Page MenuHomeVyOS Platform

"show vpn ike sa" command always show child-sas as down
Closed, ResolvedPublicBUG

Description

When between two hosts exists two or more tunnels, which share the same IKE SA, all child-sas shows as down by the "show vpn ike sa" command, no matter of real state:

vyos@vyos02:~$ show vpn ipsec sa 
Connection                  State    Up          Bytes In/Out    Remote address    Remote ID    Proposal
--------------------------  -------  ----------  --------------  ----------------  -----------  ---------------------------------------------------------
peer-192.168.30.1-tunnel-1  up       20 seconds  0B/0B           192.168.30.1      N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
peer-192.168.30.1-tunnel-2  up       20 seconds  0B/0B           192.168.30.1      N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
peer-192.168.30.1-tunnel-3  up       20 seconds  0B/0B           192.168.30.1      N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
peer-192.168.30.1-tunnel-5  up       20 seconds  0B/0B           192.168.30.1      N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
vyos@vyos02:~$ show vpn ike sa 
Peer ID / IP                            Local ID / IP               
------------                            -------------
n/a                                     192.168.30.2                           

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    

 
Peer ID / IP                            Local ID / IP               
------------                            -------------
192.168.30.1                            192.168.30.2                           

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv1   aes256   sha256_128 15(MODP_3072)  no     3600    28800

Most likely, this is a parsing problem of sudo ipsec statusall output.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.4
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

syncer changed the task status from Open to Confirmed.Jan 30 2020, 12:00 PM
syncer triaged this task as Normal priority.
syncer lowered the priority of this task from Normal to Low.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
c-po reassigned this task from c-po to Unknown Object (User).Jun 21 2020, 12:10 PM
c-po added a subscriber: c-po.

I feel @Dmitry has more experience here from past topics. I hope you do not mind the reassignment.

Viacheslav changed the task status from Confirmed to In progress.May 14 2021, 3:28 PM
Viacheslav claimed this task.
Viacheslav added a subscriber: Unknown Object (User).

PR https://github.com/vyos/vyatta-op-vpn/pull/27

Show ipsec sa

vyos@r6-roll:~$ show vpn ipsec sa
Connection                State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
peer-100.64.0.2-tunnel-1  up       32m27s    0B/0B           0/0               100.64.0.2        N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-100.64.0.2-tunnel-2  up       32m27s    0B/0B           0/0               100.64.0.2        N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-100.64.0.2-tunnel-3  up       32m27s    0B/0B           0/0               100.64.0.2        N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-100.64.0.2-tunnel-4  up       32m27s    0B/0B           0/0               100.64.0.2        N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-100.64.0.2-tunnel-5  up       32m27s    0B/0B           0/0               100.64.0.2        N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-100.64.0.2-tunnel-6  up       32m27s    0B/0B           0/0               100.64.0.2        N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-100.64.0.2-tunnel-7  up       32m27s    0B/0B           0/0               100.64.0.2        N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-100.64.0.5-tunnel-0  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-100.64.0.7-tunnel-0  down     N/A       N/A             N/A               N/A               N/A          N/A

Output without IKE fix:

vyos@r6-roll:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
n/a                                     100.64.0.1                             

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    

 
Peer ID / IP                            Local ID / IP               
------------                            -------------
100.64.0.2                              100.64.0.1                             

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv1   aes256   sha1_96 2(MODP_1024)   no     1080    3600   

 
Peer ID / IP                            Local ID / IP               
------------                            -------------
100.64.0.5                              100.64.0.1                             

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   IKEv1   n/a      n/a     n/a(n/a)       no     0       n/a    

 
Peer ID / IP                            Local ID / IP               
------------                            -------------
100.64.0.7                              100.64.0.1                             

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   IKEv2   n/a      n/a     n/a(n/a)       no     0       n/a

Fixed Show IKE sa

vyos@r6-roll:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
100.64.0.2                              100.64.0.1                             

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv1   aes256   sha1_96 2(MODP_1024)   no     2700    3600   

 
Peer ID / IP                            Local ID / IP               
------------                            -------------
100.64.0.5                              100.64.0.1                             

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   IKEv1   n/a      n/a     n/a(n/a)       no     0       n/a    

 
Peer ID / IP                            Local ID / IP               
------------                            -------------
100.64.0.7                              100.64.0.1                             

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   IKEv2   n/a      n/a     n/a(n/a)       no     0       n/a
erkin set Issue type to Bug (incorrect behavior).Aug 31 2021, 5:49 PM
erkin changed Issue type from Bug (incorrect behavior) to Unspecified (please specify).