
Wrong behavior of the "reset vpn ipsec-peer XXX tunnel XXX" command
Open, Requires assessment | Public | BUG

Description

The CLI command reset vpn ipsec-peer XXX tunnel XXX internally turns into:

ipsec down XXX
ipsec up XXX

https://github.com/vyos/vyatta-op-vpn/blob/6f591c7b909cac87e1914fa644b3f3f3bd7ed763/scripts/vyatta-vpn-op.pl#L50-L53

This is wrong. According to the CLI description, it should "Reset a specific tunnel for given peer", but it actually tries to reset the IKE session, which may even drop other tunnels between the peers.

Most likely, the proper syntax should be:

ipsec down XXX{*}
ipsec up XXX

The first command closes all the CHILD_SA instances of the connection name, and the second reestablishes the tunnel.

Details

Difficulty level
Normal (likely a few hours)
Version
1.4-rolling-202102060218, 1.3, 1.2.6-S1
Why did the issue appear?
Will be filled on close
Is it a breaking change?
Perfectly compatible

Event Timeline

I believe this is the behavior in 1.2.6 as well?
And I think it's not even possible to reset one peer?
So, reset vpn ipsec-peer XXX is broken
as well as reset vpn ipsec-peer XXX tunnel YYY

I can confirm it is broken for

reset vpn ipsec-peer XXX

too when you run policy-based VPNs.
Peer reset log:

Feb 19 11:21:29 adm-fw3-p sudo[3729]: vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/usr/sbin/ipsec down peer-x.x.92.1-tunnel-1
Feb 19 11:21:29 adm-fw3-p sudo[3735]: vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/usr/sbin/ipsec up peer-x.x.92.1-tunnel-1
Feb 19 11:21:29 adm-fw3-p sudo[3740]: vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/usr/sbin/ipsec down peer-x.x.92.1-tunnel-2
Feb 19 11:21:29 adm-fw3-p sudo[3745]: vyos : TTY=pts/0 ; PWD=/home/vyos ; USER=root ; COMMAND=/usr/sbin/ipsec up peer-x.x.92.1-tunnel-2

The peer reset should probably first reset the IKE connection name, something like

ipsec down XXXi

and then iterate through all the defined tunnels:

ipsec down XXXn{*}

XXXi = connection name for IKE SA
XXXn = connection name for CHILD SAs

Note:
If you delete tunnel 1 in a policy-based VPN, the connection name for the IKE tunnel will no longer be tunnel-1, but tunnel-2.

Happy to see a fix in 1.2.x.
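The two corrected sequences discussed on this page, the per-tunnel reset from the description (down the CHILD_SAs with "{*}", then up) and the peer reset proposed in the comment above (down the IKE connection name, then walk the tunnels), as an added shell example. This is not code from the VyOS vyatta-vpn-op.pl script; it assumes connection names of the form peer-<peer>-tunnel-<n> as in the log lines above, that the IKE_SA carries the name of the first configured tunnel (per the note about deleting tunnel 1), and an IPSEC variable pointing at the ipsec binary, which can be set to echo to print the sequence without touching the daemon.

```shell
#!/bin/sh
# Added example, not code from the VyOS vyatta-vpn-op.pl script: emits the
# strongSwan "ipsec" command sequence a corrected reset would issue.
# Assumptions: connection names follow peer-<peer>-tunnel-<n> as in the log
# lines above, the IKE_SA carries the name of the first configured tunnel,
# and IPSEC points at the ipsec binary (set IPSEC=echo for a dry run).
IPSEC="${IPSEC:-/usr/sbin/ipsec}"

conn_name() {
    printf 'peer-%s-tunnel-%s\n' "$1" "$2"
}

# Tunnel reset: tear down only this connection's CHILD_SAs ("{*}") so an IKE_SA
# shared with the peer's other tunnels survives, then negotiate the tunnel again.
# The braces are inside double quotes; unquoted, the shell would treat "{*}" as
# a glob pattern.
reset_tunnel() {
    name=$(conn_name "$1" "$2")
    "$IPSEC" down "${name}{*}" && "$IPSEC" up "$name"
}

# Peer reset, following the sequence proposed above: drop the IKE_SA first
# (named after the first tunnel listed), then walk every tunnel.
# Usage: reset_peer <peer> <n> [<n> ...], first configured tunnel first.
reset_peer() {
    peer=$1
    shift
    [ $# -ge 1 ] || return 2
    "$IPSEC" down "$(conn_name "$peer" "$1")" || return 1
    for n in "$@"; do
        # With the IKE_SA already gone this normally finds no CHILD_SA; the
        # status is ignored so a "nothing found" reply does not stop the loop.
        "$IPSEC" down "$(conn_name "$peer" "$n"){*}" || true
        "$IPSEC" up "$(conn_name "$peer" "$n")" || return 1
    done
}

# Command-line entry point; with no arguments nothing is executed.
#   IPSEC=echo sh reset-ipsec.sh tunnel 192.0.2.1 1      (dry run)
#   sh reset-ipsec.sh peer 192.0.2.1 1 2
case "${1:-}" in
    tunnel) shift; reset_tunnel "$@" ;;
    peer)   shift; reset_peer "$@" ;;
esac
```

Run it with IPSEC=echo first and compare the printed sequence against the sudo log lines above: the difference is exactly the "{*}" selector on the down commands, which is what keeps a shared IKE_SA from being torn down when only one tunnel is being reset.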