
IPsec peers dh-group negotiation issue with pfs enabled and multiple proposals configured with IKEv1
Status: Closed, Resolved · Visibility: Public · Type: Bug

Description

Issue description

When more than one proposal with different dh-groups is configured under an IKE group, the initiating peer with PFS enabled offers only the dh-group of the *first* IKE proposal during phase 2 (Quick Mode), and as responder it accepts only that group. The generated swanctl.conf shows why: the connection's `proposals` line carries every configured IKE dh-group, but the child's `esp_proposals` line is rendered with only the first one. If the peer's PFS group differs, the IKE SA comes up but Quick Mode fails with NO_PROPOSAL_CHOSEN and no IPsec SA is ever established (the tunnel looks "up" in `show vpn ike sa` while `show vpn ipsec sa` stays empty). Applies to IKEv1.

Example:

VyOS1 <--IPsec--> VyOS2
Version (VyOS1): VyOS 1.4-rolling-202202230317. VyOS2's version is not given; its configuration below uses the older `ipsec-interfaces` / `allow-nat-networks` syntax, so it may be running a different release (both sides log strongSwan 5.9.1).

VyOS1 configuration:


*IKE*
set vpn ipsec ike-group IKE-1 close-action 'none'
set vpn ipsec ike-group IKE-1 ikev2-reauth 'no'
set vpn ipsec ike-group IKE-1 key-exchange 'ikev1'
set vpn ipsec ike-group IKE-1 lifetime '3600'
set vpn ipsec ike-group IKE-1 proposal 1 dh-group '5'
set vpn ipsec ike-group IKE-1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-1 proposal 2 dh-group '2'
set vpn ipsec ike-group IKE-1 proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE-1 proposal 2 hash 'sha1'

*ESP*
set vpn ipsec esp-group ESP-1 compression 'disable'
set vpn ipsec esp-group ESP-1 lifetime '1800'
set vpn ipsec esp-group ESP-1 mode 'tunnel'
set vpn ipsec esp-group ESP-1 pfs 'enable'
set vpn ipsec esp-group ESP-1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-1 proposal 1 hash 'sha1'

*Rest of the IPsec config*
set vpn ipsec interface 'bond0'
set vpn ipsec site-to-site peer 10.1.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.1.2.2 authentication pre-shared-secret 'MySecretKey'
set vpn ipsec site-to-site peer 10.1.2.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.1.2.2 ike-group 'IKE-1'
set vpn ipsec site-to-site peer 10.1.2.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.1.2.2 local-address '10.1.1.2'
set vpn ipsec site-to-site peer 10.1.2.2 tunnel 0 esp-group 'ESP-1'
set vpn ipsec site-to-site peer 10.1.2.2 tunnel 0 local prefix '192.168.1.0/24'
set vpn ipsec site-to-site peer 10.1.2.2 tunnel 0 remote prefix '192.168.2.0/24'

VyOS2 configuration:


*IKE*
set vpn ipsec ike-group IKE-1 close-action 'none'
set vpn ipsec ike-group IKE-1 ikev2-reauth 'no'
set vpn ipsec ike-group IKE-1 key-exchange 'ikev1'
set vpn ipsec ike-group IKE-1 lifetime '3600'
set vpn ipsec ike-group IKE-1 proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1 proposal 1 hash 'sha1'

*ESP*
set vpn ipsec esp-group ESP-1 compression 'disable'
set vpn ipsec esp-group ESP-1 lifetime '1800'
set vpn ipsec esp-group ESP-1 mode 'tunnel'
set vpn ipsec esp-group ESP-1 pfs 'enable'
set vpn ipsec esp-group ESP-1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-1 proposal 1 hash 'sha1'

*Rest of the IPsec config*
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.1.1.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.1.1.2 authentication pre-shared-secret 'MySecretKey'
set vpn ipsec site-to-site peer 10.1.1.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.1.1.2 ike-group 'IKE-1'
set vpn ipsec site-to-site peer 10.1.1.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.1.1.2 local-address '10.1.2.2'
set vpn ipsec site-to-site peer 10.1.1.2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 10.1.1.2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 10.1.1.2 tunnel 0 esp-group 'ESP-1'
set vpn ipsec site-to-site peer 10.1.1.2 tunnel 0 local prefix '192.168.2.0/24'
set vpn ipsec site-to-site peer 10.1.1.2 tunnel 0 remote prefix '192.168.1.0/24'

Diagnostics and logs

Note: `cat /etc/swanctl/swanctl.conf` prints the pre-shared secret in clear text (see the `secrets` section). The value shown here is a placeholder; redact real PSKs before attaching this output to a public ticket.

VyOS1


vyos@VyOS-1:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.2.2 10.1.2.2                       10.1.1.2 10.1.1.2

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     310     0

vyos@VyOS-1:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------

vyos@VyOS-1:~$ cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_10-1-2-2 {
        proposals = aes256-sha1-modp1536,aes256-sha1-modp1024
        version = 1
        local_addrs = 10.1.1.2 # dhcp:no
        remote_addrs = 10.1.2.2
        rekey_time = 3600s
        mobike = yes
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            id = "10.1.2.2"
            auth = psk
        }
        children {
            peer_10-1-2-2_tunnel_0 {
                esp_proposals = aes256-sha1-modp1536
                life_time = 1800s
                local_ts = 192.168.1.0/24
                remote_ts = 192.168.2.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
            }
        }
    }

}

pools {
}

secrets {
    ike_10-1-2-2 {
        id-local = 10.1.1.2 # dhcp:no
        id-remote = 10.1.2.2
        secret = "MySecretKey"
    }
}


