
"show vpn ipsec sa" shows established time of parent SA not child SA's
Closed, Resolved | Public | BUG

Description

The op-mode command "show vpn ipsec sa" shows the established time from the parent SA.
Expected: the time from the child SA.

vyos@r4-epa2:~$ show vpn ipsec sa
Connection               State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-----------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
peer-192.0.2.2-tunnel-0  up       3m11s     0B/0B           0/0               192.0.2.2         N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-192.0.2.2-tunnel-1  up       3m11s     0B/0B           0/0               192.0.2.2         N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-192.0.2.2-tunnel-2  up       3m11s     0B/0B           0/0               192.0.2.2         N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
vyos@r4-epa2:~$ 
vyos@r4-epa2:~$ 
vyos@r4-epa2:~$ reset vpn ipsec-peer 192.0.2.2 tunnel 2
Resetting tunnel 2 with peer 192.0.2.2...
vyos@r4-epa2:~$ 
vyos@r4-epa2:~$ show vpn ipsec sa
Connection               State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-----------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
peer-192.0.2.2-tunnel-0  up       3m27s     0B/0B           0/0               192.0.2.2         N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-192.0.2.2-tunnel-1  up       3m27s     0B/0B           0/0               192.0.2.2         N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-192.0.2.2-tunnel-2  up       3m27s     0B/0B           0/0               192.0.2.2         N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024

Check swanctl:

vyos@r4-epa2:~$ sudo swanctl -l
peer-192.0.2.2-tunnel-0: #1, ESTABLISHED, IKEv1, fa77b2204b9f7ea4_i* b1e373702370e3fc_r
  local  '192.0.2.1' @ 192.0.2.1[500]
  remote '192.0.2.2' @ 192.0.2.2[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 212s ago, reauth in 2348s
...
...
  peer-192.0.2.2-tunnel-2: #5, reqid 3, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 8s ago, rekeying in 860s, expires in 1792s
    in  c60e0588,      0 bytes,     0 packets
    out cc251e07,      0 bytes,     0 packets
    local  10.1.3.0/24
    remote 10.2.3.0/24

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.3.0-epa2, VyOS 1.2.8
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)
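The difference the report describes can be read straight from the swanctl listing. The following is an added example, not part of the original report and not VyOS code: it parses `swanctl -l` text and pairs each child SA's "installed" age with the parent IKE SA's "established" age. The function names, the regular expressions and the sample text (including the tunnel-0 child entry standing in for the elided lines) are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the `swanctl -l` output in the report; the
# lines elided there ("...") are replaced by a made-up tunnel-0 child entry.
SAMPLE = """\
peer-192.0.2.2-tunnel-0: #1, ESTABLISHED, IKEv1, fa77b2204b9f7ea4_i* b1e373702370e3fc_r
  local  '192.0.2.1' @ 192.0.2.1[500]
  remote '192.0.2.2' @ 192.0.2.2[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 212s ago, reauth in 2348s
  peer-192.0.2.2-tunnel-0: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 212s ago, rekeying in 650s, expires in 1588s
  peer-192.0.2.2-tunnel-2: #5, reqid 3, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 8s ago, rekeying in 860s, expires in 1792s
"""

IKE_RE = re.compile(r"^(\S+): #\d+, (\w+), IKEv[12]")        # unindented IKE SA header
CHILD_RE = re.compile(r"^\s+(\S+): #\d+, reqid \d+, (\w+),")  # indented child SA header
AGE_RE = re.compile(r"^\s+(established|installed) (\d+)s ago")


def child_uptimes(text):
    """Return {child_name: (child_age_s, parent_age_s)} from swanctl -l text."""
    result, parent_age, child = {}, None, None
    for line in text.splitlines():
        if IKE_RE.match(line):              # new IKE SA: reset parent context
            parent_age, child = None, None
        elif (m := CHILD_RE.match(line)):   # remember which child the next age belongs to
            child = m.group(1)
        elif (m := AGE_RE.match(line)):
            kind, age = m.group(1), int(m.group(2))
            if kind == "established":       # age of the parent IKE SA
                parent_age = age
            elif child is not None:         # "installed": age of the child SA
                result[child] = (age, parent_age)
                child = None
    return result


def mismatched(text):
    """Children whose own age differs from the parent IKE SA's age."""
    return sorted(n for n, (c, p) in child_uptimes(text).items() if c != p)


if __name__ == "__main__":
    for name, (child, parent) in child_uptimes(SAMPLE).items():
        print(f"{name}: child SA up {child}s, parent IKE SA up {parent}s")
```

For tunnel 2, which was reset in the session above, the child age is 8s while the parent age is 212s, so an Uptime column built from the parent value hides the reset.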