Hi,
When AEAD encryption algorithms (aes128gcm128, aes256gcm128, chacha20poly1305, etc.) are used in an ike-group or esp-group, the op-mode commands show wrong output even though "sudo ipsec statusall" shows that the IKE and IPsec SAs are up.
This happens because AEAD algorithms take care of the integrity check internally, so strongSwan does not negotiate a separate hash (integrity) algorithm alongside them, and no such algorithm appears in the "sudo ipsec statusall" output.
Ref link (see the note in the AEAD section):
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites#Encryption-Algorithms
But the Perl script "/opt/vyatta/share/perl5/Vyatta/VPN/OPMode.pm" always expects a hash algorithm to be present next to the encryption algorithm, which causes the wrong output for "show vpn ipsec sa" and "show vpn ike sa":
vyos@vpn:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.95-amd64-vyos, x86_64):
  uptime: 82 seconds, since Oct 15 14:39:06 2019
  malloc: sbrk 1486848, mmap 0, used 364624, free 1122224
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown counters
Listening IP addresses:
  192.168.6.181
  100.64.0.1
Connections:
peer-192.168.6.185-tunnel-vti:  192.168.6.181...192.168.6.185  IKEv2, dpddelay=30s
peer-192.168.6.185-tunnel-vti:   local:  [100.64.0.1] uses pre-shared key authentication
peer-192.168.6.185-tunnel-vti:   remote: [100.64.0.2] uses pre-shared key authentication
peer-192.168.6.185-tunnel-vti:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
peer-192.168.6.185-tunnel-vti[3]: ESTABLISHED 45 seconds ago, 192.168.6.181[100.64.0.1]...192.168.6.185[100.64.0.2]
peer-192.168.6.185-tunnel-vti[3]: IKEv2 SPIs: 9a435320b39fb609_i 0063ab69a76ea212_r*, rekeying in 23 hours
peer-192.168.6.185-tunnel-vti[3]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024
peer-192.168.6.185-tunnel-vti{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cc5e989a_i c302213a_o
peer-192.168.6.185-tunnel-vti{2}:  AES_GCM_16_128, 0 bytes_i, 0 bytes_o, rekeying in 11 hours
peer-192.168.6.185-tunnel-vti{2}:   0.0.0.0/0 === 0.0.0.0/0

vyos@vpn:~$ sh vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.168.6.185                           192.168.6.181

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    vti     down   n/a            n/a      n/a     no     0       43200   all

vyos@vpn:~$ sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.168.6.185                           192.168.6.181

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv2   n/a      n/a     n/a(n/a)       no     3600    86400
Correct parsing logic needs to be added for the following lines, in which the hash slot is absent for AEAD ciphers.
For the IKE SA, the proposal line looks like this:
peer-192.168.6.185-tunnel-vti[3]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024
For the IPsec (ESP) SA, the proposal line looks like this:
peer-192.168.6.185-tunnel-vti{2}: AES_GCM_16_128, 0 bytes_i, 0 bytes_o, rekeying in 11 hours
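The following is an added, stand-alone Python illustration of the parsing logic the two proposal lines above call for; it is not code from OPMode.pm or from the VyOS project. It takes the proposal fields by prefix rather than by position, so an AEAD cipher (AES_GCM_*, AES_CCM_*, CHACHA20_POLY1305) with no integrity token does not cause the PRF or DH group to be misread as the hash. The sample `STATUSALL_AEAD` text is the page's own output; `STATUSALL_CBC` is a constructed non-AEAD counterpart, and the `columns()` convention of printing "aead" in the Hash column is an assumption of this example, not VyOS's display format.

```python
import re

# strongSwan names its AEAD ciphers with these prefixes. An AEAD proposal has no
# separate integrity algorithm (the cipher authenticates the data itself), which is
# why "ipsec statusall" prints no HMAC_* token for such SAs.
AEAD_PREFIXES = ("AES_GCM_", "AES_CCM_", "CHACHA20_POLY1305")
INTEG_PREFIXES = ("HMAC_", "AES_XCBC", "AES_CMAC")
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")

IKE_LINE = re.compile(r"^(?P<conn>\S+)\[(?P<id>\d+)\]: IKE proposal: (?P<prop>\S+)$")
ESP_LINE = re.compile(
    r"^(?P<conn>\S+)\{(?P<id>\d+)\}:\s+(?P<prop>[^,\s]+), "
    r"(?P<bytes_in>\d+) bytes_i.*?(?P<bytes_out>\d+) bytes_o"
)

# The page's own statusall lines for an AES-GCM tunnel.
STATUSALL_AEAD = """\
peer-192.168.6.185-tunnel-vti[3]: ESTABLISHED 45 seconds ago, 192.168.6.181[100.64.0.1]...192.168.6.185[100.64.0.2]
peer-192.168.6.185-tunnel-vti[3]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024
peer-192.168.6.185-tunnel-vti{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cc5e989a_i c302213a_o
peer-192.168.6.185-tunnel-vti{2}:  AES_GCM_16_128, 0 bytes_i, 0 bytes_o, rekeying in 11 hours
peer-192.168.6.185-tunnel-vti{2}:   0.0.0.0/0 === 0.0.0.0/0
"""

# Constructed sample for a classic cipher + HMAC tunnel (not from the page).
STATUSALL_CBC = """\
peer-cbc-example[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
peer-cbc-example{1}:  AES_CBC_128/HMAC_SHA1_96, 1404 bytes_i (17 pkts, 2s ago), 1404 bytes_o (17 pkts, 2s ago), rekeying in 40 minutes
"""


def is_aead(alg):
    return alg.startswith(AEAD_PREFIXES)


def split_proposal(prop):
    """Split 'ENC/INTEG/PRF/DH' (IKE) or 'ENC/INTEG' (ESP) into named fields.

    Only a non-AEAD cipher is followed by an integrity token, so the hash field is
    taken from position 1 only when that token really is an integrity algorithm.
    PRF and DH group are matched by prefix, never by position.
    """
    parts = prop.split("/")
    enc, rest = parts[0], parts[1:]
    integ = None
    if rest and not is_aead(enc) and rest[0].startswith(INTEG_PREFIXES):
        integ = rest[0]
    prf = next((p for p in rest if p.startswith("PRF_")), None)
    dh = next((p for p in rest if p.startswith(DH_PREFIXES)), None)
    return {"encrypt": enc, "hash": integ, "prf": prf, "dh": dh, "aead": is_aead(enc)}


def parse_statusall(text):
    """Collect IKE and ESP proposal details per connection from statusall output."""
    sas = {}
    for line in text.splitlines():
        line = line.strip()
        m = IKE_LINE.match(line)
        if m:
            sas.setdefault(m["conn"], {})["ike"] = split_proposal(m["prop"])
            continue
        m = ESP_LINE.match(line)
        if m:
            esp = split_proposal(m["prop"])
            esp["bytes_in"] = int(m["bytes_in"])
            esp["bytes_out"] = int(m["bytes_out"])
            sas.setdefault(m["conn"], {})["esp"] = esp
    return sas


def columns(fields):
    """Encrypt/Hash column values for an op-mode style table.

    Assumed convention of this example: an AEAD cipher reports 'aead' in the Hash
    column, so integrated integrity is distinguishable from a parsing failure.
    """
    if fields is None:
        return ("n/a", "n/a")
    hash_col = "aead" if fields["aead"] else (fields["hash"] or "n/a")
    return (fields["encrypt"], hash_col)


if __name__ == "__main__":
    for name, text in (("AEAD", STATUSALL_AEAD), ("CBC", STATUSALL_CBC)):
        for conn, sa in parse_statusall(text).items():
            print(name, conn, "IKE", columns(sa.get("ike")), "ESP", columns(sa.get("esp")))
```

With the page's output, the IKE line yields encrypt AES_GCM_16_128, PRF_HMAC_SHA1 and MODP_1024 with no hash, and the ESP line yields AES_GCM_16_128 with 0 bytes in each direction, so the tables can show the cipher instead of "n/a" across the board; the constructed AES_CBC lines keep their HMAC_* tokens in the hash field.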