Feb 28 11:01:26 VyOS-1 charon[1849]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.101-amd64-vyos, x86_64)
Feb 28 11:01:27 VyOS-1 sudo[1858]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:27 VyOS-1 sudo[1860]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] PKCS11 module '<name>' lacks library path
Feb 28 11:01:27 VyOS-1 sudo[1890]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:27 VyOS-1 sudo[1990]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:27 VyOS-1 sudo[1992]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] loaded 0 RADIUS server configurations
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[CFG] HA config misses local/remote address
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 28 11:01:27 VyOS-1 charon[1849]: 00[JOB] spawning 16 worker threads
Feb 28 11:01:27 VyOS-1 sudo[2013]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:27 VyOS-1 ipsec_starter[1847]: charon (1849) started after 780 ms
Feb 28 11:01:27 VyOS-1 charon[1849]: 05[CFG] loaded IKE shared key with id 'ike_10-1-2-2' for: '10.1.1.2', '10.1.2.2'
Feb 28 11:01:27 VyOS-1 charon[1849]: 10[CFG] added vici connection: peer_10-1-2-2
Feb 28 11:01:27 VyOS-1 charon[1849]: 10[CFG] initiating 'peer_10-1-2-2_tunnel_0'
Feb 28 11:01:27 VyOS-1 charon[1849]: 10[IKE] <peer_10-1-2-2|1> initiating Main Mode IKE_SA peer_10-1-2-2[1] to 10.1.2.2
Feb 28 11:01:27 VyOS-1 charon[1849]: 10[ENC] <peer_10-1-2-2|1> generating ID_PROT request 0 [ SA V V V V V ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 10[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (216 bytes)
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (160 bytes)
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[ENC] <peer_10-1-2-2|1> parsed ID_PROT response 0 [ SA V V V V ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[IKE] <peer_10-1-2-2|1> received XAuth vendor ID
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[IKE] <peer_10-1-2-2|1> received DPD vendor ID
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[IKE] <peer_10-1-2-2|1> received FRAGMENTATION vendor ID
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[IKE] <peer_10-1-2-2|1> received NAT-T (RFC 3947) vendor ID
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[CFG] <peer_10-1-2-2|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[ENC] <peer_10-1-2-2|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 16[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (244 bytes)
Feb 28 11:01:27 VyOS-1 charon[1849]: 05[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (244 bytes)
Feb 28 11:01:27 VyOS-1 charon[1849]: 05[ENC] <peer_10-1-2-2|1> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 05[ENC] <peer_10-1-2-2|1> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 05[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (108 bytes)
Feb 28 11:01:27 VyOS-1 charon[1849]: 07[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:01:27 VyOS-1 charon[1849]: 07[ENC] <peer_10-1-2-2|1> parsed ID_PROT response 0 [ ID HASH ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 07[IKE] <peer_10-1-2-2|1> IKE_SA peer_10-1-2-2[1] established between 10.1.1.2[10.1.1.2]...10.1.2.2[10.1.2.2]
Feb 28 11:01:27 VyOS-1 charon[1849]: 07[IKE] <peer_10-1-2-2|1> scheduling rekeying in 3402s
Feb 28 11:01:27 VyOS-1 charon[1849]: 07[IKE] <peer_10-1-2-2|1> maximum IKE_SA lifetime 3762s
Feb 28 11:01:27 VyOS-1 charon[1849]: 07[ENC] <peer_10-1-2-2|1> generating QUICK_MODE request 113552097 [ HASH SA No KE ID ID ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 07[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (380 bytes)
Feb 28 11:01:27 VyOS-1 charon[1849]: 06[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:01:27 VyOS-1 charon[1849]: 06[ENC] <peer_10-1-2-2|1> parsed INFORMATIONAL_V1 request 495653456 [ HASH N(NO_PROP) ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 06[IKE] <peer_10-1-2-2|1> received NO_PROPOSAL_CHOSEN error notify
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[NET] <2> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (180 bytes)
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[ENC] <2> parsed ID_PROT request 0 [ SA V V V V V ]
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[IKE] <2> received XAuth vendor ID
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[IKE] <2> received DPD vendor ID
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[IKE] <2> received FRAGMENTATION vendor ID
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[IKE] <2> received NAT-T (RFC 3947) vendor ID
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[IKE] <2> 10.1.2.2 is initiating a Main Mode IKE_SA
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[ENC] <2> generating ID_PROT response 0 [ SA V V V V ]
Feb 28 11:01:30 VyOS-1 charon[1849]: 08[NET] <2> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (160 bytes)
Feb 28 11:01:30 VyOS-1 charon[1849]: 09[NET] <2> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (244 bytes)
Feb 28 11:01:30 VyOS-1 charon[1849]: 09[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 28 11:01:30 VyOS-1 charon[1849]: 09[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 28 11:01:30 VyOS-1 charon[1849]: 09[NET] <2> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (244 bytes)
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[NET] <2> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[ENC] <2> parsed ID_PROT request 0 [ ID HASH ]
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[CFG] <2> looking for pre-shared key peer configs matching 10.1.1.2...10.1.2.2[10.1.2.2]
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[CFG] <2> selected peer config "peer_10-1-2-2"
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[IKE] <peer_10-1-2-2|2> IKE_SA peer_10-1-2-2[2] established between 10.1.1.2[10.1.1.2]...10.1.2.2[10.1.2.2]
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[IKE] <peer_10-1-2-2|2> scheduling rekeying in 3275s
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[IKE] <peer_10-1-2-2|2> maximum IKE_SA lifetime 3635s
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[ENC] <peer_10-1-2-2|2> generating ID_PROT response 0 [ ID HASH ]
Feb 28 11:01:30 VyOS-1 charon[1849]: 11[NET] <peer_10-1-2-2|2> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (76 bytes)
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[NET] <peer_10-1-2-2|2> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (316 bytes)
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[ENC] <peer_10-1-2-2|2> parsed QUICK_MODE request 3521146508 [ HASH SA No KE ID ID ]
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[CFG] <peer_10-1-2-2|2> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[CFG] <peer_10-1-2-2|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[IKE] <peer_10-1-2-2|2> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[ENC] <peer_10-1-2-2|2> generating INFORMATIONAL_V1 request 2163880087 [ HASH N(NO_PROP) ]
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[NET] <peer_10-1-2-2|2> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (76 bytes)
Feb 28 11:01:41 VyOS-1 charon[1849]: 05[IKE] <peer_10-1-2-2|1> deleting IKE_SA peer_10-1-2-2[1] between 10.1.1.2[10.1.1.2]...10.1.2.2[10.1.2.2]
Feb 28 11:01:41 VyOS-1 charon[1849]: 05[IKE] <peer_10-1-2-2|1> sending DELETE for IKE_SA peer_10-1-2-2[1]
Feb 28 11:01:41 VyOS-1 charon[1849]: 05[ENC] <peer_10-1-2-2|1> generating INFORMATIONAL_V1 request 3348301110 [ HASH D ]
Feb 28 11:01:41 VyOS-1 charon[1849]: 05[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (92 bytes)

Exact logs pointing to the issue. The first pair shows VyOS1 as initiator having its Quick Mode offer (MODP_1536, the first IKE dh-group) rejected; the second shows VyOS1 as responder rejecting VyOS2's MODP_1024 offer because its generated `esp_proposals` contains only MODP_1536. The restriction therefore bites in both directions, even though the IKE SA itself negotiated MODP_1024 successfully:

Feb 28 11:01:27 VyOS-1 charon[1849]: 06[ENC] <peer_10-1-2-2|1> parsed INFORMATIONAL_V1 request 495653456 [ HASH N(NO_PROP) ]
Feb 28 11:01:27 VyOS-1 charon[1849]: 06[IKE] <peer_10-1-2-2|1> received NO_PROPOSAL_CHOSEN error notify

Feb 28 11:01:30 VyOS-1 charon[1849]: 13[CFG] <peer_10-1-2-2|2> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[CFG] <peer_10-1-2-2|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Feb 28 11:01:30 VyOS-1 charon[1849]: 13[IKE] <peer_10-1-2-2|2> no matching proposal found, sending NO_PROPOSAL_CHOSEN

VyOS2


vyos@VyOS-2:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.1.2 10.1.1.2                       10.1.2.2 10.1.2.2

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     605     0

vyos@VyOS-2:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------

vyos@VyOS-2:~$ cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_10-1-1-2 {
        proposals = aes256-sha1-modp1024
        version = 1
        local_addrs = 10.1.2.2 # dhcp:no
        remote_addrs = 10.1.1.2
        rekey_time = 3600s
        mobike = yes
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            id = "10.1.1.2"
            auth = psk
        }
        children {
            peer_10-1-1-2_tunnel_0 {
                esp_proposals = aes256-sha1-modp1024
                life_time = 1800s
                local_ts = 192.168.2.0/24
                remote_ts = 192.168.1.0/24
                ipcomp = no
                mode = tunnel
vyos@VyOS-2:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.1.2 10.1.1.2                       10.1.2.2 10.1.2.2

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     605     0

vyos@VyOS-2:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------

vyos@VyOS-2:~$ cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_10-1-1-2 {
        proposals = aes256-sha1-modp1024
        version = 1
        local_addrs = 10.1.2.2 # dhcp:no
        remote_addrs = 10.1.1.2
        rekey_time = 3600s
        mobike = yes
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            id = "10.1.1.2"
            auth = psk
        }
        children {
            peer_10-1-1-2_tunnel_0 {
                esp_proposals = aes256-sha1-modp1024
                life_time = 1800s
                local_ts = 192.168.2.0/24
                remote_ts = 192.168.1.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
            }
        }
    }

