Page MenuHomeVyOS Platform

"show vpn ipsec sa" reports ESP tunnels to be up when they are not.
Closed, ResolvedPublicBUG

Description

Problem Description:

"show vpn ipsec sa" reports ESP tunnels to be up when they are not.

To reproduce the issue, try the following configuration:

Mismatched esp settings:

VyOS1:

set vpn ipsec esp-group espA compression 'disable'
set vpn ipsec esp-group espA lifetime '1500'
set vpn ipsec esp-group espA mode 'tunnel'
set vpn ipsec esp-group espA pfs 'disable'
set vpn ipsec esp-group espA proposal 1 encryption 'aes128'
set vpn ipsec esp-group espA proposal 1 hash 'sha512'

VyOS2:

set vpn ipsec esp-group espA compression 'disable'
set vpn ipsec esp-group espA lifetime '1500'
set vpn ipsec esp-group espA mode 'tunnel'
set vpn ipsec esp-group espA pfs 'dh-group14'
set vpn ipsec esp-group espA proposal 1 encryption 'aes256'
set vpn ipsec esp-group espA proposal 1 hash 'sha512'

Output commands:

[email protected]:~$ sh vpn ipsec sa
Connection                   State    Up         Bytes In/Out    Remote address    Remote ID    Proposal
---------------------------  -------  ---------  --------------  ----------------  -----------  ---------------------------------------------------------
peer-200.200.200.2-tunnel-2  up       4 minutes  N/A             200.200.200.2     N/A          AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048

[email protected]:~$ sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
200.200.200.2                           100.100.100.2

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv2   aes256   sha512_256 14(MODP_2048)  no     840     1800

In the ipsec logs, it shows that CHILD_SA was failed to established.

Feb 17 17:02:57 vyos charon[14173]: 10[CFG] received stroke: add connection 'peer-200.200.200.2-tunnel-2'
Feb 17 17:02:57 vyos charon[14173]: 10[CFG] added configuration 'peer-200.200.200.2-tunnel-2'
Feb 17 17:02:57 vyos charon[14173]: 11[CFG] received stroke: initiate 'peer-200.200.200.2-tunnel-2'
Feb 17 17:02:57 vyos charon[14173]: 11[IKE] establishing CHILD_SA peer-200.200.200.2-tunnel-2{2}
Feb 17 17:02:57 vyos charon[14173]: 11[ENC] generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
Feb 17 17:02:57 vyos charon[14173]: 11[NET] sending packet: from 100.100.100.2[4500] to 200.200.200.2[4500] (224 bytes)
Feb 17 17:02:57 vyos charon[14173]: 13[NET] received packet: from 200.200.200.2[4500] to 100.100.100.2[4500] (96 bytes)
Feb 17 17:02:57 vyos charon[14173]: 13[ENC] parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
Feb 17 17:02:57 vyos charon[14173]: 13[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Feb 17 17:02:57 vyos charon[14173]: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA

Output of ipsec commands

[email protected]:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.142-amd64-vyos, x86_64):
  uptime: 28 hours, since Feb 16 12:25:27 2021
  malloc: sbrk 1867776, mmap 0, used 784144, free 1083632
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  100.100.100.2
Connections:
peer-200.200.200.2-tunnel-2:  100.100.100.2...200.200.200.2  IKEv2, dpddelay=10s
peer-200.200.200.2-tunnel-2:   local:  [100.100.100.2] uses pre-shared key authentication
peer-200.200.200.2-tunnel-2:   remote: [200.200.200.2] uses pre-shared key authentication
peer-200.200.200.2-tunnel-2:   child:  10.2.0.0/16 === 10.1.0.0/16 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
peer-200.200.200.2-tunnel-2[2]: ESTABLISHED 9 minutes ago, 100.100.100.2[100.100.100.2]...200.200.200.2[200.200.200.2]
peer-200.200.200.2-tunnel-2[2]: IKEv2 SPIs: 308292afcb26a966_i* f9e8bfbf18630454_r, rekeying in 11 minutes
peer-200.200.200.2-tunnel-2[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048

[email protected]:~$ sudo ipsec up peer-200.200.200.2-tunnel-2
establishing CHILD_SA peer-200.200.200.2-tunnel-2{3}
generating CREATE_CHILD_SA request 7 [ SA No TSi TSr ]
sending packet: from 100.100.100.2[4500] to 200.200.200.2[4500] (224 bytes)
received packet: from 200.200.200.2[4500] to 100.100.100.2[4500] (96 bytes)
parsed CREATE_CHILD_SA response 7 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'peer-200.200.200.2-tunnel-2' failed

The script "/usr/libexec/vyos/op_mode/show_ipsec_sa.py" verifies with the established parameter for IKE_SA not for CHILD_SA(ESP_SA)

Details

Difficulty level
Hard (possibly days)
Version
1.2.7
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

Viacheslav changed Difficulty level from Unknown (require assessment) to Hard (possibly days).

