
After resetting vti ipsec tunnel old child SA still active
Closed, Resolved | Public | BUG

Description

To reproduce, configure a VTI IPsec tunnel and reset it.
VyOS configuration:

set interfaces ethernet eth1 address '100.64.0.1/30'
set interfaces vti vti1 address '10.0.102.1/30'
set interfaces vti vti1 description 'Tunnel to 100.64.0.2'
set vpn ipsec esp-group group-ESP compression 'disable'
set vpn ipsec esp-group group-ESP lifetime '3600'
set vpn ipsec esp-group group-ESP mode 'tunnel'
set vpn ipsec esp-group group-ESP pfs 'dh-group19'
set vpn ipsec esp-group group-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group group-ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group group-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group group-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group group-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group group-IKE ikev2-reauth 'no'
set vpn ipsec ike-group group-IKE key-exchange 'ikev2'
set vpn ipsec ike-group group-IKE lifetime '28000'
set vpn ipsec ike-group group-IKE mobike 'disable'
set vpn ipsec ike-group group-IKE proposal 10 dh-group '19'
set vpn ipsec ike-group group-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group group-IKE proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer 100.64.0.2 authentication id '100.64.0.1'
set vpn ipsec site-to-site peer 100.64.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 100.64.0.2 authentication pre-shared-secret 'SSSecccRetT'
set vpn ipsec site-to-site peer 100.64.0.2 authentication remote-id '100.64.0.2'
set vpn ipsec site-to-site peer 100.64.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 100.64.0.2 ike-group 'group-IKE'
set vpn ipsec site-to-site peer 100.64.0.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 100.64.0.2 local-address '100.64.0.1'
set vpn ipsec site-to-site peer 100.64.0.2 vti bind 'vti1'
set vpn ipsec site-to-site peer 100.64.0.2 vti esp-group 'group-ESP'

Reset tunnel:

vyos@r1-roll:~$ reset vpn ipsec-peer 100.64.0.2 vti 
establishing CHILD_SA peer_100-64-0-2_vti{4}
generating CREATE_CHILD_SA request 4 [ SA No KE TSi TSr ]
sending packet: from 100.64.0.1[500] to 100.64.0.2[500] (337 bytes)
received packet: from 100.64.0.2[500] to 100.64.0.1[500] (257 bytes)
parsed CREATE_CHILD_SA response 4 [ SA No KE TSi TSr ]
selected proposal: ESP:AES_GCM_16_256/ECP_256/NO_EXT_SEQ
CHILD_SA peer_100-64-0-2_vti{4} established with SPIs cc054d99_i cbbfdf07_o and TS 0.0.0.0/0 === 0.0.0.0/0
connection 'peer_100-64-0-2_vti' established successfully
Peer reset result: success
vyos@r1-roll:~$

Tunnel status: multiple CHILD_SAs in state INSTALLED with the same peer name:

vyos@r1-roll:~$ show vpn ipsec sa
Connection           State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------
peer_100-64-0-2_vti  up       12m30s    0B/0B           0/0               100.64.0.2        N/A          AES_GCM_16_256/ECP_256
vyos@r1-roll:~$ 
vyos@r1-roll:~$ sudo swanctl -l
peer_100-64-0-2: #1, ESTABLISHED, IKEv2, 3be5f436f0262f6e_i* c04e1e3c5fe4a15b_r
  local  '100.64.0.1' @ 100.64.0.1[500]
  remote '100.64.0.2' @ 100.64.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 754s ago, rekeying in 24669s
  peer_100-64-0-2_vti: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 754s ago, rekeying in 2846s, expires in 2846s
    in  c88e155d (-|0x00000002),      0 bytes,     0 packets,   447s ago
    out caaa62ac (-|0x00000002),      0 bytes,     0 packets
    local  0.0.0.0/0
    remote 0.0.0.0/0
  peer_100-64-0-2_vti: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 609s ago, rekeying in 2991s, expires in 2991s
    in  cccc3259 (-|0x00000002),    336 bytes,     4 packets,   447s ago
    out c2fe4554 (-|0x00000002),    336 bytes,     4 packets,   447s ago
    local  0.0.0.0/0
    remote 0.0.0.0/0
  peer_100-64-0-2_vti: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 380s ago, rekeying in 3220s, expires in 3220s
    in  c89c771e (-|0x00000002),      0 bytes,     0 packets
    out c2d46f2a (-|0x00000002),      0 bytes,     0 packets
    local  0.0.0.0/0
    remote 0.0.0.0/0
  peer_100-64-0-2_vti: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 359s ago, rekeying in 3241s, expires in 3241s
    in  cc054d99 (-|0x00000002),      0 bytes,     0 packets
    out cbbfdf07 (-|0x00000002),      0 bytes,     0 packets
    local  0.0.0.0/0
    remote 0.0.0.0/0
vyos@r1-roll:~$
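The listing above is what a monitoring check should catch: four INSTALLED CHILD_SAs with the same name and reqid under one IKE_SA, where only the most recently installed one (#4, whose SPIs cc054d99_i/cbbfdf07_o are the ones the reset output reports) was negotiated by the last reset. The following is an added example, not VyOS or strongSwan code: a Python parser over `swanctl -l` output that groups INSTALLED children by IKE_SA, connection name and reqid and reports every member but the newest as a leftover. Its sample inputs are abridged copies of this listing and of the post-fix listing in the timeline below; the `swanctl --terminate --child-id` command lines it proposes are an assumption about swanctl's option set that should be confirmed with `swanctl --help` on the router.

```python
"""Flag stale CHILD_SAs in `swanctl -l` output.

Added example for this report, not VyOS or strongSwan code.  A VTI connection
should carry one INSTALLED CHILD_SA per reqid; several with the same name and
reqid, differing only in unique id (#N) and SPIs, is the symptom reported."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), IKEv\d")
CHILD_RE = re.compile(r"^  (\S+): #(\d+), reqid (\d+), (\w+), (\w+), (\S+)$")
INSTALLED_RE = re.compile(r"^    installed (\d+)s ago")
SPI_RE = re.compile(r"^    (in|out)\s+([0-9a-f]+) \S+\s+(\d+) bytes,\s+(\d+) packets")

@dataclass
class ChildSA:
    ike: str                 # parent IKE_SA name
    name: str                # CHILD_SA (connection) name
    uid: int                 # strongSwan unique id, the "#N"
    reqid: int
    state: str
    installed_ago: int = -1  # seconds since the kernel SA was installed
    spi: dict = field(default_factory=dict)      # "in"/"out" -> SPI
    traffic: dict = field(default_factory=dict)  # "in"/"out" -> (bytes, packets)

def parse_swanctl_list(text: str) -> list[ChildSA]:
    """Walk the listing: IKE_SAs at column 0, CHILD_SAs indented by two spaces."""
    children: list[ChildSA] = []
    ike = cur = None
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            ike, cur = m.group(1), None
        elif ike and (m := CHILD_RE.match(line)):
            cur = ChildSA(ike, m.group(1), int(m.group(2)), int(m.group(3)), m.group(4))
            children.append(cur)
        elif cur and (m := INSTALLED_RE.match(line)):
            cur.installed_ago = int(m.group(1))
        elif cur and (m := SPI_RE.match(line)):
            cur.spi[m.group(1)] = m.group(2)
            cur.traffic[m.group(1)] = (int(m.group(3)), int(m.group(4)))
    return children

def find_stale_child_sas(children: list[ChildSA]) -> list[ChildSA]:
    """Among INSTALLED children sharing (IKE_SA, name, reqid), the most recently
    installed one is what the last reset negotiated; the others are leftovers."""
    groups: dict[tuple, list[ChildSA]] = {}
    for c in children:
        if c.state == "INSTALLED":
            groups.setdefault((c.ike, c.name, c.reqid), []).append(c)
    stale: list[ChildSA] = []
    for group in groups.values():
        if len(group) > 1:
            newest = min(group, key=lambda c: c.installed_ago)
            stale += [c for c in group if c is not newest]
    return sorted(stale, key=lambda c: c.uid)

def terminate_commands(stale: list[ChildSA]) -> list[str]:
    """Close leftovers by unique id.  Assumes swanctl's `--terminate --child-id`
    option; confirm with `swanctl --help` on the target before relying on it."""
    return [f"swanctl --terminate --child-id {c.uid}" for c in stale]

# Listings abridged from the report (selector lines omitted; the parser ignores them).
BEFORE_FIX = """\
peer_100-64-0-2: #1, ESTABLISHED, IKEv2, 3be5f436f0262f6e_i* c04e1e3c5fe4a15b_r
  established 754s ago, rekeying in 24669s
  peer_100-64-0-2_vti: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 754s ago, rekeying in 2846s, expires in 2846s
    in  c88e155d (-|0x00000002),      0 bytes,     0 packets,   447s ago
    out caaa62ac (-|0x00000002),      0 bytes,     0 packets
  peer_100-64-0-2_vti: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 609s ago, rekeying in 2991s, expires in 2991s
    in  cccc3259 (-|0x00000002),    336 bytes,     4 packets,   447s ago
    out c2fe4554 (-|0x00000002),    336 bytes,     4 packets,   447s ago
  peer_100-64-0-2_vti: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 380s ago, rekeying in 3220s, expires in 3220s
    in  c89c771e (-|0x00000002),      0 bytes,     0 packets
    out c2d46f2a (-|0x00000002),      0 bytes,     0 packets
  peer_100-64-0-2_vti: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 359s ago, rekeying in 3241s, expires in 3241s
    in  cc054d99 (-|0x00000002),      0 bytes,     0 packets
    out cbbfdf07 (-|0x00000002),      0 bytes,     0 packets
"""

AFTER_FIX = """\
peer_100-64-0-2: #1, ESTABLISHED, IKEv2, 3be5f436f0262f6e_i* c04e1e3c5fe4a15b_r
  established 2979s ago, rekeying in 22444s
  peer_100-64-0-2_vti: #21, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 11s ago, rekeying in 3589s, expires in 3589s
    in  cdd77973 (-|0x00000002),      0 bytes,     0 packets
    out ce6eba0b (-|0x00000002),      0 bytes,     0 packets
"""

if __name__ == "__main__":
    for label, listing in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        stale = find_stale_child_sas(parse_swanctl_list(listing))
        print(label, [f"#{c.uid} {c.spi['in']}_i/{c.spi['out']}_o" for c in stale])
        print(*terminate_commands(stale), sep="\n")
```

Run as a script it reports #1, #2 and #3 as leftovers for the listing above and nothing for the post-fix listing; in practice the same check is fed the live output of `sudo swanctl -l`. Grouping on reqid as well as name matters because all of these duplicates share reqid 1, which is why `show vpn ipsec sa` collapses them into a single "up" line and hides the problem.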

Details

Difficulty level: Normal (likely a few hours)
Version: VyOS 1.4-rolling-202110240217
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

PR https://github.com/vyos/vyos-1x/pull/1048

vyos@r1-roll:~$ reset vpn ipsec-peer 100.64.0.2 vti 
closing CHILD_SA peer_100-64-0-2_vti{20} with SPIs c9dd31a2_i (0 bytes) c9c127e4_o (0 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
sending DELETE for ESP CHILD_SA with SPI c9dd31a2
generating INFORMATIONAL request 40 [ D ]
sending packet: from 100.64.0.1[500] to 100.64.0.2[500] (69 bytes)
received packet: from 100.64.0.2[500] to 100.64.0.1[500] (69 bytes)
parsed INFORMATIONAL response 40 [ D ]
received DELETE for ESP CHILD_SA with SPI c9c127e4
CHILD_SA closed
CHILD_SA {20} closed successfully
establishing CHILD_SA peer_100-64-0-2_vti{21}
generating CREATE_CHILD_SA request 41 [ SA No KE TSi TSr ]
sending packet: from 100.64.0.1[500] to 100.64.0.2[500] (337 bytes)
received packet: from 100.64.0.2[500] to 100.64.0.1[500] (257 bytes)
parsed CREATE_CHILD_SA response 41 [ SA No KE TSi TSr ]
selected proposal: ESP:AES_GCM_16_256/ECP_256/NO_EXT_SEQ
CHILD_SA peer_100-64-0-2_vti{21} established with SPIs cdd77973_i ce6eba0b_o and TS 0.0.0.0/0 === 0.0.0.0/0
connection 'peer_100-64-0-2_vti' established successfully
Peer reset result: success
vyos@r1-roll:~$
vyos@r1-roll:~$
vyos@r1-roll:~$ sudo swanctl -l
peer_100-64-0-2: #1, ESTABLISHED, IKEv2, 3be5f436f0262f6e_i* c04e1e3c5fe4a15b_r
  local  '100.64.0.1' @ 100.64.0.1[500]
  remote '100.64.0.2' @ 100.64.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 2979s ago, rekeying in 22444s
  peer_100-64-0-2_vti: #21, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 11s ago, rekeying in 3589s, expires in 3589s
    in  cdd77973 (-|0x00000002),      0 bytes,     0 packets
    out ce6eba0b (-|0x00000002),      0 bytes,     0 packets
    local  0.0.0.0/0
    remote 0.0.0.0/0
vyos@r1-roll:~$
Viacheslav changed the task status from Open to In progress. Oct 28 2021, 1:18 PM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.