}

pools {
}

secrets {
    ike_10-1-1-2 {
        id-local = 10.1.2.2 # dhcp:no
        id-remote = 10.1.1.2
        secret = "MySecretKey"
    }
}


Feb 28 11:01:25 VyOS-2 charon[1790]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.101-amd64-vyos, x86_64)
Feb 28 11:01:25 VyOS-2 sudo[1799]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:25 VyOS-2 sudo[1801]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:25 VyOS-2 charon[1790]: 00[CFG] PKCS11 module '<name>' lacks library path
Feb 28 11:01:25 VyOS-2 sudo[1808]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:26 VyOS-2 sudo[1906]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:26 VyOS-2 sudo[1933]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:26 VyOS-2 sudo[1935]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[CFG] loaded 0 RADIUS server configurations
Feb 28 11:01:26 VyOS-2 sudo[1940]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[CFG] HA config misses local/remote address
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 28 11:01:26 VyOS-2 charon[1790]: 00[JOB] spawning 16 worker threads
Feb 28 11:01:26 VyOS-2 ipsec_starter[1788]: charon (1790) started after 960 ms
Feb 28 11:01:26 VyOS-2 charon[1790]: 08[CFG] loaded IKE shared key with id 'ike_10-1-1-2' for: '10.1.2.2', '10.1.1.2'
Feb 28 11:01:26 VyOS-2 charon[1790]: 10[CFG] added vici connection: peer_10-1-1-2
Feb 28 11:01:26 VyOS-2 charon[1790]: 10[CFG] initiating 'peer_10-1-1-2_tunnel_0'
Feb 28 11:01:26 VyOS-2 charon[1790]: 10[IKE] <peer_10-1-1-2|1> initiating Main Mode IKE_SA peer_10-1-1-2[1] to 10.1.1.2
Feb 28 11:01:26 VyOS-2 charon[1790]: 10[ENC] <peer_10-1-1-2|1> generating ID_PROT request 0 [ SA V V V V V ]
Feb 28 11:01:26 VyOS-2 charon[1790]: 10[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (180 bytes)
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[NET] <2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (216 bytes)
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[ENC] <2> parsed ID_PROT request 0 [ SA V V V V V ]
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[IKE] <2> received XAuth vendor ID
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[IKE] <2> received DPD vendor ID
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[IKE] <2> received FRAGMENTATION vendor ID
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[IKE] <2> received NAT-T (RFC 3947) vendor ID
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[IKE] <2> 10.1.1.2 is initiating a Main Mode IKE_SA
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[ENC] <2> generating ID_PROT response 0 [ SA V V V V ]
Feb 28 11:01:28 VyOS-2 charon[1790]: 07[NET] <2> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (160 bytes)
Feb 28 11:01:28 VyOS-2 charon[1790]: 08[NET] <2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (244 bytes)
Feb 28 11:01:28 VyOS-2 charon[1790]: 08[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 28 11:01:28 VyOS-2 charon[1790]: 08[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 28 11:01:28 VyOS-2 charon[1790]: 08[NET] <2> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (244 bytes)
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[NET] <2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (108 bytes)
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[ENC] <2> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[CFG] <2> looking for pre-shared key peer configs matching 10.1.2.2...10.1.1.2[10.1.1.2]
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[CFG] <2> selected peer config "peer_10-1-1-2"
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[IKE] <peer_10-1-1-2|2> IKE_SA peer_10-1-1-2[2] established between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[IKE] <peer_10-1-1-2|2> scheduling rekeying in 3442s
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[IKE] <peer_10-1-1-2|2> maximum IKE_SA lifetime 3802s
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[ENC] <peer_10-1-1-2|2> generating ID_PROT response 0 [ ID HASH ]
Feb 28 11:01:28 VyOS-2 charon[1790]: 14[NET] <peer_10-1-1-2|2> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[NET] <peer_10-1-1-2|2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (380 bytes)
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[ENC] <peer_10-1-1-2|2> parsed QUICK_MODE request 113552097 [ HASH SA No KE ID ID ]
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[CFG] <peer_10-1-1-2|2> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[CFG] <peer_10-1-1-2|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[IKE] <peer_10-1-1-2|2> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[ENC] <peer_10-1-1-2|2> generating INFORMATIONAL_V1 request 495653456 [ HASH N(NO_PROP) ]
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[NET] <peer_10-1-1-2|2> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 09[IKE] <peer_10-1-1-2|1> sending retransmit 1 of request message ID 0, seq 1
Feb 28 11:01:31 VyOS-2 charon[1790]: 09[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (180 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (160 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[ENC] <peer_10-1-1-2|1> parsed ID_PROT response 0 [ SA V V V V ]
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[IKE] <peer_10-1-1-2|1> received XAuth vendor ID
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[IKE] <peer_10-1-1-2|1> received DPD vendor ID
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[IKE] <peer_10-1-1-2|1> received FRAGMENTATION vendor ID
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[IKE] <peer_10-1-1-2|1> received NAT-T (RFC 3947) vendor ID
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[CFG] <peer_10-1-1-2|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[ENC] <peer_10-1-1-2|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 28 11:01:31 VyOS-2 charon[1790]: 11[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (244 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 12[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (244 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 12[ENC] <peer_10-1-1-2|1> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 28 11:01:31 VyOS-2 charon[1790]: 12[ENC] <peer_10-1-1-2|1> generating ID_PROT request 0 [ ID HASH ]
Feb 28 11:01:31 VyOS-2 charon[1790]: 12[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 05[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (76 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 05[ENC] <peer_10-1-1-2|1> parsed ID_PROT response 0 [ ID HASH ]
Feb 28 11:01:31 VyOS-2 charon[1790]: 05[IKE] <peer_10-1-1-2|1> IKE_SA peer_10-1-1-2[1] established between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]
Feb 28 11:01:31 VyOS-2 charon[1790]: 05[IKE] <peer_10-1-1-2|1> scheduling rekeying in 3458s
Feb 28 11:01:31 VyOS-2 charon[1790]: 05[IKE] <peer_10-1-1-2|1> maximum IKE_SA lifetime 3818s
Feb 28 11:01:31 VyOS-2 charon[1790]: 05[ENC] <peer_10-1-1-2|1> generating QUICK_MODE request 3521146508 [ HASH SA No KE ID ID ]
Feb 28 11:01:31 VyOS-2 charon[1790]: 05[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (316 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 13[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (76 bytes)
Feb 28 11:01:31 VyOS-2 charon[1790]: 13[ENC] <peer_10-1-1-2|1> parsed INFORMATIONAL_V1 request 2163880087 [ HASH N(NO_PROP) ]
Feb 28 11:01:31 VyOS-2 charon[1790]: 13[IKE] <peer_10-1-1-2|1> received NO_PROPOSAL_CHOSEN error notify
Feb 28 11:01:41 VyOS-2 charon[1790]: 14[NET] <peer_10-1-1-2|2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (92 bytes)
Feb 28 11:01:41 VyOS-2 charon[1790]: 14[ENC] <peer_10-1-1-2|2> parsed INFORMATIONAL_V1 request 3348301110 [ HASH D ]
Feb 28 11:01:41 VyOS-2 charon[1790]: 14[IKE] <peer_10-1-1-2|2> received DELETE for IKE_SA peer_10-1-1-2[2]
Feb 28 11:01:41 VyOS-2 charon[1790]: 14[IKE] <peer_10-1-1-2|2> deleting IKE_SA peer_10-1-1-2[2] between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]

Exact logs pointing to the issue:

