
Execute "show ipsec vpn ipsec sa" returns incorrect results
Open, Normal, Public

Description

Executing `show ipsec vpn ipsec sa` returns incorrect results:

```
Connection           State  Up   Bytes In/Out  Remote address  Remote ID  Proposal
peer-tun14-tunnel-1  down   N/A  N/A           N/A             N/A        N/A
peer-tun11-tunnel-1  down   N/A  N/A           N/A             N/A        N/A
peer-tun16-tunnel-1  down   N/A  N/A           N/A             N/A        N/A
peer-tun13-tunnel-1  down   N/A  N/A           N/A             N/A        N/A
peer-tun15-tunnel-1  down   N/A  N/A           N/A             N/A        N/A
```

The peer-tun11-tunnel-1 tunnel is up:

```
Connections:
peer-tun14-tunnel-1: %any...%any IKEv1, dpddelay=30s
peer-tun14-tunnel-1: local: [218.60.3.206] uses public key authentication
peer-tun14-tunnel-1: remote: [tun14] uses public key authentication
peer-tun14-tunnel-1: cert: "tun14"
peer-tun14-tunnel-1: child: 100.100.0.3/32 === 100.100.0.7/32 TUNNEL, dpdaction=restart
Security Associations (1 up, 5 connecting):
peer-tun14-tunnel-1[28]: CONNECTING, 172.21.12.2[%any]...175.148.226.27[%any]
peer-tun14-tunnel-1[28]: IKEv1 SPIs: d5f81ab2d704a994_i* 0000000000000000_r
peer-tun14-tunnel-1[28]: Tasks queued: QUICK_MODE
peer-tun14-tunnel-1[28]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
peer-tun14-tunnel-1[30]: ESTABLISHED 7 hours ago, 172.21.12.2[218.60.3.206]...42.178.185.120[tun14]
peer-tun14-tunnel-1[30]: IKEv1 SPIs: 0ea140a91adb7ecb_i d7d0c38e68784fb2_r*, rekeying disabled
peer-tun14-tunnel-1[30]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-tun14-tunnel-1{164}: REKEYED, TUNNEL, reqid 10, expires in 7 days
peer-tun14-tunnel-1{164}: 100.100.0.3/32 === 100.100.0.7/32
peer-tun14-tunnel-1{165}: INSTALLED, TUNNEL, reqid 10, ESP in UDP SPIs: cd095b9e_i cb4048e7_o
peer-tun14-tunnel-1{165}: AES_CBC_128/HMAC_SHA1_96/MODP_1024, 168 bytes_i (2 pkts, 464s ago), 168 bytes_o (2 pkts, 464s ago), rekeying disabled
peer-tun14-tunnel-1{165}: 100.100.0.3/32 === 100.100.0.7/32
```

Reason:
Line 70 does not check all the conditions. In the result above, if a connection has multiple records, the whole connection is considered invalid as long as one of them is connecting.

```python
import re
import subprocess

for conn in connections:
    status = subprocess.check_output("ipsec statusall {0}".format(conn), shell=True).decode()
    # Any CONNECTING line in the output (or 'no match') marks the connection down,
    # even when another IKE SA of the same connection is ESTABLISHED.
    if re.search(r'no match|CONNECTING', status):
        status_line = [conn, "down", None, None, None, None, None]
    else:
        ...  # rest of the branch not shown in the report
```
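The following is an added example, not code from this task or from VyOS. It shows the reported check beside a parser that reads the IKE and CHILD SA lines of `ipsec statusall` per connection, so that a leftover CONNECTING IKE SA does not hide an ESTABLISHED one. The sample output is a constructed, trimmed copy of the `statusall` lines quoted above; the regular expressions, the `COLUMNS` list and the function names are this example's own assumptions about the `show ipsec vpn ipsec sa` row layout.

```python
import re

# Constructed sample for this example: the `ipsec statusall peer-tun14-tunnel-1`
# output quoted in the task, trimmed to the lines the parser cares about.
# It carries one CONNECTING IKE SA ([28]) and one ESTABLISHED IKE SA ([30]).
SAMPLE = """\
Connections:
peer-tun14-tunnel-1: %any...%any IKEv1, dpddelay=30s
peer-tun14-tunnel-1: child: 100.100.0.3/32 === 100.100.0.7/32 TUNNEL, dpdaction=restart
Security Associations (1 up, 5 connecting):
peer-tun14-tunnel-1[28]: CONNECTING, 172.21.12.2[%any]...175.148.226.27[%any]
peer-tun14-tunnel-1[28]: IKEv1 SPIs: d5f81ab2d704a994_i* 0000000000000000_r
peer-tun14-tunnel-1[28]: Tasks queued: QUICK_MODE
peer-tun14-tunnel-1[30]: ESTABLISHED 7 hours ago, 172.21.12.2[218.60.3.206]...42.178.185.120[tun14]
peer-tun14-tunnel-1[30]: IKEv1 SPIs: 0ea140a91adb7ecb_i d7d0c38e68784fb2_r*, rekeying disabled
peer-tun14-tunnel-1[30]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-tun14-tunnel-1{164}: REKEYED, TUNNEL, reqid 10, expires in 7 days
peer-tun14-tunnel-1{164}: 100.100.0.3/32 === 100.100.0.7/32
peer-tun14-tunnel-1{165}: INSTALLED, TUNNEL, reqid 10, ESP in UDP SPIs: cd095b9e_i cb4048e7_o
peer-tun14-tunnel-1{165}: AES_CBC_128/HMAC_SHA1_96/MODP_1024, 168 bytes_i (2 pkts, 464s ago), 168 bytes_o (2 pkts, 464s ago), rekeying disabled
peer-tun14-tunnel-1{165}: 100.100.0.3/32 === 100.100.0.7/32
"""

# Constructed sample: the same peer while only the retried IKE SA exists.
CONNECTING_ONLY = """\
Security Associations (0 up, 1 connecting):
peer-tun14-tunnel-1[28]: CONNECTING, 172.21.12.2[%any]...175.148.226.27[%any]
peer-tun14-tunnel-1[28]: Tasks queued: QUICK_MODE
"""

# Assumed row layout of `show ipsec vpn ipsec sa` (taken from the header in the report).
COLUMNS = ['Connection', 'State', 'Up', 'Bytes In/Out', 'Remote address', 'Remote ID', 'Proposal']

# "<conn>[<id>]: <STATE> [<n> <unit> ago], <local>[<local id>]...<remote>[<remote id>]"
IKE_SA = re.compile(
    r'^(?P<conn>[^\[{\s]+)\[(?P<id>\d+)\]: (?P<state>[A-Z_]+)(?: (?P<up>\d+ \w+) ago)?, '
    r'(?P<local>[^\[]+)\[(?P<local_id>[^\]]*)\]\.\.\.(?P<remote>[^\[]+)\[(?P<remote_id>[^\]]*)\]$')
# "<conn>{<id>}: <STATE>, TUNNEL, ..."
CHILD_SA = re.compile(r'^(?P<conn>[^\[{\s]+)\{(?P<id>\d+)\}: (?P<state>[A-Z_]+), TUNNEL')
# "<conn>{<id>}: <proposal>, <n> bytes_i (...), <n> bytes_o (...)"
CHILD_STATS = re.compile(
    r'^(?P<conn>[^\[{\s]+)\{(?P<id>\d+)\}: (?P<proposal>\S+), (?P<bytes_i>\d+) bytes_i.*?, (?P<bytes_o>\d+) bytes_o')


def naive_state(conn, status):
    """The check as reported: any CONNECTING line marks the whole connection down."""
    return 'down' if re.search(r'no match|CONNECTING', status) else 'up'


def parse_statusall(text):
    """Group the IKE and CHILD SAs of `ipsec statusall` output by connection name."""
    conns = {}
    for line in text.splitlines():
        m = IKE_SA.match(line)
        if m:
            entry = conns.setdefault(m['conn'], {'ike': [], 'child': []})
            entry['ike'].append({'state': m['state'], 'up': m['up'],
                                 'remote': m['remote'], 'remote_id': m['remote_id']})
            continue
        m = CHILD_SA.match(line)
        if m:
            entry = conns.setdefault(m['conn'], {'ike': [], 'child': []})
            entry['child'].append({'id': m['id'], 'state': m['state'],
                                   'proposal': None, 'bytes_i': 0, 'bytes_o': 0})
            continue
        m = CHILD_STATS.match(line)
        if m and m['conn'] in conns:
            # Attach the traffic counters and ESP proposal to the CHILD SA they belong to.
            for child in conns[m['conn']]['child']:
                if child['id'] == m['id']:
                    child.update(proposal=m['proposal'],
                                 bytes_i=int(m['bytes_i']), bytes_o=int(m['bytes_o']))
    return conns


def connection_state(conn, status):
    """Row for `show ipsec vpn ipsec sa`: up only if an ESTABLISHED IKE SA and an
    INSTALLED CHILD SA exist; other SAs of the same connection do not matter."""
    down = [conn, 'down', None, None, None, None, None]
    info = parse_statusall(status).get(conn)
    if info is None:  # no SA at all for this connection
        return down
    established = [s for s in info['ike'] if s['state'] == 'ESTABLISHED']
    installed = [c for c in info['child'] if c['state'] == 'INSTALLED']
    if not established or not installed:
        return down
    ike, child = established[-1], installed[-1]
    return [conn, 'up', ike['up'], '{}/{}'.format(child['bytes_i'], child['bytes_o']),
            ike['remote'], ike['remote_id'], child['proposal']]


if __name__ == '__main__':
    print(' | '.join(COLUMNS))
    for sample in (SAMPLE, CONNECTING_ONLY):
        name = 'peer-tun14-tunnel-1'
        print('naive:', naive_state(name, sample), ' parsed:', connection_state(name, sample))
```

On the first sample the reported check answers `down` because the stale `[28]` IKE SA is still CONNECTING, while the parser answers `up` with the uptime, byte counters, remote address, remote ID and ESP proposal of the working SAs; on the second sample, where only the CONNECTING SA exists, both agree on `down`.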

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

windflag triaged this task as Normal priority.Feb 20 2019, 4:15 PM
windflag created this task.
windflag created this object in space S1 VyOS Public.