During the configuration applying the vpn ipsec logging log-modes option, the actual state of IPSec daemons is not checked. This leads to the situation when this option never applying actually during the system boot or initial VPN configuration.
For example, on a router with an empty configuration:
set interfaces ethernet eth0 address 192.0.2.2/25 set interfaces vti vti0 address 192.0.2.254/25 set vpn ipsec esp-group e1 proposal 1 encryption 'aes256' set vpn ipsec esp-group e1 proposal 1 hash 'sha256' set vpn ipsec ike-group i1 key-exchange 'ikev2' set vpn ipsec ike-group i1 proposal 1 encryption 'aes256' set vpn ipsec ike-group i1 proposal 1 hash 'sha256' set vpn ipsec ipsec-interfaces interface 'eth0' set vpn ipsec logging log-modes 'any' set vpn ipsec site-to-site peer 192.0.2.1 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret 'secret' set vpn ipsec site-to-site peer 192.0.2.1 default-esp-group 'e1' set vpn ipsec site-to-site peer 192.0.2.1 ike-group 'i1' set vpn ipsec site-to-site peer 192.0.2.1 local-address '192.0.2.2' set vpn ipsec site-to-site peer 192.0.2.1 vti bind 'vti0'
Will generate:
vyos@vyos# commit [ vpn ] connecting to 'unix:///var/run/charon.ctl' failed: No such file or directory failed to connect to stroke socket 'unix:///var/run/charon.ctl' Warning: unable to [Stroking log source any to loglevel 1], received error code 65280
It is necessary to add a check for the charon daemon's state and apply the option only when it will be available.