Feb 28 11:01:28 VyOS-2 charon[1790]: 16[CFG] <peer_10-1-1-2|2> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[CFG] <peer_10-1-1-2|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 28 11:01:28 VyOS-2 charon[1790]: 16[IKE] <peer_10-1-1-2|2> no matching proposal found, sending NO_PROPOSAL_CHOSEN

Feb 28 11:01:31 VyOS-2 charon[1790]: 13[ENC] <peer_10-1-1-2|1> parsed INFORMATIONAL_V1 request 2163880087 [ HASH N(NO_PROP) ]
Feb 28 11:01:31 VyOS-2 charon[1790]: 13[IKE] <peer_10-1-1-2|1> received NO_PROPOSAL_CHOSEN error notify

After changes in VyOS1 swanctl.conf (workaround: manually list both dh-groups in the child's `esp_proposals` so it matches the connection's `proposals` line, then `restart vpn`). Two caveats: the file is autogenerated by vpn_ipsec.py, so the manual edit will presumably be overwritten on the next commit touching `vpn ipsec`; and offering several PFS groups lets the peer settle on the weakest one it accepts — here MODP_1024 (dh-group 2), which is generally no longer recommended — so only list groups you are actually willing to accept.

children {
            peer_10-1-2-2_tunnel_0 {
                esp_proposals = aes256-sha1-modp1536,aes256-sha1-modp1024
vyos@VyOS-1:~$ restart vpn
Stopping strongSwan IPsec...
Starting strongSwan 5.9.1 IPsec [starter]...
loaded ike secret 'ike_10-1-2-2'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'peer_10-1-2-2'
successfully loaded 1 connections, 0 unloaded

vyos@VyOS-1:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.2.2 10.1.2.2                       10.1.1.2 10.1.1.2

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     14      0

vyos@VyOS-1:~$ show vpn ipsec sa
Connection              State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
----------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
peer_10-1-2-2_tunnel_0  up       15s       0B/0B           0B/0B             10.1.2.2          10.1.2.2     AES_CBC_256/HMAC_SHA1_96/MODP_1024

VyOS1 logs


Feb 28 11:39:40 VyOS-1 ipsec_starter[1826]: charon stopped after 200 ms
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.101-amd64-vyos, x86_64)
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] PKCS11 module '<name>' lacks library path
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] loaded 0 RADIUS server configurations
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[CFG] HA config misses local/remote address
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 28 11:39:42 VyOS-1 charon[2515]: 00[JOB] spawning 16 worker threads
Feb 28 11:39:42 VyOS-1 ipsec_starter[2513]: charon (2515) started after 40 ms
Feb 28 11:39:45 VyOS-1 charon[2515]: 13[CFG] loaded IKE shared key with id 'ike_10-1-2-2' for: '10.1.1.2', '10.1.2.2'
Feb 28 11:39:45 VyOS-1 charon[2515]: 06[CFG] added vici connection: peer_10-1-2-2
Feb 28 11:39:45 VyOS-1 charon[2515]: 06[CFG] initiating 'peer_10-1-2-2_tunnel_0'
Feb 28 11:39:45 VyOS-1 charon[2515]: 06[IKE] <peer_10-1-2-2|1> initiating Main Mode IKE_SA peer_10-1-2-2[1] to 10.1.2.2
Feb 28 11:39:45 VyOS-1 charon[2515]: 06[ENC] <peer_10-1-2-2|1> generating ID_PROT request 0 [ SA V V V V V ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 06[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (216 bytes)
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (160 bytes)
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[ENC] <peer_10-1-2-2|1> parsed ID_PROT response 0 [ SA V V V V ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[IKE] <peer_10-1-2-2|1> received XAuth vendor ID
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[IKE] <peer_10-1-2-2|1> received DPD vendor ID
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[IKE] <peer_10-1-2-2|1> received FRAGMENTATION vendor ID
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[IKE] <peer_10-1-2-2|1> received NAT-T (RFC 3947) vendor ID
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[CFG] <peer_10-1-2-2|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[ENC] <peer_10-1-2-2|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 10[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (244 bytes)
Feb 28 11:39:45 VyOS-1 charon[2515]: 11[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (244 bytes)
Feb 28 11:39:45 VyOS-1 charon[2515]: 11[ENC] <peer_10-1-2-2|1> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 11[ENC] <peer_10-1-2-2|1> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 11[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (108 bytes)
Feb 28 11:39:45 VyOS-1 charon[2515]: 14[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:39:45 VyOS-1 charon[2515]: 14[ENC] <peer_10-1-2-2|1> parsed ID_PROT response 0 [ ID HASH ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 14[IKE] <peer_10-1-2-2|1> IKE_SA peer_10-1-2-2[1] established between 10.1.1.2[10.1.1.2]...10.1.2.2[10.1.2.2]
Feb 28 11:39:45 VyOS-1 charon[2515]: 14[IKE] <peer_10-1-2-2|1> scheduling rekeying in 3503s
Feb 28 11:39:45 VyOS-1 charon[2515]: 14[IKE] <peer_10-1-2-2|1> maximum IKE_SA lifetime 3863s
Feb 28 11:39:45 VyOS-1 charon[2515]: 14[ENC] <peer_10-1-2-2|1> generating QUICK_MODE request 1625867768 [ HASH SA No KE ID ID ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 14[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (316 bytes)
Feb 28 11:39:45 VyOS-1 charon[2515]: 15[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (316 bytes)
Feb 28 11:39:45 VyOS-1 charon[2515]: 15[ENC] <peer_10-1-2-2|1> parsed QUICK_MODE response 1625867768 [ HASH SA No KE ID ID ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 15[CFG] <peer_10-1-2-2|1> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 28 11:39:45 VyOS-1 charon[2515]: 15[IKE] <peer_10-1-2-2|1> CHILD_SA peer_10-1-2-2_tunnel_0{1} established with SPIs c3ebf07d_i c8a42da1_o and TS 192.168.1.0/24 === 192.168.2.0/24
Feb 28 11:39:45 VyOS-1 charon[2515]: 15[ENC] <peer_10-1-2-2|1> generating QUICK_MODE request 1625867768 [ HASH ]
Feb 28 11:39:45 VyOS-1 charon[2515]: 15[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (60 bytes)

