Introduction:
The IPsec SA (CHILD_SA) is not established when a route-based (VTI) VPN is configured.
How to reproduce the issue:
- Install two VyOS devices with version 1.4-rolling-202110240217
- Configure one peer with connection-type 'initiate' and the other with 'respond'
Initiator:
set interfaces vti vti0 address '192.168.0.2/30'
set protocols static route 172.16.0.0/24 interface vti0
set vpn ipsec esp-group esp1 compression 'disable'
set vpn ipsec esp-group esp1 lifetime '27000'
set vpn ipsec esp-group esp1 mode 'tunnel'
set vpn ipsec esp-group esp1 pfs 'disable'
set vpn ipsec esp-group esp1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group esp1 proposal 1 hash 'sha1'
set vpn ipsec ike-group ike1 close-action 'none'
set vpn ipsec ike-group ike1 dead-peer-detection action 'restart'
set vpn ipsec ike-group ike1 dead-peer-detection interval '2'
set vpn ipsec ike-group ike1 dead-peer-detection timeout '15'
set vpn ipsec ike-group ike1 ikev2-reauth 'no'
set vpn ipsec ike-group ike1 key-exchange 'ikev1'
set vpn ipsec ike-group ike1 lifetime '27000'
set vpn ipsec ike-group ike1 proposal 1 dh-group '2'
set vpn ipsec ike-group ike1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group ike1 proposal 1 hash 'sha1'
set vpn ipsec interface 'eth2'
set vpn ipsec site-to-site peer 10.10.0.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.10.0.1 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 10.10.0.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.10.0.1 ike-group 'ike1'
set vpn ipsec site-to-site peer 10.10.0.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.10.0.1 local-address '10.10.0.2'
set vpn ipsec site-to-site peer 10.10.0.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.10.0.1 vti esp-group 'esp1'
Responder:
set interfaces vti vti0 address '192.168.0.1/30'
set protocols static route 10.2.0.0/24 interface vti0
set vpn ipsec esp-group esp1 compression 'disable'
set vpn ipsec esp-group esp1 lifetime '27000'
set vpn ipsec esp-group esp1 mode 'tunnel'
set vpn ipsec esp-group esp1 pfs 'disable'
set vpn ipsec esp-group esp1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group esp1 proposal 1 hash 'sha1'
set vpn ipsec ike-group ike1 close-action 'none'
set vpn ipsec ike-group ike1 dead-peer-detection action 'restart'
set vpn ipsec ike-group ike1 dead-peer-detection interval '2'
set vpn ipsec ike-group ike1 dead-peer-detection timeout '15'
set vpn ipsec ike-group ike1 ikev2-reauth 'no'
set vpn ipsec ike-group ike1 key-exchange 'ikev1'
set vpn ipsec ike-group ike1 lifetime '27000'
set vpn ipsec ike-group ike1 proposal 1 dh-group '2'
set vpn ipsec ike-group ike1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group ike1 proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer 10.10.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.10.0.2 authentication pre-shared-secret 'sec'
set vpn ipsec site-to-site peer 10.10.0.2 connection-type 'respond'
set vpn ipsec site-to-site peer 10.10.0.2 ike-group 'ike1'
set vpn ipsec site-to-site peer 10.10.0.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.10.0.2 local-address '10.10.0.1'
set vpn ipsec site-to-site peer 10.10.0.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.10.0.2 vti esp-group 'esp1'
Logs:
Status:
vyos@vyos# run sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 10.10.0.1/24 u/u
eth1 172.16.0.1/24 u/u
eth2 - u/u
eth3 - u/u
lo 127.0.0.1/8 u/u
::1/128
vti0 192.168.0.1/30 u/u
[edit]
vyos@vyos# run sh vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
10.10.0.2 10.10.0.2 10.10.0.1 10.10.0.1
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Te
----- ------ ------- ---- --------- ----- ------ ----
up IKEv1 AES_CBC_128 HMAC_SHA1_96 MODP_1024 no 3432 0
[edit]
vyos@vyos# run sh vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remotel
------------------ ------- -------- -------------- ---------------- -------
peer_10-10-0-2_vti down N/A N/A N/A N/A A
[edit]
vyos@vyos# sudo ip a
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP g0
link/ether 50:0c:00:07:00:02 brd ff:ff:ff:ff:ff:ff
inet6 fe80::520c:ff:fe07:2/64 scope link
valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP g0
link/ether 50:0c:00:07:00:03 brd ff:ff:ff:ff:ff:ff
inet6 fe80::520c:ff:fe07:3/64 scope link
valid_lft forever preferred_lft forever
6: vti0@NONE: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group de0
link/none
inet 192.168.0.1/30 brd 192.168.0.3 scope global vti0
valid_lft forever preferred_lft forever
[edit]
vyos@vyos# sudo swanctl -l
peer_10-10-0-2: #1, ESTABLISHED, IKEv1, e8bc3160191055c1_i e3f01992d0d7a06b_r*
local '10.10.0.1' @ 10.10.0.1[500]
remote '10.10.0.2' @ 10.10.0.2[500]
AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
established 3457s ago, rekeying in 22708s
[edit]
vyos@vyos# sudo swanctl -P
peer_10-10-0-2/peer_10-10-0-2_vti, TUNNEL
local: 0.0.0.0/0 ::/0
remote: 0.0.0.0/0 ::/0
Charon logs from the responder:
Oct 27 19:31:29 vyos charon[2720]: 05[NET] <peer_10-10-0-2|1> received packet: from 10.10.0.2[500] to 10.10.0.1[500] (60 bytes)
Oct 27 19:31:29 vyos charon[2720]: 05[ENC] <peer_10-10-0-2|1> parsed QUICK_MODE request 2738380529 [ HASH ]
Oct 27 19:31:29 vyos charon[2720]: 05[CFG] <peer_10-10-0-2|1> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 in for reqid 2, the same policy for reqid 1 exists
Oct 27 19:31:29 vyos charon[2720]: 05[CFG] <peer_10-10-0-2|1> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 fwd for reqid 2, the same policy for reqid 1 exists
Oct 27 19:31:29 vyos charon[2720]: 05[CFG] <peer_10-10-0-2|1> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 out for reqid 2, the same policy for reqid 1 exists
Oct 27 17:31:29 vyos charon[2720]: 05[IKE] <peer_10-10-0-2|1> unable to install IPsec policies (SPD) in kernel
Oct 27 17:31:29 vyos charon[2720]: 05[IKE] <peer_10-10-0-2|1> sending DELETE for ESP CHILD_SA with SPI ccb2d616
Initiator:
Oct 27 19:31:28 vyos charon[1838]: 05[NET] <peer_10-10-0-1|1> received packet: from 10.10.0.1[500] to 10.10.0.2[500] (76 bytes)
Oct 27 19:31:28 vyos charon[1838]: 05[ENC] <peer_10-10-0-1|1> parsed INFORMATIONAL_V1 request 1505458366 [ HASH D ]
Oct 27 19:31:28 vyos charon[1838]: 05[IKE] <peer_10-10-0-1|1> received DELETE for ESP CHILD_SA with SPI ca0bb8a1
Oct 27 19:31:28 vyos charon[1838]: 05[IKE] <peer_10-10-0-1|1> closing CHILD_SA peer_10-10-0-1_vti{2} with SPIs ca0bb8a1_i (0 bytes) c49ec57f_o (0 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
Initiator:
vyos@vyos# cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###
connections {
    peer_10-10-0-1 {
        proposals = aes128-sha1-modp1024
        version = 1
        local_addrs = 10.10.0.2 # dhcp:no
        remote_addrs = 10.10.0.1
        dpd_timeout = 15
        dpd_delay = 2
        rekey_time = 27000s
        mobike = yes
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            id = "10.10.0.1"
            auth = psk
        }
        children {
            peer_10-10-0-1_vti {
                esp_proposals = aes128-sha1
                life_time = 27000s
                local_ts = 0.0.0.0/0,::/0
                remote_ts = 0.0.0.0/0,::/0
                updown = "/etc/ipsec.d/vti-up-down vti0"
                if_id_in = 1
                if_id_out = 1
                ipcomp = no
                mode = tunnel
                start_action = start
                dpd_action = start
            }
        }
    }
}
pools {
}
secrets {
    ike_10-10-0-1 {
        id-local = 10.10.0.2 # dhcp:no
        id-remote = 10.10.0.1
        secret = "secret"
    }
}
Responder:
vyos@vyos# cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###
connections {
    peer_10-10-0-2 {
        proposals = aes128-sha1-modp1024
        version = 1
        local_addrs = 10.10.0.1 # dhcp:no
        remote_addrs = 10.10.0.2
        dpd_timeout = 15
        dpd_delay = 2
        rekey_time = 27000s
        mobike = yes
        keyingtries = 1
        local {
            auth = psk
        }
        remote {
            id = "10.10.0.2"
            auth = psk
        }
        children {
            peer_10-10-0-2_vti {
                esp_proposals = aes128-sha1
                life_time = 27000s
                local_ts = 0.0.0.0/0,::/0
                remote_ts = 0.0.0.0/0,::/0
                updown = "/etc/ipsec.d/vti-up-down vti0"
                if_id_in = 1
                if_id_out = 1
                ipcomp = no
                mode = tunnel
                start_action = trap
                dpd_action = start
            }
        }
    }
}
pools {
}
secrets {
    ike_10-10-0-2 {
        id-local = 10.10.0.1 # dhcp:no
        id-remote = 10.10.0.2
        secret = "secret"
    }
}
This is a fresh installation, so no previous policy was configured.
Setting the option 'vpn ipsec options disable-route-autoinstall' does not help either.
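To cross-check the two generated files above before opening a ticket, here is an added Python example (this editor's code, not VyOS's vpn_ipsec.py or anything from strongSwan): it parses swanctl's brace format into nested dicts and compares the initiator and responder sides. The embedded configs are trimmed copies of the two files above (secrets and empty sections dropped). The last check is this editor's reading of the responder log, not something the report states: under IKEv1 a Quick Mode SA carries one selector pair, so a child listing both 0.0.0.0/0 and ::/0 ends up with a trap policy covering both families under one reqid and a negotiated IPv4-only SA under another, which is consistent with the "reqid 2 ... same policy for reqid 1 exists" lines logged above.

```python
"""Cross-check the generated swanctl.conf files of an IKEv1 VTI pair.
Added example for the report above; not VyOS or strongSwan code. The two
configs are trimmed copies of the report's files (secrets dropped)."""
import ipaddress

INITIATOR_CONF = """
connections {
    peer_10-10-0-1 {
        proposals = aes128-sha1-modp1024
        version = 1
        local_addrs = 10.10.0.2 # dhcp:no
        remote_addrs = 10.10.0.1
        children {
            peer_10-10-0-1_vti {
                esp_proposals = aes128-sha1
                local_ts = 0.0.0.0/0,::/0
                remote_ts = 0.0.0.0/0,::/0
                if_id_in = 1
                if_id_out = 1
                start_action = start
            }
        }
    }
}
"""
RESPONDER_CONF = """
connections {
    peer_10-10-0-2 {
        proposals = aes128-sha1-modp1024
        version = 1
        local_addrs = 10.10.0.1 # dhcp:no
        remote_addrs = 10.10.0.2
        children {
            peer_10-10-0-2_vti {
                esp_proposals = aes128-sha1
                local_ts = 0.0.0.0/0,::/0
                remote_ts = 0.0.0.0/0,::/0
                if_id_in = 1
                if_id_out = 1
                start_action = trap
            }
        }
    }
}
"""


def parse_swanctl(text):
    """Parse swanctl's brace syntax into nested dicts. Text after '#' is treated
    as a comment, so this toy parser must not see secrets containing '#'."""
    root, stack, node = {}, [], {}
    node = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):               # open a section
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        elif line == "}":                    # close it
            node = stack.pop()
        else:                                # key = value (quotes stripped)
            key, _, value = line.partition("=")
            node[key.strip()] = value.strip().strip('"')
    return root


def only(section):
    """Each generated file holds exactly one connection and one child."""
    (name, body), = section.items()
    return name, body


def networks(ts_value):
    return {ipaddress.ip_network(ts.strip()) for ts in ts_value.split(",")}


def check_pair(init, resp):
    """Return 'code: detail' findings for an initiator/responder pair."""
    out = []
    _, ic = only(init["connections"])
    _, rc = only(resp["connections"])
    for key in ("version", "proposals"):
        if ic.get(key) != rc.get(key):
            out.append(f"ike-mismatch: {key} {ic.get(key)!r} vs {rc.get(key)!r}")
    if (ic.get("local_addrs"), ic.get("remote_addrs")) != (rc.get("remote_addrs"), rc.get("local_addrs")):
        out.append("addr-mismatch: local_addrs/remote_addrs do not cross-match")
    icn, ich = only(ic["children"])
    rcn, rch = only(rc["children"])
    if ich.get("esp_proposals") != rch.get("esp_proposals"):
        out.append(f"child-mismatch: esp_proposals {ich.get('esp_proposals')!r} vs {rch.get('esp_proposals')!r}")
    if (networks(ich["local_ts"]), networks(ich["remote_ts"])) != (networks(rch["remote_ts"]), networks(rch["local_ts"])):
        out.append("ts-mismatch: traffic selectors do not cross-match")
    for side, name, child in (("initiator", icn, ich), ("responder", rcn, rch)):
        if child.get("if_id_in") != child.get("if_id_out"):   # VTI/XFRM binding uses one id both ways
            out.append(f"vti-binding: {side} child {name} has if_id_in != if_id_out")
        families = {n.version for n in networks(child["local_ts"]) | networks(child["remote_ts"])}
        if ic.get("version") == "1" and len(families) > 1:   # editor's assumption, see lead-in
            out.append(f"ikev1-multi-family-ts: {side} child {name} mixes IPv4 and IPv6 selectors "
                       "(an IKEv1 Quick Mode SA carries one selector pair)")
    return out


if __name__ == "__main__":
    for f in check_pair(parse_swanctl(INITIATOR_CONF), parse_swanctl(RESPONDER_CONF)):
        print(f)
```

Run against the two files as shown, the only findings are the two ikev1-multi-family-ts entries; any proposal, address or selector mismatch between the peers would be reported alongside them.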
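The charon lines above carry the actual evidence, so as a second added example (again this editor's code, not part of the report and not VyOS or strongSwan code) here is a small triage script that parses such lines, pulls out the kernel policy collisions and the CHILD_SA DELETE/close events, and condenses them into one note per connection for a ticket or an alert. The sample log is constructed from the responder and initiator lines above; the regexes follow the default charon log layout shown there and nothing else.

```python
"""Triage strongSwan charon log lines for SPD policy collisions and
CHILD_SA teardown. Added example; sample lines are copied from the report."""
import re
from collections import defaultdict

# Default charon line layout: "Mon DD HH:MM:SS host charon[pid]: TT[GROUP] <conn|id> message"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon\[(?P<pid>\d+)\]: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] <(?P<conn>[^|>]+)\|(?P<ike_id>\d+)> (?P<msg>.*)$"
)
CONFLICT_RE = re.compile(
    r"unable to install policy (?P<local>\S+) === (?P<remote>\S+) (?P<dir>in|fwd|out) "
    r"for reqid (?P<reqid>\d+), the same policy for reqid (?P<existing>\d+) exists"
)
DELETE_RE = re.compile(r"(?P<action>sending|received) DELETE for ESP CHILD_SA with SPI (?P<spi>[0-9a-f]+)")
CLOSE_RE = re.compile(
    r"closing CHILD_SA (?P<child>\S+) with SPIs (?P<spi_in>[0-9a-f]+)_i \(\d+ bytes\) "
    r"(?P<spi_out>[0-9a-f]+)_o \(\d+ bytes\) and TS (?P<ts>.+)$"
)

# Constructed sample: the responder's and then the initiator's lines from the report.
SAMPLE_LOG = """
Oct 27 19:31:29 vyos charon[2720]: 05[NET] <peer_10-10-0-2|1> received packet: from 10.10.0.2[500] to 10.10.0.1[500] (60 bytes)
Oct 27 19:31:29 vyos charon[2720]: 05[ENC] <peer_10-10-0-2|1> parsed QUICK_MODE request 2738380529 [ HASH ]
Oct 27 19:31:29 vyos charon[2720]: 05[CFG] <peer_10-10-0-2|1> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 in for reqid 2, the same policy for reqid 1 exists
Oct 27 19:31:29 vyos charon[2720]: 05[CFG] <peer_10-10-0-2|1> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 fwd for reqid 2, the same policy for reqid 1 exists
Oct 27 19:31:29 vyos charon[2720]: 05[CFG] <peer_10-10-0-2|1> unable to install policy 0.0.0.0/0 === 0.0.0.0/0 out for reqid 2, the same policy for reqid 1 exists
Oct 27 17:31:29 vyos charon[2720]: 05[IKE] <peer_10-10-0-2|1> unable to install IPsec policies (SPD) in kernel
Oct 27 17:31:29 vyos charon[2720]: 05[IKE] <peer_10-10-0-2|1> sending DELETE for ESP CHILD_SA with SPI ccb2d616
Oct 27 19:31:28 vyos charon[1838]: 05[IKE] <peer_10-10-0-1|1> received DELETE for ESP CHILD_SA with SPI ca0bb8a1
Oct 27 19:31:28 vyos charon[1838]: 05[IKE] <peer_10-10-0-1|1> closing CHILD_SA peer_10-10-0-1_vti{2} with SPIs ca0bb8a1_i (0 bytes) c49ec57f_o (0 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
"""


def triage(lines):
    """Classify each charon line; lines that do not look like charon output are kept in 'unparsed'."""
    report = {"conflicts": [], "deletes": [], "closed": [], "unparsed": []}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            report["unparsed"].append(line)
            continue
        conn, msg = m["conn"], m["msg"]
        if c := CONFLICT_RE.search(msg):
            report["conflicts"].append({"conn": conn, "selector": f"{c['local']} === {c['remote']}",
                                        "dir": c["dir"], "reqid": int(c["reqid"]), "existing": int(c["existing"])})
        elif d := DELETE_RE.search(msg):
            report["deletes"].append({"conn": conn, "action": d["action"], "spi": d["spi"]})
        elif x := CLOSE_RE.search(msg):
            report["closed"].append({"conn": conn, "child": x["child"], "spi_in": x["spi_in"],
                                     "spi_out": x["spi_out"], "ts": x["ts"]})
    return report


def diagnose(report):
    """One human-readable note per connection: what the kernel refused and what was torn down."""
    notes, by_conn = [], defaultdict(list)
    for c in report["conflicts"]:
        by_conn[c["conn"]].append(c)
    for conn, items in by_conn.items():
        dirs = ",".join(sorted({c["dir"] for c in items}))
        selectors = "; ".join(sorted({c["selector"] for c in items}))
        reqid, existing = sorted({(c["reqid"], c["existing"]) for c in items})[0]
        notes.append(f"{conn}: kernel refused {len(items)} SPD policies ({dirs}) for {selectors}: "
                     f"reqid {reqid} collides with existing reqid {existing}")
    for d in report["deletes"]:
        notes.append(f"{d['conn']}: {d['action']} DELETE for CHILD_SA SPI {d['spi']}")
    for x in report["closed"]:
        notes.append(f"{x['conn']}: closed {x['child']} (TS {x['ts']})")
    return notes


if __name__ == "__main__":
    for note in diagnose(triage(SAMPLE_LOG.splitlines())):
        print(note)
```

Feed it `journalctl -u strongswan-starter` (or whatever unit ships charon on the box) on both peers and the first note immediately shows the collision between reqid 2 and the pre-existing reqid 1 policy for 0.0.0.0/0 === 0.0.0.0/0, which is the line to quote in the report.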