
IKEv2 mobike commit failed with DMVPN nhrp
Closed, Resolved · Public · BUG

Description

There is a previous ticket, but it looks like there was an issue replicating it:
https://phabricator.vyos.net/T2606

I have some additional information that could help narrow down the source of this error.

VyOS version: VyOS 1.3-beta-202112080938

Here is when I receive this error:

  • I am setting up DMVPN using GRE tunnels, with the mode set to Transport; setting mobike = disable causes swanctl not to load the config.
  • On another machine I have a regular site-to-site VPN (not using GRE tunnels), with the mode set to tunnel; there, mobike = disable causes no issue.

I will attach the config that triggers the issue and can try to help narrow it down.

Not working with MOBIKE = disabled

       //configuration is for the hub - DMVPN
       #Reviewer note: hub-side DMVPN configuration as posted by the reporter.
       #The ${...} values are placeholders standing in for the real tunnel
       #address, WAN address and pre-shared secret.
       #set ipsec interface
	set vpn ipsec ipsec-interfaces interface 'eth0'
	
	#configure ipsec
	set vpn ipsec esp-group "ESP-HUB" compression 'disable'
	set vpn ipsec esp-group "ESP-HUB" lifetime '3600'
	#NOTE(review): the description above says the mode is Transport, but this
	#esp-group is configured with mode 'tunnel' -- confirm which was in use.
	set vpn ipsec esp-group "ESP-HUB" mode 'tunnel'
	set vpn ipsec esp-group "ESP-HUB" pfs 'dh-group21'
	set vpn ipsec esp-group "ESP-HUB" proposal 1 encryption 'aes256'
	set vpn ipsec esp-group "ESP-HUB" proposal 1 hash 'sha256'
	set vpn ipsec esp-group "ESP-HUB" proposal 2 encryption 'aes256'
	set vpn ipsec esp-group "ESP-HUB" proposal 2 hash 'sha256'

	set vpn ipsec ike-group "IKE-HUB" ikev2-reauth 'no'
	set vpn ipsec ike-group "IKE-HUB" key-exchange 'ikev2'
	set vpn ipsec ike-group "IKE-HUB" lifetime '28800'
	#NOTE(review): this line is commented out in the listing as posted. Per the
	#report, adding the mobike option to this ike-group (the maintainer's comment
	#below says 'disable' or 'enable' both do it) is what makes the swanctl.conf
	#reload fail on commit.
	#set vpn ipsec ike-group "IKE-HUB" mobike 'disable'
	set vpn ipsec ike-group "IKE-HUB" proposal 1 dh-group 21
	set vpn ipsec ike-group "IKE-HUB" proposal 1 encryption 'aes256'
	set vpn ipsec ike-group "IKE-HUB" proposal 1 hash 'sha256'
	set vpn ipsec ike-group "IKE-HUB" proposal 2 dh-group 21
	set vpn ipsec ike-group "IKE-HUB" proposal 2 encryption 'aes256'
	set vpn ipsec ike-group "IKE-HUB" proposal 2 hash 'sha256'
	
	set vpn ipsec logging log-level 1
	set vpn ipsec logging log-modes dmn  
	set vpn ipsec logging log-modes mgr
	set vpn ipsec logging log-modes knl
	set vpn ipsec logging log-modes net

	###################GRE tunnel configuration#################
	#change for each hub
	#the tunnel 172.x.x.x address - IP for the tun0 interface
	set interfaces tunnel tun0 address "${TUNNEL_IP_WITH_MASK}"
	set interfaces tunnel tun0 encapsulation 'gre'
	set interfaces tunnel tun0 multicast 'enable'
	set interfaces tunnel tun0 parameters ip key '1'
	#floating WAN IP - this must be fixed for the HUB - eth ETH0 IP
	set interfaces tunnel tun0 source-address "${WAN_FLOATING_IP}"
	
	#IPSEC profile
	set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
	#using orange for testing
	set vpn ipsec profile NHRPVPN authentication pre-shared-secret "${PRE_SHARED_KEY}"
	set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
	set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
	set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
	
	#NHRP
	#NOTE(review): the NHRP authentication string is given in clear here; the
	#'using orange for testing' comment above suggests it is a test value rather
	#than a production secret -- confirm before reusing this listing.
	set protocols nhrp tunnel tun0 cisco-authentication 'orange'
	set protocols nhrp tunnel tun0 holding-time '300'
	set protocols nhrp tunnel tun0 multicast 'dynamic'
	set protocols nhrp tunnel tun0 redirect
	set protocols nhrp tunnel tun0 shortcut

Working with MOBIKE - just a site-to-site VPN

# Reviewer note: site-to-site (non-GRE) configuration from the reporter; the
# report says this one commits without error even with mobike disable set
# below. ${SUFFIX}, ${PEER_IP}, ${FLOATING_IP}, ${PSK_SECRET}, ${VPC_NETWORK}
# and ${REMOTE_SUBNET_WITH_CIDR} are placeholders.
set vpn ipsec esp-group ESP-${SUFFIX} compression disable
set vpn ipsec esp-group ESP-${SUFFIX} lifetime 3600
set vpn ipsec esp-group ESP-${SUFFIX} mode tunnel
# NOTE(review): pfs is disabled here and the integrity hash below is sha1,
# whereas the hub listing above uses pfs dh-group21 and sha256. Unrelated to
# the reported commit failure, but worth aligning if this config is reused.
set vpn ipsec esp-group ESP-${SUFFIX} pfs disable
set vpn ipsec esp-group ESP-${SUFFIX} proposal 1 encryption aes256
set vpn ipsec esp-group ESP-${SUFFIX} proposal 1 hash sha1
set vpn ipsec esp-group ESP-${SUFFIX} proposal 2 encryption aes256
set vpn ipsec esp-group ESP-${SUFFIX} proposal 2 hash sha1

