
VTI tunnel SA is incorrectly displayed as down when it's in fact up
Closed, ResolvedPublic

Description

I heard about the IPSec VTI problem at the VyOS meeting in Japan.

Mr. Asama said that this problem might be solved with this patch.
http://bugzilla.vyos.net/show_bug.cgi?id=183

But currently, this patch has been reverted.
http://bugzilla.vyos.net/show_bug.cgi?id=183#c3

It seems that this problem occurs when another vendor's IPSec client (i.e. Yamaha RTX series) connects to the VyOS IPSec server.

We'll post an update about the problem later.

Details

Difficulty level
Easy (less than an hour)
Version
1.1.7

Event Timeline

syncer triaged this task as Normal priority.Aug 1 2017, 4:24 AM
syncer changed the edit policy from "Task Author" to "Custom Policy".
syncer added a project: VyOS 1.2 Crux.

@hiroyuki-sato does this apply to the 1.2.x series?

@syncer Sorry for the late reply.

The patch is here:
https://github.com/vyos/vyatta-cfg-vpn/commit/bdf73b3e470ea69332d69e67a757792ce5af3dbd

The original script was made for Pluto.

I heard that strongSwan 5.x doesn't use Pluto, so I suppose that the patch can't be applied to VyOS 1.2.x as is.

Reference
http://www.freeswan.org/freeswan_trees/CURRENT-TREE/doc/manpage.d/ipsec_pluto.8.html
https://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1

@hiroyuki-sato maybe 1.2 is not affected by that issue;
I will check with @dmbaturin.

syncer reassigned this task from syncer to dmbaturin.Oct 11 2017, 9:36 PM
syncer added a subscriber: syncer.

@dmbaturin now that we have Bugzilla back, can you check this one?

pasik added a subscriber: pasik.Oct 27 2017, 10:03 PM
Merijn added a subscriber: Merijn.May 7 2018, 1:11 PM

Tested on 1.2.0-rolling

show version
Version:          VyOS 1.2.0-rolling+201804260337
show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
remoteip                              localip

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    vti     down   0.0/192.0      aes256   sha1_96 no     -25200          all
sudo ipsec status
Routed Connections:
peer-remoteip-tunnel-vti{1}:  ROUTED, TUNNEL, reqid 1
peer-remoteip-tunnel-vti{1}:   0.0.0.0/0 === 0.0.0.0/0
Security Associations (1 up, 0 connecting):
peer-remoteip-tunnel-vti[1]: ESTABLISHED 6 minutes ago, localip[localid]...remoteip[remoteid]
peer-remoteip-tunnel-vti{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cea088f2_i e0267f52_o
peer-remoteip-tunnel-vti{2}:   0.0.0.0/0 === 0.0.0.0/0

The remote site believes the tunnel is connected, but as you can see the vti interface is shown as down.
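The mismatch in the post above is between what `show vpn ipsec sa` prints and what strongSwan actually reports. As an added example (not part of this task or of VyOS), the script below parses the `ipsec status` output quoted above and derives the real tunnel state from it: a connection counts as up only when its IKE SA is ESTABLISHED and at least one CHILD_SA is INSTALLED. The sample text is constructed from the quoted output; the connection name, SPIs and regexes are assumptions about that format.

```python
import re

# Constructed sample, copied from the `sudo ipsec status` output quoted above
# (strongSwan charon formatting). The SPI values are the ones shown there.
SAMPLE_STATUS = """\
Routed Connections:
peer-remoteip-tunnel-vti{1}:  ROUTED, TUNNEL, reqid 1
peer-remoteip-tunnel-vti{1}:   0.0.0.0/0 === 0.0.0.0/0
Security Associations (1 up, 0 connecting):
peer-remoteip-tunnel-vti[1]: ESTABLISHED 6 minutes ago, localip[localid]...remoteip[remoteid]
peer-remoteip-tunnel-vti{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cea088f2_i e0267f52_o
peer-remoteip-tunnel-vti{2}:   0.0.0.0/0 === 0.0.0.0/0
"""

# IKE SA lines use [n], CHILD_SA lines use {n}; both are assumed formats.
IKE_RE = re.compile(r"^(?P<conn>\S+)\[\d+\]: (?P<state>[A-Z]+)")
CHILD_RE = re.compile(
    r"^(?P<conn>\S+)\{\d+\}:\s+(?P<state>[A-Z]+), (?P<mode>[A-Z]+), reqid (?P<reqid>\d+)"
    r"(?:, ESP SPIs: (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o)?")


def parse_ipsec_status(text):
    """Return {conn_name: {"ike": state, "children": [child SA dicts]}}."""
    conns = {}
    in_sa_section = False
    for line in text.splitlines():
        if line.startswith("Security Associations"):
            in_sa_section = True
            continue
        if not in_sa_section:
            continue  # "Routed Connections" lists policies, not live SAs
        m = IKE_RE.match(line)
        if m:
            conns.setdefault(m["conn"], {"ike": None, "children": []})["ike"] = m["state"]
            continue
        m = CHILD_RE.match(line)
        if m:
            entry = conns.setdefault(m["conn"], {"ike": None, "children": []})
            entry["children"].append({"state": m["state"], "reqid": int(m["reqid"]),
                                      "spi_in": m["spi_in"], "spi_out": m["spi_out"]})
    return conns


def tunnel_is_up(conns, conn_name):
    """Up only if the IKE SA is ESTABLISHED and a CHILD_SA is INSTALLED."""
    c = conns.get(conn_name)
    if c is None or c["ike"] != "ESTABLISHED":
        return False
    return any(ch["state"] == "INSTALLED" for ch in c["children"])


if __name__ == "__main__":
    parsed = parse_ipsec_status(SAMPLE_STATUS)
    for name in parsed:
        print(name, "up" if tunnel_is_up(parsed, name) else "down")
```

Running this against the quoted output reports the tunnel as up, which is what the remote side sees; comparing that result with the `show vpn ipsec sa` column is a quick way to confirm the "down" there is only a display problem.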

syncer changed the task status from Open to On hold.Oct 13 2018, 9:19 AM

This is cosmetic; please retest on the latest rolling.

I'm seeing the same thing using a newer rolling version. My tunnels are up and can pass traffic.

vyos@cni-lima-iptv-vpn-1:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
remote                                  local

    Description: AWS Tunnel 1

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    vti     down   14.6K/0.0      aes128   sha1_96/modp_1024 no     -1920           all
vyos@cni-lima-iptv-vpn-1:~$ show version
Version:          VyOS 1.2.0-rolling+201810141404
Built by:         autobuild@vyos.net
Built on:         Sun 14 Oct 2018 14:04 UTC
syncer reassigned this task from dmbaturin to JulesT.Oct 16 2018, 2:41 PM
syncer added a subscriber: JulesT.

@JulesT want to look into that?

syncer reassigned this task from JulesT to c-po.Nov 2 2018, 5:33 PM
dmbaturin closed this task as Resolved.Nov 25 2018, 8:34 PM

This should have been resolved by T956, but if it reappears or the fix turns out incomplete, feel free to reopen.

dmbaturin renamed this task from [Revise] Bug 183 - VTI will not be up automatic when IPsec SA up. to VTI tunnel SA is incorrectly displayed as down when it's in fact up.Nov 25 2018, 8:34 PM