VyOS2 logs


Feb 28 11:36:10 VyOS-2 charon[1772]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.101-amd64-vyos, x86_64)
Feb 28 11:36:10 VyOS-2 sudo[1781]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:36:10 VyOS-2 sudo[1783]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] PKCS11 module '<name>' lacks library path
Feb 28 11:36:10 VyOS-2 sudo[1831]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:36:10 VyOS-2 sudo[1914]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:36:10 VyOS-2 sudo[1917]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] loaded 0 RADIUS server configurations
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[CFG] HA config misses local/remote address
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 28 11:36:10 VyOS-2 charon[1772]: 00[JOB] spawning 16 worker threads
Feb 28 11:36:10 VyOS-2 ipsec_starter[1770]: charon (1772) started after 700 ms
Feb 28 11:36:10 VyOS-2 sudo[1937]:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/socat -u OPEN:/dev/null UNIX-CONNECT:/var/run/charon.vici
Feb 28 11:36:10 VyOS-2 charon[1772]: 05[CFG] loaded IKE shared key with id 'ike_10-1-1-2' for: '10.1.2.2', '10.1.1.2'
Feb 28 11:36:10 VyOS-2 charon[1772]: 10[CFG] added vici connection: peer_10-1-1-2
Feb 28 11:36:10 VyOS-2 charon[1772]: 10[CFG] initiating 'peer_10-1-1-2_tunnel_0'
Feb 28 11:36:10 VyOS-2 charon[1772]: 10[IKE] <peer_10-1-1-2|1> initiating Main Mode IKE_SA peer_10-1-1-2[1] to 10.1.1.2
Feb 28 11:36:10 VyOS-2 charon[1772]: 10[ENC] <peer_10-1-1-2|1> generating ID_PROT request 0 [ SA V V V V V ]
Feb 28 11:36:10 VyOS-2 charon[1772]: 10[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (180 bytes)
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (160 bytes)
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[ENC] <peer_10-1-1-2|1> parsed ID_PROT response 0 [ SA V V V V ]
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[IKE] <peer_10-1-1-2|1> received XAuth vendor ID
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[IKE] <peer_10-1-1-2|1> received DPD vendor ID
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[IKE] <peer_10-1-1-2|1> received FRAGMENTATION vendor ID
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[IKE] <peer_10-1-1-2|1> received NAT-T (RFC 3947) vendor ID
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[CFG] <peer_10-1-1-2|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[ENC] <peer_10-1-1-2|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 28 11:36:10 VyOS-2 charon[1772]: 16[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (244 bytes)
Feb 28 11:36:10 VyOS-2 charon[1772]: 05[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (244 bytes)
Feb 28 11:36:10 VyOS-2 charon[1772]: 05[ENC] <peer_10-1-1-2|1> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 28 11:36:10 VyOS-2 charon[1772]: 05[ENC] <peer_10-1-1-2|1> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Feb 28 11:36:10 VyOS-2 charon[1772]: 05[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (108 bytes)
Feb 28 11:36:10 VyOS-2 charon[1772]: 06[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (76 bytes)
Feb 28 11:36:10 VyOS-2 charon[1772]: 06[ENC] <peer_10-1-1-2|1> parsed ID_PROT response 0 [ ID HASH ]
Feb 28 11:36:10 VyOS-2 charon[1772]: 06[IKE] <peer_10-1-1-2|1> IKE_SA peer_10-1-1-2[1] established between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]
Feb 28 11:36:10 VyOS-2 charon[1772]: 06[IKE] <peer_10-1-1-2|1> scheduling rekeying in 3257s
Feb 28 11:36:10 VyOS-2 charon[1772]: 06[IKE] <peer_10-1-1-2|1> maximum IKE_SA lifetime 3617s
Feb 28 11:36:10 VyOS-2 charon[1772]: 06[ENC] <peer_10-1-1-2|1> generating QUICK_MODE request 1487711632 [ HASH SA No KE ID ID ]
Feb 28 11:36:10 VyOS-2 charon[1772]: 06[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (316 bytes)
Feb 28 11:36:10 VyOS-2 charon[1772]: 07[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (76 bytes)
Feb 28 11:36:10 VyOS-2 charon[1772]: 07[ENC] <peer_10-1-1-2|1> parsed INFORMATIONAL_V1 request 3716764092 [ HASH N(NO_PROP) ]
Feb 28 11:36:10 VyOS-2 charon[1772]: 07[IKE] <peer_10-1-1-2|1> received NO_PROPOSAL_CHOSEN error notify
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[NET] <2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (216 bytes)
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[ENC] <2> parsed ID_PROT request 0 [ SA V V V V V ]
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[IKE] <2> received XAuth vendor ID
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[IKE] <2> received DPD vendor ID
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[IKE] <2> received FRAGMENTATION vendor ID
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[IKE] <2> received NAT-T (RFC 3947) vendor ID
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[IKE] <2> 10.1.1.2 is initiating a Main Mode IKE_SA
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[ENC] <2> generating ID_PROT response 0 [ SA V V V V ]
Feb 28 11:36:14 VyOS-2 charon[1772]: 08[NET] <2> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (160 bytes)
Feb 28 11:36:14 VyOS-2 charon[1772]: 09[NET] <2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (244 bytes)
Feb 28 11:36:14 VyOS-2 charon[1772]: 09[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 28 11:36:14 VyOS-2 charon[1772]: 09[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 28 11:36:14 VyOS-2 charon[1772]: 09[NET] <2> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (244 bytes)
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[NET] <2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (76 bytes)
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[ENC] <2> parsed ID_PROT request 0 [ ID HASH ]
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[CFG] <2> looking for pre-shared key peer configs matching 10.1.2.2...10.1.1.2[10.1.1.2]
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[CFG] <2> selected peer config "peer_10-1-1-2"
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[IKE] <peer_10-1-1-2|2> IKE_SA peer_10-1-1-2[2] established between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[IKE] <peer_10-1-1-2|2> scheduling rekeying in 3407s
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[IKE] <peer_10-1-1-2|2> maximum IKE_SA lifetime 3767s
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[ENC] <peer_10-1-1-2|2> generating ID_PROT response 0 [ ID HASH ]
Feb 28 11:36:14 VyOS-2 charon[1772]: 11[NET] <peer_10-1-1-2|2> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:36:14 VyOS-2 charon[1772]: 13[NET] <peer_10-1-1-2|2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (380 bytes)
Feb 28 11:36:14 VyOS-2 charon[1772]: 13[ENC] <peer_10-1-1-2|2> parsed QUICK_MODE request 50843779 [ HASH SA No KE ID ID ]
Feb 28 11:36:14 VyOS-2 charon[1772]: 13[CFG] <peer_10-1-1-2|2> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ
Feb 28 11:36:14 VyOS-2 charon[1772]: 13[CFG] <peer_10-1-1-2|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 28 11:36:14 VyOS-2 charon[1772]: 13[IKE] <peer_10-1-1-2|2> no matching proposal found, sending NO_PROPOSAL_CHOSEN
Feb 28 11:36:14 VyOS-2 charon[1772]: 13[ENC] <peer_10-1-1-2|2> generating INFORMATIONAL_V1 request 2690722960 [ HASH N(NO_PROP) ]
Feb 28 11:36:14 VyOS-2 charon[1772]: 13[NET] <peer_10-1-1-2|2> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:36:24 VyOS-2 charon[1772]: 05[IKE] <peer_10-1-1-2|1> deleting IKE_SA peer_10-1-1-2[1] between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]
Feb 28 11:36:24 VyOS-2 charon[1772]: 05[IKE] <peer_10-1-1-2|1> sending DELETE for IKE_SA peer_10-1-1-2[1]
Feb 28 11:36:24 VyOS-2 charon[1772]: 05[ENC] <peer_10-1-1-2|1> generating INFORMATIONAL_V1 request 3460382921 [ HASH D ]
Feb 28 11:36:24 VyOS-2 charon[1772]: 05[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (92 bytes)
Feb 28 11:39:40 VyOS-2 charon[1772]: 07[NET] <peer_10-1-1-2|2> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (92 bytes)
Feb 28 11:39:40 VyOS-2 charon[1772]: 07[ENC] <peer_10-1-1-2|2> parsed INFORMATIONAL_V1 request 2295507587 [ HASH D ]
Feb 28 11:39:40 VyOS-2 charon[1772]: 07[IKE] <peer_10-1-1-2|2> received DELETE for IKE_SA peer_10-1-1-2[2]
Feb 28 11:39:40 VyOS-2 charon[1772]: 07[IKE] <peer_10-1-1-2|2> deleting IKE_SA peer_10-1-1-2[2] between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[NET] <3> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (216 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[ENC] <3> parsed ID_PROT request 0 [ SA V V V V V ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[IKE] <3> received XAuth vendor ID
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[IKE] <3> received DPD vendor ID
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[IKE] <3> received FRAGMENTATION vendor ID
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[IKE] <3> received NAT-T (RFC 3947) vendor ID
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[IKE] <3> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[IKE] <3> 10.1.1.2 is initiating a Main Mode IKE_SA
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[CFG] <3> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[ENC] <3> generating ID_PROT response 0 [ SA V V V V ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 08[NET] <3> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (160 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 09[NET] <3> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (244 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 09[ENC] <3> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 09[ENC] <3> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 09[NET] <3> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (244 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[NET] <3> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (108 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[ENC] <3> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[CFG] <3> looking for pre-shared key peer configs matching 10.1.2.2...10.1.1.2[10.1.1.2]
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[CFG] <3> selected peer config "peer_10-1-1-2"
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[IKE] <peer_10-1-1-2|3> IKE_SA peer_10-1-1-2[3] established between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[IKE] <peer_10-1-1-2|3> scheduling rekeying in 3421s
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[IKE] <peer_10-1-1-2|3> maximum IKE_SA lifetime 3781s
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[ENC] <peer_10-1-1-2|3> generating ID_PROT response 0 [ ID HASH ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 11[NET] <peer_10-1-1-2|3> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (76 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 13[NET] <peer_10-1-1-2|3> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (316 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 13[ENC] <peer_10-1-1-2|3> parsed QUICK_MODE request 1625867768 [ HASH SA No KE ID ID ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 13[CFG] <peer_10-1-1-2|3> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Feb 28 11:39:45 VyOS-2 charon[1772]: 13[ENC] <peer_10-1-1-2|3> generating QUICK_MODE response 1625867768 [ HASH SA No KE ID ID ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 13[NET] <peer_10-1-1-2|3> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (316 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 14[NET] <peer_10-1-1-2|3> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (60 bytes)
Feb 28 11:39:45 VyOS-2 charon[1772]: 14[ENC] <peer_10-1-1-2|3> parsed QUICK_MODE request 1625867768 [ HASH ]
Feb 28 11:39:45 VyOS-2 charon[1772]: 14[IKE] <peer_10-1-1-2|3> CHILD_SA peer_10-1-1-2_tunnel_0{2} established with SPIs c8a42da1_i c3ebf07d_o and TS 192.168.2.0/24 === 192.168.1.0/24

