To reproduce this bug we need 2 nodes and 2 vti interfaces.
One of the peers should be configured with random (non-matching) ESP-group parameters for its vti, the other with correct ones,
i.e. we need to set up 1 working vti interface and 1 that is not working.
- Both tunnels in down state (disabled eth1)
vyos@vyos:~$ show vpn ipsec sa
Connection                   State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
---------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
peer-192.0.2.2-tunnel-vti    down     N/A       N/A             N/A               N/A               N/A          N/A
peer-203.0.113.2-tunnel-vti  down     N/A       N/A             N/A               N/A               N/A          N/A
- Enable eth1, so one of the tunnels is "up"; `show vpn ipsec sa` then fails with a traceback instead of printing the table
vyos@vyos# del interfaces ethernet eth1 disable
[edit]
vyos@vyos# commit
[edit]
vyos@vyos:~$ show vpn ipsec sa
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/show_ipsec_sa.py", line 111, in <module>
    sa_data = sorted(sa_data, key=lambda peer: peer[0])
TypeError: '<' not supported between instances of 'str' and 'bytes'
vyos@vyos:~$
vyos@vyos:~$
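Left Router config (lab values for reproduction only: sample pre-shared secret, IKEv1 with DH group 2 and SHA-1 are legacy choices and not a template for production)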
set interfaces ethernet eth1 address '192.0.2.1/30'
set interfaces ethernet eth1 address '203.0.113.1/30'
set interfaces ethernet eth1 address '100.64.0.1/30'
set interfaces vti vti0 address '10.0.1.1/30'
set interfaces vti vti1 address '10.0.0.1/30'
set vpn ipsec esp-group ESP-GRP-VTI_down compression 'disable'
set vpn ipsec esp-group ESP-GRP-VTI_down lifetime '1800'
set vpn ipsec esp-group ESP-GRP-VTI_down mode 'tunnel'
set vpn ipsec esp-group ESP-GRP-VTI_down pfs 'enable'
set vpn ipsec esp-group ESP-GRP-VTI_down proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GRP-VTI_down proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-GRP-VTI_up compression 'disable'
set vpn ipsec esp-group ESP-GRP-VTI_up lifetime '1800'
set vpn ipsec esp-group ESP-GRP-VTI_up mode 'tunnel'
set vpn ipsec esp-group ESP-GRP-VTI_up pfs 'enable'
set vpn ipsec esp-group ESP-GRP-VTI_up proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GRP-VTI_up proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-GRP-VTI_down close-action 'none'
set vpn ipsec ike-group IKE-GRP-VTI_down ikev2-reauth 'no'
set vpn ipsec ike-group IKE-GRP-VTI_down key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GRP-VTI_down lifetime '3600'
set vpn ipsec ike-group IKE-GRP-VTI_down proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-GRP-VTI_down proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP-VTI_down proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-GRP-VTI_up close-action 'none'
set vpn ipsec ike-group IKE-GRP-VTI_up ikev2-reauth 'no'
set vpn ipsec ike-group IKE-GRP-VTI_up key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GRP-VTI_up lifetime '3600'
set vpn ipsec ike-group IKE-GRP-VTI_up proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-GRP-VTI_up proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP-VTI_up proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 192.0.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.2 authentication pre-shared-secret 'SeCrEt'
set vpn ipsec site-to-site peer 192.0.2.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.2.2 ike-group 'IKE-GRP-VTI_down'
set vpn ipsec site-to-site peer 192.0.2.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.2.2 local-address '192.0.2.1'
set vpn ipsec site-to-site peer 192.0.2.2 vti bind 'vti1'
set vpn ipsec site-to-site peer 192.0.2.2 vti esp-group 'ESP-GRP-VTI_down'
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'SeCrEt'
set vpn ipsec site-to-site peer 203.0.113.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 203.0.113.2 ike-group 'IKE-GRP-VTI_up'
set vpn ipsec site-to-site peer 203.0.113.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 203.0.113.2 local-address '203.0.113.1'
set vpn ipsec site-to-site peer 203.0.113.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group 'ESP-GRP-VTI_up'
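Right Router Config (ESP-GRP-VTI_down differs from the left router here: pfs 'disable' and hash 'sha384', which is what keeps the vti1 tunnel down)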
set interfaces ethernet eth1 address '192.0.2.2/30'
set interfaces ethernet eth1 address '203.0.113.2/30'
set interfaces ethernet eth1 address '100.64.0.2/30'
set interfaces vti vti0 address '10.0.1.2/30'
set interfaces vti vti1 address '10.0.0.2/30'
set vpn ipsec esp-group ESP-GRP-VTI_down compression 'disable'
set vpn ipsec esp-group ESP-GRP-VTI_down lifetime '1800'
set vpn ipsec esp-group ESP-GRP-VTI_down mode 'tunnel'
set vpn ipsec esp-group ESP-GRP-VTI_down pfs 'disable'
set vpn ipsec esp-group ESP-GRP-VTI_down proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GRP-VTI_down proposal 1 hash 'sha384'
set vpn ipsec esp-group ESP-GRP-VTI_up compression 'disable'
set vpn ipsec esp-group ESP-GRP-VTI_up lifetime '1800'
set vpn ipsec esp-group ESP-GRP-VTI_up mode 'tunnel'
set vpn ipsec esp-group ESP-GRP-VTI_up pfs 'enable'
set vpn ipsec esp-group ESP-GRP-VTI_up proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GRP-VTI_up proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-GRP-VTI_down ikev2-reauth 'no'
set vpn ipsec ike-group IKE-GRP-VTI_down key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GRP-VTI_down lifetime '3600'
set vpn ipsec ike-group IKE-GRP-VTI_down proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP-VTI_down proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-GRP-VTI_up ikev2-reauth 'no'
set vpn ipsec ike-group IKE-GRP-VTI_up key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GRP-VTI_up lifetime '3600'
set vpn ipsec ike-group IKE-GRP-VTI_up proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP-VTI_up proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret 'SeCrEt'
set vpn ipsec site-to-site peer 192.0.2.1 ike-group 'IKE-GRP-VTI_down'
set vpn ipsec site-to-site peer 192.0.2.1 local-address '192.0.2.2'
set vpn ipsec site-to-site peer 192.0.2.1 vti bind 'vti1'
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group 'ESP-GRP-VTI_down'
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret 'SeCrEt'
set vpn ipsec site-to-site peer 203.0.113.1 ike-group 'IKE-GRP-VTI_up'
set vpn ipsec site-to-site peer 203.0.113.1 local-address '203.0.113.2'
set vpn ipsec site-to-site peer 203.0.113.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 203.0.113.1 vti esp-group 'ESP-GRP-VTI_up'