
op-mode incorrect naming for ipsec policy-based tunnels
Closed, Resolved · Public · BUG

Description

In the configuration, 2 tunnels were declared: "tunnel 0" and "tunnel 1".

In operational mode, we see all names as "tunnel 0".

Config

set vpn ipsec esp-group grp-ESP compression 'disable'
set vpn ipsec esp-group grp-ESP lifetime '28800'
set vpn ipsec esp-group grp-ESP mode 'tunnel'
set vpn ipsec esp-group grp-ESP pfs 'dh-group19'
set vpn ipsec esp-group grp-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group grp-ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group grp-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group grp-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group grp-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group grp-IKE ikev2-reauth 'no'
set vpn ipsec ike-group grp-IKE key-exchange 'ikev2'
set vpn ipsec ike-group grp-IKE lifetime '86400'
set vpn ipsec ike-group grp-IKE mobike 'disable'
set vpn ipsec ike-group grp-IKE proposal 10 dh-group '19'
set vpn ipsec ike-group grp-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group grp-IKE proposal 10 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 100.64.0.2 authentication id '100.64.0.1'
set vpn ipsec site-to-site peer 100.64.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 100.64.0.2 authentication pre-shared-secret 'SSSeeccRetT'
set vpn ipsec site-to-site peer 100.64.0.2 authentication remote-id '100.64.0.2'
set vpn ipsec site-to-site peer 100.64.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 100.64.0.2 ike-group 'grp-IKE'
set vpn ipsec site-to-site peer 100.64.0.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 100.64.0.2 local-address '100.64.0.1'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 0 esp-group 'grp-ESP'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 0 local prefix '10.11.10.0/24'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 0 remote prefix '10.21.20.0/24'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 1 esp-group 'grp-ESP'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 1 local prefix '10.10.10.0/24'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 1 remote prefix '10.20.20.0/24'

Op mode

vyos@r4-roll:~$ show vpn ipsec sa
Connection                State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------
peer-100.64.0.2-tunnel-0  up       9m4s      0B/0B           0/0               100.64.0.2        N/A          AES_GCM_16_256
peer-100.64.0.2-tunnel-0  up       9m4s      0B/0B           0/0               100.64.0.2        N/A          AES_GCM_16_256/ECP_256
vyos@r4-roll:~$

Vici shows the correct tunnel names

OrderedDict([('uniqueid', b'1'),
             ('version', b'2'),
             ('state', b'ESTABLISHED'),
             ('local-host', b'100.64.0.1'),
             ('local-port', b'500'),
             ('local-id', b'100.64.0.1'),
             ('remote-host', b'100.64.0.2'),
             ('remote-port', b'500'),
             ('remote-id', b'100.64.0.2'),
             ('initiator', b'yes'),
             ('initiator-spi', b'b84053a6c941bbca'),
             ('responder-spi', b'a458ce49ad061a1d'),
             ('encr-alg', b'AES_GCM_16'),
             ('encr-keysize', b'256'),
             ('prf-alg', b'PRF_HMAC_SHA2_256'),
             ('dh-group', b'ECP_256'),
             ('established', b'1110'),
             ('rekey-time', b'84631'),
             ('child-sas',
              OrderedDict([('peer-100.64.0.2-tunnel-0-1',
                            OrderedDict([('name', b'peer-100.64.0.2-tunnel-0'),
                                         ('uniqueid', b'1'),
                                         ('reqid', b'1'),
                                         ('state', b'INSTALLED'),
                                         ('mode', b'TUNNEL'),
                                         ('protocol', b'ESP'),
                                         ('spi-in', b'ce364934'),
                                         ('spi-out', b'c226de16'),
                                         ('encr-alg', b'AES_GCM_16'),
                                         ('encr-keysize', b'256'),
                                         ('bytes-in', b'0'),
                                         ('packets-in', b'0'),
                                         ('bytes-out', b'0'),
                                         ('packets-out', b'0'),
                                         ('rekey-time', b'26631'),
                                         ('life-time', b'27690'),
                                         ('install-time', b'1110'),
                                         ('local-ts', [b'10.11.10.0/24']),
                                         ('remote-ts', [b'10.21.20.0/24'])])),
                           ('peer-100.64.0.2-tunnel-1-2',
                            OrderedDict([('name', b'peer-100.64.0.2-tunnel-1'),
                                         ('uniqueid', b'2'),
                                         ('reqid', b'2'),
                                         ('state', b'INSTALLED'),
                                         ('mode', b'TUNNEL'),
                                         ('protocol', b'ESP'),
                                         ('spi-in', b'c1a60ea8'),
                                         ('spi-out', b'c86a7a4a'),
                                         ('encr-alg', b'AES_GCM_16'),
                                         ('encr-keysize', b'256'),
                                         ('dh-group', b'ECP_256'),
                                         ('bytes-in', b'0'),
                                         ('packets-in', b'0'),
                                         ('bytes-out', b'0'),
                                         ('packets-out', b'0'),
                                         ('rekey-time', b'26733'),
                                         ('life-time', b'27690'),
                                         ('install-time', b'1110'),
                                         ('local-ts', [b'10.10.10.0/24']),
                                         ('remote-ts',
                                          [b'10.20.20.0/24'])]))]))])

https://github.com/vyos/vyos-1x/blob/current/src/op_mode/show_ipsec_sa.py
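The vici dump above already carries a distinct 'name' per child SA ('peer-100.64.0.2-tunnel-0' and 'peer-100.64.0.2-tunnel-1'), so an op-mode table that reads that field cannot collapse the two tunnels. The following is an added example, not the VyOS show_ipsec_sa.py script and not python-vici's API: it builds one row per child SA from a constructed list-sas result shaped like the dump in this report (trimmed to the keys it reads, values kept as bytes the way python-vici returns them), and includes a duplicate-name check that would have flagged the output shown in this report. The helper names (`_child`, `child_rows`, `duplicate_connections`, `render_table`) are this example's own.

```python
"""Added example (not the VyOS op-mode script): one table row per child SA
from a strongSwan vici 'list-sas' result, keyed by the child's own 'name'."""
from collections import OrderedDict


def _child(name, local_ts, remote_ts, dh_group=None):
    """Constructed child-SA record in vici's shape (example helper, not vici API)."""
    sa = OrderedDict([
        ('name', name.encode()),
        ('state', b'INSTALLED'),
        ('mode', b'TUNNEL'),
        ('protocol', b'ESP'),
        ('encr-alg', b'AES_GCM_16'),
        ('encr-keysize', b'256'),
        ('bytes-in', b'0'), ('packets-in', b'0'),
        ('bytes-out', b'0'), ('packets-out', b'0'),
        ('install-time', b'1110'),
        ('local-ts', [local_ts.encode()]),
        ('remote-ts', [remote_ts.encode()]),
    ])
    if dh_group:
        sa['dh-group'] = dh_group.encode()
    return sa


# Constructed sample mirroring the report: one IKE SA carrying two child SAs.
# vici keys each child by "<name>-<uniqueid>"; the 'name' field is the bare name.
SAMPLE_LIST_SAS = [OrderedDict([('peer-100.64.0.2', OrderedDict([
    ('uniqueid', b'1'),
    ('state', b'ESTABLISHED'),
    ('remote-host', b'100.64.0.2'),
    ('remote-id', b'100.64.0.2'),
    ('child-sas', OrderedDict([
        ('peer-100.64.0.2-tunnel-0-1',
         _child('peer-100.64.0.2-tunnel-0', '10.11.10.0/24', '10.21.20.0/24')),
        ('peer-100.64.0.2-tunnel-1-2',
         _child('peer-100.64.0.2-tunnel-1', '10.10.10.0/24', '10.20.20.0/24', 'ECP_256')),
    ])),
]))])]


def _s(value):
    """Decode a vici bytes value to str."""
    return value.decode() if isinstance(value, bytes) else str(value)


def fmt_uptime(seconds):
    """Render seconds as e.g. '9m4s' or '1h2m3s'."""
    h, rem = divmod(int(seconds), 3600)
    m, s = divmod(rem, 60)
    return ''.join(p for p in (f'{h}h' if h else '', f'{m}m' if m else '', f'{s}s'))


def proposal(sa):
    """ENCR_KEYSIZE, plus '/DH-GROUP' when the SA carries one (PFS)."""
    text = f"{_s(sa['encr-alg'])}_{_s(sa['encr-keysize'])}"
    if 'dh-group' in sa:
        text += '/' + _s(sa['dh-group'])
    return text


def child_rows(list_sas):
    """One row per child SA. The Connection column comes from the child's own
    'name', never from the enclosing IKE SA; labelling children by the parent
    would report every tunnel of a peer under one name."""
    rows = []
    for entry in list_sas:
        for ike_name, ike_sa in entry.items():
            for child in ike_sa.get('child-sas', {}).values():
                rows.append({
                    'connection': _s(child['name']),
                    'ike_sa': ike_name,
                    'state': 'up' if _s(child['state']) == 'INSTALLED' else 'down',
                    'uptime': fmt_uptime(_s(child['install-time'])),
                    'bytes': f"{_s(child['bytes-in'])}B/{_s(child['bytes-out'])}B",
                    'packets': f"{_s(child['packets-in'])}/{_s(child['packets-out'])}",
                    'remote_address': _s(ike_sa.get('remote-host', b'N/A')),
                    'proposal': proposal(child),
                    'local_ts': [_s(t) for t in child['local-ts']],
                    'remote_ts': [_s(t) for t in child['remote-ts']],
                })
    return rows


def duplicate_connections(rows):
    """Connection names appearing more than once: a non-empty result means the
    display collapsed distinct child SAs, which is what this report shows."""
    seen, dups = set(), []
    for r in rows:
        name = r['connection']
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def render_table(rows):
    """Fixed-width table in the style of 'show vpn ipsec sa'."""
    cols = [('Connection', 'connection'), ('State', 'state'), ('Uptime', 'uptime'),
            ('Bytes In/Out', 'bytes'), ('Packets In/Out', 'packets'),
            ('Remote address', 'remote_address'), ('Proposal', 'proposal')]
    widths = [max([len(h)] + [len(r[k]) for r in rows]) for h, k in cols]
    lines = ['  '.join(h.ljust(w) for (h, _), w in zip(cols, widths)),
             '  '.join('-' * w for w in widths)]
    for r in rows:
        lines.append('  '.join(r[k].ljust(w) for (_, k), w in zip(cols, widths)))
    return '\n'.join(lines)


if __name__ == '__main__':
    rows = child_rows(SAMPLE_LIST_SAS)
    print(render_table(rows))
    print('duplicate connection names:', duplicate_connections(rows) or 'none')
```

Run as-is it prints two rows, one per tunnel, with the proposal column matching the report ('AES_GCM_16_256' for the child without a dh-group, 'AES_GCM_16_256/ECP_256' for the one with it). The duplicate check is cheap to keep in an op-mode script or a smoke test: two configured tunnels that render under one name is a sign the display is reading the wrong key.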

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.3-rolling-202011080217
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav added a project: VyOS 1.4 Sagitta.
Viacheslav changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
Viacheslav changed the subtype of this task from "Task" to "Bug".
Viacheslav changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
Viacheslav changed the task status from Open to Needs testing. Mar 29 2021, 7:31 PM
Viacheslav assigned this task to jack9603301.
erkin renamed this task from "op-mode incorrect naming fo ipsec policy-based tunnels" to "op-mode incorrect naming for ipsec policy-based tunnels". Sun, Aug 29, 12:19 PM
erkin set Issue type to Bug (incorrect behavior).
erkin removed a subscriber: Active contributors.