Changing the IKE group key-exchange from IKEv1 to IKEv2 (for comparison)

VyOS1


vyos@VyOS-1# set vpn ipsec ike-group IKE-1 key-exchange ikev2
[edit]
vyos@VyOS-1# commit ; save ; exit
[ vpn ipsec ]
loaded ike secret 'ike_10-1-2-2'
loaded connection 'peer_10-1-2-2'
successfully loaded 1 connections, 0 unloaded

Saving configuration to '/config/config.boot'...
Done
exit
vyos@VyOS-1:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.2.2 10.1.2.2                       10.1.1.2 10.1.1.2

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     7       0

vyos@VyOS-1:~$ show vpn ipsec sa
Connection              State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
----------------------  -------  --------  --------------  ----------------  ----------------  -----------  ------------------------
peer_10-1-2-2_tunnel_0  up       9s        0B/0B           0B/0B             10.1.2.2          10.1.2.2     AES_CBC_256/HMAC_SHA1_96

vyos@VyOS-1:~$ cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_10-1-2-2 {
        proposals = aes256-sha1-modp1536,aes256-sha1-modp1024
        version = 2
        local_addrs = 10.1.1.2 # dhcp:no
        remote_addrs = 10.1.2.2
        rekey_time = 3600s
        mobike = yes
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            id = "10.1.2.2"
            auth = psk
        }
        children {
            peer_10-1-2-2_tunnel_0 {
                esp_proposals = aes256-sha1-modp1536
                life_time = 1800s
                local_ts = 192.168.1.0/24
                remote_ts = 192.168.2.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
            }
        }
    }

}

pools {
}

secrets {
    ike_10-1-2-2 {
        id-local = 10.1.1.2 # dhcp:no
        id-remote = 10.1.2.2
        secret = "MySecretKey"
    }
}


Feb 28 11:45:53 VyOS-1 vyos-configd[542]: Received message: {"type": "init"}
Feb 28 11:45:54 VyOS-1 vyos-configd[542]: config session pid is 2813
Feb 28 11:45:54 VyOS-1 vyos-configd[542]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/vpn_ipsec.py"}
Feb 28 11:45:54 VyOS-1 vyos-configd[542]: Sending response 8
Feb 28 11:45:54 VyOS-1 charon: 00[DMN] SIGINT received, shutting down
Feb 28 11:45:54 VyOS-1 charon: 00[IKE] <peer_10-1-2-2|1> closing CHILD_SA peer_10-1-2-2_tunnel_0{1} with SPIs c3ebf07d_i (0 bytes) c8a42da1_o (0 bytes) and TS 192.168.1.0/24 === 192.168.2.0/24
Feb 28 11:45:54 VyOS-1 charon: 00[IKE] <peer_10-1-2-2|1> sending DELETE for ESP CHILD_SA with SPI c3ebf07d
Feb 28 11:45:54 VyOS-1 charon: 00[ENC] <peer_10-1-2-2|1> generating INFORMATIONAL_V1 request 762882248 [ HASH D ]
Feb 28 11:45:54 VyOS-1 charon: 00[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (76 bytes)
Feb 28 11:45:54 VyOS-1 charon: 00[IKE] <peer_10-1-2-2|1> deleting IKE_SA peer_10-1-2-2[1] between 10.1.1.2[10.1.1.2]...10.1.2.2[10.1.2.2]
Feb 28 11:45:54 VyOS-1 charon: 00[IKE] <peer_10-1-2-2|1> sending DELETE for IKE_SA peer_10-1-2-2[1]
Feb 28 11:45:54 VyOS-1 charon: 00[ENC] <peer_10-1-2-2|1> generating INFORMATIONAL_V1 request 2578792687 [ HASH D ]
Feb 28 11:45:54 VyOS-1 charon: 00[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (92 bytes)
Feb 28 11:45:54 VyOS-1 ipsec_starter[2513]: charon stopped after 200 ms
Feb 28 11:45:54 VyOS-1 ipsec_starter[2513]: ipsec starter stopped
Feb 28 11:45:57 VyOS-1 ipsec_starter[2934]: Starting strongSwan 5.9.1 IPsec [starter]...
Feb 28 11:45:57 VyOS-1 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.101-amd64-vyos, x86_64)
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] PKCS11 module '<name>' lacks library path
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] loaded 0 RADIUS server configurations
Feb 28 11:45:57 VyOS-1 charon: 00[CFG] HA config misses local/remote address
Feb 28 11:45:57 VyOS-1 charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Feb 28 11:45:57 VyOS-1 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 28 11:45:57 VyOS-1 charon: 00[JOB] spawning 16 worker threads
Feb 28 11:45:57 VyOS-1 ipsec_starter[2947]: charon (2948) started after 160 ms
-2' for: '10.1.1.2', '10.1.2.2'
Feb 28 11:45:57 VyOS-1 charon: 10[CFG] added vici connection: peer_10-1-2-2
Feb 28 11:45:57 VyOS-1 charon: 10[CFG] initiating 'peer_10-1-2-2_tunnel_0'
Feb 28 11:45:57 VyOS-1 charon: 10[IKE] <peer_10-1-2-2|1> initiating IKE_SA peer_10-1-2-2[1] to 10.1.2.2
Feb 28 11:45:57 VyOS-1 charon: 10[ENC] <peer_10-1-2-2|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 28 11:45:57 VyOS-1 charon: 10[NET] <peer_10-1-2-2|1> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (444 bytes)
Feb 28 11:45:57 VyOS-1 charon: 16[NET] <peer_10-1-2-2|1> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (36 bytes)
Feb 28 11:45:57 VyOS-1 charon: 16[ENC] <peer_10-1-2-2|1> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Feb 28 11:45:57 VyOS-1 charon: 16[IKE] <peer_10-1-2-2|1> received NO_PROPOSAL_CHOSEN notify error
Feb 28 11:45:57 VyOS-1 systemd[2131]: opt-vyatta-config-tmp-new_config_2813.mount: Succeeded.
Feb 28 11:45:57 VyOS-1 systemd[1]: opt-vyatta-config-tmp-new_config_2813.mount: Succeeded.
Feb 28 11:45:58 VyOS-1 commit: Successful change to active configuration by user vyos on /dev/ttyS0
t: Succeeded.
Feb 28 11:45:58 VyOS-1 systemd[1]: opt-vyatta-config-tmp-new_config_2813.mount: Succeeded.
Feb 28 11:46:11 VyOS-1 charon: 06[NET] <2> received packet: from 10.1.2.2[500] to 10.1.1.2[500] (336 bytes)
Feb 28 11:46:11 VyOS-1 charon: 06[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 28 11:46:11 VyOS-1 charon: 06[IKE] <2> 10.1.2.2 is initiating an IKE_SA
Feb 28 11:46:11 VyOS-1 charon: 06[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:46:11 VyOS-1 charon: 06[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Feb 28 11:46:11 VyOS-1 charon: 06[NET] <2> sending packet: from 10.1.1.2[500] to 10.1.2.2[500] (344 bytes)
Feb 28 11:46:11 VyOS-1 charon: 07[NET] <2> received packet: from 10.1.2.2[4500] to 10.1.1.2[4500] (268 bytes)
Feb 28 11:46:11 VyOS-1 charon: 07[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 28 11:46:11 VyOS-1 charon: 07[CFG] <2> looking for peer configs matching 10.1.1.2[10.1.1.2]...10.1.2.2[10.1.2.2]
eer_10-1-2-2'
Feb 28 11:46:11 VyOS-1 charon: 07[IKE] <peer_10-1-2-2|2> authentication of '10.1.2.2' with pre-shared key successful
Feb 28 11:46:11 VyOS-1 charon: 07[IKE] <peer_10-1-2-2|2> peer supports MOBIKE
Feb 28 11:46:11 VyOS-1 charon: 07[IKE] <peer_10-1-2-2|2> authentication of '10.1.1.2' (myself) with pre-shared key
Feb 28 11:46:11 VyOS-1 charon: 07[IKE] <peer_10-1-2-2|2> IKE_SA peer_10-1-2-2[2] established between 10.1.1.2[10.1.1.2]...10.1.2.2[10.1.2.2]
Feb 28 11:46:11 VyOS-1 charon: 07[IKE] <peer_10-1-2-2|2> scheduling rekeying in 3577s
Feb 28 11:46:11 VyOS-1 charon: 07[IKE] <peer_10-1-2-2|2> maximum IKE_SA lifetime 3937s
Feb 28 11:46:11 VyOS-1 charon: 07[CFG] <peer_10-1-2-2|2> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Feb 28 11:46:11 VyOS-1 charon: 07[IKE] <peer_10-1-2-2|2> CHILD_SA peer_10-1-2-2_tunnel_0{1} established with SPIs c391282f_i c8e1a207_o and TS 192.168.1.0/24 === 192.168.2.0/24
Feb 28 11:46:11 VyOS-1 charon: 07[ENC] <peer_10-1-2-2|2> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Feb 28 11:46:11 VyOS-1 charon: 07[NET] <peer_10-1-2-2|2> sending packet: from 10.1.1.2[4500] to 10.1.2.2[4500] (220 bytes)

