
IPSec (IKEv2) connections to AZURE are dying
Closed, Invalid · Public · BUG

Description

I'm using two VyOS instances, both with an Active-Active configuration to Azure.

I run 4 Azure Active-Active VPN gateways, and 3 out of 4 perform as expected.
Once a day one of the connections hangs, and the BGP session running over that VTI is dead afterwards.

After running `reset vpn ipsec-peer x.x.x.x` on BOTH active-active peers, the link comes back. It does not come back if the command is issued on only one peer.

Both VyOS machines run the configuration below. It was initially retrieved from the Azure "Config Generator" for an EdgeOS device and adapted to VyOS. Oddly, the generated EdgeOS config differs conceptually from the generated Cisco IOS config: the IOS config has two IPsec peers, as required for active-active, whereas the EdgeOS config listed only one.

set interfaces vti vti21 description 'Azure - Active-Active'
set interfaces vti vti22 description 'Azure - Active-Active'
set interfaces vti vti31 description 'Azure - Active-Active'
set interfaces vti vti32 description 'Azure - Active-Active'
set interfaces vti vti41 description 'Azure - Active-Active'
set interfaces vti vti42 description 'Azure - Active-Active'
set interfaces vti vti51 description 'Azure - Active-Active'
set interfaces vti vti52 description 'Azure - Active-Active'

set vpn ipsec esp-group ESP-AZURE compression 'disable'
set vpn ipsec esp-group ESP-AZURE lifetime '27000'
set vpn ipsec esp-group ESP-AZURE mode 'tunnel'
set vpn ipsec esp-group ESP-AZURE pfs 'disable'
set vpn ipsec esp-group ESP-AZURE proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-AZURE proposal 1 hash 'sha1'

set vpn ipsec ike-group IKE-AZURE dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-AZURE dead-peer-detection interval '10'
set vpn ipsec ike-group IKE-AZURE dead-peer-detection timeout '2'
set vpn ipsec ike-group IKE-AZURE ikev2-reauth 'no'
set vpn ipsec ike-group IKE-AZURE key-exchange 'ikev2'
set vpn ipsec ike-group IKE-AZURE lifetime '27000'
set vpn ipsec ike-group IKE-AZURE proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-AZURE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-AZURE proposal 1 hash 'sha1'

set vpn ipsec ipsec-interfaces interface 'eth0'

set vpn ipsec site-to-site peer 192.0.2.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer 192.0.2.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.2.1 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer 192.0.2.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.2.1 local-address 'xxx.xxx.32.189'
set vpn ipsec site-to-site peer 192.0.2.1 vti bind 'vti51'
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group 'ESP-AZURE'

set vpn ipsec site-to-site peer 192.0.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.2 authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer 192.0.2.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.2.2 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer 192.0.2.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.2.2 local-address 'xxx.xxx.32.189'
set vpn ipsec site-to-site peer 192.0.2.2 vti bind 'vti52'
set vpn ipsec site-to-site peer 192.0.2.2 vti esp-group 'ESP-AZURE'

set vpn ipsec site-to-site peer 192.0.3.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.3.1 authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer 192.0.3.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.3.1 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer 192.0.3.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.3.1 local-address 'xxx.xxx.32.189'
set vpn ipsec site-to-site peer 192.0.3.1 vti bind 'vti32'
set vpn ipsec site-to-site peer 192.0.3.1 vti esp-group 'ESP-AZURE'

set vpn ipsec site-to-site peer 192.0.3.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.3.2 authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer 192.0.3.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.3.2 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer 192.0.3.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.3.2 local-address 'xxx.xxx.32.189'
set vpn ipsec site-to-site peer 192.0.3.2 vti bind 'vti31'
set vpn ipsec site-to-site peer 192.0.3.2 vti esp-group 'ESP-AZURE'

set vpn ipsec site-to-site peer 192.0.4.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.4.1 authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer 192.0.4.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.4.1 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer 192.0.4.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.4.1 local-address 'xxx.xxx.32.189'
set vpn ipsec site-to-site peer 192.0.4.1 vti bind 'vti42'
set vpn ipsec site-to-site peer 192.0.4.1 vti esp-group 'ESP-AZURE'

set vpn ipsec site-to-site peer 192.0.4.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.4.2 authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer 192.0.4.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.4.2 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer 192.0.4.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.4.2 local-address 'xxx.xxx.32.189'
set vpn ipsec site-to-site peer 192.0.4.2 vti bind 'vti41'
set vpn ipsec site-to-site peer 192.0.4.2 vti esp-group 'ESP-AZURE'

set vpn ipsec site-to-site peer 192.0.5.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.5.1 authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer 192.0.5.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.5.1 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer 192.0.5.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.5.1 local-address 'xxx.xxx.32.189'
set vpn ipsec site-to-site peer 192.0.5.1 vti bind 'vti22'
set vpn ipsec site-to-site peer 192.0.5.1 vti esp-group 'ESP-AZURE'

set vpn ipsec site-to-site peer 192.0.5.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.5.2 authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer 192.0.5.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.5.2 ike-group 'IKE-AZURE'
set vpn ipsec site-to-site peer 192.0.5.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.5.2 local-address 'xxx.xxx.32.189'
set vpn ipsec site-to-site peer 192.0.5.2 vti bind 'vti21'
set vpn ipsec site-to-site peer 192.0.5.2 vti esp-group 'ESP-AZURE'

Details

Difficulty level
Unknown (require assessment)
Version
1.2.3
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

c-po updated the task description. (Show Details)

The problem was a wrong IKEv2 setting: `set vpn ipsec ike-group IKE-AZURE ikev2-reauth` must be `yes`.

c-po claimed this task.