To reproduce
Configure a site-to-site IPsec tunnel, using either an IPv4 or an IPv6 configuration.
IPv6 configuration for IPv6 peers:
Left site:
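# Left site: VyOS configuration-mode commands for the peer that owns
# 2001:db8::1 and initiates the tunnel (connection-type 'initiate').

# dum0 carries the protected prefix that is used as the tunnel's local
# traffic selector further down (2001:db8:1111::/64).
set interfaces dummy dum0 address '2001:db8:1111::1/64'
set interfaces ethernet eth1 address '192.0.2.1/24'
set interfaces ethernet eth1 address '2001:db8::1/64'

# ESP (phase 2) parameters. aes256gcm128 is an AEAD cipher; the SA listing
# on this page shows the negotiated ESP proposal as AES_GCM_16_256/MODP_2048,
# i.e. without a separate integrity algorithm.
set vpn ipsec esp-group grp-ESP compression 'disable'
set vpn ipsec esp-group grp-ESP lifetime '28800'
set vpn ipsec esp-group grp-ESP mode 'tunnel'
set vpn ipsec esp-group grp-ESP pfs 'dh-group14'
set vpn ipsec esp-group grp-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group grp-ESP proposal 10 hash 'sha256'

# IKE (phase 1) parameters: IKEv2 only, DPD every 30 s with a 120 s timeout.
set vpn ipsec ike-group grp-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group grp-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group grp-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group grp-IKE ikev2-reauth 'no'
set vpn ipsec ike-group grp-IKE key-exchange 'ikev2'
set vpn ipsec ike-group grp-IKE lifetime '86400'
set vpn ipsec ike-group grp-IKE mobike 'disable'
set vpn ipsec ike-group grp-IKE proposal 10 dh-group '14'
set vpn ipsec ike-group grp-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group grp-IKE proposal 10 hash 'sha256'

set vpn ipsec interface 'eth1'

# Peer definition. The IKE identities are the peers' IPv6 addresses, and the
# pre-shared secret has to be identical on both sites; the value below is the
# lab secret used in this report (all addresses are documentation prefixes).
set vpn ipsec site-to-site peer 2001:db8::2 authentication id '2001:db8::1'
set vpn ipsec site-to-site peer 2001:db8::2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2001:db8::2 authentication pre-shared-secret 'SSSeeccRetT'
set vpn ipsec site-to-site peer 2001:db8::2 authentication remote-id '2001:db8::2'
set vpn ipsec site-to-site peer 2001:db8::2 connection-type 'initiate'
set vpn ipsec site-to-site peer 2001:db8::2 ike-group 'grp-IKE'
set vpn ipsec site-to-site peer 2001:db8::2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 2001:db8::2 local-address '2001:db8::1'

# Tunnel 0: the traffic selectors mirror the right site's local/remote prefixes.
set vpn ipsec site-to-site peer 2001:db8::2 tunnel 0 esp-group 'grp-ESP'
set vpn ipsec site-to-site peer 2001:db8::2 tunnel 0 local prefix '2001:db8:1111::/64'
set vpn ipsec site-to-site peer 2001:db8::2 tunnel 0 remote prefix '2001:db8:2222::/64'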
Right site:
# Right site: VyOS configuration-mode commands for the peer that owns
# 2001:db8::2. connection-type is 'none' here, while the left site is set
# to 'initiate'.

# NOTE(review): the bridge member and the flow-accounting line are not
# referenced by the IPsec configuration below (dum1 is not defined in this
# listing) - presumably leftovers from the test router; confirm whether they
# are needed to reproduce.
set interfaces bridge br1 member interface dum1
# dum0 carries the protected prefix that is used as the tunnel's local
# traffic selector further down (2001:db8:2222::/64).
set interfaces dummy dum0 address '2001:db8:2222::1/64'
set interfaces ethernet eth1 address '192.0.2.2/24'
set interfaces ethernet eth1 address '2001:db8::2/64'
set system flow-accounting interface 'eth1'

# ESP (phase 2) parameters, identical to the left site.
set vpn ipsec esp-group grp-ESP compression 'disable'
set vpn ipsec esp-group grp-ESP lifetime '28800'
set vpn ipsec esp-group grp-ESP mode 'tunnel'
set vpn ipsec esp-group grp-ESP pfs 'dh-group14'
set vpn ipsec esp-group grp-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group grp-ESP proposal 10 hash 'sha256'

# IKE (phase 1) parameters, identical to the left site.
set vpn ipsec ike-group grp-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group grp-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group grp-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group grp-IKE ikev2-reauth 'no'
set vpn ipsec ike-group grp-IKE key-exchange 'ikev2'
set vpn ipsec ike-group grp-IKE lifetime '86400'
set vpn ipsec ike-group grp-IKE mobike 'disable'
set vpn ipsec ike-group grp-IKE proposal 10 dh-group '14'
set vpn ipsec ike-group grp-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group grp-IKE proposal 10 hash 'sha256'

set vpn ipsec interface 'eth1'

# Peer definition: identities and addresses are the mirror image of the left
# site, and the pre-shared secret is the same lab value used there.
set vpn ipsec site-to-site peer 2001:db8::1 authentication id '2001:db8::2'
set vpn ipsec site-to-site peer 2001:db8::1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2001:db8::1 authentication pre-shared-secret 'SSSeeccRetT'
set vpn ipsec site-to-site peer 2001:db8::1 authentication remote-id '2001:db8::1'
set vpn ipsec site-to-site peer 2001:db8::1 connection-type 'none'
set vpn ipsec site-to-site peer 2001:db8::1 ike-group 'grp-IKE'
set vpn ipsec site-to-site peer 2001:db8::1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 2001:db8::1 local-address '2001:db8::2'

# Tunnel 0: local/remote prefixes are swapped relative to the left site.
set vpn ipsec site-to-site peer 2001:db8::1 tunnel 0 esp-group 'grp-ESP'
set vpn ipsec site-to-site peer 2001:db8::1 tunnel 0 local prefix '2001:db8:2222::/64'
set vpn ipsec site-to-site peer 2001:db8::1 tunnel 0 remote prefix '2001:db8:1111::/64'
Show SA
vyos@r14:~$ show vpn ipsec sa Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal ------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ------------------------ peer_2001-db8--2_tunnel_0 down 2s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 2s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 2s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 2s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 2s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 2s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 3s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 3s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 3s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 3s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 3s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 3s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 4s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 4s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 4s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 5s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 5s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 5s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 5s 0B/0B 
0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 down 6s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 up 1s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 up 1s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 peer_2001-db8--2_tunnel_0 up 1s 0B/0B 0B/0B 2001:db8::2 2001:db8::2 AES_GCM_16_256/MODP_2048 vyos@r14:~$
The phase 2 SA (CHILD_SA) is rekeyed and deleted every second:
Jul 21 13:19:41 r14 charon[7908]: 05[IKE] <peer_2001-db8--2|1> sending DELETE for ESP CHILD_SA with SPI cff66eee Jul 21 13:19:41 r14 charon[7908]: 05[ENC] <peer_2001-db8--2|1> generating INFORMATIONAL request 693 [ D ] Jul 21 13:19:41 r14 charon[7908]: 05[NET] <peer_2001-db8--2|1> sending packet: from 2001:db8::1[500] to 2001:db8::2[500] (69 bytes) Jul 21 13:19:41 r14 charon[7908]: 08[NET] <peer_2001-db8--2|1> received packet: from 2001:db8::2[500] to 2001:db8::1[500] (69 bytes) Jul 21 13:19:41 r14 charon[7908]: 08[ENC] <peer_2001-db8--2|1> parsed INFORMATIONAL request 717 [ D ] Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> received DELETE for ESP CHILD_SA with SPI c3e0cd0d Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> closing CHILD_SA peer_2001-db8--2_tunnel_0{702} with SPIs c91d96a0_i (0 bytes) c3e0cd0d_o (0 bytes) and TS 2001:db8:1111::/64 === 2001:db8:2222::/64 Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> sending DELETE for ESP CHILD_SA with SPI c91d96a0 Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> CHILD_SA closed Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> outbound CHILD_SA peer_2001-db8--2_tunnel_0{708} established with SPIs cedff8b5_i c9f2a668_o and TS 2001:db8:1111::/64 === 2001:db8:2222::/64 Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> detected CHILD_REKEY collision with CHILD_DELETE Jul 21 13:19:41 r14 charon[7908]: 08[ENC] <peer_2001-db8--2|1> generating INFORMATIONAL response 717 [ D ] Jul 21 13:19:41 r14 charon[7908]: 08[NET] <peer_2001-db8--2|1> sending packet: from 2001:db8::1[500] to 2001:db8::2[500] (69 bytes) Jul 21 13:19:41 r14 charon[7908]: 08[NET] <peer_2001-db8--2|1> received packet: from 2001:db8::2[500] to 2001:db8::1[500] (69 bytes) Jul 21 13:19:41 r14 charon[7908]: 08[ENC] <peer_2001-db8--2|1> parsed INFORMATIONAL response 693 [ D ] Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> received DELETE for ESP CHILD_SA with 
SPI c356fe91 Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> CHILD_SA closed Jul 21 13:19:41 r14 charon[7908]: 08[IKE] <peer_2001-db8--2|1> establishing CHILD_SA peer_2001-db8--2_tunnel_0{709} reqid 1 Jul 21 13:19:41 r14 charon[7908]: 08[ENC] <peer_2001-db8--2|1> generating CREATE_CHILD_SA request 694 [ N(REKEY_SA) SA No KE TSi TSr ] Jul 21 13:19:41 r14 charon[7908]: 08[NET] <peer_2001-db8--2|1> sending packet: from 2001:db8::1[500] to 2001:db8::2[500] (509 bytes) Jul 21 13:19:41 r14 charon[7908]: 07[NET] <peer_2001-db8--2|1> received packet: from 2001:db8::2[500] to 2001:db8::1[500] (509 bytes) Jul 21 13:19:41 r14 charon[7908]: 07[ENC] <peer_2001-db8--2|1> parsed CREATE_CHILD_SA request 718 [ N(REKEY_SA) SA No KE TSi TSr ] Jul 21 13:19:41 r14 charon[7908]: 07[CFG] <peer_2001-db8--2|1> selected proposal: ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ Jul 21 13:19:41 r14 charon[7908]: 07[IKE] <peer_2001-db8--2|1> inbound CHILD_SA peer_2001-db8--2_tunnel_0{710} established with SPIs c5f6d139_i c6f292e9_o and TS 2001:db8:1111::/64 === 2001:db8:2222::/64 Jul 21 13:19:41 r14 charon[7908]: 07[IKE] <peer_2001-db8--2|1> detected CHILD_REKEY collision with CHILD_REKEY Jul 21 13:19:41 r14 charon[7908]: 07[ENC] <peer_2001-db8--2|1> generating CREATE_CHILD_SA response 718 [ SA No KE TSi TSr ] Jul 21 13:19:41 r14 charon[7908]: 07[NET] <peer_2001-db8--2|1> sending packet: from 2001:db8::1[500] to 2001:db8::2[500] (497 bytes) Jul 21 13:19:41 r14 charon[7908]: 16[NET] <peer_2001-db8--2|1> received packet: from 2001:db8::2[500] to 2001:db8::1[500] (497 bytes) Jul 21 13:19:41 r14 charon[7908]: 16[ENC] <peer_2001-db8--2|1> parsed CREATE_CHILD_SA response 694 [ SA No KE TSi TSr ] Jul 21 13:19:41 r14 charon[7908]: 16[CFG] <peer_2001-db8--2|1> selected proposal: ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ Jul 21 13:19:41 r14 charon[7908]: 16[IKE] <peer_2001-db8--2|1> inbound CHILD_SA peer_2001-db8--2_tunnel_0{709} established with SPIs c6a3d7ba_i cd7b9fd1_o and TS 2001:db8:1111::/64 
=== 2001:db8:2222::/64 Jul 21 13:19:41 r14 charon[7908]: 16[IKE] <peer_2001-db8--2|1> CHILD_SA rekey collision won, deleting old child peer_2001-db8--2_tunnel_0{703} Jul 21 13:19:41 r14 charon[7908]: 16[IKE] <peer_2001-db8--2|1> outbound CHILD_SA peer_2001-db8--2_tunnel_0{709} established with SPIs c6a3d7ba_i cd7b9fd1_o and TS 2001:db8:1111::/64 === 2001:db8:2222::/64 Jul 21 13:19:41 r14 charon[7908]: 16[IKE] <peer_2001-db8--2|1> closing CHILD_SA peer_2001-db8--2_tunnel_0{703} with SPIs ca1e824c_i (0 bytes) cf8c8ff0_o (0 bytes) and TS 2001:db8:1111::/64 === 2001:db8:2222::/64 Jul 21 13:19:41 r14 charon[7908]: 16[IKE] <peer_2001-db8--2|1> sending DELETE for ESP CHILD_SA with SPI ca1e824c Jul 21 13:19:41 r14 charon[7908]: 16[ENC] <peer_2001-db8--2|1> generating INFORMATIONAL request 695 [ D ] Jul 21 13:19:41 r14 charon[7908]: 16[NET] <peer_2001-db8--2|1> sending packet: from 2001:db8::1[500] to 2001:db8::2[500] (69 bytes) Jul 21 13:19:41 r14 charon[7908]: 12[NET] <peer_2001-db8--2|1> received packet: from 2001:db8::2[500] to 2001:db8::1[500] (69 bytes) Jul 21 13:19:41 r14 charon[7908]: 12[ENC] <peer_2001-db8--2|1> parsed INFORMATIONAL request 719 [ D ] Jul 21 13:19:41 r14 charon[7908]: 12[IKE] <peer_2001-db8--2|1> received DELETE for ESP CHILD_SA with SPI c6f292e9 Jul 21 13:19:41 r14 charon[7908]: 12[IKE] <peer_2001-db8--2|1> closing CHILD_SA peer_2001-db8--2_tunnel_0{710} with SPIs c5f6d139_i (0 bytes) c6f292e9_o (0 bytes) and TS 2001:db8:1111::/64 === 2001:db8:2222::/64 Jul 21 13:19:41 r14 charon[7908]: 12[IKE] <peer_2001-db8--2|1> sending DELETE for ESP CHILD_SA with SPI c5f6d139 Jul 21 13:19:41 r14 charon[7908]: 12[IKE] <peer_2001-db8--2|1> CHILD_SA closed Jul 21 13:19:41 r14 charon[7908]: 12[ENC] <peer_2001-db8--2|1> generating INFORMATIONAL response 719 [ D ] Jul 21 13:19:41 r14 charon[7908]: 12[NET] <peer_2001-db8--2|1> sending packet: from 2001:db8::1[500] to 2001:db8::2[500] (69 bytes) Jul 21 13:19:41 r14 charon[7908]: 13[NET] <peer_2001-db8--2|1> received 
packet: from 2001:db8::2[500] to 2001:db8::1[500] (69 bytes) Jul 21 13:19:41 r14 charon[7908]: 13[ENC] <peer_2001-db8--2|1> parsed INFORMATIONAL response 695 [ D ] Jul 21 13:19:41 r14 charon[7908]: 13[IKE] <peer_2001-db8--2|1> received DELETE for ESP CHILD_SA with SPI cf8c8ff0 Jul 21 13:19:41 r14 charon[7908]: 13[IKE] <peer_2001-db8--2|1> CHILD_SA closed
detected CHILD_REKEY collision with CHILD_DELETE
Swanctl.conf:
vyos@r14:~$ sudo cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_2001-db8--2 {
        proposals = aes256gcm128-sha256-modp2048
        version = 2
        local_addrs = 2001:db8::1 # dhcp:no
        remote_addrs = 2001:db8::2
        dpd_timeout = 120
        dpd_delay = 30
        # IKE_SA rekey interval; matches "ike-group grp-IKE lifetime '86400'".
        rekey_time = 86400s
        mobike = no
        keyingtries = 0
        local {
            id = "2001:db8::1"
            auth = psk
        }
        remote {
            id = "2001:db8::2"
            auth = psk
        }
        children {
            peer_2001-db8--2_tunnel_0 {
                esp_proposals = aes256gcm128-sha256-modp2048
                # NOTE(review): only life_time is written for the CHILD_SA
                # (from "esp-group grp-ESP lifetime '28800'"); no rekey_time
                # or rand_time appears in this file, so both fall back to
                # strongSwan defaults, where rand_time is derived from
                # life_time - rekey_time. Worth checking whether that gap is
                # related to the continuous CHILD_SA rekeying in the log -
                # confirm against the strongSwan version in use.
                life_time = 28800s
                local_ts = 2001:db8:1111::/64
                remote_ts = 2001:db8:2222::/64
                ipcomp = no
                mode = tunnel
                # Generated from connection-type 'initiate'.
                start_action = start
                # Generated from dead-peer-detection action 'hold'.
                dpd_action = trap
                # NOTE(review): close_action is emitted with an empty value.
                close_action =
            }
        }
    }
}

pools {
}

secrets {
    ike_2001-db8--2 {
        id-local = 2001:db8::1 # dhcp:no
        id-remote = 2001:db8::2
        id-localid = 2001:db8::1
        id-remoteid = 2001:db8::2
        # Same lab pre-shared secret as in the VyOS configuration above.
        secret = "SSSeeccRetT"
    }
}