------------                            -------------
10.10.11.10                             10.10.13.10

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    down   IKEv1   n/a          n/a           n/a            no     0       0

Peer ID / IP                            Local ID / IP
------------                            -------------
10.10.11.10 10.10.11.10                 10.10.13.10 10.10.13.10

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA2_256_128 MODP_1536      no     8       26831

run show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ---------------------------------------
R3-vti        down     14s       1K/0B           14/0              10.10.13.10       10.10.13.10  AES_CBC_256/HMAC_SHA2_256_128/MODP_1536
R3-vti        up       4s        956B/1010B      12/13             10.10.13.10       10.10.13.10  AES_CBC_256/HMAC_SHA2_256_128/MODP_1536
R3-vti        up       5s        0B/104B         0/2               10.10.13.10       10.10.13.10  AES_CBC_256/HMAC_SHA2_256_128/MODP_1536
R3-vti        up       5s        164B/0B         3/0               10.10.13.10       10.10.13.10  AES_CBC_256/HMAC_SHA2_256_128/MODP_1536
R3-vti        up       9s        1K/1K           14/16             10.10.13.10       10.10.13.10  AES_CBC_256/HMAC_SHA2_256_128/MODP_1536

R1
set high-availability vrrp group ETH0 address 10.10.11.10
set high-availability vrrp group ETH0 advertise-interval '1'
set high-availability vrrp group ETH0 interface 'eth0'
set high-availability vrrp group ETH0 priority '100'
set high-availability vrrp group ETH0 track interface 'eth0'
set high-availability vrrp group ETH0 vrid '10'
set high-availability vrrp group ETH1 address 10.10.12.10
set high-availability vrrp group ETH1 advertise-interval '1'
set high-availability vrrp group ETH1 interface 'eth1'
set high-availability vrrp group ETH1 priority '100'
set high-availability vrrp group ETH1 track interface 'eth1'
set high-availability vrrp group ETH1 vrid '20'
set interfaces ethernet eth0 address '10.10.11.15/24'
set interfaces ethernet eth0 hw-id '00:0c:29:8f:c8:2a'
set interfaces ethernet eth1 address '10.10.12.15/24'
set interfaces ethernet eth1 hw-id '00:0c:29:8f:c8:34'
set interfaces loopback lo
set interfaces vti vti2 address '169.254.1.1/30'
set protocols bgp address-family ipv4-unicast network 10.10.12.0/24
set protocols bgp neighbor 169.254.1.2 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 169.254.1.2 disable-connected-check
set protocols bgp neighbor 169.254.1.2 remote-as '65501'
set protocols bgp neighbor 169.254.1.2 timers holdtime '10'
set protocols bgp neighbor 169.254.1.2 timers keepalive '2'
set protocols bgp neighbor 169.254.1.2 update-source '169.254.1.1'
set protocols bgp system-as '65500'
set protocols static route 0.0.0.0/0 next-hop 10.10.11.100
set protocols static route 169.254.1.2/32 interface vti2
set service ntp allow-client address '127.0.0.0/8'
set service ntp allow-client address '169.254.0.0/16'
set service ntp allow-client address '10.0.0.0/8'
set service ntp allow-client address '172.16.0.0/12'
set service ntp allow-client address '192.168.0.0/16'
set service ntp allow-client address '::1/128'
set service ntp allow-client address 'fe80::/10'
set service ntp allow-client address 'fc00::/7'
set service ntp server time1.vyos.net
set service ntp server time2.vyos.net
set service ntp server time3.vyos.net
set service ssh
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'MUM-R1'
set system login user vyos authentication encrypted-password '$6$rounds=656000$/5dAQVZ2RIYhA.Ov$2BCxkSvUiRdhjlAdjgfGzYgRPAYHUQbA4MzjpAEt7PYnWQmhTZXQAcTH9lFtJJJ8fs533uHQSlHw0izxrCYOZ0'
set system login user vyos authentication plaintext-password ''
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
set vpn ipsec authentication psk VYOS id '10.10.13.10'
set vpn ipsec authentication psk VYOS secret 'admin@123'
set vpn ipsec esp-group ESP mode 'tunnel'
set vpn ipsec esp-group ESP pfs 'dh-group5'
set vpn ipsec esp-group ESP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE dead-peer-detection interval '5'
set vpn ipsec ike-group IKE dead-peer-detection timeout '5'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE proposal 10 dh-group '5'
set vpn ipsec ike-group IKE proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer R3 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer R3 authentication remote-id '10.10.13.10'
set vpn ipsec site-to-site peer R3 ike-group 'IKE'
set vpn ipsec site-to-site peer R3 local-address '10.10.11.10'
set vpn ipsec site-to-site peer R3 remote-address '10.10.13.10'
set vpn ipsec site-to-site peer R3 vti bind 'vti2'
set vpn ipsec site-to-site peer R3 vti esp-group 'ESP'

And here is on R3

set interfaces ethernet eth0 address '10.10.13.10/24'
set interfaces ethernet eth0 hw-id '00:0c:29:b7:f5:6f'
set interfaces ethernet eth1 address '10.10.14.10/24'
set interfaces ethernet eth1 hw-id '00:0c:29:b7:f5:79'
set interfaces loopback lo
set interfaces vti vti2 address '169.254.1.2/30'
set protocols bgp address-family ipv4-unicast network 10.10.14.0/24
set protocols bgp neighbor 169.254.1.1 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 169.254.1.1 disable-connected-check
set protocols bgp neighbor 169.254.1.1 remote-as '65500'
set protocols bgp neighbor 169.254.1.1 timers holdtime '10'
set protocols bgp neighbor 169.254.1.1 timers keepalive '2'
set protocols bgp neighbor 169.254.1.1 update-source '169.254.1.2'
set protocols bgp system-as '65501'
set protocols static route 0.0.0.0/0 next-hop 10.10.13.100
set protocols static route 169.254.1.1/32 interface vti2
set service ntp allow-client address '127.0.0.0/8'
set service ntp allow-client address '169.254.0.0/16'
set service ntp allow-client address '10.0.0.0/8'
set service ntp allow-client address '172.16.0.0/12'
set service ntp allow-client address '192.168.0.0/16'
set service ntp allow-client address '::1/128'
set service ntp allow-client address 'fe80::/10'
set service ntp allow-client address 'fc00::/7'
set service ntp server time1.vyos.net
set service ntp server time2.vyos.net
set service ntp server time3.vyos.net
set service ssh
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'R3'
set system login user vyos authentication encrypted-password '$6$rounds=656000$AVCeBgETTFcGnWR8$8svKVFlU88AwPYPSWw7mD8g.iOTDxEDSri/skLkWJNeSpaA2woY40avFQmHbO2yfCK2guxYF7wdu0OpC4QDkc/'
set system login user vyos authentication plaintext-password ''
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
set vpn ipsec authentication psk VYOS id '10.10.11.10'
set vpn ipsec authentication psk VYOS secret 'admin@123'
set vpn ipsec esp-group ESP mode 'tunnel'
set vpn ipsec esp-group ESP pfs 'dh-group5'
set vpn ipsec esp-group ESP proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE dead-peer-detection interval '5'
set vpn ipsec ike-group IKE dead-peer-detection timeout '5'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE proposal 10 dh-group '5'
set vpn ipsec ike-group IKE proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer MUM authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer MUM authentication remote-id '10.10.11.10'
set vpn ipsec site-to-site peer MUM ike-group 'IKE'
set vpn ipsec site-to-site peer MUM local-address '10.10.13.10'
set vpn ipsec site-to-site peer MUM remote-address '10.10.11.10'
set vpn ipsec site-to-site peer MUM vti bind 'vti2'
set vpn ipsec site-to-site peer MUM vti esp-group 'ESP'
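
As an added example (not from the thread), here is a small Python parser over a constructed sample trimmed from the `show vpn ike sa` output above; it reports peer/local pairs with more than one IKE SA up, which is the symptom being asked about:

```python
import re
from collections import Counter

# Constructed sample, trimmed from the `show vpn ike sa` output in the post above.
IKE_SA_OUTPUT = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
10.10.13.10 10.10.13.10                 10.10.11.10 10.10.11.10

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA2_256_128 MODP_1536      no     1       26287

Peer ID / IP                            Local ID / IP
------------                            -------------
10.10.13.10 10.10.13.10                 10.10.11.10 10.10.11.10

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA2_256_128 MODP_1536      no     6       28158

Peer ID / IP                            Local ID / IP
------------                            -------------
10.10.13.10                             10.10.11.10

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    down   IKEv1   n/a          n/a           n/a            no     0       0
"""
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_ike_sas(output):
    # Returns (peer_ip, local_ip, state, age_seconds) per SA block. The peer line is
    # "peer_id peer_ip   local_id local_ip", or just "peer_ip   local_ip" for a down SA.
    sas, pending = [], None
    for line in output.splitlines():
        tokens = line.split()
        if tokens and IPV4.match(tokens[0]):
            pending = (tokens[1] if len(tokens) == 4 else tokens[0], tokens[-1])
        elif tokens and tokens[0] in ("up", "down") and pending:
            sas.append((pending[0], pending[1], tokens[0], int(tokens[6])))
            pending = None
    return sas

def duplicate_up_sas(output):
    # More than one 'up' IKE SA for the same peer/local pair is the symptom shown above.
    counts = Counter((p, l) for p, l, state, _ in parse_ike_sas(output) if state == "up")
    return {pair: n for pair, n in counts.items() if n > 1}
```

Paste the full output of both routers into `IKE_SA_OUTPUT` to compare how many SAs each side holds for the same pair.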

It won’t be a bug, no, it’ll be a configuration issue. If you get the settings wrong, or timers mismatched, IPsec tends to “flap” like this. Sorry I don’t have time to examine your config line by line to see what the issue might be, but I’ve seen this many times in my career (not specifically on VyOS) and it’s always a timeout/mismatch somewhere.

You should take a look at IPsec — VyOS 1.5.x (circinus) documentation and start with some defaults.

Example:

  • Change “ESP pfs dh-group 5” into “ESP pfs enable” to inherit the dh-group from the IKE handshake.
  • Remove all the dead-peer-detection lines to use the defaults (as a start).
  • Change ikev1 to ikev2.
  • Change dh-group 5 to at least dh-group 14, or preferably dh-group 22 or higher.

OK - sure let me see and change that
