Page MenuHomeVyOS Platform

show vpn ipsec sa doesn't show tunnels in "down" state
In progress, NormalPublicBUG

Description

Step to reproduce:
Configure vpn with multiple tunnels but with incorrect (not matching) local/remote subnets.
Show sa

Config LeftSite 1.4, config RighSite 1.2.7


1.4

vyos@r1-roll:~$ show vpn ipsec sa
Connection      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
peer_192-0-2-2  down     N/A       N/A             N/A               N/A               N/A          N/A
vyos@r1-roll:~$

vyos@r1-roll:~$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.9.1 IPsec [starter]...
vyos@r1-roll:~$ 
vyos@r1-roll:~$ 
vyos@r1-roll:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
vyos@r1-roll:~$

Expected output, as in 1.2.7

vyos@r2-lts:~$ show vpn ipsec sa
Connection                State    Up    Bytes In/Out    Remote address    Remote ID    Proposal
------------------------  -------  ----  --------------  ----------------  -----------  ----------
peer-192.0.2.1-tunnel-20  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-4   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-5   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-16  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-7   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-6   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-9   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-3   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-10  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-11  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-2   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-13  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-12  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-1   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-14  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-15  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-19  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-8   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-18  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-17  down     N/A   N/A             N/A               N/A          N/A

Maybe another bug, needs to clarify.
Before ipsec restart 1.4, show sa's

vyos@r1-roll:~$ sudo swanctl -l -P
list-sa event {
  peer_192-0-2-2 {
    uniqueid = 1
    version = 1
    state = ESTABLISHED
    local-host = 192.0.2.1
    local-port = 500
    local-id = 192.0.2.1
    remote-host = 192.0.2.2
    remote-port = 500
    remote-id = 192.0.2.2
    initiator = yes
    initiator-spi = 45f77d7342584e6b
    responder-spi = afdc10256fef76b5
    encr-alg = AES_CBC
    encr-keysize = 256
    integ-alg = HMAC_SHA1_96
    prf-alg = PRF_HMAC_SHA1
    dh-group = MODP_1024
    established = 48
    rekey-time = 13179
    child-sas {
    }
  }
}
list-sas reply {
}
vyos@r1-roll:~$

SA's after restart

vyos@r1-roll:~$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.9.1 IPsec [starter]...
vyos@r1-roll:~$ 
vyos@r1-roll:~$ sudo swanctl -l -P
list-sas reply {
}
vyos@r1-roll:~$ 
vyos@r1-roll:~$ sudo swanctl -L
vyos@r1-roll:~$

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.4-rolling-202106190417
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

Viacheslav renamed this task from show vpn ipsec sa doesn't show tunnel in "down" state to show vpn ipsec sa doesn't show tunnels in "down" state.Jun 21 2021, 8:46 PM
Viacheslav created this task.

Different format

vyos@r1-roll:~$ show vpn ipsec sa
Connection                State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
peer_192-0-2-2_tunnel_1   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_10  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_11  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_12  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_13  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_14  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_15  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_16  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_17  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_18  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_19  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_2   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_20  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_3   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_4   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_5   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_6   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_7   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_8   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_9   down     N/A       N/A             N/A               N/A               N/A          N/A
vyos@r1-roll:~$

Try to reset

vyos@r1-roll:~$ reset vpn ipsec-peer 192.0.2.2 tunnel 1
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 203, in <module>
    reset_peer(args.name, args.tunnel)
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 119, in reset_peer
    conns = get_peer_connections(peer, tunnel, return_all = (not tunnel or tunnel == 'all'))
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 105, in get_peer_connections
    with open(SWANCTL_CONF, 'r') as f:
FileNotFoundError: [Errno 2] No such file or directory: '/etc/swanctl.conf'
vyos@r1-roll:~$ 

vyos@r1-roll:~$ reset vpn ipsec-peer 192.0.2.2
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 203, in <module>
    reset_peer(args.name, args.tunnel)
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 119, in reset_peer
    conns = get_peer_connections(peer, tunnel, return_all = (not tunnel or tunnel == 'all'))
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 105, in get_peer_connections
    with open(SWANCTL_CONF, 'r') as f:
FileNotFoundError: [Errno 2] No such file or directory: '/etc/swanctl.conf'
vyos@r1-roll:~$

File swanctl

vyos@r1-roll:~$ 
vyos@r1-roll:~$ file /etc/swanctl.conf 
/etc/swanctl.conf: cannot open `/etc/swanctl.conf' (No such file or directory)
vyos@r1-roll:~$ 
vyos@r1-roll:~$ file /etc/swanctl/swanctl.conf 
/etc/swanctl/swanctl.conf: ASCII text
vyos@r1-roll:~$
syncer changed the task status from Open to In progress.Sun, Oct 17, 3:00 PM
syncer triaged this task as Normal priority.