
"show vpn ike sa" shows state "down" when tunnel is up
Open, Requires assessmentPublicBUG

Description

ajg@vyos:~$ show vpn ike sa

Peer ID / IP                            Local ID / IP
------------                            -------------
1.1.1.1                                  2.2.2.2

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   IKEv2   aes16_128 n/a     14(MODP_2048)  no     -900
ajg@vyos:~$ show vpn ipsec sa

Connection                             State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID                Proposal
-------------------------------------  -------  --------  --------------  ----------------  ----------------  -----------------------  ------------------------
peer-host.example.org-tunnel-0         up       14m31s    372B/132B       7/3               1.1.1.1           remote-host.example.net  AES_GCM_16_128/MODP_2048
peer remote-host.example.net {
                authentication {
                    id host.example.org-tunnel
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id remote-host.example.net
                }
                connection-type initiate
                dhcp-interface eth2
                ike-group local-vpn-ike
                ikev2-reauth inherit
                tunnel 0 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group local-vpn-esp
                    local {
                        prefix 10.0.0.0/16
                    }
                    remote {
                        prefix 10.10.0.0/24
                    }
                }
            }
ipsec {
        auto-update 30
        esp-group local-vpn-esp {
            compression disable
            lifetime 1800
            mode tunnel
            pfs dh-group14
            proposal 1 {
                encryption aes128gcm128
                hash sha1
            }
            proposal 2 {
                encryption aes256gcm128
                hash sha1
            }
        }
        ike-group local-vpn-ike {
            close-action none
            dead-peer-detection {
                action restart
                interval 30
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev2
            lifetime 3600
            proposal 1 {
                dh-group 14
                encryption aes128gcm128
                hash aesxcbc
            }
            proposal 2 {
                dh-group 14
                encryption aes256gcm128
                hash aesxcbc
            }
        }
        ipsec-interfaces {
            interface eth0
            interface eth1
            interface eth2
        }

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.3-rolling-202007300117
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

ajgnet created this task.Jul 31 2020, 1:55 AM
pasik added a subscriber: pasik.Jul 31 2020, 7:45 AM
zsdc assigned this task to ronie.Jul 31 2020, 12:24 PM
ronie added a comment (edited). Aug 5 2020, 4:58 PM

I've configured a simple point-to-point IPsec/GRE tunnel, and the command shows both the IKE and IPsec SAs as up:

vyos@HUB-2:~$ show vpn ike sa
Peer ID / IP Local ID / IP


169.254.100.1 169.254.100.6

State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
-----  ------  -------  ----    ---------      -----  ------  ------
up     IKEv1   aes256   md5_96  2(MODP_1024)   no     3600    28800

vyos@HUB-2:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal



peer-169.254.100.1-tunnel-20 up 5m36s 0B/0B 0/0 169.254.100.1 N/A AES_CBC_256/HMAC_MD5_96/MODP_1024

vyos@SPK-1:~$ show vpn ike sa
Peer ID / IP Local ID / IP


169.254.100.6 169.254.100.1

State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
-----  ------  -------  ----    ---------      -----  ------  ------
up     IKEv1   aes256   md5_96  2(MODP_1024)   no     3600    28800

vyos@SPK-1:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal



peer-169.254.100.6-tunnel-20 up 6m42s 0B/0B 0/0 169.254.100.6 N/A AES_CBC_256/HMAC_MD5_96/MODP_1024

ronie added a comment.Aug 5 2020, 4:59 PM

Router (1) Configuration:

vyos@HUB-2# sh vpn
ipsec {

esp-group MyESPGroup {
    proposal 1 {
        encryption aes256
        hash md5
    }
}
ike-group MyIKEGroup {
    proposal 1 {
        dh-group 2
        encryption aes256
        hash md5
    }
}
ipsec-interfaces {
    interface eth0.100
}
site-to-site {
    peer 169.254.100.1 {
        authentication {
            mode pre-shared-secret
            pre-shared-secret MYSECRETKEY
        }
        default-esp-group MyESPGroup
        ike-group MyIKEGroup
        local-address 169.254.100.6
        tunnel 20 {
            protocol gre
        }
    }
}

}
[edit]

ajgnet added a comment.Aug 5 2020, 5:02 PM

The IKE SA appears to be down in your second example?

State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
-----  ------  -------  ----    ---------      -----  ------  ------
down   IKEv1   aes128   sha1_96 2(MODP_1024)   no     0       n/a
ajgnet added a comment.Aug 5 2020, 5:38 PM

I suspect this could be related to displaying a peer whose hostname contains a dash, such as "abc-peer12.dyndns.org". Or possibly a string-matching error that is thrown off by a proposal like "AES_GCM_16_128/MODP_2048".

