Page MenuHomePhabricator

Issue in "show vpn ipsec/ike sa" output with ipsec encryption algorithm aes128gcm128/aes256gcm128/chacha etc
Open, HighPublic

Description

Hi,

When aes128gcm128/aes256gcm128/chacha etc AEAD encryption algorithms are used in ike-group / esp-group it shows wrong output though "sudo ipsec statusall" shows ike and ipsec sas are up.

This is happening because these encryption algorithms internally take care of integrity check also so don't expect extra hash algorithms along with them and so they are not seen in "sudo ipsec statusall" command output.
Ref link:
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites#Encryption-Algorithms
look at the note given in section AEAD

But the perl script "/opt/vyatta/share/perl5/Vyatta/VPN/OPMode.pm" is always expecting hash algorithm to be present with encryption algorithm which is causing wrong output for "show vpn ipsec sa" and "show vpn ike sa"

vyos@vpn:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.95-amd64-vyos, x86_64):
  uptime: 82 seconds, since Oct 15 14:39:06 2019
  malloc: sbrk 1486848, mmap 0, used 364624, free 1122224
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown counters
Listening IP addresses:
  192.168.6.181
  100.64.0.1
Connections:
peer-192.168.6.185-tunnel-vti:  192.168.6.181...192.168.6.185  IKEv2, dpddelay=30s
peer-192.168.6.185-tunnel-vti:   local:  [100.64.0.1] uses pre-shared key authentication
peer-192.168.6.185-tunnel-vti:   remote: [100.64.0.2] uses pre-shared key authentication
peer-192.168.6.185-tunnel-vti:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
peer-192.168.6.185-tunnel-vti[3]: ESTABLISHED 45 seconds ago, 192.168.6.181[100.64.0.1]...192.168.6.185[100.64.0.2]
peer-192.168.6.185-tunnel-vti[3]: IKEv2 SPIs: 9a435320b39fb609_i 0063ab69a76ea212_r*, rekeying in 23 hours
peer-192.168.6.185-tunnel-vti[3]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024
peer-192.168.6.185-tunnel-vti{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cc5e989a_i c302213a_o
peer-192.168.6.185-tunnel-vti{2}:  AES_GCM_16_128, 0 bytes_i, 0 bytes_o, rekeying in 11 hours
peer-192.168.6.185-tunnel-vti{2}:   0.0.0.0/0 === 0.0.0.0/0
vyos@vpn:~$ sh vpn ipsec sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
192.168.6.185                           192.168.6.181                          

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    vti     down   n/a            n/a      n/a     no     0       43200   all
vyos@vpn:~$ sh vpn ike sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
192.168.6.185                           192.168.6.181                          

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv2   n/a      n/a     n/a(n/a)       no     3600    86400

Correct parsing logic needs to be added for following lines

For IKE SA this is how the proposal line is:
peer-192.168.6.185-tunnel-vti[3]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024

For IPSec SA this is how the proposal line is:
peer-192.168.6.185-tunnel-vti{2}: AES_GCM_16_128, 0 bytes_i, 0 bytes_o, rekeying in 11 hours

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible

Event Timeline

pritamkharat10221 created this object in space S1 VyOS Public.
pritamkharat10221 triaged this task as High priority.

I have generated a PR for this fix https://github.com/vyos/vyatta-op-vpn/pull/24.
Please take a look at it.

pasik added a subscriber: pasik.Oct 16 2019, 9:00 PM
syncer reassigned this task from UnicronNL to Dmitry.Oct 19 2019, 1:57 AM
syncer added a project: VyOS 1.3 Equuleus.
syncer added a subscriber: UnicronNL.