
"show vpn ipsec sa" reports ESP tunnels to be up when they are not.
Open, Normal, Public, BUG

Description

Problem Description:

"show vpn ipsec sa" reports ESP tunnels to be up when they are not.

To reproduce the issue, try the following configuration:

Mismatched esp settings:

VyOS1:

set vpn ipsec esp-group espA compression 'disable'
set vpn ipsec esp-group espA lifetime '1500'
set vpn ipsec esp-group espA mode 'tunnel'
set vpn ipsec esp-group espA pfs 'disable'
set vpn ipsec esp-group espA proposal 1 encryption 'aes128'
set vpn ipsec esp-group espA proposal 1 hash 'sha512'

VyOS2:

set vpn ipsec esp-group espA compression 'disable'
set vpn ipsec esp-group espA lifetime '1500'
set vpn ipsec esp-group espA mode 'tunnel'
set vpn ipsec esp-group espA pfs 'dh-group14'
set vpn ipsec esp-group espA proposal 1 encryption 'aes256'
set vpn ipsec esp-group espA proposal 1 hash 'sha512'

Output commands:

vyos@vyos:~$ sh vpn ipsec sa
Connection                   State    Up         Bytes In/Out    Remote address    Remote ID    Proposal
---------------------------  -------  ---------  --------------  ----------------  -----------  ---------------------------------------------------------
peer-200.200.200.2-tunnel-2  up       4 minutes  N/A             200.200.200.2     N/A          AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048

vyos@vyos:~$ sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
200.200.200.2                           100.100.100.2

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv2   aes256   sha512_256 14(MODP_2048)  no     840     1800

The ipsec logs show that the CHILD_SA failed to establish:

Feb 17 17:02:57 vyos charon[14173]: 10[CFG] received stroke: add connection 'peer-200.200.200.2-tunnel-2'
Feb 17 17:02:57 vyos charon[14173]: 10[CFG] added configuration 'peer-200.200.200.2-tunnel-2'
Feb 17 17:02:57 vyos charon[14173]: 11[CFG] received stroke: initiate 'peer-200.200.200.2-tunnel-2'
Feb 17 17:02:57 vyos charon[14173]: 11[IKE] establishing CHILD_SA peer-200.200.200.2-tunnel-2{2}
Feb 17 17:02:57 vyos charon[14173]: 11[ENC] generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
Feb 17 17:02:57 vyos charon[14173]: 11[NET] sending packet: from 100.100.100.2[4500] to 200.200.200.2[4500] (224 bytes)
Feb 17 17:02:57 vyos charon[14173]: 13[NET] received packet: from 200.200.200.2[4500] to 100.100.100.2[4500] (96 bytes)
Feb 17 17:02:57 vyos charon[14173]: 13[ENC] parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
Feb 17 17:02:57 vyos charon[14173]: 13[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Feb 17 17:02:57 vyos charon[14173]: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA

Output of ipsec commands

vyos@vyos:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.142-amd64-vyos, x86_64):
  uptime: 28 hours, since Feb 16 12:25:27 2021
  malloc: sbrk 1867776, mmap 0, used 784144, free 1083632
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  100.100.100.2
Connections:
peer-200.200.200.2-tunnel-2:  100.100.100.2...200.200.200.2  IKEv2, dpddelay=10s
peer-200.200.200.2-tunnel-2:   local:  [100.100.100.2] uses pre-shared key authentication
peer-200.200.200.2-tunnel-2:   remote: [200.200.200.2] uses pre-shared key authentication
peer-200.200.200.2-tunnel-2:   child:  10.2.0.0/16 === 10.1.0.0/16 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
peer-200.200.200.2-tunnel-2[2]: ESTABLISHED 9 minutes ago, 100.100.100.2[100.100.100.2]...200.200.200.2[200.200.200.2]
peer-200.200.200.2-tunnel-2[2]: IKEv2 SPIs: 308292afcb26a966_i* f9e8bfbf18630454_r, rekeying in 11 minutes
peer-200.200.200.2-tunnel-2[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048

vyos@vyos:~$ sudo ipsec up peer-200.200.200.2-tunnel-2
establishing CHILD_SA peer-200.200.200.2-tunnel-2{3}
generating CREATE_CHILD_SA request 7 [ SA No TSi TSr ]
sending packet: from 100.100.100.2[4500] to 200.200.200.2[4500] (224 bytes)
received packet: from 200.200.200.2[4500] to 100.100.100.2[4500] (96 bytes)
parsed CREATE_CHILD_SA response 7 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'peer-200.200.200.2-tunnel-2' failed

The script "/usr/libexec/vyos/op_mode/show_ipsec_sa.py" checks the "established" state of the IKE_SA, not of the CHILD_SA (the ESP SA), so a tunnel whose CHILD_SA negotiation was rejected is still reported as up.
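To make the distinction concrete, here is an added example (not VyOS's show_ipsec_sa.py and not strongSwan code) that parses `ipsec statusall` text and reports a connection up only when an INSTALLED CHILD_SA is present beside the ESTABLISHED IKE_SA. The first sample is built from the statusall output quoted above; the second, with a CHILD_SA line and its SPIs, is a constructed healthy counterpart.

```python
import re

CONN = "peer-200.200.200.2-tunnel-2"

# Constructed from the 'ipsec statusall' output in this report: IKE_SA is
# ESTABLISHED but no CHILD_SA ("{n}: INSTALLED, ...") line follows it.
STATUSALL_NO_CHILD = """\
Security Associations (1 up, 0 connecting):
peer-200.200.200.2-tunnel-2[2]: ESTABLISHED 9 minutes ago, 100.100.100.2[100.100.100.2]...200.200.200.2[200.200.200.2]
peer-200.200.200.2-tunnel-2[2]: IKEv2 SPIs: 308292afcb26a966_i* f9e8bfbf18630454_r, rekeying in 11 minutes
peer-200.200.200.2-tunnel-2[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
"""

# Hypothetical healthy output (constructed, SPIs invented): same IKE_SA plus an
# installed CHILD_SA in the line format strongSwan prints for ESP SAs.
STATUSALL_WITH_CHILD = STATUSALL_NO_CHILD + """\
peer-200.200.200.2-tunnel-2{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3d4_i e5f6a7b8_o
peer-200.200.200.2-tunnel-2{2}:   10.2.0.0/16 === 10.1.0.0/16
"""

IKE_STATES = "CREATED|CONNECTING|ESTABLISHED|PASSIVE|REKEYING|REKEYED|DELETING"
CHILD_STATES = "CREATED|ROUTED|INSTALLING|INSTALLED|REKEYING|REKEYED|DELETING"
# IKE_SA state lines look like "<conn>[<id>]: ESTABLISHED ...";
# CHILD_SA state lines look like "<conn>{<id>}:  INSTALLED, ...".
IKE_RE = re.compile(rf"^(?P<conn>\S+?)\[\d+\]:\s+(?P<state>{IKE_STATES})\b")
CHILD_RE = re.compile(rf"^(?P<conn>\S+?)\{{\d+\}}:\s+(?P<state>{CHILD_STATES})\b")


def parse_statusall(text):
    """Map each connection name to its IKE_SA states and CHILD_SA states."""
    sas = {}
    for line in text.splitlines():
        for regex, key in ((IKE_RE, "ike"), (CHILD_RE, "children")):
            m = regex.match(line)
            if m:
                entry = sas.setdefault(m["conn"], {"ike": [], "children": []})
                entry[key].append(m["state"])
                break
    return sas


def ike_only_up(sas, conn):
    """The flawed check described in the report: up once the IKE_SA is ESTABLISHED."""
    return "ESTABLISHED" in sas.get(conn, {}).get("ike", [])


def tunnel_up(sas, conn):
    """Corrected check: ESTABLISHED IKE_SA *and* at least one INSTALLED CHILD_SA."""
    entry = sas.get(conn)
    return bool(entry) and "ESTABLISHED" in entry["ike"] and "INSTALLED" in entry["children"]


if __name__ == "__main__":
    for label, text in (("no CHILD_SA", STATUSALL_NO_CHILD), ("with CHILD_SA", STATUSALL_WITH_CHILD)):
        sas = parse_statusall(text)
        print(f"{label}: ike_only_up={ike_only_up(sas, CONN)} tunnel_up={tunnel_up(sas, CONN)}")
```

With the report's output the IKE-only check says up while the corrected check says down; only the constructed sample with an INSTALLED CHILD_SA is reported up by both.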

Details

Difficulty level
Hard (possibly days)
Version
1.2.6-S1
Why did the issue appear?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

Viacheslav changed Difficulty level from Unknown (require assessment) to Hard (possibly days).