Introduction:
IPsec SA/CHILD_SA is not established when a route-based VPN is configured.
How to reproduce the issue:
- Install two VyOS devices with version 1.4-rolling-202110240217
- Configure one peer with connection-type "initiate" and the other with connection-type "respond"
Initiator:
set interfaces vti vti0 address '192.168.0.2/30'
set protocols static route 172.16.0.0/24 interface vti0
set vpn ipsec esp-group esp1 compression 'disable'
set vpn ipsec esp-group esp1 lifetime '27000'
set vpn ipsec esp-group esp1 mode 'tunnel'
set vpn ipsec esp-group esp1 pfs 'disable'
set vpn ipsec esp-group esp1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group esp1 proposal 1 hash 'sha1'
set vpn ipsec ike-group ike1 close-action 'none'
set vpn ipsec ike-group ike1 dead-peer-detection action 'restart'
set vpn ipsec ike-group ike1 dead-peer-detection interval '2'
set vpn ipsec ike-group ike1 dead-peer-detection timeout '15'
set vpn ipsec ike-group ike1 ikev2-reauth 'no'
set vpn ipsec ike-group ike1 key-exchange 'ikev1'
set vpn ipsec ike-group ike1 lifetime '27000'
set vpn ipsec ike-group ike1 proposal 1 dh-group '2'
set vpn ipsec ike-group ike1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group ike1 proposal 1 hash 'sha1'
set vpn ipsec interface 'eth2'
set vpn ipsec site-to-site peer 10.10.0.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.10.0.1 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 10.10.0.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.10.0.1 ike-group 'ike1'
set vpn ipsec site-to-site peer 10.10.0.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.10.0.1 local-address '10.10.0.2'
set vpn ipsec site-to-site peer 10.10.0.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.10.0.1 vti esp-group 'esp1'
Responder:
set interfaces vti vti0 address '192.168.0.1/30'
set protocols static route 10.2.0.0/24 interface vti0
set vpn ipsec esp-group esp1 compression 'disable'
set vpn ipsec esp-group esp1 lifetime '27000'
set vpn ipsec esp-group esp1 mode 'tunnel'
set vpn ipsec esp-group esp1 pfs 'disable'
set vpn ipsec esp-group esp1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group esp1 proposal 1 hash 'sha1'
set vpn ipsec ike-group ike1 close-action 'none'
set vpn ipsec ike-group ike1 dead-peer-detection action 'restart'
set vpn ipsec ike-group ike1 dead-peer-detection interval '2'
set vpn ipsec ike-group ike1 dead-peer-detection timeout '15'
set vpn ipsec ike-group ike1 ikev2-reauth 'no'
set vpn ipsec ike-group ike1 key-exchange 'ikev1'
set vpn ipsec ike-group ike1 lifetime '27000'
set vpn ipsec ike-group ike1 proposal 1 dh-group '2'
set vpn ipsec ike-group ike1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group ike1 proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer 10.10.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.10.0.2 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 10.10.0.2 connection-type 'respond'
set vpn ipsec site-to-site peer 10.10.0.2 ike-group 'ike1'
set vpn ipsec site-to-site peer 10.10.0.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.10.0.2 local-address '10.10.0.1'
set vpn ipsec site-to-site peer 10.10.0.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.10.0.2 vti esp-group 'esp1'
Logs:
Status:
vyos@vyos# run sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             10.10.0.1/24                      u/u
eth1             172.16.0.1/24                     u/u
eth2             -                                 u/u
eth3             -                                 u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
vti0             192.168.0.1/30                    u/u
[edit]
vyos@vyos# run sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.10.0.2  10.10.0.2                    10.10.0.1  10.10.0.1

    State  IKEVer  Encrypt      Hash          D-H Group  NAT-T  A-Time  L-Te
    -----  ------  -------      ----          ---------  -----  ------  ----
    up     IKEv1   AES_CBC_128  HMAC_SHA1_96  MODP_1024  no     3432    0
[edit]
vyos@vyos# run sh vpn ipsec sa
Connection          State    Uptime    Bytes In/Out    Packets In/Out    Remotel
------------------  -------  --------  --------------  ----------------  -------
peer_10-10-0-2_vti  down     N/A       N/A             N/A               A
[edit]
vyos@vyos# sudo ip a
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP g0
    link/ether 50:0c:00:07:00:02 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::520c:ff:fe07:2/64 scope link
       valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP g0
    link/ether 50:0c:00:07:00:03 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::520c:ff:fe07:3/64 scope link
       valid_lft forever preferred_lft forever
6: vti0@NONE: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group de0
    link/none
    inet 192.168.0.1/30 brd 192.168.0.3 scope global vti0
       valid_lft forever preferred_lft forever
[edit]
vyos@vyos# sudo swanctl -l
peer_10-10-0-2: #1, ESTABLISHED, IKEv1, e8bc3160191055c1_i e3f01992d0d7a06b_r*
  local  '10.10.0.1' @ 10.10.0.1[500]
  remote '10.10.0.2' @ 10.10.0.2[500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 3457s ago, rekeying in 22708s
[edit]
vyos@vyos# sudo swanctl -P
peer_10-10-0-2/peer_10-10-0-2_vti, TUNNEL
  local:  0.0.0.0/0 ::/0
  remote: 0.0.0.0/0 ::/0
charon logs from the responder:
Oct 27 19:31:29 vyos charon[2720]: 05[NET] <peer_10-10-0-2|1> received packet: from 10.10.0.2[500] to 10.10.0.1[500] (60 bytes)
Oct 27 19:31:29 vyos charon[2720]: 05[ENC] <peer_10-10-0-2|1> parsed QUICK_MODE request 2738380529 [ HASH ]
Oct 27 19:31:29 vyos charon[2720]: 05[CFG] <peer_10-10-0-2|1> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 in for reqid 2, the same policy for reqid 1 exists
Oct 27 19:31:29 vyos charon[2720]: 05[CFG] <peer_10-10-0-2|1> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 fwd for reqid 2, the same policy for reqid 1 exists
Oct 27 19:31:29 vyos charon[2720]: 05[CFG] <peer_10-10-0-2|1> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 out for reqid 2, the same policy for reqid 1 exists
Oct 27 17:31:29 vyos charon[2720]: 05[IKE] <peer_10-10-0-2|1> unable to install IPsec policies (SPD) in kernel
Oct 27 17:31:29 vyos charon[2720]: 05[IKE] <peer_10-10-0-2|1> sending DELETE for ESP CHILD_SA with SPI ccb2d616
Initiator:
Oct 27 19:31:28 vyos charon[1838]: 05[NET] <peer_10-10-0-1|1> received packet: from 10.10.0.1[500] to 10.10.0.2[500] (76 bytes)
Oct 27 19:31:28 vyos charon[1838]: 05[ENC] <peer_10-10-0-1|1> parsed INFORMATIONAL_V1 request 1505458366 [ HASH D ]
Oct 27 19:31:28 vyos charon[1838]: 05[IKE] <peer_10-10-0-1|1> received DELETE for ESP CHILD_SA with SPI ca0bb8a1
Oct 27 19:31:28 vyos charon[1838]: 05[IKE] <peer_10-10-0-1|1> closing CHILD_SA peer_10-10-0-1_vti{2} with SPIs ca0bb8a1_i (0 bytes) c49ec57f_o (0 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
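The responder log is where the tunnel actually fails: charon cannot install the SPD entries for the newly negotiated CHILD_SA (reqid 2) because the kernel already holds a policy with the same 0.0.0.0/0 === 0.0.0.0/0 selectors under reqid 1, so it immediately sends a DELETE for the CHILD_SA it just agreed on. That is why the IKE_SA shows as up while the IPsec SA stays down and no traffic ever passes. The following Python script is an added example, not part of this report or of VyOS or strongSwan: it parses charon syslog lines (the sample is constructed from the responder lines quoted above) and reports such SPD collisions with the reqids involved and whether the CHILD_SA was then torn down, which is the pattern an operator would want to alert on when a route-based tunnel establishes at IKE level but never carries data.

```python
import re

# Constructed sample, modelled on the responder's charon lines quoted in this report
# (hostname and PID kept as on the page; each message on its own line).
SAMPLE_LOG = """\
Oct 27 19:31:29 vyos charon[2720]: 05[NET] <peer_10-10-0-2|1> received packet: from 10.10.0.2[500] to 10.10.0.1[500] (60 bytes)
Oct 27 19:31:29 vyos charon[2720]: 05[ENC] <peer_10-10-0-2|1> parsed QUICK_MODE request 2738380529 [ HASH ]
Oct 27 19:31:29 vyos charon[2720]: 05[CFG] <peer_10-10-0-2|1> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 in for reqid 2, the same policy for reqid 1 exists
Oct 27 19:31:29 vyos charon[2720]: 05[CFG] <peer_10-10-0-2|1> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 fwd for reqid 2, the same policy for reqid 1 exists
Oct 27 19:31:29 vyos charon[2720]: 05[CFG] <peer_10-10-0-2|1> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 out for reqid 2, the same policy for reqid 1 exists
Oct 27 19:31:29 vyos charon[2720]: 05[IKE] <peer_10-10-0-2|1> unable to install IPsec policies (SPD) in kernel
Oct 27 19:31:29 vyos charon[2720]: 05[IKE] <peer_10-10-0-2|1> sending DELETE for ESP CHILD_SA with SPI ccb2d616
"""

# One charon syslog line: "<ts> <host> charon[<pid>]: <thread>[<subsys>] <<conn>|<ike id>> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ charon\[\d+\]: "
    r"\d+\[(?P<subsys>[A-Z]+)\] <(?P<conn>[^|>]+)\|\d+> (?P<msg>.*)$"
)
# The SPD collision message: same selectors already installed under another reqid.
POLICY_RE = re.compile(
    r"unable to install policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>in|out|fwd) "
    r"for reqid (?P<new>\d+), the same policy for reqid (?P<old>\d+) exists"
)
DELETE_RE = re.compile(r"sending DELETE for ESP CHILD_SA with SPI (?P<spi>[0-9a-f]+)")


def parse_charon(log: str) -> list[dict]:
    """Split a charon syslog excerpt into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]


def find_spd_collisions(log: str) -> list[dict]:
    """One finding per connection whose CHILD_SA policies could not be installed
    because the kernel SPD already holds the same selectors under another reqid."""
    findings: dict[str, dict] = {}
    for ev in parse_charon(log):
        m = POLICY_RE.search(ev["msg"])
        if m:
            f = findings.setdefault(ev["conn"], {
                "connection": ev["conn"],
                "first_seen": ev["ts"],
                "selectors": set(),
                "directions": [],
                "new_reqid": int(m["new"]),
                "existing_reqid": int(m["old"]),
                "deleted_spi": None,
            })
            f["selectors"].add(f"{m['src']} === {m['dst']}")
            f["directions"].append(m["dir"])
            continue
        d = DELETE_RE.search(ev["msg"])
        # A DELETE on the same connection after the failed install is charon
        # tearing down the CHILD_SA it just negotiated; record the SPI it removed.
        if d and ev["conn"] in findings and findings[ev["conn"]]["deleted_spi"] is None:
            findings[ev["conn"]]["deleted_spi"] = d["spi"]
    return list(findings.values())


def report(log: str) -> list[str]:
    """Human-readable one-liner per collision, suitable for an alert body."""
    lines = []
    for f in find_spd_collisions(log):
        outcome = (f"CHILD_SA deleted (SPI {f['deleted_spi']})"
                   if f["deleted_spi"] else "no DELETE seen")
        lines.append(
            f"{f['first_seen']} {f['connection']}: reqid {f['new_reqid']} collides with "
            f"reqid {f['existing_reqid']} on {', '.join(sorted(f['selectors']))} "
            f"[{'/'.join(f['directions'])}]; {outcome}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against a live box with something like `journalctl -u strongswan -o short | python3 spd_collisions.py` after adapting the `__main__` block to read stdin; the finding for the sample above is a single collision on peer_10-10-0-2, reqid 2 against reqid 1, for the in/fwd/out directions, followed by the deletion of SPI ccb2d616. A healthy route-based setup produces no such finding, so any non-empty result is worth an alert rather than waiting for users to notice the dead tunnel.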
Initiator:
vyos@vyos# cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_10-10-0-1 {
        proposals = aes128-sha1-modp1024
        version = 1
        local_addrs = 10.10.0.2 # dhcp:no
        remote_addrs = 10.10.0.1
        dpd_timeout = 15
        dpd_delay = 2
        rekey_time = 27000s
        mobike = yes
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            id = "10.10.0.1"
            auth = psk
        }
        children {
            peer_10-10-0-1_vti {
                esp_proposals = aes128-sha1
                life_time = 27000s
                local_ts = 0.0.0.0/0,::/0
                remote_ts = 0.0.0.0/0,::/0
                updown = "/etc/ipsec.d/vti-up-down vti0"
                if_id_in = 1
                if_id_out = 1
                ipcomp = no
                mode = tunnel
                start_action = start
                dpd_action = start
            }
        }
    }
}

pools {
}

secrets {
    ike_10-10-0-1 {
        id-local = 10.10.0.2 # dhcp:no
        id-remote = 10.10.0.1
        secret = "secret"
    }
}
Responder:
vyos@vyos# cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_10-10-0-2 {
        proposals = aes128-sha1-modp1024
        version = 1
        local_addrs = 10.10.0.1 # dhcp:no
        remote_addrs = 10.10.0.2
        dpd_timeout = 15
        dpd_delay = 2
        rekey_time = 27000s
        mobike = yes
        keyingtries = 1
        local {
            auth = psk
        }
        remote {
            id = "10.10.0.2"
            auth = psk
        }
        children {
            peer_10-10-0-2_vti {
                esp_proposals = aes128-sha1
                life_time = 27000s
                local_ts = 0.0.0.0/0,::/0
                remote_ts = 0.0.0.0/0,::/0
                updown = "/etc/ipsec.d/vti-up-down vti0"
                if_id_in = 1
                if_id_out = 1
                ipcomp = no
                mode = tunnel
                start_action = trap
                dpd_action = start
            }
        }
    }
}

pools {
}

secrets {
    ike_10-10-0-2 {
        id-local = 10.10.0.1 # dhcp:no
        id-remote = 10.10.0.2
        secret = "secret"
    }
}
This is a fresh installation, so no previous policy was configured.
Setting the option "set vpn ipsec options disable-route-autoinstall" does not help either.