IPsec shows only one IKE SA for a peer, but sometimes there is more than one Phase 1 connection to that peer
It is difficult to reproduce, but it happens from time to time.
There are two Phase 1 SAs with the same peer, but show vpn ike sa displays only one of them:
vyos@r14:~$ sudo swanctl -l
peer_2001-db8--2: #3, ESTABLISHED, IKEv2, dae368231f55fcec_i 7a6eeb20639cef4e_r*
  local  '2001:db8::1' @ 2001:db8::1[500]
  remote '2001:db8::2' @ 2001:db8::2[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 721s ago, rekeying in 80568s
  peer_2001-db8--2_tunnel_0: #165, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 606s ago, rekeying in 684s, expires in 28194s
    in  c50bbf4f,      0 bytes,     0 packets
    out c4fc9576,      0 bytes,     0 packets
    local  2001:db8:1111::/64
    remote 2001:db8:2222::/64
  peer_2001-db8--2_tunnel_0: #183, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 353s ago, rekeying in 1173s, expires in 28447s
    in  c96e2e2b,      0 bytes,     0 packets
    out c135bac8,      0 bytes,     0 packets
    local  2001:db8:1111::/64
    remote 2001:db8:2222::/64
peer_2001-db8--2: #1, ESTABLISHED, IKEv2, d18f16027ae188f9_i* 9bcc6b23c607b349_r
  local  '2001:db8::1' @ 2001:db8::1[500]
  remote '2001:db8::2' @ 2001:db8::2[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 744s ago, rekeying in 79691s
  peer_2001-db8--2_tunnel_0: #273, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 124s ago, rekeying in 148s, expires in 28676s
    in  c0d25317,      0 bytes,     0 packets
    out c39b0881,      0 bytes,     0 packets
    local  2001:db8:1111::/64
    remote 2001:db8:2222::/64
vyos@r14:~$
Show IKE:
vyos@r14:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
2001:db8::2 2001:db8::2                 2001:db8::1 2001:db8::1

    State  IKEVer  Encrypt      Hash               D-H Group  NAT-T  A-Time  L-Time
    -----  ------  -------      ----               ---------  -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA2_256_128  MODP_2048  no     742     0

vyos@r14:~$
Show SA:
vyos@r14:~$ show vpn ipsec sa
Connection                 State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ---------------------------------------
peer_2001-db8--2_tunnel_0  up       2m36s     0B/0B           0B/0B             2001:db8::2       2001:db8::2  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
peer_2001-db8--2_tunnel_0  up       6m25s     0B/0B           0B/0B             2001:db8::2       2001:db8::2  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
peer_2001-db8--2_tunnel_0  up       10m38s    0B/0B           0B/0B             2001:db8::2       2001:db8::2  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
vyos@r14:~$
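Because show vpn ike sa collapses both IKE_SAs into a single row, the duplicate Phase 1 state is easy to miss. The following Python, added here and not taken from the report or from VyOS, parses swanctl -l text and lists peers that hold more than one ESTABLISHED IKE_SA; the sample text is constructed from the output above, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the swanctl -l output in the report:
# two ESTABLISHED IKE_SAs (#3 and #1) for the same peer, three CHILD_SAs in total.
SAMPLE = """\
peer_2001-db8--2: #3, ESTABLISHED, IKEv2, dae368231f55fcec_i 7a6eeb20639cef4e_r*
  remote '2001:db8::2' @ 2001:db8::2[500]
  established 721s ago, rekeying in 80568s
  peer_2001-db8--2_tunnel_0: #165, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
  peer_2001-db8--2_tunnel_0: #183, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
peer_2001-db8--2: #1, ESTABLISHED, IKEv2, d18f16027ae188f9_i* 9bcc6b23c607b349_r
  remote '2001:db8::2' @ 2001:db8::2[500]
  established 744s ago, rekeying in 79691s
  peer_2001-db8--2_tunnel_0: #273, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
"""

# IKE_SA header lines start at column 0; CHILD_SA and detail lines are indented.
IKE_RE = re.compile(r"^(?P<name>\S+): #(?P<id>\d+), (?P<state>[A-Z_]+), IKEv(?P<ver>\d)")
CHILD_RE = re.compile(r"^\s+(?P<name>\S+): #(?P<id>\d+), reqid (?P<reqid>\d+), (?P<state>[A-Z_]+)")
REMOTE_RE = re.compile(r"^\s+remote '(?P<rid>[^']*)' @ (?P<addr>\S+)\[\d+\]")

def parse_swanctl(text):
    """Return a list of IKE_SA dicts (name, id, state, remote address, child ids)."""
    sas = []
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            sas.append({"name": m["name"], "id": int(m["id"]),
                        "state": m["state"], "remote": None, "children": []})
            continue
        if not sas:          # detail line before any IKE_SA header: ignore
            continue
        m = REMOTE_RE.match(line)
        if m:
            sas[-1]["remote"] = m["addr"]
            continue
        m = CHILD_RE.match(line)
        if m:
            sas[-1]["children"].append(int(m["id"]))
    return sas

def duplicate_ike_sas(text):
    """Map (connection, remote address) -> IKE_SA ids, for peers with >1 ESTABLISHED IKE_SA."""
    groups = defaultdict(list)
    for sa in parse_swanctl(text):
        if sa["state"] == "ESTABLISHED":
            groups[(sa["name"], sa["remote"])].append(sa["id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}
```

On the sample, duplicate_ike_sas(SAMPLE) reports peer_2001-db8--2 at 2001:db8::2 with IKE_SAs [3, 1], the pair that the op-mode table shows as one entry.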
Example of configuration:
set vpn ipsec esp-group grp-ESPv4 compression 'disable'
set vpn ipsec esp-group grp-ESPv4 lifetime '28800'
set vpn ipsec esp-group grp-ESPv4 mode 'tunnel'
set vpn ipsec esp-group grp-ESPv4 pfs 'dh-group14'
set vpn ipsec esp-group grp-ESPv4 proposal 10 encryption 'aes256'
set vpn ipsec esp-group grp-ESPv4 proposal 10 hash 'sha256'
set vpn ipsec ike-group grp-IKEv4 dead-peer-detection action 'hold'
set vpn ipsec ike-group grp-IKEv4 dead-peer-detection interval '30'
set vpn ipsec ike-group grp-IKEv4 dead-peer-detection timeout '120'
set vpn ipsec ike-group grp-IKEv4 ikev2-reauth 'no'
set vpn ipsec ike-group grp-IKEv4 key-exchange 'ikev2'
set vpn ipsec ike-group grp-IKEv4 lifetime '86400'
set vpn ipsec ike-group grp-IKEv4 mobike 'disable'
set vpn ipsec ike-group grp-IKEv4 proposal 10 dh-group '14'
set vpn ipsec ike-group grp-IKEv4 proposal 10 encryption 'aes256'
set vpn ipsec ike-group grp-IKEv4 proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer @foo authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer @foo authentication pre-shared-secret 'FoFoF'
set vpn ipsec site-to-site peer @foo ike-group 'grp-IKEv4'
set vpn ipsec site-to-site peer @foo local-address 'any'
set vpn ipsec site-to-site peer @foo tunnel 0 esp-group 'grp-ESPv4'
set vpn ipsec site-to-site peer @foo tunnel 0 local prefix '100.64.0.0/24'
set vpn ipsec site-to-site peer @foo tunnel 0 remote prefix '10.50.60.0/24'
set vpn ipsec site-to-site peer 2001:db8::2 authentication id '2001:db8::1'
set vpn ipsec site-to-site peer 2001:db8::2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2001:db8::2 authentication pre-shared-secret 'SSSeeccRetT'
set vpn ipsec site-to-site peer 2001:db8::2 authentication remote-id '2001:db8::2'
set vpn ipsec site-to-site peer 2001:db8::2 connection-type 'initiate'
set vpn ipsec site-to-site peer 2001:db8::2 ike-group 'grp-IKEv4'
set vpn ipsec site-to-site peer 2001:db8::2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 2001:db8::2 local-address '2001:db8::1'
set vpn ipsec site-to-site peer 2001:db8::2 tunnel 0 esp-group 'grp-ESPv4'
set vpn ipsec site-to-site peer 2001:db8::2 tunnel 0 local prefix '2001:db8:1111::/64'
set vpn ipsec site-to-site peer 2001:db8::2 tunnel 0 remote prefix '2001:db8:2222::/64'