VyOS2


vyos@VyOS-2# set vpn ipsec ike-group IKE-1 key-exchange ikev2
[edit]
vyos@VyOS-2# commit ; save ; exit
[ vpn ipsec ]
loaded ike secret 'ike_10-1-1-2'
loaded connection 'peer_10-1-1-2'
successfully loaded 1 connections, 0 unloaded

Saving configuration to '/config/config.boot'...
Done
exit
vyos@VyOS-2:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.1.1.2 10.1.1.2                       10.1.2.2 10.1.2.2

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     1020    0

vyos@VyOS-2:~$ show vpn ipsec sa
Connection              State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
----------------------  -------  --------  --------------  ----------------  ----------------  -----------  ------------------------
peer_10-1-1-2_tunnel_0  up       17m3s     0B/0B           0B/0B             10.1.1.2          10.1.1.2     AES_CBC_256/HMAC_SHA1_96

vyos@VyOS-2:~$ cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_10-1-1-2 {
        proposals = aes256-sha1-modp1024
        version = 2
        local_addrs = 10.1.2.2 # dhcp:no
        remote_addrs = 10.1.1.2
        rekey_time = 3600s
        mobike = yes
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            id = "10.1.1.2"
            auth = psk
        }
        children {
            peer_10-1-1-2_tunnel_0 {
                esp_proposals = aes256-sha1-modp1024
                life_time = 1800s
                local_ts = 192.168.2.0/24
                remote_ts = 192.168.1.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
            }
        }
    }

}

pools {
}

secrets {
    ike_10-1-1-2 {
        id-local = 10.1.2.2 # dhcp:no
        id-remote = 10.1.1.2
        secret = "MySecretKey"
    }
}


