Page MenuHomeVyOS Platform

Invalid passthrough routes installing by strongSwan into table 220
Confirmed, NormalPublicBUG

Description

Description
When strongSwan installing passthrough routes into table 220, it may use a wrong next-hop address. This leads to a situation when a router losing connectivity to local subnets.

How to reproduce
Configuration:

set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address '10.10.200.1/24'
set vpn ipsec esp-group ESP1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP1 proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE1 proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 192.168.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.2.2 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.168.2.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.2.2 default-esp-group 'ESP1'
set vpn ipsec site-to-site peer 192.168.2.2 ike-group 'IKE1'
set vpn ipsec site-to-site peer 192.168.2.2 local-address 'any'
set vpn ipsec site-to-site peer 192.168.2.2 tunnel 1 local prefix '10.10.200.0/24'
set vpn ipsec site-to-site peer 192.168.2.2 tunnel 1 remote prefix '0.0.0.0/0'

Routing table 220 after IPSec connection:

Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued route, r - rejected route

VRF default table 220:
K>* 0.0.0.0/0 [0/0] via 192.168.1.254, eth0, src 10.10.200.1, 00:04:52
K>* 10.10.200.0/24 [0/0] via 192.168.1.254, eth0, src 10.10.200.1, 00:04:52

Because this table has priority over the main table, a router cannot communicate with 10.10.200.0/24.

How to fix
The issue was fixed in strongSwan 5.8.3 (commit bbedad7). Instead of simple route newer versions create throw routes:

vyos@vyos:~$ sudo ip r show type throw table 220
throw 10.10.200.0/24 proto static

And traffic to the local network goes using the main route table.

Details

Difficulty level
Unknown (require assessment)
Version
rolling-202008301444, 1.2.5
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

zsdc changed the task status from Open to Confirmed.Sep 1 2020, 4:40 PM
zsdc triaged this task as Normal priority.
zsdc created this task.

I get the same issue in 1.2.8.

Interface IP Address S/L Description


eth0 192.168.50.221/24 u/u
eth1 xxx.xxx.xxx.49/30 u/u

$ show vpn ipsec sa
Connection State Up Bytes In/Out Remote address Remote ID Proposal


passthrough-peer-xxx.xxx.xxx.1-tunnel-3 down N/A N/A N/A N/A N/A
peer-xxx.xxx.xxx.1-tunnel-3 up 16 minutes 18K/7K xxx.xxx.xxx.1 N/A AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

#show ip route show table 220
default via 192.168.50.1 dev eth0 proto static src xxx.xxx.xxx.49
xxx.xxx.xxx.48/30 via 192.168.50.1 dev eth0 proto static src xxx.xxx.xxx.49

#show ip route
S>* 0.0.0.0/0 [1/0] via 192.168.50.1, eth0, 00:25:43
C>* 192.168.50.0/24 is directly connected, eth0, 00:25:43
C>* xxx.xxx.xxx.48/30 is directly connected, eth1, 00:25:08

As a workaround it can help in such cases:

sudo ip rule add prio 219 from 192.0.2.48/30 to 192.0.2.48/30 lookup main
sudo ip rule add prio 219 from 192.0.2.48/30 to 192.0.2.48/30 lookup main
}

i try to add it , but tunnel cannot up .

i try to add it , but tunnel cannot up .

The initial bug is different, and does not cause the tunnel down.
The problem which described it louse local communication between host in LAN network and VyOS LAN interface
So it finds policy routes in table 220, in that case, we added rule 219 (as in the above example), before IPSec with table main.


I have patched packages for 1.2.8. It works on my routers in the virtual environment.
Instruction:

  1. Upload package to the router
  2. Unarchiv it
sudo tar -xvf strongswan.tar
  1. Install packages
sudo dpkg -i *.deb
  1. Reboot router or reconfigure IPSec

@Dmitry

Setting up libstrongswan (5.7.2-1) ...
Setting up libstrongswan-extra-plugins (5.7.2-1) ...
dpkg: dependency problems prevent configuration of libstrongswan-standard-plugins:
 libstrongswan-standard-plugins depends on libssl1.0.0 (>= 1.0.2~beta3); however:
  Version of libssl1.0.0:amd64 on system is 1.0.1t-1+deb8u14.

dpkg: error processing package libstrongswan-standard-plugins (--install):
 dependency problems - leaving unconfigured
Setting up strongswan-libcharon (5.7.2-1) ...
Setting up strongswan-pki (5.7.2-1) ...
Setting up strongswan-scepclient (5.7.2-1) ...
Setting up strongswan-starter (5.7.2-1) ...
Disabling opportunistic encryption (OE) in config file ... already disabled
Setting up strongswan-swanctl (5.7.2-1) ...
Setting up charon-cmd (5.7.2-1) ...
Setting up charon-systemd (5.7.2-1) ...
Setting up libcharon-extra-plugins (5.7.2-1) ...
Setting up strongswan-charon (5.7.2-1) ...
Setting up strongswan (5.7.2-1) ...
Processing triggers for systemd (215-17+deb8u13) ...
Errors were encountered while processing:
 libstrongswan-standard-plugins
[edit]

cannot install

It is not critical, please test without this package "libstrongswan-standard-plugins"
All necessary data is already installed.

ipsec start error ..

erkin set Issue type to Bug (incorrect behavior).Aug 29 2021, 1:13 PM
erkin removed a subscriber: Active contributors.