Page MenuHomeVyOS Platform

Issue in "show vpn ipsec/ike sa" output with ipsec encryption algorithm aes128gcm128/aes256gcm128/chacha etc
Closed, ResolvedPublicBUG



When aes128gcm128/aes256gcm128/chacha etc AEAD encryption algorithms are used in ike-group / esp-group it shows wrong output though "sudo ipsec statusall" shows ike and ipsec sas are up.

This is happening because these encryption algorithms internally take care of integrity check also so don't expect extra hash algorithms along with them and so they are not seen in "sudo ipsec statusall" command output.
Ref link:
look at the note given in section AEAD

But the perl script "/opt/vyatta/share/perl5/Vyatta/VPN/" is always expecting hash algorithm to be present with encryption algorithm which is causing wrong output for "show vpn ipsec sa" and "show vpn ike sa"

vyos@vpn:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.95-amd64-vyos, x86_64):
  uptime: 82 seconds, since Oct 15 14:39:06 2019
  malloc: sbrk 1486848, mmap 0, used 364624, free 1122224
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown counters
Listening IP addresses:
peer-  IKEv2, dpddelay=30s
peer-   local:  [] uses pre-shared key authentication
peer-   remote: [] uses pre-shared key authentication
peer-   child: === TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
peer-[3]: ESTABLISHED 45 seconds ago,[]...[]
peer-[3]: IKEv2 SPIs: 9a435320b39fb609_i 0063ab69a76ea212_r*, rekeying in 23 hours
peer-[3]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024
peer-{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cc5e989a_i c302213a_o
peer-{2}:  AES_GCM_16_128, 0 bytes_i, 0 bytes_o, rekeying in 11 hours
peer-{2}: ===
vyos@vpn:~$ sh vpn ipsec sa
Peer ID / IP                            Local ID / IP               
------------                            -------------                                           

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    vti     down   n/a            n/a      n/a     no     0       43200   all
vyos@vpn:~$ sh vpn ike sa
Peer ID / IP                            Local ID / IP               
------------                            -------------                                           

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv2   n/a      n/a     n/a(n/a)       no     3600    86400

Correct parsing logic needs to be added for following lines

For IKE SA this is how the proposal line is:
peer-[3]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA1/MODP_1024

For IPSec SA this is how the proposal line is:
peer-{2}: AES_GCM_16_128, 0 bytes_i, 0 bytes_o, rekeying in 11 hours


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)