When two or more tunnels between two hosts share the same IKE SA, the "show vpn ike sa" command shows all child SAs as down, regardless of their real state:
```
vyos@vyos02:~$ show vpn ipsec sa
Connection                  State    Up          Bytes In/Out    Remote address    Remote ID    Proposal
--------------------------  -------  ----------  --------------  ----------------  -----------  ---------------------------------------------------------
peer-192.168.30.1-tunnel-1  up       20 seconds  0B/0B           192.168.30.1      N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
peer-192.168.30.1-tunnel-2  up       20 seconds  0B/0B           192.168.30.1      N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
peer-192.168.30.1-tunnel-3  up       20 seconds  0B/0B           192.168.30.1      N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
peer-192.168.30.1-tunnel-5  up       20 seconds  0B/0B           192.168.30.1      N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072

vyos@vyos02:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
n/a                                     192.168.30.2

    State  IKEVer  Encrypt  Hash        D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----        ---------      -----  ------  ------
    down   N/A     n/a      n/a         n/a(n/a)       no     0       n/a
    down   N/A     n/a      n/a         n/a(n/a)       no     0       n/a
    down   N/A     n/a      n/a         n/a(n/a)       no     0       n/a

Peer ID / IP                            Local ID / IP
------------                            -------------
192.168.30.1                            192.168.30.2

    State  IKEVer  Encrypt  Hash        D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----        ---------      -----  ------  ------
    up     IKEv1   aes256   sha256_128  15(MODP_3072)  no     3600    28800
```
Most likely, this is a problem with parsing the output of sudo ipsec statusall.
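A monitoring-side cross-check for the mismatch shown above, as an added example (not VyOS code): it parses both command outputs and counts IKE rows listed as down under peer n/a while every child SA is up and its remote address has an up IKE SA. The function names are hypothetical, and the sample data is rebuilt from the rows in this report with header rows for the State table omitted.

```python
import re

IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")
PROP = "AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072"
# Sample data: rows copied from the two command outputs in the report.
IPSEC_SA = "".join(
    f"peer-192.168.30.1-tunnel-{n}  up  20 seconds  0B/0B  192.168.30.1  N/A  {PROP}\n"
    for n in (1, 2, 3, 5))
HDR = "Peer ID / IP  Local ID / IP\n------------  -------------\n"
DOWN = "    down  N/A  n/a  n/a  n/a(n/a)  no  0  n/a\n"
IKE_SA = (HDR + "n/a  192.168.30.2\n" + DOWN * 3 +
          HDR + "192.168.30.1  192.168.30.2\n" +
          "    up  IKEv1  aes256  sha256_128  15(MODP_3072)  no  3600  28800\n")

def child_sas(text):
    """Return (connection, state, remote address) per row of 'show vpn ipsec sa'."""
    rows = []
    for f in (line.split() for line in text.splitlines()):
        if f and f[0].startswith("peer-"):
            # The uptime column can be one or two tokens, so locate the IP by pattern.
            remote = next((t for t in f[2:] if IPV4.fullmatch(t)), None)
            rows.append((f[0], f[1], remote))
    return rows

def ike_blocks(text):
    """Return one dict per 'Peer ID / IP' block of 'show vpn ike sa'."""
    blocks, lines = [], [line.split() for line in text.splitlines()]
    for i, f in enumerate(lines):
        if f[:2] == ["Peer", "ID"]:
            peer, local = lines[i + 2][:2]  # row below the dashed rule
            blocks.append({"peer": peer, "local": local, "states": []})
        elif blocks and f and f[0] in ("up", "down"):
            blocks[-1]["states"].append(f[0])
    return blocks

def phantom_down(ipsec_text, ike_text):
    """Count 'down' IKE rows under peer 'n/a' that contradict healthy child SAs."""
    sas, blocks = child_sas(ipsec_text), ike_blocks(ike_text)
    up_peers = {b["peer"] for b in blocks if "up" in b["states"]}
    healthy = bool(sas) and all(s == "up" and r in up_peers for _, s, r in sas)
    if not healthy:
        return 0  # a real outage is possible, so do not explain 'down' rows away
    return sum(b["states"].count("down") for b in blocks if b["peer"] == "n/a")

if __name__ == "__main__":
    print("phantom down rows:", phantom_down(IPSEC_SA, IKE_SA))
```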