
"show vpn ike sa" command always show child-sas as down
Confirmed, Low, Public, BUG

Description

When two or more tunnels between two hosts share the same IKE SA, the "show vpn ike sa" command shows all child-sas as down, regardless of their real state:

vyos@vyos02:~$ show vpn ipsec sa 
Connection                  State    Up          Bytes In/Out    Remote address    Remote ID    Proposal
--------------------------  -------  ----------  --------------  ----------------  -----------  ---------------------------------------------------------
peer-192.168.30.1-tunnel-1  up       20 seconds  0B/0B           192.168.30.1      N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
peer-192.168.30.1-tunnel-2  up       20 seconds  0B/0B           192.168.30.1      N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
peer-192.168.30.1-tunnel-3  up       20 seconds  0B/0B           192.168.30.1      N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
peer-192.168.30.1-tunnel-5  up       20 seconds  0B/0B           192.168.30.1      N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
vyos@vyos02:~$ show vpn ike sa 
Peer ID / IP                            Local ID / IP               
------------                            -------------
n/a                                     192.168.30.2                           

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    

 
Peer ID / IP                            Local ID / IP               
------------                            -------------
192.168.30.1                            192.168.30.2                           

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv1   aes256   sha256_128 15(MODP_3072)  no     3600    28800

Most likely, this is a problem with parsing the output of sudo ipsec statusall.
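As an added illustration (this is not VyOS's own parser, and the strongSwan output below is a constructed sample whose line format is assumed from strongSwan conventions): a parser that keys IKE state by connection name reproduces exactly the symptom above, while one that attaches each child SA to the IKE SA header it is listed under reports the shared IKE SA as up for every tunnel.

```python
import re

# Constructed sample in the style of strongSwan "ipsec statusall" output; the
# line format is assumed from strongSwan conventions, not taken from the page.
# Four connections share one IKE SA: strongSwan names the IKE SA after
# tunnel-1 ("[1]") and lists tunnel-2/3/5 only as child SAs ("{n}") under it.
SAMPLE = """\
Security Associations (1 up, 0 connecting):
peer-192.168.30.1-tunnel-1[1]: ESTABLISHED 20 seconds ago, 192.168.30.2[192.168.30.2]...192.168.30.1[192.168.30.1]
peer-192.168.30.1-tunnel-1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
peer-192.168.30.1-tunnel-1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
peer-192.168.30.1-tunnel-2{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0000003_i c0000004_o
peer-192.168.30.1-tunnel-3{3}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c0000005_i c0000006_o
peer-192.168.30.1-tunnel-5{4}:  INSTALLED, TUNNEL, reqid 4, ESP SPIs: c0000007_i c0000008_o
"""

IKE_RE = re.compile(r"^(?P<conn>\S+)\[(?P<id>\d+)\]: (?P<state>ESTABLISHED|CONNECTING)\b")
CHILD_RE = re.compile(r"^(?P<conn>\S+)\{(?P<id>\d+)\}:\s+(?P<state>INSTALLED|INSTALLING|REKEYED)\b")

CONNS = ["peer-192.168.30.1-tunnel-1", "peer-192.168.30.1-tunnel-2",
         "peer-192.168.30.1-tunnel-3", "peer-192.168.30.1-tunnel-5"]


def by_name(text, conns=CONNS):
    """Name-keyed lookup: a connection's IKE SA counts as up only if a line
    '<conn>[n]: ESTABLISHED' exists. With a shared IKE SA every connection
    except the one the SA is named after looks down (the reported symptom)."""
    established = {m["conn"] for m in map(IKE_RE.match, text.splitlines()) if m}
    return {c: ("up" if c in established else "down") for c in conns}


def by_ike_sa(text, conns=CONNS):
    """Context-aware lookup: a child SA ({n}) line belongs to the most recent
    IKE SA ([n]) header above it, whatever connection name it carries, so
    each connection inherits the state of the IKE SA that carries it."""
    state, current = {}, None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            current = m["state"] == "ESTABLISHED"
            state[m["conn"]] = current
            continue
        m = CHILD_RE.match(line)
        if m and current is not None:
            state.setdefault(m["conn"], current)
    return {c: ("up" if state.get(c) else "down") for c in conns}
```

Compare by_name(SAMPLE) with by_ike_sa(SAMPLE): the first marks tunnel-2, -3 and -5 down, the second marks all four up.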

Details

Difficulty level
Unknown (require assessment)
Version
1.2.4
Why did the issue appear?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

zsdc created this task. Jan 29 2020, 5:49 PM
pasik added a subscriber: pasik. Jan 29 2020, 10:10 PM
syncer changed the task status from Open to Confirmed. Jan 30 2020, 12:00 PM
syncer triaged this task as Normal priority.
syncer assigned this task to c-po. Mar 28 2020, 11:58 AM
syncer lowered the priority of this task from Normal to Low.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
zakwan added a subscriber: zakwan. Apr 16 2020, 7:08 AM
c-po reassigned this task from c-po to Dmitry. Sun, Jun 21, 12:10 PM
c-po added a subscriber: c-po.

I feel @Dmitry has more experience here from past topics. I hope you do not mind the reassignment.