
show vpn ipsec sa doesn't show tunnels in "down" state
Closed, Resolved · Public · BUG

Description

Steps to reproduce:
Configure vpn with multiple tunnels but with incorrect (not matching) local/remote subnets.
Show sa

Config LeftSite 1.4, config RightSite 1.2.7

1.4

vyos@r1-roll:~$ show vpn ipsec sa
Connection      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
peer_192-0-2-2  down     N/A       N/A             N/A               N/A               N/A          N/A
vyos@r1-roll:~$

vyos@r1-roll:~$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.9.1 IPsec [starter]...
vyos@r1-roll:~$ 
vyos@r1-roll:~$ 
vyos@r1-roll:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
vyos@r1-roll:~$

Expected output, as in 1.2.7

vyos@r2-lts:~$ show vpn ipsec sa
Connection                State    Up    Bytes In/Out    Remote address    Remote ID    Proposal
------------------------  -------  ----  --------------  ----------------  -----------  ----------
peer-192.0.2.1-tunnel-20  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-4   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-5   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-16  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-7   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-6   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-9   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-3   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-10  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-11  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-2   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-13  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-12  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-1   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-14  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-15  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-19  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-8   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-18  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-17  down     N/A   N/A             N/A               N/A          N/A

Maybe another bug, needs clarifying.
Before ipsec restart on 1.4, show SAs

vyos@r1-roll:~$ sudo swanctl -l -P
list-sa event {
  peer_192-0-2-2 {
    uniqueid = 1
    version = 1
    state = ESTABLISHED
    local-host = 192.0.2.1
    local-port = 500
    local-id = 192.0.2.1
    remote-host = 192.0.2.2
    remote-port = 500
    remote-id = 192.0.2.2
    initiator = yes
    initiator-spi = 45f77d7342584e6b
    responder-spi = afdc10256fef76b5
    encr-alg = AES_CBC
    encr-keysize = 256
    integ-alg = HMAC_SHA1_96
    prf-alg = PRF_HMAC_SHA1
    dh-group = MODP_1024
    established = 48
    rekey-time = 13179
    child-sas {
    }
  }
}
list-sas reply {
}
vyos@r1-roll:~$

SAs after restart

vyos@r1-roll:~$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.9.1 IPsec [starter]...
vyos@r1-roll:~$ 
vyos@r1-roll:~$ sudo swanctl -l -P
list-sas reply {
}
vyos@r1-roll:~$ 
vyos@r1-roll:~$ sudo swanctl -L
vyos@r1-roll:~$

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.4-rolling-202106190417
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

Viacheslav renamed this task from show vpn ipsec sa doesn't show tunnel in "down" state to show vpn ipsec sa doesn't show tunnels in "down" state. Jun 21 2021, 8:46 PM
Viacheslav created this task.

Different format

vyos@r1-roll:~$ show vpn ipsec sa
Connection                State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
peer_192-0-2-2_tunnel_1   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_10  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_11  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_12  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_13  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_14  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_15  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_16  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_17  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_18  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_19  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_2   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_20  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_3   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_4   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_5   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_6   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_7   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_8   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_9   down     N/A       N/A             N/A               N/A               N/A          N/A
vyos@r1-roll:~$

Try to reset

vyos@r1-roll:~$ reset vpn ipsec-peer 192.0.2.2 tunnel 1
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 203, in <module>
    reset_peer(args.name, args.tunnel)
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 119, in reset_peer
    conns = get_peer_connections(peer, tunnel, return_all = (not tunnel or tunnel == 'all'))
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 105, in get_peer_connections
    with open(SWANCTL_CONF, 'r') as f:
FileNotFoundError: [Errno 2] No such file or directory: '/etc/swanctl.conf'
vyos@r1-roll:~$ 

vyos@r1-roll:~$ reset vpn ipsec-peer 192.0.2.2
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 203, in <module>
    reset_peer(args.name, args.tunnel)
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 119, in reset_peer
    conns = get_peer_connections(peer, tunnel, return_all = (not tunnel or tunnel == 'all'))
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 105, in get_peer_connections
    with open(SWANCTL_CONF, 'r') as f:
FileNotFoundError: [Errno 2] No such file or directory: '/etc/swanctl.conf'
vyos@r1-roll:~$

File swanctl

vyos@r1-roll:~$ 
vyos@r1-roll:~$ file /etc/swanctl.conf 
/etc/swanctl.conf: cannot open `/etc/swanctl.conf' (No such file or directory)
vyos@r1-roll:~$ 
vyos@r1-roll:~$ file /etc/swanctl/swanctl.conf 
/etc/swanctl/swanctl.conf: ASCII text
vyos@r1-roll:~$
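An added example (not the VyOS op-mode script and not the linked PR) of the listing logic the report expects: walk the connections declared in swanctl.conf and list every configured tunnel, marking the ones without a live CHILD_SA as down, instead of showing only what swanctl currently reports. The config text and the parsed-SA dict are constructed stand-ins; the connection and tunnel names follow the report's peer_192-0-2-2_tunnel_N scheme.

```python
# Constructed sample in swanctl.conf syntax; names follow the report's peer_192-0-2-2_tunnel_N scheme.
SWANCTL_CONF_SAMPLE = """
connections {
  peer_192-0-2-2 {
    remote_addrs = 192.0.2.2
    children {
      peer_192-0-2-2_tunnel_1 {
        local_ts = 10.0.1.0/24
      }
      peer_192-0-2-2_tunnel_2 {
        local_ts = 10.0.3.0/24
      }
    }
  }
}
"""
# Constructed stand-in for a parsed 'swanctl -l' result: the IKE SA is up but only
# tunnel_1 negotiated a CHILD_SA; the report's case is the same with child-sas empty.
LIVE_SAS = {'peer_192-0-2-2': {'remote-host': '192.0.2.2',
                               'child-sas': {'peer_192-0-2-2_tunnel_1': {}}}}

def configured_children(conf_text):
    """Map each connection in swanctl.conf text to its declared child (tunnel) names."""
    stack, conns = [], {}
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()      # ignore comments and blank lines
        if line.endswith('{'):
            name = line[:-1].strip()
            stack.append(name)
            if len(stack) == 2 and stack[0] == 'connections':
                conns.setdefault(name, [])
            elif len(stack) == 4 and stack[0] == 'connections' and stack[2] == 'children':
                conns[stack[1]].append(name)
        elif line == '}':
            stack.pop()
    return conns

def sa_table(conns, live):
    """Rows of (name, state, remote): every configured tunnel appears, 'down' if it has no CHILD_SA."""
    rows = []
    for conn, children in sorted(conns.items()):
        up = live.get(conn, {}).get('child-sas', {})
        for child in children or [conn]:          # childless connection is listed under its own name
            remote = live[conn].get('remote-host', 'N/A') if child in up else 'N/A'
            rows.append((child, 'up' if child in up else 'down', remote))
    return rows
```

With an empty live-SA set (the state after the restart shown above) every configured tunnel is still listed, each as down, which is the 1.2.7 behaviour the report expects.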
syncer changed the task status from Open to In progress. Oct 17 2021, 3:00 PM
syncer triaged this task as Normal priority.

PR for 1.3: https://github.com/vyos/vyos-1x/pull/1052

vyos@r4-epa2:~$ show vpn ipsec sa
Connection                  State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------------------  -------  --------  --------------  ----------------  ----------------  -----------  --------------
peer-100.64.0.1-tunnel-vti  up       26m18s    0B/0B           0/0               100.64.0.1        N/A          AES_GCM_16_256
peer-192.0.2.2-tunnel-1     down     N/A       N/A             N/A               N/A               N/A          N/A
peer-192.0.2.2-tunnel-2     down     N/A       N/A             N/A               N/A               N/A          N/A
peer-192.0.2.2-tunnel-3     down     N/A       N/A             N/A               N/A               N/A          N/A
vyos@r4-epa2:~$