Page MenuHomeVyOS Platform
Create Task
Maniphest T1291

Under certain conditions the VTI will stay forever down
Closed, ResolvedPublic
Actions

Description

Under certain conditions the VTI will stay down forever. For example, when two VyOS are launched at the same time with the following.

` IKEv2
[vyos-v1] vti2 --- vti1 [vyos-v2]`

vyos-v1 log
`Mar 10 16:41:55 vyos-v1 charon: 13[IKE] IKE_SA peer-172.16.2.1-tunnel-vti[2] established between 172.16.1.1[172.16.1.1]...172.16.2.1[172.16.2.1]
Mar 10 16:41:55 vyos-v1 charon: 13[IKE] CHILD_SA peer-172.16.2.1-tunnel-vti{1} established with SPIs ccdf97c0_i cd4e74a2_o and TS 0.0.0.0/0 === 0.0.0.0/0
Mar 10 16:41:56 vyos-v1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/ip link set vti2 up
Mar 10 16:41:57 vyos-v1 charon: 14[IKE] establishing CHILD_SA peer-172.16.2.1-tunnel-vti{2}
Mar 10 16:41:58 vyos-v1 charon: 15[IKE] IKE_SA peer-172.16.2.1-tunnel-vti[1] established between 172.16.1.1[172.16.1.1]...172.16.2.1[172.16.2.1]
Mar 10 16:41:58 vyos-v1 charon: 15[IKE] CHILD_SA peer-172.16.2.1-tunnel-vti{2} established with SPIs c7ac315b_i c07bc185_o and TS 0.0.0.0/0 === 0.0.0.0/0
Mar 10 16:42:07 vyos-v1 charon: 08[IKE] deleting IKE_SA peer-172.16.2.1-tunnel-vti[2] between 172.16.1.1[172.16.1.1]...172.16.2.1[172.16.2.1]
Mar 10 16:42:07 vyos-v1 charon: 08[IKE] IKE_SA deleted
Mar 10 16:42:07 vyos-v1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/ip link set vti2 down
Mar 10 16:42:52 vyos-v1 charon: 05[IKE] inbound CHILD_SA peer-172.16.2.1-tunnel-vti{3} established with SPIs ce363725_i c316db57_o and TS 0.0.0.0/0 === 0.0.0.0/0
Mar 10 16:42:52 vyos-v1 charon: 07[IKE] outbound CHILD_SA peer-172.16.2.1-tunnel-vti{3} established with SPIs ce363725_i c316db57_o and TS 0.0.0.0/0 === 0.0.0.0/0`

vyos-v2 log
`Mar 10 16:41:56 vyos-v2 charon: 13[IKE] IKE_SA peer-172.16.1.1-tunnel-vti[1] established between 172.16.2.1[172.16.2.1]...172.16.1.1[172.16.1.1]
Mar 10 16:41:56 vyos-v2 charon: 13[IKE] CHILD_SA peer-172.16.1.1-tunnel-vti{1} established with SPIs cd4e74a2_i ccdf97c0_o and TS 0.0.0.0/0 === 0.0.0.0/0
Mar 10 16:41:56 vyos-v2 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/ip link set vti1 up
Mar 10 16:41:57 vyos-v2 charon: 14[IKE] schedule delete of duplicate IKE_SA for peer '172.16.1.1' due to uniqueness policy and suspected reauthentication
Mar 10 16:41:57 vyos-v2 charon: 14[IKE] IKE_SA peer-172.16.1.1-tunnel-vti[2] established between 172.16.2.1[172.16.2.1]...172.16.1.1[172.16.1.1]
Mar 10 16:41:57 vyos-v2 charon: 14[IKE] CHILD_SA peer-172.16.1.1-tunnel-vti{2} established with SPIs c07bc185_i c7ac315b_o and TS 0.0.0.0/0 === 0.0.0.0/0
Mar 10 16:42:06 vyos-v2 charon: 07[IKE] deleting IKE_SA peer-172.16.1.1-tunnel-vti[1] between 172.16.2.1[172.16.2.1]...172.16.1.1[172.16.1.1]
Mar 10 16:42:07 vyos-v2 charon: 06[IKE] IKE_SA deleted
Mar 10 16:42:07 vyos-v2 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/ip link set vti1 down
Mar 10 16:42:51 vyos-v2 charon: 06[IKE] establishing CHILD_SA peer-172.16.1.1-tunnel-vti{3} reqid 1
Mar 10 16:42:51 vyos-v2 charon: 16[IKE] inbound CHILD_SA peer-172.16.1.1-tunnel-vti{3} established with SPIs c316db57_i ce363725_o and TS 0.0.0.0/0 === 0.0.0.0/0
Mar 10 16:42:51 vyos-v2 charon: 16[IKE] outbound CHILD_SA peer-172.16.1.1-tunnel-vti{3} established with SPIs c316db57_i ce363725_o and TS 0.0.0.0/0 === 0.0.0.0/0`

