Hi there, I've got a lot of problems keeping an IKEv2 point-to-point connection stable between OpenBSD/OpenIKED and VyOS/strongSwan.
Basically, OpenBSD is GRE transport in passive mode; strongSwan is active GRE transport. The GRE tunnel is built on top and keepalive works on both sides, because I've changed the behaviour of the tun interface in Linux. This is the error that I also get on the OpenBSD side:

    Feb 22 07:54:34 ganesha iked[26646]: spi=0x53365c1f26b25ca8: ikev2_ike_sa_rekey: busy, delaying rekey
    Feb 22 07:54:34 ganesha iked[26646]: spi=0xbbc576f1b7bbeff8: ikev2_ike_sa_rekey: busy, delaying rekey
    Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
    Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
    Feb 22 07:54:38 ganesha iked[26646]: spi=0xa74b9d54a7346659: ikev2_ike_sa_rekey: busy, delaying rekey
    Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
    Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
    Feb 22 07:54:39 ganesha iked[26646]: spi=0xb1cc5054712c2e6e: ikev2_ike_sa_rekey: busy, delaying rekey
    Feb 22 07:54:40 ganesha iked[26646]: spi=0x56465bd460d16d54: ikev2_ike_sa_rekey: busy, delaying rekey
    Feb 22 07:54:40 ganesha iked[26646]: pfkey_sa_lookup: message: No such process

Here is the strongSwan configuration:

    conn XXXX
        keyexchange=ikev2
        type=transport
        auto=start
        reauth=no
        ikelifetime=1h
        dpdaction=restart
        dpddelay=15
        dpdtimeout=1
        closeaction=restart
        left=%defaultroute
        leftsourceip=%config4
        leftauth=pubkey
        leftid=%indra@XXXX
        leftprotoport=gre
        leftupdown=/config/ipsec/ESJP-updown.sh
        right=XXXX
        rightsubnet=XXXX
        rightauth=pubkey
        rightid=%jXXXX
        rightcert=/etc/ipsec.d/certs/XXXX.crt
        rightprotoport=gre

And the updown script:

    #!/bin/bash
    set -o nounset
    set -o errexit

    TUN_IFACE="tun2"

    # strongSwan passes the event in PLUTO_VERB; only the host events matter here.
    case "${PLUTO_VERB}" in
        up-host)
            echo "Putting interface ${TUN_IFACE} up"
            ifconfig "$TUN_IFACE" up
            echo "Disabling IPsec policy (SPD) for ${TUN_IFACE}"
            sysctl -w "net.ipv4.conf.${TUN_IFACE}.disable_policy=1"
            echo "Accepting gre keepalive"
            sysctl -w "net.ipv4.conf.${TUN_IFACE}.accept_local=1"
            ;;
        down-host)
            ifconfig "$TUN_IFACE" down
            ;;
    esac

IKE is checked with DPD. The SA is checked with the script above and also with a cron script acting in this way:

    #!/bin/bash
    ROUTER_IP=XXXX
    IPSEC="XXXX"
    GRE="tun2"
    # Ping the far end of the GRE tunnel through the tunnel interface.
    PING_RESULT=$(fping -I"$GRE" "$ROUTER_IP" 2>&1)
    ALIVE="alive"
    STATUS=$(ipsec status "$IPSEC")
    # Variable name fixed: it was declared as ESTABLISED and read as ESTABLISHED,
    # so the comparison below always matched the empty string.
    ESTABLISHED="INSTALLED"
    if [[ "$PING_RESULT" != *"$ALIVE"* ]]; then
        if [[ "$STATUS" == *"$ESTABLISHED"* ]]; then
            ipsec stroke down-nb "$IPSEC"
            ipsec up "$IPSEC"
        else
            ipsec up "$IPSEC"
        fi
    fi

On the OpenBSD side:

    set dpd_check_interval 15

    ikev2 "XXXX" passive transport \
        proto gre \
        from XXXX to XXXX \
        local jXXXX peer any \
        ikesa auth hmac-sha2-256 enc aes-256 group ecp256 \
        childsa auth hmac-sha2-256 enc aes-256 group ecp256 \
        srcid "shiva@XXXX" \
        ikelifetime 86400 lifetime 3600

    root@shiva:/etc# cat hostname.gre1
    description "XXXX"
    keepalive 5 2
    mtu 1392
    !ifconfig gre1 XXXX4 XXXX netmask 0xfffffffc up
    !ifconfig gre1 tunnel XXXX XXXX
    root@shiva:/etc#

And some ifstated to check keepalive status. Any suggestions?

--
Name: Riccardo Giuntoli
Email: tag...@gmail.com
Location: Sant Pere de Ribes, BCN, Spain
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net
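An added example, not part of the original post or of OpenIKED/strongSwan: a small POSIX shell check that scans iked(8) log lines for the two messages quoted in the post ("busy, delaying rekey" and "pfkey_sa_lookup: message: No such process"), counts them and the number of distinct IKE SA SPIs affected, and returns a non-zero exit status once either count crosses a threshold. It is meant for a cron job or an ifstated test that alerts on a rekey storm instead of restarting the SA blindly. The sample log is constructed from the excerpt in the post (one SPI is deliberately repeated); the function names and thresholds are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): count iked(8) rekey-delay and
# pfkey lookup failures so a monitoring job can alert on them.

# Constructed sample, modelled on the lines quoted in the post; the fourth
# rekey line repeats an SPI on purpose to exercise the distinct-SPI count.
SAMPLE_LOG='Feb 22 07:54:34 ganesha iked[26646]: spi=0x53365c1f26b25ca8: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:34 ganesha iked[26646]: spi=0xbbc576f1b7bbeff8: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
Feb 22 07:54:38 ganesha iked[26646]: spi=0xa74b9d54a7346659: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:39 ganesha iked[26646]: spi=0xa74b9d54a7346659: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:40 ganesha iked[26646]: pfkey_sa_lookup: message: No such process'

# Number of "busy, delaying rekey" events on stdin.
count_delayed_rekeys() {
    awk '/ikev2_ike_sa_rekey: busy, delaying rekey/ { n++ } END { print n + 0 }'
}

# Number of pfkey_sa_lookup failures on stdin (iked asked the kernel for an
# SA that no longer exists).
count_pfkey_failures() {
    awk '/pfkey_sa_lookup: message: No such process/ { n++ } END { print n + 0 }'
}

# Number of distinct IKE SA SPIs whose rekey was deferred.
count_distinct_spis() {
    awk '/busy, delaying rekey/ && match($0, /spi=0x[0-9a-f]+/) {
             s = substr($0, RSTART, RLENGTH)
             if (!(s in seen)) { seen[s] = 1; n++ }
         }
         END { print n + 0 }'
}

# ike_rekey_health MAX_REKEY MAX_PFKEY  (log lines on stdin)
# Exit 0 while both counts stay below their thresholds, 1 otherwise.
# The thresholds are arbitrary; tune them to the log window you scan.
ike_rekey_health() {
    _max_rekey="$1"
    _max_pfkey="$2"
    _log=$(cat)
    _r=$(printf '%s\n' "$_log" | count_delayed_rekeys)
    _p=$(printf '%s\n' "$_log" | count_pfkey_failures)
    if [ "$_r" -lt "$_max_rekey" ] && [ "$_p" -lt "$_max_pfkey" ]; then
        return 0
    fi
    return 1
}

# Stand-alone demonstration against the constructed sample.
printf 'delayed rekeys:  %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_delayed_rekeys)"
printf 'pfkey failures:  %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_pfkey_failures)"
printf 'distinct SPIs:   %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_distinct_spis)"
if printf '%s\n' "$SAMPLE_LOG" | ike_rekey_health 3 3; then
    echo "rekey health: ok"
else
    echo "rekey health: degraded"
fi
```

In practice the functions read real log lines, e.g. `grep ' iked\[' /var/log/daemon | ike_rekey_health 20 5` on OpenBSD, where iked logs through the daemon syslog facility; pair the distinct-SPI count with the raw count to tell one SA that keeps retrying apart from many SAs all failing at once.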