
vpn IPSec site-to-site continues to work if certificates are deleted
Closed, WontfixPublicBUG

Description

IPsec based on an x509 certificate continues to work if the certificates were deleted or changed.

Config:

set interfaces vti vti0 address '10.0.0.1/30'
set pki ca peer_192-168-0-3 certificate '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'
set pki certificate peer_192-168-0-3 certificate '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'
set pki certificate peer_192-168-0-3 private key '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'
set vpn ipsec esp-group MyESPGroup compression 'disable'
set vpn ipsec esp-group MyESPGroup lifetime '3600'
set vpn ipsec esp-group MyESPGroup mode 'tunnel'
set vpn ipsec esp-group MyESPGroup pfs 'enable'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes128'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
set vpn ipsec ike-group MyIKEGroup close-action 'none'
set vpn ipsec ike-group MyIKEGroup ikev2-reauth 'no'
set vpn ipsec ike-group MyIKEGroup key-exchange 'ikev1'
set vpn ipsec ike-group MyIKEGroup lifetime '28800'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes128'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer 192.168.0.3 authentication id 'CN=IPsec Router2'
set vpn ipsec site-to-site peer 192.168.0.3 authentication mode 'x509'
set vpn ipsec site-to-site peer 192.168.0.3 authentication remote-id 'CN=IPsec Router3'
set vpn ipsec site-to-site peer 192.168.0.3 authentication x509 ca-certificate 'peer_192-168-0-3'
set vpn ipsec site-to-site peer 192.168.0.3 authentication x509 certificate 'peer_192-168-0-3'
set vpn ipsec site-to-site peer 192.168.0.3 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.0.3 ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer 192.168.0.3 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.168.0.3 local-address '192.168.0.2'
set vpn ipsec site-to-site peer 192.168.0.3 vti bind 'vti0'
set vpn ipsec site-to-site peer 192.168.0.3 vti esp-group 'MyESPGroup'

Check that IPsec is in the UP state, then delete the certificates:

vyos@r2# run show vpn ipsec sa
Connection            State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID         Proposal
--------------------  -------  --------  --------------  ----------------  ----------------  ----------------  ---------------------------------------
peer_192-168-0-3_vti  up       5m5s      0B/0B           0/0               192.168.0.3       CN=IPsec Router3  AES_CBC_128/HMAC_SHA2_256_128/MODP_1024
[edit]
vyos@r2# 
[edit]
vyos@r2# delete pki
[edit]
vyos@r2# commit
[edit]
vyos@r2#

Reset the peer, and it establishes the connection again:

vyos@r2# run reset vpn ipsec-peer 192.168.0.3 
closing CHILD_SA peer_192-168-0-3_vti{1} with SPIs c9318e6f_i (0 bytes) ca20f83e_o (0 bytes) and TS 0.0.0.0/0 === 0.0.0.0/0
sending DELETE for ESP CHILD_SA with SPI c9318e6f
generating INFORMATIONAL_V1 request 2193869679 [ HASH D ]
sending packet: from 192.168.0.2[500] to 192.168.0.3[500] (92 bytes)
CHILD_SA {1} closed successfully
generating QUICK_MODE request 108106976 [ HASH SA No KE ID ID ]
sending packet: from 192.168.0.2[500] to 192.168.0.3[500] (332 bytes)
received packet: from 192.168.0.3[500] to 192.168.0.2[500] (332 bytes)
parsed QUICK_MODE response 108106976 [ HASH SA No KE ID ID ]
selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ
CHILD_SA peer_192-168-0-3_vti{2} established with SPIs cfcb2387_i c0f5e296_o and TS 0.0.0.0/0 === 0.0.0.0/0
connection 'peer_192-168-0-3_vti' established successfully
Peer reset result: success
[edit]
vyos@r2# 

vyos@r2# run show vpn ipsec sa
Connection            State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID         Proposal
--------------------  -------  --------  --------------  ----------------  ----------------  ----------------  ---------------------------------------
peer_192-168-0-3_vti  up       6s        0B/0B           0/0               192.168.0.3       CN=IPsec Router3  AES_CBC_128/HMAC_SHA2_256_128/MODP_1024
[edit]
vyos@r2#

If I delete all certificates completely, I don't expect them to be used anywhere on the router.
Likewise, if I change the PKI CA to a new one, IPsec will still use the original (old) certificate for the same reason.

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202111080547
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav changed the task status from Open to Confirmed. Edited Nov 11 2021, 6:16 PM
Viacheslav created this task.

Certificates can be found here (these are the on-disk copies that strongSwan loads, which apparently are not removed when `pki` is deleted and committed):

loaded certificate from '/etc/swanctl/x509/R1.pem'
loaded certificate from '/etc/swanctl/x509ca/CA.pem'
loaded RSA key from '/etc/swanctl/private/x509_R1.pem'

At least it should generate a warning that the certificates are still in use.

Viacheslav claimed this task.