
IPSec 1.4 : "show vpn ike sa" does not show the correct default ike version
Open, Requires assessment | Public | BUG

Description

How to reproduce the issue:

Version: 1.4-rolling-202106271939

Basic Configuration:

Left:

set vpn ipsec esp-group espA proposal 1 encryption 'aes256'
set vpn ipsec esp-group espA proposal 1 hash 'sha1'
set vpn ipsec ike-group ikeA proposal 1 encryption 'aes256'
set vpn ipsec ike-group ikeA proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 22.22.22.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 22.22.22.2 authentication pre-shared-secret 'vyos'
set vpn ipsec site-to-site peer 22.22.22.2 ike-group 'ikeA'
set vpn ipsec site-to-site peer 22.22.22.2 local-address '22.22.22.1'
set vpn ipsec site-to-site peer 22.22.22.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 22.22.22.2 vti esp-group 'espA'

Right:

set vpn ipsec esp-group espA proposal 1 encryption 'aes256'
set vpn ipsec esp-group espA proposal 1 hash 'sha1'
set vpn ipsec ike-group ikeA proposal 1 encryption 'aes256'
set vpn ipsec ike-group ikeA proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 22.22.22.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 22.22.22.1 authentication pre-shared-secret 'vyos'
set vpn ipsec site-to-site peer 22.22.22.1 connection-type 'respond'
set vpn ipsec site-to-site peer 22.22.22.1 ike-group 'ikeA'
set vpn ipsec site-to-site peer 22.22.22.1 local-address '22.22.22.2'
set vpn ipsec site-to-site peer 22.22.22.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 22.22.22.1 vti esp-group 'espA'

After I add the key-exchange parameter explicitly, it shows the IKEv1 version.

vyos@vyos# set vpn ipsec ike-group ikeA key-exchange
Possible completions:
   ikev1        Use IKEv1 for Key Exchange [DEFAULT]
   ikev2        Use IKEv2 for Key Exchange
[edit]
vyos@vyos# set vpn ipsec ike-group ikeA key-exchange ikev1
[edit]
vyos@vyos# compare
[edit vpn ipsec ike-group ikeA]
+key-exchange ikev1
[edit]
vyos@vyos# commit
[ vpn ipsec ]
loaded ike secret 'ike_22-22-22-2'
loaded connection 'peer_22-22-22-2'
successfully loaded 1 connections, 0 unloaded

[edit]
vyos@vyos# run sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
22.22.22.2 22.22.22.2                   22.22.22.1 22.22.22.1

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     33      0

But after the commit, "show vpn ipsec sa" shows the connection as down.

vyos@vyos# run sh vpn ipsec sa
Connection           State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
peer_22-22-22-2_vti  down     N/A       N/A             N/A               N/A               N/A          N/A
[edit]
vyos@vyos# run sh vpn ipsec status
IPSec Process Running: 1450
Security Associations (1 up, 0 connecting):
peer_22-22-22-2[2]: ESTABLISHED 27 minutes ago, 22.22.22.1[22.22.22.1]...22.22.22.2[22.22.22.2]

vyos@vyos# sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.1, Linux 5.10.46-amd64-vyos, x86_64):
  uptime: 32 minutes, since Jun 28 10:49:03 2021
  malloc: sbrk 1994752, mmap 0, used 1105824, free 888928
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-radius eap-tls eap-ttls eap-tnc xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  22.22.22.1
Connections:
peer_22-22-22-2:  22.22.22.1...22.22.22.2  IKEv1
peer_22-22-22-2:   local:  uses pre-shared key authentication
peer_22-22-22-2:   remote: uses pre-shared key authentication
peer_22-22-22-2_vti:   child:  0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0 TUNNEL
Security Associations (1 up, 0 connecting):
peer_22-22-22-2[2]: ESTABLISHED 27 minutes ago, 22.22.22.1[22.22.22.1]...22.22.22.2[22.22.22.2]
peer_22-22-22-2[2]: IKEv1 SPIs: e248d94d25bb952f_i* 07cfcc3cbff29312_r, rekeying in 3 hours
peer_22-22-22-2[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

There is no config in this location; I am not sure whether the file has been changed:

vyos@vyos# sudo cat /etc/ipsec.conf
# Created by VyOS - manual changes will be overwritten

config setup
    charondebug = ""
    uniqueids = yes

NOTE: In previous versions, the default values are shown in the running configuration after the vpn settings are applied.

Details

Difficulty level
Unknown (require assessment)
Version
vyos 1.4-rolling-202106271939
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

I have tried one more scenario:

Initially, I set up R1 and R2 with version 1.2.7, then upgraded R1 first to the latest 1.4 rolling version and then the R2 server. As R2 is configured with the respond connection type, the VPN connection did not come up immediately.
In 1.2.7 or older 1.4 versions, if I restart the VPN service or reboot R1 (the initiator), the VPN connection goes back to normal, but here the IPsec connection is not working.
Configuration:
R1: (connection-type initiate)

set vpn ipsec esp-group espA compression 'disable'
set vpn ipsec esp-group espA lifetime '3600'
set vpn ipsec esp-group espA mode 'tunnel'
set vpn ipsec esp-group espA pfs 'enable'
set vpn ipsec esp-group espA proposal 1 encryption 'aes256'
set vpn ipsec esp-group espA proposal 1 hash 'sha1'
set vpn ipsec ike-group ikeA close-action 'none'
set vpn ipsec ike-group ikeA ikev2-reauth 'no'
set vpn ipsec ike-group ikeA key-exchange 'ikev1'
set vpn ipsec ike-group ikeA lifetime '28800'
set vpn ipsec ike-group ikeA proposal 1 dh-group '2'
set vpn ipsec ike-group ikeA proposal 1 encryption 'aes256'
set vpn ipsec ike-group ikeA proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.30.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.30.0.2 authentication pre-shared-secret 'vyo'
set vpn ipsec site-to-site peer 10.30.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.30.0.2 ike-group 'ikeA'
set vpn ipsec site-to-site peer 10.30.0.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.30.0.2 local-address '10.30.0.1'
set vpn ipsec site-to-site peer 10.30.0.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.30.0.2 vti esp-group 'espA'

R2: (connection-type respond)

set vpn ipsec esp-group espA compression 'disable'
set vpn ipsec esp-group espA lifetime '3600'
set vpn ipsec esp-group espA mode 'tunnel'
set vpn ipsec esp-group espA pfs 'enable'
set vpn ipsec esp-group espA proposal 1 encryption 'aes256'
set vpn ipsec esp-group espA proposal 1 hash 'sha1'
set vpn ipsec ike-group ikeA close-action 'none'
set vpn ipsec ike-group ikeA ikev2-reauth 'no'
set vpn ipsec ike-group ikeA key-exchange 'ikev1'
set vpn ipsec ike-group ikeA lifetime '28800'
set vpn ipsec ike-group ikeA proposal 1 dh-group '2'
set vpn ipsec ike-group ikeA proposal 1 encryption 'aes256'
set vpn ipsec ike-group ikeA proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.30.0.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.30.0.1 authentication pre-shared-secret 'vyo'
set vpn ipsec site-to-site peer 10.30.0.1 connection-type 'respond'
set vpn ipsec site-to-site peer 10.30.0.1 ike-group 'ikeA'
set vpn ipsec site-to-site peer 10.30.0.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.30.0.1 local-address '10.30.0.2'
set vpn ipsec site-to-site peer 10.30.0.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.30.0.1 vti esp-group 'espA'

Output:

R1:

vyos@vyos:~$ sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             10.30.0.1/30                      u/u
eth1             192.168.255.217/24                u/u
eth2             -                                 u/u
eth3             -                                 u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
vti0             172.16.0.1/30                     u/u
vyos@vyos:~$ sh vpn ike sa
vyos@vyos:~$ restart vpn
Stopping strongSwan IPsec...
Starting strongSwan 5.9.1 IPsec [starter]...
vyos@vyos:~$ sh vpn ike sa
vyos@vyos:~$ sh vpn ipsec sa
An error occured: name 'conn' is not defined

After reboot:

vyos@vyos:~$ sh vpn ipsec sa
Connection           State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
peer_10-30-0-2_vti   down     N/A       N/A             N/A               N/A               N/A          N/A
vyos@vyos:~$ sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.30.0.2 10.30.0.2                     10.30.0.1 10.30.0.1

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     60      0

After attempting reset vpn command:

vyos@vyos:~$ reset vpn ipsec-peer 10.30.0.2
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 26, in <module>
    from Crypto.PublicKey.RSA import importKey
ModuleNotFoundError: No module named 'Crypto'

vyos@vyos:~$ sh vpn ipsec sa
An error occured: name 'conn' is not defined

R2:

vyos@vyos:~$ sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             10.30.0.2/30                      u/u
eth1             -                                 u/u
eth2             -                                 u/u
eth3             -                                 u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
vti0             172.16.0.2/30                     A/D

vyos@vyos:~$ sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.30.0.1 10.30.0.1                     10.30.0.2 10.30.0.2

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     44      0

vyos@vyos:~$ sh vpn ipsec sa
Connection           State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------

Works properly when both sides are configured with initiate as the connection type.

Should be resolved in PR: https://github.com/vyos/vyos-1x/pull/903

The default IKE version behaviour has changed, however, in strongSwan and swanctl. We set the default IKE version to 0 now, which allows the connection to be IKEv1 or IKEv2.
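To make the "version 0" point concrete, here is an added swanctl.conf fragment for the first reproduction in this ticket. It is an illustration written for this page, not the file VyOS generates and not anything from the PR above. With `version = 0` (strongSwan's own default) charon initiates IKEv2 but accepts either IKEv1 or IKEv2 when responding, which is why a peer configured with connection-type respond ends up speaking whatever the initiator sends; `version = 1` reproduces the pre-1.4 VyOS behaviour, and `version = 2` pins IKEv2 in both directions. The addresses, connection names and PSK mirror the ticket; the proposal strings, the child's traffic selectors and the omission of the VTI mark/interface binding are assumptions.

```conf
# Added example for this ticket, not VyOS-generated configuration.
# Names and addresses follow the "Left" router in the description;
# proposal strings are assumed from ike-group ikeA / esp-group espA.
connections {
    peer_22-22-22-2 {
        # Choose exactly one of the following:
        #   version = 0   strongSwan default: initiate IKEv2, accept IKEv1 or IKEv2
        #                 as responder (the behaviour the ticket describes)
        #   version = 1   pin IKEv1, i.e. what the VyOS CLI help calls [DEFAULT]
        #   version = 2   pin IKEv2 and reject IKEv1 from the remote initiator
        version = 2

        local_addrs  = 22.22.22.1
        remote_addrs = 22.22.22.2

        # Assumed: aes256/sha1 from ikeA, MODP_1024 as shown in "show vpn ike sa"
        proposals = aes256-sha1-modp1024

        local {
            auth = psk
            id   = 22.22.22.1
        }
        remote {
            auth = psk
            id   = 22.22.22.2
        }

        children {
            peer_22-22-22-2_vti {
                # Assumed: the 0.0.0.0/0 ::/0 selectors that "ipsec statusall"
                # printed for the VTI child. The mark / interface binding VyOS
                # adds for vti0 is deliberately left out of this illustration.
                local_ts  = 0.0.0.0/0,::/0
                remote_ts = 0.0.0.0/0,::/0
                mode = tunnel
                # Assumed: espA aes256/sha1 with PFS group 2
                esp_proposals = aes256-sha1-modp1024
                start_action  = start
            }
        }
    }
}

secrets {
    # PSK from the ticket's reproduction; change before any real use.
    ike-22-22-22-2 {
        id     = 22.22.22.2
        secret = "vyos"
    }
}
```

After loading this (in VyOS 1.4 the live copy lives under the /etc/swanctl directory that the restart output above references), `sudo swanctl --list-conns` should print the negotiated family next to the connection, so a practitioner can confirm whether the peer is pinned to one IKE version or left at the "either" default regardless of what the CLI completion help claims.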

@sdev , Thank you. I will test and confirm, once the new rolling version is released.

@sdev It still shows IKEv2 as the default version in the output.
I agree with your point that strongswan has changed the default version. A quote from their documentation: "Since 5.0.0 both protocols are handled by Charon and connections marked with ike will use IKEv2 when initiating, but accept any protocol version when responding."

vyos@vyos# run restart vpn
Stopping strongSwan IPsec...
Starting strongSwan 5.9.1 IPsec [starter]...
opening directory '/etc/swanctl/x509ocsp' failed: No such file or directory
opening directory '/etc/swanctl/x509aa' failed: No such file or directory
opening directory '/etc/swanctl/x509ac' failed: No such file or directory
opening directory '/etc/swanctl/rsa' failed: No such file or directory
opening directory '/etc/swanctl/ecdsa' failed: No such file or directory
opening directory '/etc/swanctl/bliss' failed: No such file or directory
opening directory '/etc/swanctl/pkcs8' failed: No such file or directory
opening directory '/etc/swanctl/pkcs12' failed: No such file or directory
loaded ike secret 'ike_10-30-0-1'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'peer_10-30-0-1'
successfully loaded 1 connections, 0 unloaded

My only thought is that, as the default setup has been changed, the following suggestion should no longer be reflected:

vyos@vyos# set vpn ipsec ike-group ikeA key-exchange
Possible completions:
   ikev1        Use IKEv1 for Key Exchange [DEFAULT]
   ikev2        Use IKEv2 for Key Exchange