When a VTI interface is just created, it is in UP state by default, even if an IPSec peer is not connected. After the peer is disconnected the interface goes to DOWN state as expected.
This breaks routing logic - for example, static routes through VTI interfaces will be active even if a peer is not connected.
To reproduce:
set interfaces vti vti10 set vpn ipsec authentication psk PEER01 id 'PEER02' set vpn ipsec authentication psk PEER01 id 'PEER01' set vpn ipsec authentication psk PEER01 secret 'SECRET123' set vpn ipsec esp-group ESP_01 lifetime '3600' set vpn ipsec esp-group ESP_01 mode 'tunnel' set vpn ipsec esp-group ESP_01 pfs 'dh-group14' set vpn ipsec esp-group ESP_01 proposal 10 encryption 'aes256' set vpn ipsec esp-group ESP_01 proposal 10 hash 'sha256' set vpn ipsec ike-group IKE_01 close-action 'none' set vpn ipsec ike-group IKE_01 dead-peer-detection action 'clear' set vpn ipsec ike-group IKE_01 dead-peer-detection interval '30' set vpn ipsec ike-group IKE_01 dead-peer-detection timeout '120' set vpn ipsec ike-group IKE_01 key-exchange 'ikev2' set vpn ipsec ike-group IKE_01 lifetime '28800' set vpn ipsec ike-group IKE_01 proposal 10 dh-group '14' set vpn ipsec ike-group IKE_01 proposal 10 encryption 'aes256' set vpn ipsec ike-group IKE_01 proposal 10 hash 'sha256' set vpn ipsec interface 'eth0' set vpn ipsec options disable-route-autoinstall set vpn ipsec site-to-site peer peer1 authentication local-id 'PEER01' set vpn ipsec site-to-site peer peer1 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer peer1 authentication remote-id 'PEER02' set vpn ipsec site-to-site peer peer1 connection-type 'none' set vpn ipsec site-to-site peer peer1 default-esp-group 'ESP_01' set vpn ipsec site-to-site peer peer1 ike-group 'IKE_01' set vpn ipsec site-to-site peer peer1 ikev2-reauth 'inherit' set vpn ipsec site-to-site peer peer1 local-address '192.0.2.1' set vpn ipsec site-to-site peer peer1 remote-address 'any' set vpn ipsec site-to-site peer peer1 vti bind 'vti10'
Check interfaces:
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address MAC VRF MTU S/L Description
----------- ------------ ----------------- ------- ----- ----- -------------
eth0 - 0c:7d:ec:ff:00:00 default 1500 u/D
eth1 - 0c:7d:ec:ff:00:01 default 1500 u/D
eth2 - 0c:7d:ec:ff:00:02 default 1500 u/D
eth3 - 0c:7d:ec:ff:00:03 default 1500 u/D
lo 127.0.0.1/8 00:00:00:00:00:00 default 65536 u/u
::1/128
vti10 - n/a default 1500 u/u