
DMVPN is always listed as down in "show vpn ipsec sa"
Open, Requires assessment | Public | BUG

Description

When operating VyOS as a DMVPN hub, the DMVPN tunnel is always down when issuing the show vpn ipsec sa command. The DMVPN configuration is from https://docs.vyos.io/en/latest/vpn/dmvpn.html

vyos@vyos:~$ show vpn ipsec sa
Connection                     State    Up          Bytes In/Out    Remote address    Remote ID    Proposal
-----------------------------  -------  ----------  --------------  ----------------  -----------  ------------------------------------------------
peer-172.18.203.10-tunnel-vti  up       52 seconds  252B/252B       172.18.203.10     N/A          AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
dmvpn-NHRPVPN-tun100           down     N/A         N/A             N/A               N/A          N/A

vyos@vyos:~$ show interfaces tunnel tun100
tun100@NONE: <MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1360 qdisc noqueue state UNKNOWN group default qlen 1000
    link/gre 172.18.201.10 brd 0.0.0.0
    inet 172.18.100.6/29 brd 172.18.100.7 scope global tun100
       valid_lft forever preferred_lft forever
    inet6 fe80::5efe:ac12:c90a/64 scope link
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
         99016        990          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
         95056        950          0          0          0          0

I do not know if this is intended or not...

Details

Difficulty level: Unknown (require assessment)
Version: 1.2.2
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

c-po updated the task description.

Tested on VyOS 1.3.0-rc5

After reboot, it shows the tunnels in the up state.
192.0.2.1 - hub
100.64.2.11 - spoke2

vyos@spoke1:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
dmvpn         up       3m45s     1K/1K           17/17             100.64.2.11       N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
dmvpn         up       8m54s     1K/1K           15/13             192.0.2.1         N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024

After some time, with the next ping of the spoke:

vyos@spoke1:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
dmvpn         up       21s       276B/0B         3/0               100.64.2.11       N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
dmvpn         up       21s       0B/0B           0/0               100.64.2.11       N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
dmvpn         up       10m58s    2K/2K           21/20             192.0.2.1         N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
vyos@spoke1:~$ 
vyos@spoke1:~$ 
vyos@spoke1:~$ 
vyos@spoke1:~$ sudo swanctl -l
dmvpn-NHRPVPN-tun100: #5, ESTABLISHED, IKEv1, 9711fa440410c7c9_i d133d28a6072a20a_r*
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '100.64.2.11' @ 100.64.2.11[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 45s ago, rekeying in 3248s
  dmvpn: #6, reqid 4, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 45s ago, rekeying in 1233s, expires in 1935s
    in  cf2d256a,    276 bytes,     3 packets,    36s ago
    out c06467d9,      0 bytes,     0 packets
    local  100.64.1.11/32[gre]
    remote 100.64.2.11/32[gre]
  dmvpn: #7, reqid 4, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 45s ago, rekeying in 1214s, expires in 1935s
    in  c4b3390b,      0 bytes,     0 packets
    out c0930e62,      0 bytes,     0 packets
    local  100.64.1.11/32[gre]
    remote 100.64.2.11/32[gre]
dmvpn-NHRPVPN-tun100: #1, ESTABLISHED, IKEv1, 2bc867b1ca327379_i* c85b15462b657b03_r
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '192.0.2.1' @ 192.0.2.1[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 682s ago, rekeying in 2719s
  dmvpn: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 682s ago, rekeying in 824s, expires in 1298s
    in  cb2b55ee,   2642 bytes,    21 packets,    37s ago
    out cb3647d6,   2132 bytes,    20 packets,    36s ago
    local  100.64.1.11/32[gre]
    remote 192.0.2.1/32[gre]
vyos@spoke1:~$

Not sure that this is correct behavior, as I see 2 child SAs (for 100.64.2.11); expected 1.

SA only with the hub, output is correct:

vyos@spoke1:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
dmvpn         up       16m24s    2K/2K           24/23             192.0.2.1         N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
vyos@spoke1:~$ 
vyos@spoke1:~$ 
vyos@spoke1:~$ sudo swanctl -l
dmvpn-NHRPVPN-tun100: #1, ESTABLISHED, IKEv1, 2bc867b1ca327379_i* c85b15462b657b03_r
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '192.0.2.1' @ 192.0.2.1[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 1001s ago, rekeying in 2400s
  dmvpn: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 1001s ago, rekeying in 505s, expires in 979s
    in  cb2b55ee,   3044 bytes,    24 packets,    91s ago
    out cb3647d6,   2474 bytes,    23 packets,    91s ago
    local  100.64.1.11/32[gre]
    remote 192.0.2.1/32[gre]
vyos@spoke1:~$

Ping spoke2 to establish an SA:

vyos@spoke1:~$ ping 172.16.253.132
PING 172.16.253.132 (172.16.253.132) 56(84) bytes of data.
64 bytes from 172.16.253.132: icmp_seq=1 ttl=63 time=11.3 ms
64 bytes from 172.16.253.132: icmp_seq=2 ttl=64 time=3.36 ms

After the ping, we see 2 parent SAs (with remote 100.64.2.11), one of them with 2 child SAs:

vyos@spoke1:~$ show vpn ipsec sa
Connection            State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
dmvpn                 up       4s        92B/0B          1/0               100.64.2.11       N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
dmvpn                 up       4s        0B/0B           0/0               100.64.2.11       N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
dmvpn                 up       17m35s    3K/2K           29/28             192.0.2.1         N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
dmvpn-NHRPVPN-tun100  down     N/A       N/A             N/A               N/A               N/A          N/A
vyos@spoke1:~$ 
vyos@spoke1:~$ sudo swanctl -l
dmvpn-NHRPVPN-tun100: #7, ESTABLISHED, IKEv1, 5721c95fa48413c4_i eb1ff264b01a4cbd_r*
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '100.64.2.11' @ 100.64.2.11[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 9s ago, rekeying in 3281s
  dmvpn: #9, reqid 5, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 9s ago, rekeying in 1585s, expires in 1971s
    in  c2b077b9,     92 bytes,     1 packets,     8s ago
    out ca17555e,      0 bytes,     0 packets
    local  100.64.1.11/32[gre]
    remote 100.64.2.11/32[gre]
  dmvpn: #10, reqid 5, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 9s ago, rekeying in 1554s, expires in 1971s
    in  cb0e55f7,      0 bytes,     0 packets
    out c66cac10,      0 bytes,     0 packets
    local  100.64.1.11/32[gre]
    remote 100.64.2.11/32[gre]
dmvpn-NHRPVPN-tun100: #6, ESTABLISHED, IKEv1, 209e50e93ab75799_i* 0c98a1483e954736_r
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '100.64.2.11' @ 100.64.2.11[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 9s ago, rekeying in 3253s
dmvpn-NHRPVPN-tun100: #1, ESTABLISHED, IKEv1, 2bc867b1ca327379_i* c85b15462b657b03_r
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '192.0.2.1' @ 192.0.2.1[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 1060s ago, rekeying in 2341s
  dmvpn: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 1060s ago, rekeying in 446s, expires in 920s
    in  cb2b55ee,   3684 bytes,    29 packets,     9s ago
    out cb3647d6,   3008 bytes,    28 packets,     8s ago
    local  100.64.1.11/32[gre]
    remote 192.0.2.1/32[gre]
vyos@spoke1:~$

After some time, we see 2 parent SAs to spoke2 (expected 1), each with its own child SA.
Both child SAs are INSTALLED, but only one is active.

vyos@spoke1:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
dmvpn         up       8m26s     1M/1M           15K/15K           100.64.2.11       N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
dmvpn         up       8m26s     0B/0B           0/0               100.64.2.11       N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
dmvpn         up       42m42s    2K/1K           17/16             192.0.2.1         N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
vyos@spoke1:~$ 
vyos@spoke1:~$ 
vyos@spoke1:~$ sudo swanctl -l
dmvpn-NHRPVPN-tun100: #9, ESTABLISHED, IKEv1, a66064db86399b11_i 1f22ff1aea548ee9_r*
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '100.64.2.11' @ 100.64.2.11[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 509s ago, rekeying in 2847s
  dmvpn: #13, reqid 6, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 509s ago, rekeying in 906s, expires in 1471s
    in  cbf92021, 1411740 bytes, 15345 packets,    74s ago
    out c41ce29d, 1411740 bytes, 15345 packets,    74s ago
    local  100.64.1.11/32[gre]
    remote 100.64.2.11/32[gre]
dmvpn-NHRPVPN-tun100: #8, ESTABLISHED, IKEv1, 55e84f0f1530ea25_i* cda4df2e3308632e_r
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '100.64.2.11' @ 100.64.2.11[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 509s ago, rekeying in 2816s
  dmvpn: #12, reqid 6, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 509s ago, rekeying in 1073s, expires in 1471s
    in  c16a349e,      0 bytes,     0 packets
    out cd9f584c,      0 bytes,     0 packets
    local  100.64.1.11/32[gre]
    remote 100.64.2.11/32[gre]
dmvpn-NHRPVPN-tun100: #1, ESTABLISHED, IKEv1, 2bc867b1ca327379_i* c85b15462b657b03_r
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '192.0.2.1' @ 192.0.2.1[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 2565s ago, rekeying in 836s
  dmvpn: #11, reqid 1, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 1106s ago, rekeying in 449s, expires in 874s
    in  c8f6fa85,   2256 bytes,    17 packets,    39s ago
    out ce135cb2,   1818 bytes,    16 packets,    39s ago
    local  100.64.1.11/32[gre]
    remote 192.0.2.1/32[gre]
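The three conditions visible in the outputs above (an IKE SA under dmvpn-NHRPVPN-tun100 with no child SA while the status table shows that connection as down, two IKE SAs to the same spoke, and a second child SA that is INSTALLED but never carries traffic) can be checked mechanically from the swanctl -l text. The script below is an added example, not VyOS or strongSwan code: parse_swanctl() and audit() are hypothetical helper names, and the embedded SAMPLE is a constructed copy of the spoke1 output after the ping to spoke2, trimmed to the lines the parser reads plus a few it deliberately ignores.

```python
"""Audit `swanctl -l` output for SA states that a status table can misreport.
Added example, not VyOS or strongSwan code: parse_swanctl() and audit() are
hypothetical helpers that only understand the text layout shown in this report."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample, modelled on the spoke1 output after the ping to spoke2
# (two IKE SAs to 100.64.2.11, one of them without a child SA). Lines the
# parser does not read are mostly trimmed; "established" lines are kept to
# show that unrecognised lines are ignored.
SAMPLE = """\
dmvpn-NHRPVPN-tun100: #7, ESTABLISHED, IKEv1, 5721c95fa48413c4_i eb1ff264b01a4cbd_r*
  remote '100.64.2.11' @ 100.64.2.11[500]
  established 9s ago, rekeying in 3281s
  dmvpn: #9, reqid 5, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    in  c2b077b9,     92 bytes,     1 packets,     8s ago
    out ca17555e,      0 bytes,     0 packets
  dmvpn: #10, reqid 5, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    in  cb0e55f7,      0 bytes,     0 packets
    out c66cac10,      0 bytes,     0 packets
dmvpn-NHRPVPN-tun100: #6, ESTABLISHED, IKEv1, 209e50e93ab75799_i* 0c98a1483e954736_r
  remote '100.64.2.11' @ 100.64.2.11[500]
  established 9s ago, rekeying in 3253s
dmvpn-NHRPVPN-tun100: #1, ESTABLISHED, IKEv1, 2bc867b1ca327379_i* c85b15462b657b03_r
  remote '192.0.2.1' @ 192.0.2.1[500]
  established 1060s ago, rekeying in 2341s
  dmvpn: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    in  cb2b55ee,   3684 bytes,    29 packets,     9s ago
    out cb3647d6,   3008 bytes,    28 packets,     8s ago
"""

IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), IKEv[12], ")
CHILD_RE = re.compile(r"^  (\S+): #(\d+), reqid (\d+), (\w+), ")
REMOTE_RE = re.compile(r"^  remote '[^']*' @ (\S+)\[\d+\]")
TRAFFIC_RE = re.compile(r"^    (in|out)\s+[0-9a-f]+,\s+(\d+) bytes,\s+(\d+) packets")

@dataclass
class ChildSA:
    name: str
    uid: int
    reqid: int
    state: str
    bytes_in: int = 0
    bytes_out: int = 0

@dataclass
class IkeSA:
    conn: str
    uid: int
    state: str
    remote: str = ""
    children: List[ChildSA] = field(default_factory=list)

def parse_swanctl(text: str) -> List[IkeSA]:
    """Group lines by indentation: column 0 is an IKE SA header, two spaces an
    IKE attribute or child SA header, four spaces a child SA attribute."""
    sas: List[IkeSA] = []
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            sas.append(IkeSA(m.group(1), int(m.group(2)), m.group(3)))
        elif m := CHILD_RE.match(line):
            sas[-1].children.append(ChildSA(m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)))
        elif m := REMOTE_RE.match(line):
            sas[-1].remote = m.group(1)
        elif m := TRAFFIC_RE.match(line):
            child = sas[-1].children[-1]
            if m.group(1) == "in":
                child.bytes_in = int(m.group(2))
            else:
                child.bytes_out = int(m.group(2))
    return sas

def audit(sas: List[IkeSA]) -> List[Tuple[str, str, str]]:
    """Return (issue, connection, detail) triples worth a closer look."""
    findings = []
    peers: Dict[Tuple[str, str], List[IkeSA]] = {}
    for sa in sas:
        peers.setdefault((sa.conn, sa.remote), []).append(sa)
        # An ESTABLISHED IKE SA with no INSTALLED child moves no traffic; in the
        # report this is IKE SA #6, shown as "down" in the status table.
        if sa.state == "ESTABLISHED" and not any(c.state == "INSTALLED" for c in sa.children):
            findings.append(("no-child-sa", sa.conn, f"IKE SA #{sa.uid} to {sa.remote}"))
    for (conn, remote), group in peers.items():
        if len(group) > 1:  # two IKE SAs to one peer: the duplicate seen after the ping
            ids = ", ".join(f"#{sa.uid}" for sa in group)
            findings.append(("duplicate-ike-sa", conn, f"{len(group)} IKE SAs to {remote}: {ids}"))
        children = [c for sa in group for c in sa.children if c.state == "INSTALLED"]
        busy = any(c.bytes_in or c.bytes_out for c in children)
        for c in children:  # INSTALLED but idle while a sibling to the same peer carries traffic
            if busy and not (c.bytes_in or c.bytes_out):
                findings.append(("idle-child-sa", conn, f"child SA #{c.uid} (reqid {c.reqid}) to {remote}"))
    return findings

if __name__ == "__main__":
    for issue, conn, detail in audit(parse_swanctl(SAMPLE)):
        print(f"{issue:17} {conn}: {detail}")
```

Run against the embedded sample it reports IKE SA #6 as having no child SA, the pair #7/#6 as duplicate IKE SAs to 100.64.2.11, and child SA #10 as installed but idle; pointing it at live output (sudo swanctl -l | python3 script.py with a sys.stdin read in place of SAMPLE) shows whether a "down" row in show vpn ipsec sa corresponds to a real gap in the kernel SAs or only to a parent SA without a child.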
erkin set Issue type to Bug (incorrect behavior). Aug 31 2021, 5:58 PM