Currently I am attempting to set up an IPsec tunnel between a VyOS router and a PA-5050. The use case is that my VyOS router's public IP is dynamically set each day by our ISP. Therefore, the PA-5050 should accept requests from any public IP that matches the IKE and IPsec parameters with the correct pre-shared key.
Due to Palo Alto's peculiar requirement of enabling Aggressive Mode for dynamic peer tunnel establishment when using IKEv1, I am forced to use IKEv2, as it is my understanding that VyOS does not support Aggressive Mode. As such, I have created the tunnel, and it does come up. However, the issues I am facing are two-fold: Phase 2 rekeying, and traffic not being passed to the bound VTI.
When the lifetime expires on the Phase 2 SA, the VyOS box sends a rekey request to the Palo Alto and does nothing from there. Granted, this could be an issue with Palo Alto's processing of IKEv2, but I have used them extensively in the past without issue. Also, this issue persists with a static peer on IKEv2 only.
The second issue I've been having is that once the tunnel is up (and before a rekey occurs), the VTI stays ADMIN DOWN. When I delete the disable setting on the VTI, it goes up/up; however, I cannot reach the other device's tunnel interface. I've run tcpdumps on each device, and I can see the traffic leave the VTI and hit the Palo Alto. I can also see the reply leave the Palo Alto and hit the physical interface (eth2) on the VyOS box. However, the encrypted traffic never seems to be passed to the VTI (vti0).
TL;DR: IPsec Phase 2 rekey fails when using IKEv2, even with a static peer IP, and the VTI bound to the IPsec interface doesn't receive traffic from the IPsec interface.
I am wondering if this is a known issue? Apologies for the long post. If more information is needed I am happy to provide it.
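For reference, here is a VyOS-side configuration of the kind of setup described above (IKEv2, pre-shared key, route-based tunnel bound to a VTI, dynamic local address). This is an added example, not the poster's configuration and not taken from the original post. The group names, the addresses (documentation and private ranges), the IKE identity @vyos-branch, and the assumption that eth2 obtains its public address via DHCP are mine; the syntax is the VyOS 1.1-era command set, so check it against the release in use.

```text
# VyOS configuration shell. Placeholder values (all assumed, not from the post):
#   eth2             = WAN interface whose public address changes (DHCP assumed)
#   203.0.113.10     = static public address of the PA-5050
#   10.255.255.0/30  = point-to-point addressing of the VTI
#   192.168.100.0/24 = network behind the PA-5050
#   @vyos-branch     = IKE identity the PA-5050 uses to match this dynamic peer
configure

# Interface that terminates IKE/ESP
set vpn ipsec ipsec-interfaces interface eth2

# Phase 1: IKEv2, with DPD so a lost peer is re-initiated instead of left hanging
set vpn ipsec ike-group IKE-PA key-exchange ikev2
set vpn ipsec ike-group IKE-PA lifetime 28800
set vpn ipsec ike-group IKE-PA proposal 1 encryption aes256
set vpn ipsec ike-group IKE-PA proposal 1 hash sha256
set vpn ipsec ike-group IKE-PA proposal 1 dh-group 14
set vpn ipsec ike-group IKE-PA dead-peer-detection action restart
set vpn ipsec ike-group IKE-PA dead-peer-detection interval 30
set vpn ipsec ike-group IKE-PA dead-peer-detection timeout 120

# Phase 2: ESP with PFS; the esp-group lifetime is what triggers the CHILD_SA rekey
set vpn ipsec esp-group ESP-PA mode tunnel
set vpn ipsec esp-group ESP-PA lifetime 3600
set vpn ipsec esp-group ESP-PA pfs enable
set vpn ipsec esp-group ESP-PA proposal 1 encryption aes256
set vpn ipsec esp-group ESP-PA proposal 1 hash sha256

# Route-based tunnel: the VTI carries cleartext, IPsec is bound to it.
# Do not leave a 'disable' node under vti0, or it stays ADMIN DOWN.
set interfaces vti vti0 address 10.255.255.1/30
set interfaces vti vti0 description 'to PA-5050'

# Peer: PSK authentication; the local IKE ID is an FQDN-style string so the
# PA-5050 can identify this peer even though its source address changes.
set vpn ipsec site-to-site peer 203.0.113.10 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.10 authentication pre-shared-secret 'CHANGE-ME'
set vpn ipsec site-to-site peer 203.0.113.10 authentication id '@vyos-branch'
set vpn ipsec site-to-site peer 203.0.113.10 ike-group IKE-PA
set vpn ipsec site-to-site peer 203.0.113.10 dhcp-interface eth2
set vpn ipsec site-to-site peer 203.0.113.10 vti bind vti0
set vpn ipsec site-to-site peer 203.0.113.10 vti esp-group ESP-PA

# Send the far network through the tunnel interface
set protocols static interface-route 192.168.100.0/24 next-hop-interface vti0

commit
save
exit

# Operational checks after the tunnel is established
show vpn ike sa
show vpn ipsec sa
show interfaces vti vti0
```

On the PA-5050 the IKE Gateway has to be in IKEv2 mode with the peer address type set to dynamic, the peer identification set to the FQDN vyos-branch, and IKE/IPsec crypto profiles that contain the same proposals and lifetimes as IKE-PA and ESP-PA; mismatched Phase 2 lifetimes or proposal sets are the first thing to compare when a rekey is sent but never completed. If the public address is delivered by something other than DHCP (PPPoE, for instance), replace the dhcp-interface line with whatever the release supports for a non-static local address.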
I can't say if it is a bug or not, but I can confirm that I observe similar behavior on an IKEv2 IPsec site-to-site tunnel between Vyatta (in AWS) and a UBNT ER-Lite router: after the re-keying interval is over, no more traffic can pass between the two locations.
For the moment I have switched that link to IKEv1. If someone from the devs needs something, I can upload some debugs if I still retain access (those systems are the customer's, and he will probably change the access credentials soon).