On the vyos-v2 side, first IKE_SA and CHILD_SA (cd4e74a2_i ccdf97c0_o) are established and vti1 has up, and seconds (c07bc185_i c7ac315b_o) are established too. Then, it (cd4e74a2_i ccdf97c0_o) is deleted by uniqueness policy. If true, because the other CHILD_SA (c07bc185_i c7ac315b_o) is alive, you should not go down VTI, but vti1 goes down.

On the vyos-v1 side, the same problem occurs.

You can correct this problem by making the following changes.

https://github.com/m-asama/vyatta-cfg-vpn/commit/d95c88d5ac1d4a1d42a7b6481d7129a756f0111c

The vti-up-down script do:

  • when executed with up: When the VTI interface is down and ipsec status is confirmed that the corresponding setting child_sa is installed, up the VTI interface.
  • when executed with down: When the VTI interface is up and ipsec status is confirmed and it is confirmed that child_sa of the corresponding setting is not installed, down the VTI interface.

I will pull-request after this.

Details

Difficulty level
Unknown (require assessment)
Version
crux(ISO image maked own)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Related Objects

Event Timeline

m-asama created this task.Mar 11 2019, 2:37 AM
m-asama created this object in space S1 VyOS Public.
m-asama added a comment.Mar 11 2019, 3:10 AM

I did a pull-request.

https://github.com/vyos/vyatta-cfg-vpn/pull/20

ljester added a subscriber: ljester.Oct 28 2019, 9:33 AM
syncer changed the task status from Open to In progress.Oct 29 2019, 10:01 PM
syncer assigned this task to dmbaturin.
syncer triaged this task as Normal priority.
syncer added a project: VyOS 1.3 Equuleus.
zsdc changed the task status from In progress to Backport candidate.May 4 2020, 4:07 PM
pasik added a subscriber: pasik.May 4 2020, 6:51 PM
zsdc mentioned this in T1876: IPSec VTI tunnels are deleted after rekey and dangling around as A/D.May 4 2020, 8:21 PM
zsdc moved this task from Need Triage to Backport Candidates on the VyOS 1.3 Equuleus board.May 12 2020, 10:14 AM
zsdc added a project: Ready for Crux (1.2.x).
c-po added a subscriber: c-po.EditedMay 12 2020, 7:26 PM

I have tested the fix in https://github.com/vyos/vyatta-cfg-vpn/pull/31 successfully on VyOS 1.2.5 with the hotfix mentiones. Happy to see this in 1.2.6

c-po closed this task as Resolved.May 28 2020, 9:30 PM
c-po edited projects, added VyOS 1.2 Crux (VyOS 1.2.6); removed Ready for Crux (1.2.x).
c-po set Is it a breaking change? to Unspecified (possibly destroys the router).
c-po moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.6) board.May 29 2020, 6:13 PM
c-po moved this task from Backport Candidates to Finished on the VyOS 1.3 Equuleus board.Jun 2 2020, 7:36 PM
olofl mentioned this in T2824: VPN tunnel is marked as up, even though vti0 is down..Aug 26 2020, 1:55 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Aug 30 2022, 2:01 PM
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.