Feb 28 11:46:07 VyOS-2 vyos-configd[542]: Received message: {"type": "init"}
Feb 28 11:46:07 VyOS-2 vyos-configd[542]: config session pid is 2282
Feb 28 11:46:07 VyOS-2 vyos-configd[542]: Received message: {"type": "node", "data": "/usr/libexec/vyos/conf_mode/vpn_ipsec.py"}
Feb 28 11:46:07 VyOS-2 vyos-configd[542]: Sending response 8
Feb 28 11:46:09 VyOS-2 charon: 00[DMN] SIGINT received, shutting down
Feb 28 11:46:09 VyOS-2 ipsec_starter[1770]: charon stopped after 200 ms
Feb 28 11:46:09 VyOS-2 ipsec_starter[1770]: ipsec starter stopped
Feb 28 11:46:11 VyOS-2 ipsec_starter[2384]: Starting strongSwan 5.9.1 IPsec [starter]...
Feb 28 11:46:11 VyOS-2 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.101-amd64-vyos, x86_64)
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] PKCS11 module '<name>' lacks library path
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] loaded 0 RADIUS server configurations
Feb 28 11:46:11 VyOS-2 charon: 00[CFG] HA config misses local/remote address
Feb 28 11:46:11 VyOS-2 charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Feb 28 11:46:11 VyOS-2 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 28 11:46:11 VyOS-2 charon: 00[JOB] spawning 16 worker threads
Feb 28 11:46:11 VyOS-2 ipsec_starter[2397]: charon (2399) started after 60 ms
Feb 28 11:46:11 VyOS-2 charon: 05[CFG] loaded IKE shared key with id 'ike_10-1-1-2' for: '10.1.2.2', '10.1.1.2'
Feb 28 11:46:11 VyOS-2 charon: 10[CFG] added vici connection: peer_10-1-1-2
Feb 28 11:46:11 VyOS-2 charon: 10[CFG] initiating 'peer_10-1-1-2_tunnel_0'
Feb 28 11:46:11 VyOS-2 charon: 10[IKE] <peer_10-1-1-2|1> initiating IKE_SA peer_10-1-1-2[1] to 10.1.1.2
UP) ]
Feb 28 11:46:11 VyOS-2 charon: 10[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[500] to 10.1.1.2[500] (336 bytes)
Feb 28 11:46:11 VyOS-2 charon: 16[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[500] to 10.1.2.2[500] (344 bytes)
Feb 28 11:46:11 VyOS-2 charon: 16[ENC] <peer_10-1-1-2|1> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Feb 28 11:46:11 VyOS-2 charon: 16[CFG] <peer_10-1-1-2|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 28 11:46:11 VyOS-2 charon: 16[CFG] <peer_10-1-1-2|1> no IDi configured, fall back on IP address
Feb 28 11:46:11 VyOS-2 charon: 16[IKE] <peer_10-1-1-2|1> authentication of '10.1.2.2' (myself) with pre-shared key
Feb 28 11:46:11 VyOS-2 charon: 16[IKE] <peer_10-1-1-2|1> establishing CHILD_SA peer_10-1-1-2_tunnel_0{1}
Feb 28 11:46:11 VyOS-2 charon: 16[ENC] <peer_10-1-1-2|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 28 11:46:11 VyOS-2 charon: 16[NET] <peer_10-1-1-2|1> sending packet: from 10.1.2.2[4500] to 10.1.1.2[4500] (268 bytes)
Feb 28 11:46:11 VyOS-2 charon: 05[NET] <peer_10-1-1-2|1> received packet: from 10.1.1.2[4500] to 10.1.2.2[4500] (220 bytes)
Feb 28 11:46:11 VyOS-2 charon: 05[ENC] <peer_10-1-1-2|1> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Feb 28 11:46:11 VyOS-2 charon: 05[IKE] <peer_10-1-1-2|1> authentication of '10.1.1.2' with pre-shared key successful
Feb 28 11:46:11 VyOS-2 charon: 05[IKE] <peer_10-1-1-2|1> IKE_SA peer_10-1-1-2[1] established between 10.1.2.2[10.1.2.2]...10.1.1.2[10.1.1.2]
Feb 28 11:46:11 VyOS-2 charon: 05[IKE] <peer_10-1-1-2|1> scheduling rekeying in 3562s
Feb 28 11:46:11 VyOS-2 charon: 05[IKE] <peer_10-1-1-2|1> maximum IKE_SA lifetime 3922s
Feb 28 11:46:11 VyOS-2 charon: 05[CFG] <peer_10-1-1-2|1> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Feb 28 11:46:11 VyOS-2 charon: 05[IKE] <peer_10-1-1-2|1> CHILD_SA peer_10-1-1-2_tunnel_0{1} established with SPIs c8e1a207_i c391282f_o and TS 192.168.2.0/24 === 192.168.1.0/24
Feb 28 11:46:11 VyOS-2 charon: 05[IKE] <peer_10-1-1-2|1> peer supports MOBIKE
Feb 28 11:46:11 VyOS-2 systemd[2124]: opt-vyatta-config-tmp-new_config_2282.mount: Succeeded.
Feb 28 11:46:11 VyOS-2 systemd[1]: opt-vyatta-config-tmp-new_config_2282.mount: Succeeded.
Feb 28 11:46:12 VyOS-2 commit: Successful change to active configuration by user vyos on /dev/ttyS0
t: Succeeded.
Feb 28 11:46:13 VyOS-2 systemd[1]: opt-vyatta-config-tmp-new_config_2282.mount: Succeeded.

Summary

When IKEv1 is used, more than one IKE proposal is configured and PFS is enabled on the initiator side, the DH group cannot be negotiated between the peers, leaving phase 2 stuck in a down state while phase 1 is up and running. The issue is resolved either by manually editing the swanctl.conf file or by changing IKE to version 2.
Here we suggest a possible change to the ESP group configuration in VyOS – what if the pfs setting is moved from the group configuration to the proposal configuration tree? Example:

vpn {
    ipsec {
        esp-group ESP-1 {
            compression disable
            lifetime 1800
            mode tunnel
---         pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
+++             pfs enable
            }
        }

Or maybe all configured DH groups need to be added to the ESP proposals in swanctl.conf, like this (note that listing both groups also allows phase 2 to be negotiated with the weaker modp1024 group, not only the preferred one):

vyos@VyOS-1:~$ cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_10-1-2-2 {
        proposals = aes256-sha1-modp1536,aes256-sha1-modp1024
        version = 2
        local_addrs = 10.1.1.2 # dhcp:no
        remote_addrs = 10.1.2.2
        rekey_time = 3600s
        mobike = yes
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            id = "10.1.2.2"
            auth = psk
        }
        children {
            peer_10-1-2-2_tunnel_0 {
---             esp_proposals = aes256-sha1-modp1536
+++             esp_proposals = aes256-sha1-modp1536, aes256-sha1-modp1024
                life_time = 1800s
                local_ts = 192.168.1.0/24
                remote_ts = 192.168.2.0/24
                ipcomp = no
                mode = tunnel
                start_action = start
            }
        }
    }

}

pools {
}

secrets {
    ike_10-1-2-2 {
        id-local = 10.1.1.2 # dhcp:no
        id-remote = 10.1.2.2
        secret = "MySecretKey"

Either way, it seems strange that the same configuration behaves differently with IKEv1 and IKEv2.

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202202230317
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Tested on VyOS 1.4-rolling-202311100309

  • IKEv1
  • 2 IKE proposals
  • PFS enabled

R-01(VyOS) <---IPSEC---> R-02(VyOS)

Configurations:
R-01

set vpn ipsec authentication psk OFFICE-B id '10.0.2.1'
set vpn ipsec authentication psk OFFICE-B id '10.0.2.2'
set vpn ipsec authentication psk OFFICE-B secret 'SomePreSharedKey'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike close-action 'none'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 dh-group '5'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike proposal 2 dh-group '2'
set vpn ipsec ike-group office-srv-ike proposal 2 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 2 hash 'sha1'
set vpn ipsec interface 'bond0'
set vpn ipsec site-to-site peer OFFICE-B authentication local-id '10.0.2.1'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '10.0.2.2'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-B local-address '10.0.2.1'
set vpn ipsec site-to-site peer OFFICE-B remote-address '10.0.2.2'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '192.168.1.0/24'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '192.168.2.0/24'

R-02

set vpn ipsec authentication psk OFFICE-A id '10.0.2.2'
set vpn ipsec authentication psk OFFICE-A id '10.0.2.1'
set vpn ipsec authentication psk OFFICE-A secret 'SomePreSharedKey'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike close-action 'none'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 dh-group '5'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike proposal 2 dh-group '2'
set vpn ipsec ike-group office-srv-ike proposal 2 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 2 hash 'sha1'
set vpn ipsec interface 'bond0'
set vpn ipsec site-to-site peer OFFICE-A authentication local-id '10.0.2.2'
set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '10.0.2.1'
set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-A local-address '10.0.2.2'
set vpn ipsec site-to-site peer OFFICE-A remote-address '10.0.2.1'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 local prefix '192.168.2.0/24'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 remote prefix '192.168.1.0/24'

Checking:

vyos@R-01:~$ ping 192.168.2.1 source-address 192.168.1.1 count 3
PING 192.168.2.1 (192.168.2.1) from 192.168.1.1 : 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=1.29 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=1.33 ms
64 bytes from 192.168.2.1: icmp_seq=3 ttl=64 time=3.99 ms

--- 192.168.2.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 1.287/2.201/3.991/1.265 ms
vyos@R-01:~$
vyos@R-01:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.0.2.2 10.0.2.2                       10.0.2.1 10.0.2.1

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1536      no     1214    0
vyos@R-01:~$ show vpn ipsec sa
Connection         State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-----------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
OFFICE-B-tunnel-0  up       1m7s      504B/504B       6/6               10.0.2.2          10.0.2.2     AES_CBC_256/HMAC_SHA1_96/MODP_1536