PR https://github.com/vyos/vyos-1x/pull/805

Add checks state for child ESP child sa.

IKE up but ESP down.

[email protected]:~$ show vpn ipsec sa
Connection                State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
peer-100.64.0.2-tunnel-0  down     N/A       N/A             N/A               N/A               N/A          N/A
[email protected]:~$ 
[email protected]:~$ 
[email protected]:~$ sudo swanctl -l
peer-100.64.0.2-tunnel-0: #3, ESTABLISHED, IKEv1, 95f37f353ad3ad72_i 8e6cdd7bc264fe23_r*
  local  '100.64.0.1' @ 100.64.0.1[500]
  remote '100.64.0.2' @ 100.64.0.2[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 879s ago, reauth in 1682s
[email protected]:~$
Viacheslav changed the task status from Open to Needs testing.Apr 15 2021, 7:24 AM

It seems to show the output correctly when single tunnel is present not with multiple tunnels.
Ref Task: https://phabricator.vyos.net/T3473

Viacheslav changed Version from 1.2.6-S1 to 1.2.7.

For crux we use parser of " ipsec statusall {peer}"
Output if IKE established and esp SA not installed

[email protected]:~$ sudo ipsec statusall peer-192.0.2.1-tunnel-vti | grep Connections -A 50
Connections:
peer-192.0.2.1-tunnel-vti:  192.0.2.2...192.0.2.1  IKEv1
peer-192.0.2.1-tunnel-vti:   local:  [192.0.2.2] uses pre-shared key authentication
peer-192.0.2.1-tunnel-vti:   remote: [192.0.2.1] uses pre-shared key authentication
peer-192.0.2.1-tunnel-vti:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL
Security Associations (2 up, 0 connecting):
peer-192.0.2.1-tunnel-vti[3]: ESTABLISHED 12 minutes ago, 192.0.2.2[192.0.2.2]...192.0.2.1[192.0.2.1]
peer-192.0.2.1-tunnel-vti[3]: IKEv1 SPIs: 0ab8c2ee5815350e_i 271fba46aab245da_r*, pre-shared key reauthentication in 29 minutes
peer-192.0.2.1-tunnel-vti[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

Output if IKE established and esp SA is installed

[email protected]:~$ sudo ipsec statusall peer-203.0.113.1-tunnel-vti | grep Connections -A 50
Connections:
peer-203.0.113.1-tunnel-vti:  203.0.113.2...203.0.113.1  IKEv1
peer-203.0.113.1-tunnel-vti:   local:  [203.0.113.2] uses pre-shared key authentication
peer-203.0.113.1-tunnel-vti:   remote: [203.0.113.1] uses pre-shared key authentication
peer-203.0.113.1-tunnel-vti:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL
Security Associations (2 up, 0 connecting):
peer-203.0.113.1-tunnel-vti[4]: ESTABLISHED 13 minutes ago, 203.0.113.2[203.0.113.2]...203.0.113.1[203.0.113.1]
peer-203.0.113.1-tunnel-vti[4]: IKEv1 SPIs: fb693e19705fabcd_i* 4bd11cb911e81fe8_r, pre-shared key reauthentication in 34 minutes
peer-203.0.113.1-tunnel-vti[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-203.0.113.1-tunnel-vti{5}:  REKEYED, TUNNEL, reqid 1, expires in 12 minutes
peer-203.0.113.1-tunnel-vti{5}:   0.0.0.0/0 === 0.0.0.0/0
peer-203.0.113.1-tunnel-vti{6}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cba6651d_i c95ed0b0_o
peer-203.0.113.1-tunnel-vti{6}:  AES_CBC_256/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 6 minutes
peer-203.0.113.1-tunnel-vti{6}:   0.0.0.0/0 === 0.0.0.0/0

As we check only IKE ESTABLISHED status, it shows that tunnel in up state even if ESP settings are different

PR for crux https://github.com/vyos/vyos-1x/pull/824