To reproduce, configure a VTI IPsec tunnel and reset it.
VyOS configuration:
set interfaces ethernet eth1 address '100.64.0.1/30'
set interfaces vti vti1 address '10.0.102.1/30'
set interfaces vti vti1 description 'Tunnel to 100.64.0.2'
set vpn ipsec esp-group group-ESP compression 'disable'
set vpn ipsec esp-group group-ESP lifetime '3600'
set vpn ipsec esp-group group-ESP mode 'tunnel'
set vpn ipsec esp-group group-ESP pfs 'dh-group19'
set vpn ipsec esp-group group-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group group-ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group group-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group group-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group group-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group group-IKE ikev2-reauth 'no'
set vpn ipsec ike-group group-IKE key-exchange 'ikev2'
set vpn ipsec ike-group group-IKE lifetime '28000'
set vpn ipsec ike-group group-IKE mobike 'disable'
set vpn ipsec ike-group group-IKE proposal 10 dh-group '19'
set vpn ipsec ike-group group-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group group-IKE proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer 100.64.0.2 authentication id '100.64.0.1'
set vpn ipsec site-to-site peer 100.64.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 100.64.0.2 authentication pre-shared-secret 'SSSecccRetT'
set vpn ipsec site-to-site peer 100.64.0.2 authentication remote-id '100.64.0.2'
set vpn ipsec site-to-site peer 100.64.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 100.64.0.2 ike-group 'group-IKE'
set vpn ipsec site-to-site peer 100.64.0.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 100.64.0.2 local-address '100.64.0.1'
set vpn ipsec site-to-site peer 100.64.0.2 vti bind 'vti1'
set vpn ipsec site-to-site peer 100.64.0.2 vti esp-group 'group-ESP'
Reset tunnel:
vyos@r1-roll:~$ reset vpn ipsec-peer 100.64.0.2 vti
establishing CHILD_SA peer_100-64-0-2_vti{4}
generating CREATE_CHILD_SA request 4 [ SA No KE TSi TSr ]
sending packet: from 100.64.0.1[500] to 100.64.0.2[500] (337 bytes)
received packet: from 100.64.0.2[500] to 100.64.0.1[500] (257 bytes)
parsed CREATE_CHILD_SA response 4 [ SA No KE TSi TSr ]
selected proposal: ESP:AES_GCM_16_256/ECP_256/NO_EXT_SEQ
CHILD_SA peer_100-64-0-2_vti{4} established with SPIs cc054d99_i cbbfdf07_o and TS 0.0.0.0/0 === 0.0.0.0/0
connection 'peer_100-64-0-2_vti' established successfully
Peer reset result: success
vyos@r1-roll:~$
Tunnel status: multiple child SAs are "Installed" under the same peer name:
vyos@r1-roll:~$ show vpn ipsec sa
Connection           State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------
peer_100-64-0-2_vti  up       12m30s    0B/0B           0/0               100.64.0.2        N/A          AES_GCM_16_256/ECP_256
vyos@r1-roll:~$
vyos@r1-roll:~$ sudo swanctl -l
peer_100-64-0-2: #1, ESTABLISHED, IKEv2, 3be5f436f0262f6e_i* c04e1e3c5fe4a15b_r
  local  '100.64.0.1' @ 100.64.0.1[500]
  remote '100.64.0.2' @ 100.64.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 754s ago, rekeying in 24669s
  peer_100-64-0-2_vti: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 754s ago, rekeying in 2846s, expires in 2846s
    in  c88e155d (-|0x00000002), 0 bytes, 0 packets, 447s ago
    out caaa62ac (-|0x00000002), 0 bytes, 0 packets
    local  0.0.0.0/0
    remote 0.0.0.0/0
  peer_100-64-0-2_vti: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 609s ago, rekeying in 2991s, expires in 2991s
    in  cccc3259 (-|0x00000002), 336 bytes, 4 packets, 447s ago
    out c2fe4554 (-|0x00000002), 336 bytes, 4 packets, 447s ago
    local  0.0.0.0/0
    remote 0.0.0.0/0
  peer_100-64-0-2_vti: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 380s ago, rekeying in 3220s, expires in 3220s
    in  c89c771e (-|0x00000002), 0 bytes, 0 packets
    out c2d46f2a (-|0x00000002), 0 bytes, 0 packets
    local  0.0.0.0/0
    remote 0.0.0.0/0
  peer_100-64-0-2_vti: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 359s ago, rekeying in 3241s, expires in 3241s
    in  cc054d99 (-|0x00000002), 0 bytes, 0 packets
    out cbbfdf07 (-|0x00000002), 0 bytes, 0 packets
    local  0.0.0.0/0
    remote 0.0.0.0/0
vyos@r1-roll:~$
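
A check for this condition, added here as an example and not part of the original report or of VyOS: it parses `swanctl -l` text and reports CHILD_SAs that are INSTALLED more than once under the same IKE_SA, name and reqid. The function names are hypothetical, and the sample input is abridged from the output above (CHILD_SAs #1 and #4 only).

```python
import re
from collections import defaultdict

# Sample abridged from the `swanctl -l` output in this report (two of four CHILD_SAs).
SAMPLE = """\
peer_100-64-0-2: #1, ESTABLISHED, IKEv2, 3be5f436f0262f6e_i* c04e1e3c5fe4a15b_r
  local  '100.64.0.1' @ 100.64.0.1[500]
  remote '100.64.0.2' @ 100.64.0.2[500]
  peer_100-64-0-2_vti: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    in  c88e155d (-|0x00000002), 0 bytes, 0 packets, 447s ago
    out caaa62ac (-|0x00000002), 0 bytes, 0 packets
  peer_100-64-0-2_vti: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    in  cc054d99 (-|0x00000002), 0 bytes, 0 packets
    out cbbfdf07 (-|0x00000002), 0 bytes, 0 packets
"""

IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), IKEv[12]")            # unindented IKE_SA header
CHILD_RE = re.compile(r"^\s+(\S+): #(\d+), reqid (\d+), (\w+), (\w+)")  # indented CHILD_SA header
SPI_RE = re.compile(r"^\s+(in|out)\s+([0-9a-f]{8})\b")             # per-direction SPI line

def parse_child_sas(text):
    """Return one dict per CHILD_SA, with its parent IKE_SA name and SPIs."""
    children, ike, cur = [], None, None
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            ike, cur = m.group(1), None
        elif m := CHILD_RE.match(line):
            cur = {"ike": ike, "name": m.group(1), "id": int(m.group(2)),
                   "reqid": int(m.group(3)), "state": m.group(4), "spi": {}}
            children.append(cur)
        elif cur is not None and (m := SPI_RE.match(line)):
            cur["spi"][m.group(1)] = m.group(2)
    return children

def duplicate_installed(children):
    """Group INSTALLED CHILD_SAs by (IKE_SA, name, reqid); keep groups with >1 entry."""
    groups = defaultdict(list)
    for c in children:
        if c["state"] == "INSTALLED":
            groups[(c["ike"], c["name"], c["reqid"])].append(c)
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for (ike, name, reqid), sas in duplicate_installed(parse_child_sas(SAMPLE)).items():
        spis = ", ".join(f"#{c['id']} {c['spi'].get('in')}/{c['spi'].get('out')}" for c in sas)
        print(f"{name} (reqid {reqid}, IKE_SA {ike}): {len(sas)} INSTALLED: {spis}")
```

Only the INSTALLED state is counted, so a CHILD_SA listed in another state during a rekey is not reported.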