
op-mode IPSec show vpn ike sa always shows L-TIME 0
Closed, Resolved | Public | BUG

Description

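IKE configuration in use when the issue was observed. Note that IKEv1, DH group 2 (MODP_1024) and SHA-1 are legacy choices; this report concerns only the L-Time column, not the proposal itself: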

set vpn ipsec ike-group IKE-GRP-VTI ikev2-reauth 'no'
set vpn ipsec ike-group IKE-GRP-VTI key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GRP-VTI lifetime '3600'
set vpn ipsec ike-group IKE-GRP-VTI proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-GRP-VTI proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP-VTI proposal 1 hash 'sha1'

Output

vyos@r1-roll:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
192.0.2.1 192.0.2.1                     192.0.2.2 192.0.2.2                    

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     607     0

Expected: L-Time 3600 (the lifetime configured on the IKE group)

Details

Difficulty level
Easy (less than an hour)
Version
VyOS 1.4-rolling-202107280117
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Unspecified (please specify)

Event Timeline

LEFT router configuration

set interfaces dummy dum0 address '10.0.11.1/24'
set interfaces ethernet eth0 address '172.18.201.10/24'


set protocols static route 10.0.12.0/24 next-hop 172.18.201.254
set protocols static route 172.18.202.0/24 next-hop 172.18.201.254

set system host-name 'LEFT-R'

set vpn ipsec authentication psk OFFICE-B id '172.18.201.10'
set vpn ipsec authentication psk OFFICE-B id '172.18.202.10'
set vpn ipsec authentication psk OFFICE-B secret 'SomePreSharedKey'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-B local-address '172.18.201.10'
set vpn ipsec site-to-site peer OFFICE-B remote-address '172.18.202.10'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '10.0.11.0/24'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.12.0/24'

RIGHT router configuration

set interfaces dummy dum0 address '10.0.12.1/24'
set interfaces ethernet eth0 address '172.18.202.10/24'

set protocols static route 10.0.11.0/24 next-hop 172.18.202.254
set protocols static route 172.18.201.0/24 next-hop 172.18.202.254

set system host-name 'RIGHT-R'

set vpn ipsec authentication psk OFFICE-A id '172.18.202.10'
set vpn ipsec authentication psk OFFICE-A id '172.18.201.10'
set vpn ipsec authentication psk OFFICE-A secret 'SomePreSharedKey'
set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10'
set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10'
set vpn ipsec site-to-site peer OFFICE-A ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-A local-address '172.18.202.10'
set vpn ipsec site-to-site peer OFFICE-A remote-address '172.18.201.10'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 local prefix '10.0.12.0/24'
set vpn ipsec site-to-site peer OFFICE-A tunnel 0 remote prefix '10.0.11.0/24'

Outputs:

vyos@LEFT-R:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
172.18.202.10 172.18.202.10             172.18.201.10 172.18.201.10

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     3169    0
vyos@RIGHT-R:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
172.18.201.10 172.18.201.10             172.18.202.10 172.18.202.10

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     2614    0
vyos@RIGHT-R:~$ show version
Version:          VyOS 1.4-rolling-202310030309

Behaviour is the same as in VyOS 1.4-rolling-202107280117

dmbaturin set Issue type to Unspecified (please specify).
a.apostoliuk changed the task status from Open to Needs testing. Feb 19 2024, 8:25 AM
a.apostoliuk closed this task as Resolved.
a.apostoliuk moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-epa1) board.
a.apostoliuk moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.