IPsec site-to-site generates an unexpected passthrough option after [[ https://github.com/vyos/vyos-1x/commit/e8a637eec0cc398f78a877ece6b9c7cdca418970 | commit ]]
As a result, the tunnel does not work.
```
# Reproduction config from the report: GRE tunnel tun0 whose outer endpoints
# (10.10.0.2 on dum0, 10.10.0.1 on the far side) are carried by an IPsec
# site-to-site tunnel to peer 192.0.2.1 over eth2.
set interfaces dummy dum0 address '10.10.0.2/32'
set interfaces ethernet eth2 address '192.0.2.2/30'
set interfaces tunnel tun0 address '10.0.0.2/30'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 multicast 'disable'
set interfaces tunnel tun0 remote '10.10.0.1'
set interfaces tunnel tun0 source-address '10.10.0.2'
# ESP group (child SA): AES-256 / SHA-256, PFS with DH group 14, tunnel mode.
set vpn ipsec esp-group ESP-GRP compression 'disable'
set vpn ipsec esp-group ESP-GRP lifetime '3600'
set vpn ipsec esp-group ESP-GRP mode 'tunnel'
set vpn ipsec esp-group ESP-GRP pfs 'dh-group14'
set vpn ipsec esp-group ESP-GRP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GRP proposal 1 hash 'sha256'
# IKE group: IKEv2, AES-256 / SHA-256, DH group 14; DPD action is 'restart'.
set vpn ipsec ike-group IKE-GRP close-action 'none'
set vpn ipsec ike-group IKE-GRP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GRP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GRP dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE-GRP ikev2-reauth 'no'
set vpn ipsec ike-group IKE-GRP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GRP lifetime '28800'
set vpn ipsec ike-group IKE-GRP proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-GRP proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP proposal 1 hash 'sha256'
set vpn ipsec interface 'eth2'
# Peer definition. Note that no passthrough setting appears anywhere in this
# listing; only tunnel 1 is configured under the peer.
set vpn ipsec site-to-site peer 192.0.2.1 authentication id '192.0.2.2'
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode 'pre-shared-secret'
# NOTE(review): example pre-shared secret as posted in the report. In a real
# deployment use a long random value unique to the peer, and redact it before
# sharing a configuration.
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret 'SuperPA$$swd'
set vpn ipsec site-to-site peer 192.0.2.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.2.1 ike-group 'IKE-GRP'
set vpn ipsec site-to-site peer 192.0.2.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.2.1 local-address '192.0.2.2'
# Tunnel 1 traffic selectors are the two GRE endpoint /32s (tun0
# source-address and remote), so tun0's outer packets should match this child.
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group 'ESP-GRP'
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix '10.10.0.2/32'
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix '10.10.0.1/32'
```
Generated configuration:
```
vyos@tstrtr2# sudo cat /etc/swanctl/swanctl.conf | grep children -A 20
children {
peer_192-0-2-1_tunnel_1 {
esp_proposals = aes256-sha256-modp2048
life_time = 3600s
local_ts = 10.10.0.2/32
remote_ts = 10.10.0.1/32
ipcomp = no
mode = tunnel
start_action = start
dpd_action = restart
close_action = none
}
peer_192-0-2-1_tunnel_1_passthough {
local_ts =
remote_ts =
start_action = trap
mode = pass
}
}
}
```
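As a result, we don't see outbound packets: the child SA below counts inbound traffic but shows 0 bytes / 0 packets outbound. A child with `mode = pass` installs a bypass policy rather than an ESP SA, so any traffic it matches is exempted from IPsec; it is presumably what keeps the GRE packets out of the tunnel here, and it is worth confirming with a capture on eth2 that they are not leaving unencrypted.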
```
peer_192-0-2-1: #1, ESTABLISHED, IKEv2, be2a04e3a6e22022_i* 6b07c0ef01f6c28e_r
local '192.0.2.2' @ 192.0.2.2[4500]
remote '192.0.2.1' @ 192.0.2.1[4500]
AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
established 304s ago, rekeying in 26719s
peer_192-0-2-1_tunnel_1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
installed 304s ago, rekeying in 3296s, expires in 3296s
in c35c85cf, 546 bytes, 4 packets
out ce0b767f, 0 bytes, 0 packets
local 10.10.0.2/32
remote 10.10.0.1/32
```