
strongSwan does not install routes to table 220 in certain cases
Backport candidate, High, Public, BUG

Description

When the system has no IP address from the network configured as a local prefix in an IPsec tunnel, strongSwan does not install a route into table 220.
An example:

set interfaces ethernet eth0 address '192.168.50.1/24'
set vpn ipsec esp-group ESP1 pfs 'dh-group14'
set vpn ipsec esp-group ESP1 proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP1 proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE1 key-exchange 'ikev2'
set vpn ipsec ike-group IKE1 proposal 10 dh-group '2'
set vpn ipsec ike-group IKE1 proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE1 proposal 10 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 192.168.50.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.50.2 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.168.50.2 default-esp-group 'ESP1'
set vpn ipsec site-to-site peer 192.168.50.2 ike-group 'IKE1'
set vpn ipsec site-to-site peer 192.168.50.2 local-address '192.168.50.1'
set vpn ipsec site-to-site peer 192.168.50.2 tunnel 1 local prefix '192.168.34.0/24'
set vpn ipsec site-to-site peer 192.168.50.2 tunnel 1 remote prefix '192.168.35.0/24'

vyos@vyos01:~$ show ip route table 220
vyos@vyos01:~$

Now add an IP address from 192.168.34.0/24 to any interface and reboot:

set interfaces dummy dum1 address 192.168.34.1/24

vyos@vyos01:~$ show ip route table 220
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued route, r - rejected route

VRF default table 220:
K>* 192.168.35.0/24 [0/0] via 192.168.50.2, eth0, src 192.168.34.1, 00:00:07

This can lead to uncontrolled encrypted data path flows.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.4
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

zsdc created this task. Jan 30 2020, 2:50 PM
pasik added a subscriber: pasik. Feb 1 2020, 2:04 PM
syncer changed the task status from Open to Confirmed. Mar 28 2020, 11:57 AM
syncer assigned this task to Dmitry.
syncer triaged this task as High priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
syncer added a subscriber: syncer.
data

Without a source IP address from the local prefix, strongSwan can't create a route in table 220. I'm not sure that we need to check and decline a commit, but we can show a warning message.
Interfaces on boot have higher priority, and that guarantees that if an IP address from the local prefix exists on the router, strongSwan will create the route.
When an interface is configured after IPsec, restart vpn needs to be run to add the routes.
I propose to add the following code to https://github.com/vyos/vyatta-cfg-vpn/blob/current/scripts/vpn-config.pl#L670

# Look up the local prefix in the main routing table (254): a connected route
# exists there only when some interface carries an address inside that prefix.
my $check_local_route = qx(ip route show table 254 $localsubnet_object);
if (!$check_local_route) {
    # No matching route, so strongSwan will have no source address for table 220.
    print "Warning: local prefix $localsubnet_object specified for peer \"$peer\"\n";
    print "is not configured on any interfaces\n";
}
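The same check as a stand-alone script, added here as an example and not code from VyOS or vyatta-cfg-vpn: instead of querying table 254 on a live router it reads the CLI "set" lines from the description above and reports every tunnel local prefix that no interface address covers, which is exactly the condition under which strongSwan skips the table 220 route. It is written in Python rather than the Perl of vpn-config.pl; the config text, the function names and the "tunnel N" addition to the warning are this example's own.

```python
"""Commit-time check for IPsec local prefixes that no interface address covers.

Added example: mirrors the proposed warning by parsing VyOS 'set' lines
(constructed sample below) instead of running 'ip route show table 254'.
"""
import ipaddress
import re

# Constructed sample: the bug report's config without the dum1 interface,
# so the local prefix 192.168.34.0/24 has no interface address inside it.
SAMPLE_CONFIG = """\
set interfaces ethernet eth0 address '192.168.50.1/24'
set vpn ipsec site-to-site peer 192.168.50.2 local-address '192.168.50.1'
set vpn ipsec site-to-site peer 192.168.50.2 tunnel 1 local prefix '192.168.34.0/24'
set vpn ipsec site-to-site peer 192.168.50.2 tunnel 1 remote prefix '192.168.35.0/24'
"""

# 'set interfaces <type> <name> [vif <id>] address <cidr>' (quotes optional)
ADDR_RE = re.compile(
    r"^set interfaces \S+ (\S+(?: vif \d+)?) address '?([^'\s]+)'?$")
# 'set vpn ipsec site-to-site peer <peer> tunnel <n> local prefix <cidr>'
PREFIX_RE = re.compile(
    r"^set vpn ipsec site-to-site peer (\S+) tunnel (\d+) local prefix '?([^'\s]+)'?$")


def parse_config(text):
    """Return ([(interface, ip_interface)], {(peer, tunnel): ip_network})."""
    addrs = []
    prefixes = {}
    for line in text.splitlines():
        line = line.strip()
        m = ADDR_RE.match(line)
        if m:
            iface, cidr = m.groups()
            if cidr in ("dhcp", "dhcpv6"):  # dynamic address: unknown at commit time
                continue
            addrs.append((iface, ipaddress.ip_interface(cidr)))
            continue
        m = PREFIX_RE.match(line)
        if m:
            peer, tunnel, prefix = m.groups()
            prefixes[(peer, int(tunnel))] = ipaddress.ip_network(prefix, strict=False)
    return addrs, prefixes


def source_address_for(prefix, addrs):
    """First (interface, address) whose address lies inside prefix, else None.

    This is the address strongSwan would use as 'src' for the table 220 route.
    """
    for iface, addr in addrs:
        if addr.version == prefix.version and addr.ip in prefix:
            return iface, addr.ip
    return None


def check_local_prefixes(text):
    """One warning string per tunnel local prefix that no interface covers."""
    addrs, prefixes = parse_config(text)
    warnings = []
    for (peer, tunnel), prefix in sorted(prefixes.items()):
        if source_address_for(prefix, addrs) is None:
            warnings.append(
                f'Warning: local prefix {prefix} specified for peer "{peer}" '
                f"tunnel {tunnel} is not configured on any interfaces")
    return warnings


if __name__ == "__main__":
    for w in check_local_prefixes(SAMPLE_CONFIG):
        print(w)
    # Adding the dummy interface from the report clears the warning.
    fixed = SAMPLE_CONFIG + "set interfaces dummy dum1 address 192.168.34.1/24\n"
    print("after adding dum1:", check_local_prefixes(fixed) or "no warnings")
```

Running it on the sample prints the warning for 192.168.34.0/24; appending the dum1 line from the report makes the check pass, which is the same state in which the "show ip route table 220" output above gains its K>* entry with src 192.168.34.1. Addresses obtained via dhcp are skipped because they cannot be known at commit time, which is one reason the comment above prefers a warning over rejecting the commit.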
zakwan added a subscriber: zakwan. Apr 22 2020, 4:22 AM
This comment was removed by zakwan.

PR added https://github.com/vyos/vyatta-cfg-vpn/pull/33.

vyos@vyos# commit
[ vpn ]
Warning: local prefix 192.168.34.0/24 specified for peer "192.168.50.2"
is not configured on any interfaces

[edit]
vyos@vyos#
Dmitry changed the task status from Confirmed to In progress. May 28 2020, 11:57 AM
Dmitry changed the task status from In progress to Needs testing. May 29 2020, 6:21 PM
Dmitry changed the task status from Needs testing to Backport candidate. Fri, Jun 12, 9:50 AM
Dmitry added a project: Ready for Crux (1.2.x).

Successfully tested on rolling 1.3-rolling-202006120643