
site-to-site GRE IPSEC VPN fails
Closed, Wontfix | Public | BUG

Description

So I have 3 routers... 2 of them are VyOS and the 3rd is MT. Basic config:
bgp-a <---> nova <---> bgp-b

bgp-b is running 1.1.8
bgp-a is running 1.2.0-rc7

This config works fine on bgp-b / 1.1.8... but is failing on 1.2.0-rc7.
Has the config changed? Or have I hit a bug ;)

vpn {
     ipsec {
         esp-group nova-esp {
             compression disable
             lifetime 3600
             mode tunnel
             pfs enable
             proposal 1 {
                 encryption aes256
                 hash sha256
             }
         }
         ike-group nova-ike {
             ikev2-reauth no
             key-exchange ikev1
             lifetime 28800
             proposal 1 {
                 dh-group 21
                 encryption aes256
                 hash sha256
             }
         }
         ipsec-interfaces {
             interface eth0
         }
         site-to-site {
             peer 2.2.2.2 {
                 authentication {
                     mode pre-shared-secret
                     pre-shared-secret longrandomdata
                 }
                 connection-type respond
                 default-esp-group nova-esp
                 ike-group nova-ike
                 local-address 1.1.1.1
                 tunnel 1 {
                     protocol gre
                 }
             }
         }
     }
 }

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0
Why the issue appeared?
Will be filled on close

Event Timeline

jakevis created this task.Nov 13 2018, 9:13 PM
jakevis updated the task description. (Show Details)Nov 13 2018, 9:20 PM
jakevis renamed this task from site-to-site IPSEC VPN fails to site-to-site GRE IPSEC VPN fails.Nov 13 2018, 9:24 PM

Is it working at start and failing after some time, or is the connection not establishing at all?

syncer triaged this task as Low priority.Dec 1 2018, 5:39 PM

@begetan - it won't connect at all

@jakevis This exact config works for me in rc9. Could you update and re-test?

The initiator and the responder are both rc9 in this scenario:

vyos@vyos-test# show vpn ipsec 
 esp-group Foo {
     pfs enable
     proposal 1 {
         encryption aes256
         hash sha256
     }
 }
 ike-group Foo {
     proposal 1 {
         dh-group 21
         encryption aes256
         hash sha256
     }
 }
 ipsec-interfaces {
     interface eth1
 }
 site-to-site {
     peer 10.1.1.2 {
         authentication {
             mode pre-shared-secret
             pre-shared-secret qwerty
         }
         connection-type initiate
         default-esp-group Foo
         ike-group Foo
         local-address 10.1.1.1
         tunnel 1 {
             protocol gre
         }
     }
 }

vyos@vyos-test# run show vpn ipsec sa
Connection              State    Up          Bytes In/Out    Remote address    Remote ID    Proposal
----------------------  -------  ----------  --------------  ----------------  -----------  -------------------------------------
peer-10.1.1.2-tunnel-1  up       18 seconds  0/0             10.1.1.2          N/A          AES_CBC_256/HMAC_SHA2_256_128/ECP_521
peer-10.1.1.2-tunnel-1  up       18 seconds  0/0             10.1.1.2          N/A          AES_CBC_256/HMAC_SHA2_256_128/ECP_521

vyos@vyos-test# run show vpn ipsec sa verbose 
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.19.4-amd64-vyos, x86_64):
  uptime: 50 seconds, since Dec 03 00:03:51 2018
  malloc: sbrk 2838528, mmap 0, used 808192, free 2030336
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  10.1.1.1
Connections:
peer-10.1.1.2-tunnel-1:  10.1.1.1...10.1.1.2  IKEv1
peer-10.1.1.2-tunnel-1:   local:  [10.1.1.1] uses pre-shared key authentication
peer-10.1.1.2-tunnel-1:   remote: [10.1.1.2] uses pre-shared key authentication
peer-10.1.1.2-tunnel-1:   child:  dynamic[gre] === dynamic[gre] TUNNEL
Security Associations (1 up, 0 connecting):
peer-10.1.1.2-tunnel-1[1]: ESTABLISHED 50 seconds ago, 10.1.1.1[10.1.1.1]...10.1.1.2[10.1.1.2]
peer-10.1.1.2-tunnel-1[1]: IKEv1 SPIs: 1e9f789a78e29cfb_i* 72d920caaffc8cbf_r, pre-shared key reauthentication in 7 hours
peer-10.1.1.2-tunnel-1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
peer-10.1.1.2-tunnel-1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2511be3_i c64336e2_o
peer-10.1.1.2-tunnel-1{1}:  AES_CBC_256/HMAC_SHA2_256_128/ECP_521, 0 bytes_i, 0 bytes_o, rekeying in 43 minutes
peer-10.1.1.2-tunnel-1{1}:   10.1.1.1/32[gre] === 10.1.1.2/32[gre]
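The output above is the thing to check when comparing the two ends: a tunnel that reports up but with a proposal other than AES_CBC_256/HMAC_SHA2_256_128/ECP_521 means the peer negotiated something weaker than the esp-group asked for. The following is an added example, not code from the thread or from VyOS: it parses the plain-text table that `run show vpn ipsec sa` prints, derives the proposal string the configured esp-group and ike-group should produce (the aes256/sha256/dh-group 21 mapping is taken from this page; the aes128/sha1/dh-group 19/14 entries are standard strongSwan names added as an assumption), and flags tunnels that are down or that negotiated a different suite. The first two rows of the sample table are copied from the post; the last two are constructed to exercise the failure paths.

```python
"""Verify a VyOS 'show vpn ipsec sa' table against the intended esp-/ike-group.

Added example, not code from the bug report or from VyOS. It parses the
plain-text table that `run show vpn ipsec sa` prints and flags any tunnel that
is not up or that negotiated a cipher suite other than the one the esp-group
asks for, so a peer-side proposal mismatch or downgrade is caught instead of
being accepted quietly.
"""
import re

# VyOS configuration names -> strongSwan names as shown in the Proposal column.
# aes256 / sha256 / dh-group 21 are what this page shows; the remaining entries
# are standard strongSwan names added here for completeness (assumption).
VYOS_TO_STRONGSWAN = {
    "encryption": {"aes256": "AES_CBC_256", "aes128": "AES_CBC_128"},
    "hash": {"sha256": "HMAC_SHA2_256_128", "sha1": "HMAC_SHA1_96"},
    "dh-group": {"21": "ECP_521", "19": "ECP_256", "14": "MODP_2048"},
}

# Intended groups, matching the working configuration posted in the thread.
ESP_GROUP = {"encryption": "aes256", "hash": "sha256", "pfs": "enable"}
IKE_GROUP = {"encryption": "aes256", "hash": "sha256", "dh-group": "21"}

# Constructed sample: rows 1-2 are copied from the thread, rows 3-4 are made up
# (a tunnel that never came up, and one that negotiated a weaker suite).
SAMPLE_OUTPUT = """\
Connection              State    Up          Bytes In/Out    Remote address    Remote ID    Proposal
----------------------  -------  ----------  --------------  ----------------  -----------  -------------------------------------
peer-10.1.1.2-tunnel-1  up       18 seconds  0/0             10.1.1.2          N/A          AES_CBC_256/HMAC_SHA2_256_128/ECP_521
peer-10.1.1.2-tunnel-1  up       18 seconds  0/0             10.1.1.2          N/A          AES_CBC_256/HMAC_SHA2_256_128/ECP_521
peer-10.1.1.3-tunnel-1  down     N/A         N/A             10.1.1.3          N/A          N/A
peer-10.1.1.4-tunnel-1  up       5 seconds   0/0             10.1.1.4          N/A          AES_CBC_128/HMAC_SHA1_96/MODP_2048
"""


def parse_sa_table(text):
    """Return one dict per tunnel row, keyed by the column headers.

    Columns are separated by two or more spaces; single spaces inside a value
    ("18 seconds", "Remote address") are preserved.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0])
    rows = []
    for line in lines[1:]:
        if set(line) <= {"-", " "}:  # dashed separator under the header
            continue
        fields = re.split(r"\s{2,}", line)
        if len(fields) != len(header):
            raise ValueError(f"unexpected column count in: {line!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def expected_proposal(esp_group, ike_group):
    """Build the strongSwan proposal string the configured groups should yield.

    With 'pfs enable' the ESP child SA reuses the ike-group's dh-group, which is
    why the thread's output ends in ECP_521 for both the IKE and ESP proposals.
    """
    parts = [
        VYOS_TO_STRONGSWAN["encryption"][esp_group["encryption"]],
        VYOS_TO_STRONGSWAN["hash"][esp_group["hash"]],
    ]
    if esp_group.get("pfs") == "enable":
        parts.append(VYOS_TO_STRONGSWAN["dh-group"][ike_group["dh-group"]])
    return "/".join(parts)


def check_tunnels(text, esp_group, ike_group):
    """Return a list of problem strings; empty means every tunnel is up and
    negotiated exactly the intended suite."""
    want = expected_proposal(esp_group, ike_group)
    problems = []
    for row in parse_sa_table(text):
        name = row["Connection"]
        if row["State"] != "up":
            problems.append(f"{name}: state is {row['State']}, not up")
        elif row["Proposal"] != want:
            problems.append(f"{name}: negotiated {row['Proposal']}, expected {want}")
    return problems


if __name__ == "__main__":
    for problem in check_tunnels(SAMPLE_OUTPUT, ESP_GROUP, IKE_GROUP):
        print(problem)
```

Run it against captured output from both routers (for example `vtysh`-style `run show vpn ipsec sa` piped to a file) with the esp-group and ike-group you actually configured; on the thread's output it returns no problems, while the two constructed rows produce one "not up" and one "negotiated ... expected ..." entry. Because the duplicate row for the same connection is parsed as two rows, it is also easy to spot when strongSwan installs more than one CHILD_SA for a tunnel.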
dmbaturin changed the task status from Open to Needs testing.Dec 3 2018, 12:47 AM
pasik added a subscriber: pasik.Dec 16 2018, 11:23 AM
syncer closed this task as Wontfix.
syncer claimed this task.
syncer added a subscriber: syncer.

retest