Page MenuHomePhabricator

Under certain conditions the VTI will stay forever down
Open, Requires assessmentPublic

Description

Under certain conditions the VTI will stay down forever. For example, when two VyOS are launched at the same time with the following.

` IKEv2
[vyos-v1] vti2 --- vti1 [vyos-v2]`

vyos-v1 log
`Mar 10 16:41:55 vyos-v1 charon: 13[IKE] IKE_SA peer-172.16.2.1-tunnel-vti[2] established between 172.16.1.1[172.16.1.1]...172.16.2.1[172.16.2.1]
Mar 10 16:41:55 vyos-v1 charon: 13[IKE] CHILD_SA peer-172.16.2.1-tunnel-vti{1} established with SPIs ccdf97c0_i cd4e74a2_o and TS 0.0.0.0/0 === 0.0.0.0/0
Mar 10 16:41:56 vyos-v1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/ip link set vti2 up
Mar 10 16:41:57 vyos-v1 charon: 14[IKE] establishing CHILD_SA peer-172.16.2.1-tunnel-vti{2}
Mar 10 16:41:58 vyos-v1 charon: 15[IKE] IKE_SA peer-172.16.2.1-tunnel-vti[1] established between 172.16.1.1[172.16.1.1]...172.16.2.1[172.16.2.1]
Mar 10 16:41:58 vyos-v1 charon: 15[IKE] CHILD_SA peer-172.16.2.1-tunnel-vti{2} established with SPIs c7ac315b_i c07bc185_o and TS 0.0.0.0/0 === 0.0.0.0/0
Mar 10 16:42:07 vyos-v1 charon: 08[IKE] deleting IKE_SA peer-172.16.2.1-tunnel-vti[2] between 172.16.1.1[172.16.1.1]...172.16.2.1[172.16.2.1]
Mar 10 16:42:07 vyos-v1 charon: 08[IKE] IKE_SA deleted
Mar 10 16:42:07 vyos-v1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/ip link set vti2 down
Mar 10 16:42:52 vyos-v1 charon: 05[IKE] inbound CHILD_SA peer-172.16.2.1-tunnel-vti{3} established with SPIs ce363725_i c316db57_o and TS 0.0.0.0/0 === 0.0.0.0/0
Mar 10 16:42:52 vyos-v1 charon: 07[IKE] outbound CHILD_SA peer-172.16.2.1-tunnel-vti{3} established with SPIs ce363725_i c316db57_o and TS 0.0.0.0/0 === 0.0.0.0/0`

vyos-v2 log
`Mar 10 16:41:56 vyos-v2 charon: 13[IKE] IKE_SA peer-172.16.1.1-tunnel-vti[1] established between 172.16.2.1[172.16.2.1]...172.16.1.1[172.16.1.1]
Mar 10 16:41:56 vyos-v2 charon: 13[IKE] CHILD_SA peer-172.16.1.1-tunnel-vti{1} established with SPIs cd4e74a2_i ccdf97c0_o and TS 0.0.0.0/0 === 0.0.0.0/0
Mar 10 16:41:56 vyos-v2 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/ip link set vti1 up
Mar 10 16:41:57 vyos-v2 charon: 14[IKE] schedule delete of duplicate IKE_SA for peer '172.16.1.1' due to uniqueness policy and suspected reauthentication
Mar 10 16:41:57 vyos-v2 charon: 14[IKE] IKE_SA peer-172.16.1.1-tunnel-vti[2] established between 172.16.2.1[172.16.2.1]...172.16.1.1[172.16.1.1]
Mar 10 16:41:57 vyos-v2 charon: 14[IKE] CHILD_SA peer-172.16.1.1-tunnel-vti{2} established with SPIs c07bc185_i c7ac315b_o and TS 0.0.0.0/0 === 0.0.0.0/0
Mar 10 16:42:06 vyos-v2 charon: 07[IKE] deleting IKE_SA peer-172.16.1.1-tunnel-vti[1] between 172.16.2.1[172.16.2.1]...172.16.1.1[172.16.1.1]
Mar 10 16:42:07 vyos-v2 charon: 06[IKE] IKE_SA deleted
Mar 10 16:42:07 vyos-v2 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/ip link set vti1 down
Mar 10 16:42:51 vyos-v2 charon: 06[IKE] establishing CHILD_SA peer-172.16.1.1-tunnel-vti{3} reqid 1
Mar 10 16:42:51 vyos-v2 charon: 16[IKE] inbound CHILD_SA peer-172.16.1.1-tunnel-vti{3} established with SPIs c316db57_i ce363725_o and TS 0.0.0.0/0 === 0.0.0.0/0
Mar 10 16:42:51 vyos-v2 charon: 16[IKE] outbound CHILD_SA peer-172.16.1.1-tunnel-vti{3} established with SPIs c316db57_i ce363725_o and TS 0.0.0.0/0 === 0.0.0.0/0`

On the vyos-v2 side, first IKE_SA and CHILD_SA (cd4e74a2_i ccdf97c0_o) are established and vti1 has up, and seconds (c07bc185_i c7ac315b_o) are established too. Then, it (cd4e74a2_i ccdf97c0_o) is deleted by uniqueness policy. If true, because the other CHILD_SA (c07bc185_i c7ac315b_o) is alive, you should not go down VTI, but vti1 goes down.

On the vyos-v1 side, the same problem occurs.

You can correct this problem by making the following changes.

https://github.com/m-asama/vyatta-cfg-vpn/commit/d95c88d5ac1d4a1d42a7b6481d7129a756f0111c

The vti-up-down script do:

  • when executed with up: When the VTI interface is down and ipsec status is confirmed that the corresponding setting child_sa is installed, up the VTI interface.
  • when executed with down: When the VTI interface is up and ipsec status is confirmed and it is confirmed that child_sa of the corresponding setting is not installed, down the VTI interface.

I will pull-request after this.

Details

Difficulty level
Unknown (require assessment)
Version
crux(ISO image maked own)
Why the issue appeared?
Will be filled on close

Event Timeline

m-asama created this task.Mar 11 2019, 2:37 AM
m-asama created this object in space S1 VyOS Public.