
ipsec generates false warning on commit when local prefix is sourced from loopback
Open, Requires assessment, Public

Description

Site-to-site configuration. The local prefix is sourced from the loopback interface.

set vpn ipsec site-to-site peer @remote_cpe authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer @remote_cpe authentication pre-shared-secret 'xxx'
set vpn ipsec site-to-site peer @remote_cpe authentication remote-id 'remote_cpe'
set vpn ipsec site-to-site peer @remote_cpe connection-type 'respond'
set vpn ipsec site-to-site peer @remote_cpe default-esp-group 'remote_esp'
set vpn ipsec site-to-site peer @remote_cpe ike-group 'home_IKE'
set vpn ipsec site-to-site peer @remote_cpe ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer @remote_cpe local-address '111.11.111.47'
set vpn ipsec site-to-site peer @remote_cpe tunnel 1 local prefix '172.18.255.26/32'
set vpn ipsec site-to-site peer @remote_cpe tunnel 1 remote prefix '172.24.32.54/32'
vyos@vyos# run show int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             -                                 u/u  
eth0.42          111.11.111.47/27                  u/u  
eth1             172.16.179.1/24                   u/u  
eth2             192.168.122.69/24                 u/u  
lo               127.0.0.1/8                       u/u  
                 172.18.255.26/32
                 ::1/128

...
vyos@vyos# set vpn ipsec site-to-site peer @remote_cpe tunnel 1 local prefix '172.18.255.26/32'
...
vyos@vyos# commit
[ vpn ]
Warning: local prefix 172.18.255.26/32 specified for peer "@remote_cpe"
is not configured on any interfaces

If I source the prefix from eth1 (172.16.179.0/24), I do not get any warnings.


It seems like this line is the problem:
https://github.com/vyos/vyatta-cfg-vpn/blob/ce56258f8dd52c5a14482a1055e4f23b89e462f6/scripts/vpn-config.pl#L673
from this commit
https://github.com/vyos/vyatta-cfg-vpn/commit/600e35bbae36ed5482c0816d077c86ab1a84c2ec#diff-5fb21a764744171f7a59a73133e0b844

It checks for routes in ip route show table 254, which does not show loopback routes.
To see loopback routes, one must check ip route show table local.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.6-epa1
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Stricter validation

Event Timeline

lundgrenolof created this object in space S1 VyOS Public.
olofl added a subscriber: olofl. Aug 17 2020, 10:48 AM
pasik added a subscriber: pasik. Aug 18 2020, 6:49 AM
lundgrenolof updated the task description. Aug 18 2020, 8:39 PM
Viacheslav added a subscriber: Viacheslav. Edited Sep 18 2020, 6:21 PM

Let's also check the table "local".
PR for rolling: https://github.com/vyos/vyatta-cfg-vpn/pull/37

olofl added a comment. Sep 21 2020, 9:27 AM

@Viacheslav, does that PR check for x.x.x.x/32? Because ip route show table local does not contain the /32 netmask, while ip route show table 254 shows the prefixes in /cidr notation.

@olofl it checks the IP addresses assigned to the loopback interface, which are located in the table "local".

For example

vyos@r1-client# set interfaces loopback lo address 203.0.113.1/24
[edit]
vyos@r1-client# commit

Check routes

vyos@r1-client# sudo ip route show table 254
default via 192.168.3.254 dev eth0 proto static metric 20 
192.168.3.0/24 dev eth0 proto kernel scope link src 192.168.3.100 
[edit]
vyos@r1-client# 


vyos@r1-client# sudo ip route show table local | grep "203.0.113.1"
broadcast 203.0.113.0 dev lo proto kernel scope link src 203.0.113.1 
local 203.0.113.0/24 dev lo proto kernel scope host src 203.0.113.1 
local 203.0.113.1 dev lo proto kernel scope host src 203.0.113.1 
broadcast 203.0.113.255 dev lo proto kernel scope link src 203.0.113.1 
[edit]
vyos@r1-client#
olofl added a comment. Sep 21 2020, 1:22 PM

Notice how my loopback interface with mask /32 does *not* show /32 in route table local.

olof@o6-80003:~$ show interfaces loopback 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
lo               127.0.0.1/8                       u/u  
                 172.18.255.26/32
                 ::1/128


olof@o6-80003:~$ sudo ip route show table 254 | grep '172.18.255.26/32'
olof@o6-80003:~$ sudo ip route show table local | grep '172.18.255.26/32'
olof@o6-80003:~$ sudo ip route show table local | grep '172.18.255.26'
local 172.18.255.26 dev lo proto kernel scope host src 172.18.255.26

@olofl it was an example with grep; I didn't want to show the complete routing table.
If you want to check the route, this commit checks exactly 2 tables: table 254 and table local.
In your case it will be 2 checks:

sudo ip route show table 254 172.18.255.26 && sudo ip route show table local 172.18.255.26
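The check the thread converges on, written out as an added example (this is not code from vyatta-cfg-vpn, the linked commit or the PR): a prefix counts as locally configured if it is a route in the main table (254) or a "local" entry in table local. The two details debated above are handled explicitly: a /32 is matched on its bare address, because ip route prints host routes without a /32 suffix, and "broadcast" entries in table local are ignored. The route listings embedded below are constructed samples modelled on the ones in this thread, so the script runs offline; the ROUTE_SOURCE variable is this example's own switch for querying the real kernel tables instead.

```shell
#!/bin/sh
# Added example, not VyOS code: is an IPv4 prefix configured on this host?
# Consults BOTH the main routing table (254) and the "local" table, which is
# where addresses assigned to lo show up.

# Constructed sample output modelled on the "ip route show" listings in the
# thread. Set ROUTE_SOURCE=live to query the real kernel tables instead.
SAMPLE_TABLE_254='default via 192.168.3.254 dev eth0 proto static metric 20
172.16.179.0/24 dev eth1 proto kernel scope link src 172.16.179.1
192.168.3.0/24 dev eth0 proto kernel scope link src 192.168.3.100'

SAMPLE_TABLE_LOCAL='local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 172.18.255.26 dev lo proto kernel scope host src 172.18.255.26
local 172.16.179.1 dev eth1 proto kernel scope host src 172.16.179.1
broadcast 172.16.179.255 dev eth1 proto kernel scope link src 172.16.179.1'

# route_table TABLE: print the routes of TABLE (254 or local).
route_table() {
    if [ "${ROUTE_SOURCE:-sample}" = live ]; then
        ip route show table "$1"
        return
    fi
    case "$1" in
        254)   printf '%s\n' "$SAMPLE_TABLE_254" ;;
        local) printf '%s\n' "$SAMPLE_TABLE_LOCAL" ;;
        *)     return 1 ;;
    esac
}

# route_token PREFIX: the destination token "ip route" prints for PREFIX.
# a.b.c.d/32 becomes the bare a.b.c.d (no "/32" in ip route output);
# every other prefix length is printed as-is, e.g. 172.16.179.0/24.
route_token() {
    case "$1" in
        */32) printf '%s\n' "${1%/32}" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# table_has_prefix TABLE PREFIX: success (0) if PREFIX is a route in TABLE.
# In table local only "local" entries count; broadcast entries are skipped.
table_has_prefix() {
    tok=$(route_token "$2")
    case "$1" in
        local) route_table local | awk -v t="$tok" \
                   '$1 == "local" && $2 == t { f = 1 } END { exit !f }' ;;
        *)     route_table "$1" | awk -v t="$tok" \
                   '$1 == t { f = 1 } END { exit !f }' ;;
    esac
}

# prefix_is_configured PREFIX: the two-table check, table 254 OR table local.
prefix_is_configured() {
    table_has_prefix 254 "$1" || table_has_prefix local "$1"
}

# check_local_prefix PEER PREFIX: emit a VyOS-style warning only when neither
# table knows the prefix. Returns 0 when the prefix is found, 1 otherwise.
check_local_prefix() {
    if prefix_is_configured "$2"; then
        return 0
    fi
    printf 'Warning: local prefix %s specified for peer "%s"\nis not configured on any interfaces\n' "$2" "$1" >&2
    return 1
}

# Demo: the loopback /32 from the report is found only via table local,
# a prefix on eth1 is found in table 254, and an unknown /32 warns.
check_local_prefix '@remote_cpe' 172.18.255.26/32 && echo "172.18.255.26/32: configured"
check_local_prefix '@remote_cpe' 172.16.179.0/24 && echo "172.16.179.0/24: configured"
check_local_prefix '@remote_cpe' 10.9.9.9/32      || echo "10.9.9.9/32: not configured"
```

Run as-is to see the three demo results against the samples; with ROUTE_SOURCE=live the same functions read the real tables, and the grep-for-"/32" pitfall from the thread is avoided because the lookup never expects a "/32" suffix.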