There is only one GRE/IPsec tunnel on this installation. As you can see here:
```
user@vyos:~$ sudo swanctl --list-conns
peer-vpn.domain.com-tunnel-1: , no reauthentication, no rekeying
  local:  172.16.101.16
  remote: vpn.domain.com
  local public key authentication:
    id: vpn10.domain.com
    certs: C=XX, ST=XX, L=XXX, O=XX, OU=XX, CN=vpn10.domain.com, [email protected]
  remote public key authentication:
    id: vpn.domain.com
  peer-vpn.domain.com-tunnel-1: TUNNEL, rekeying every 3060s
    local:  172.20.10.1/32[gre]
    remote: 172.20.1.1/32[gre]
```
But 'show vpn ipsec sa' shows this tunnel twice:
```
user@vyos:~$ show vpn ipsec sa
Connection                     State    Up       Bytes In/Out    Remote address    Remote ID        Proposal
-----------------------------  -------  -------  --------------  ----------------  ---------------  ---------------------------------------
peer-vpn.domain.com-tunnel-1   up       3 hours  1M/1M           1.2.3.4           vpn.domain.com   AES_CBC_128/HMAC_SHA2_256_128/MODP_2048
peer-vpn.domain.com-tunnel-1   up       3 hours  1M/1M           1.2.3.4           vpn.domain.com   AES_CBC_128/HMAC_SHA2_256_128/MODP_2048
```
The tunnel is fully functional.