I have just re-confirmed this and am seeing the same bug on a second box running 1.3-rolling-202008040823.

vyos@gw01office:~$ sh vpn ipsec sa
Connection                           State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID              Proposal
-----------------------------------  -------  --------  --------------  ----------------  ----------------  ---------------------  ------------------------
peer-abc-site12.dyndns.org-tunnel-0  up       33m13s    364B/672B       7/7               1.2.3.4      abc-site12.dyndns.org  AES_GCM_16_128/MODP_2048
peer-abc-site12.dyndns.org-tunnel-0  up       33m13s    0B/0B           0/0               1.2.3.4      abc-site12.dyndns.org  AES_GCM_16_128/MODP_2048
peer-abc-site45.dyndns.org-tunnel-0  up       36m40s    3K/4K           74/74             2.3.4.5     abc-site45.dyndns.org  AES_GCM_16_128/MODP_2048
peer-abc-site45.dyndns.org-tunnel-0  up       36m40s    14K/17K         211/166           2.3.4.5     abc-site45.dyndns.org  AES_GCM_16_128/MODP_2048

vyos@gw01office:~$ sh vpn ike sa

Peer ID / IP                             Local ID / IP
------------                            -------------
2.3.4.5                                 9.8.7.6

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   IKEv2   aes16_128 n/a     14(MODP_2048)  no     -780


Peer ID / IP                             Local ID / IP
------------                            -------------
1.2.3.4                                 9.8.7.6

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   IKEv2   aes16_128 n/a     14(MODP_2048)  no     -840
ronie added a comment (edited). Aug 5 2020, 11:35 PM

I used software version VyOS 1.3-rolling-202007300117.
Since I used GRE tunnels, my test does not reproduce the reported scenario, which uses pure IPsec. I will configure IPsec tunnels over physical interfaces and log the results here again.

ronie added a comment (edited). Aug 10 2020, 3:45 PM

When the provided configuration is reproduced, the problem occurs: "show ike sa" reports "down" while "show ipsec sa" reports "up".

vyos@remote-host.example.net# sh vpn
ipsec {

auto-update 30
esp-group local-vpn-esp {
    compression disable
    lifetime 1800
    mode tunnel
    pfs dh-group14
    proposal 1 {
        encryption aes128gcm128
        hash sha1
    }
    proposal 2 {
        encryption aes256gcm128
        hash sha1
    }
}
ike-group local-vpn-ike {
    close-action none
    dead-peer-detection {
        action restart
        interval 30
        timeout 120
    }
    ikev2-reauth no
    key-exchange ikev2
    lifetime 3600
    proposal 1 {
        dh-group 14
        encryption aes128gcm128
        hash aesxcbc
    }
    proposal 2 {
        dh-group 14
        encryption aes256gcm128
        hash aesxcbc
    }
}
ipsec-interfaces {
    interface eth0
}
site-to-site {
    peer host.example.org-tunnel {
        authentication {
            id remote-host.example.net
            mode pre-shared-secret
            pre-shared-secret SECRET
            remote-id host.example.org-tunnel
        }
        connection-type initiate
        ike-group local-vpn-ike
        ikev2-reauth inherit
        local-address 192.168.12.3
        tunnel 0 {
            allow-nat-networks disable
            allow-public-networks disable
            esp-group local-vpn-esp
            local {
                prefix 10.10.0.0/24
            }
            remote {
                prefix 10.0.0.0/16
            }
        }
    }
}

}

vyos@remote-host.example.net:~$ show vpn ike sa
Peer ID / IP Local ID / IP


192.168.12.2 192.168.12.3

State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
-----  ------  -------  ----    ---------      -----  ------  ------
down   IKEv2   aes16_128 n/a     14(MODP_2048)  no     -1740

vyos@remote-host.example.net:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal



peer-host.example.org-tunnel-tunnel-0 up 13m43s 0B/0B 0/0 192.168.12.2 host.example.org-tunnel AES_GCM_16_128
peer-host.example.org-tunnel-tunnel-0 up 13m43s 0B/0B 0/0 192.168.12.2 host.example.org-tunnel AES_GCM_16_128/MODP_2048
vyos@remote-host.example.net:~$

Additionally, the Peer ID and Local ID are sometimes not formatted correctly. For example:

Peer ID / IP                             Local ID / IP
------------                            -------------
host                                    name.dyndns.org