I had been attempting to get a stable site-to-site VPN connection, and it kept dropping whenever the other side attempted to initiate. The logs were showing the following error:
Jul 13 14:02:33 vyos-prod charon: 01[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Jul 13 14:02:33 vyos-prod charon: 01[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Even though PFS was configured for dh-group14 implicitly, the local config wasn't reporting its proposal to the other side with MODP_2048 in it.
Looking at the /etc/ipsec.conf:
ike=aes256-sha256-modp2048!
keyexchange=ikev2
reauth=no
ikelifetime=28800s
dpddelay=30s
dpdtimeout=120s
dpdaction=restart
esp=aes256-sha256!
keylife=3600s
rekeymargin=540s
type=tunnel
pfs=yes
pfsgroup=modp2048
Clearly the pfsgroup was in there, but I noticed it wasn't on the "esp=" line like it was with "ike=". So, I manually changed the "esp=" line to read:
After that I restarted the ipsec process; the error went away and the connection remained stable.
Now I am worried that I will have to remember to redo that change in the ipsec.conf any time I adjust any ipsec settings.
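A small checker for the mismatch described above, added here as an example and not part of the original post. It assumes the charon log format shown (one proposal per "received/configured proposals" line) and a key=value ipsec.conf layout; the sample log and config are constructed from the post.

```python
import re

# Constructed sample input: the two charon lines and the relevant
# ipsec.conf settings from the post above.
SAMPLE_LOG = (
    "Jul 13 14:02:33 vyos-prod charon: 01[CFG] received proposals: "
    "ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ\n"
    "Jul 13 14:02:33 vyos-prod charon: 01[CFG] configured proposals: "
    "ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ\n"
)
SAMPLE_CONF = "ike=aes256-sha256-modp2048! esp=aes256-sha256! pfs=yes pfsgroup=modp2048"

PROPOSAL_RE = re.compile(r"\[CFG\] (received|configured) proposals: (\S+)")
# DH transform names as strongSwan prints them (MODP_2048, ECP_256, CURVE_25519).
DH_RE = re.compile(r"^(MODP_\d+|ECP_\d+|CURVE_\d+)$")


def dh_group(proposal):
    """Return the DH transform of 'ESP:A/B/C', or None if the proposal has none."""
    _proto, _, transforms = proposal.partition(":")
    return next((t for t in transforms.split("/") if DH_RE.match(t)), None)


def find_pfs_mismatch(log_text):
    """Map protocol -> (received DH, configured DH) where the two sides disagree."""
    seen = {}
    for m in PROPOSAL_RE.finditer(log_text):
        side, proposal = m.groups()
        proto = proposal.partition(":")[0]
        seen.setdefault(proto, {})[side] = dh_group(proposal)
    return {p: (s.get("received"), s.get("configured"))
            for p, s in seen.items()
            if s.get("received") != s.get("configured")}


def check_conf(conf_text):
    """Return the pfsgroup name if pfs=yes but the esp= proposal omits it, else None."""
    kv = dict(re.findall(r"(\w+)=(\S+)", conf_text))
    group = kv.get("pfsgroup")
    if kv.get("pfs") != "yes" or not group:
        return None
    if group.lower() in kv.get("esp", "").lower():
        return None
    return group


if __name__ == "__main__":
    print(find_pfs_mismatch(SAMPLE_LOG))  # {'ESP': ('MODP_2048', None)}
    print(check_conf(SAMPLE_CONF))        # modp2048
```

Running `check_conf` after every config regeneration is one way to catch the esp= line silently losing its DH group again.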