set vpn ipsec ike-group IKE-${SUFFIX} close-action restart
set vpn ipsec ike-group IKE-${SUFFIX} ikev2-reauth no
set vpn ipsec ike-group IKE-${SUFFIX} key-exchange ikev2
set vpn ipsec ike-group IKE-${SUFFIX} lifetime 28800
# The mobike option that fails to commit in the DMVPN/profile case is present
# here and, per the report, causes no issue for a site-to-site peer.
set vpn ipsec ike-group IKE-${SUFFIX} mobike disable
set vpn ipsec ike-group IKE-${SUFFIX} proposal 1 dh-group 21
set vpn ipsec ike-group IKE-${SUFFIX} proposal 1 encryption aes256
set vpn ipsec ike-group IKE-${SUFFIX} proposal 1 hash sha1
set vpn ipsec ike-group IKE-${SUFFIX} proposal 2 dh-group 21
set vpn ipsec ike-group IKE-${SUFFIX} proposal 2 encryption aes256
set vpn ipsec ike-group IKE-${SUFFIX} proposal 2 hash sha1

#use eth0 that has the floating IP address
set vpn ipsec ipsec-interfaces interface eth0

set vpn ipsec logging log-level 1
set vpn ipsec logging log-mode dmn
set vpn ipsec logging log-mode mgr
set vpn ipsec logging log-mode knl
set vpn ipsec logging log-mode net

set vpn ipsec site-to-site peer ${PEER_IP} authentication id ${FLOATING_IP}
set vpn ipsec site-to-site peer ${PEER_IP} authentication mode pre-shared-secret
# The PSK itself is not part of the report; ${PSK_SECRET} is a placeholder.
set vpn ipsec site-to-site peer ${PEER_IP} authentication pre-shared-secret ${PSK_SECRET}
set vpn ipsec site-to-site peer ${PEER_IP} authentication remote-id ${PEER_IP}

set vpn ipsec site-to-site peer ${PEER_IP} connection-type respond
set vpn ipsec site-to-site peer ${PEER_IP} default-esp-group ESP-${SUFFIX}
set vpn ipsec site-to-site peer ${PEER_IP} description "my description"
set vpn ipsec site-to-site peer ${PEER_IP} ike-group IKE-${SUFFIX}
set vpn ipsec site-to-site peer ${PEER_IP} ikev2-reauth inherit
set vpn ipsec site-to-site peer ${PEER_IP} local-address ${FLOATING_IP}
set vpn ipsec site-to-site peer ${PEER_IP} tunnel 0 allow-nat-networks disable
set vpn ipsec site-to-site peer ${PEER_IP} tunnel 0 allow-public-networks disable
set vpn ipsec site-to-site peer ${PEER_IP} tunnel 0 local prefix ${VPC_NETWORK}
set vpn ipsec site-to-site peer ${PEER_IP} tunnel 0 remote prefix ${REMOTE_SUBNET_WITH_CIDR}

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.3-beta-202112080938
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

@nikeshhajari thanks, I can reproduce it in 1.3:

# Reviewer note: maintainer's minimal reproduction on VyOS 1.3. This first
# commit is done without the mobike option and succeeds; the failing step
# (adding mobike to IKE-HUB and committing again) follows below.
set interfaces ethernet eth0 address '192.168.122.14/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key '1'
set interfaces tunnel tun0 source-address '192.168.122.14'
set protocols nhrp tunnel tun0 cisco-authentication 'orange'
set protocols nhrp tunnel tun0 holding-time '300'
set protocols nhrp tunnel tun0 multicast 'dynamic'
set protocols nhrp tunnel tun0 redirect
set protocols nhrp tunnel tun0 shortcut
set vpn ipsec esp-group ESP-HUB compression 'disable'
set vpn ipsec esp-group ESP-HUB lifetime '3600'
set vpn ipsec esp-group ESP-HUB mode 'tunnel'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group21'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP-HUB proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'sha256'
set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2'
set vpn ipsec ike-group IKE-HUB lifetime '28800'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '21'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '21'
set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
# 'PRE_SHARED_KEY' is a literal placeholder string in this reproduction, not a
# real secret.
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'PRE_SHARED_KEY'
set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
commit

Add mobike disable:

# The trigger: adding the mobike option to the ike-group bound to the DMVPN
# profile and committing produces the swanctl.conf reload error shown below.
set vpn ipsec ike-group IKE-HUB mobike 'disable'
commit
[ vpn ]
Warning: unable to [reload changes to swanctl.conf], received error code 5632

Restarting Next Hop Resolution Protocol: opennhrp.

[edit]
[email protected]#

It doesn't matter whether you add mobike disable or enable.
A possible reason is that it generates an incorrect swanctl.conf for the mobike option:

[email protected]# sudo cat /etc/swanctl/swanctl.conf 
# generated by /opt/vyatta/sbin/dmvpn-config.pl

connections {
	dmvpn-NHRPVPN-tun0 {
		proposals = aes256-sha256-ecp521,aes256-sha256-ecp521
		version = 2
		rekey_time = 28800s
		mobike = yes		keyingtries = 0
		local

So mobike and keyingtries end up on one line, which is incorrect.

PR https://github.com/vyos/vyatta-cfg-vpn/pull/52

[email protected]# set vpn ipsec ike-group IKE-HUB mobike 'disable'
[edit]
[email protected]# commit
[ vpn ]
Restarting Next Hop Resolution Protocol: opennhrp.

[edit]
[email protected]# sudo cat /etc/swanctl/swanctl.conf 
# generated by /opt/vyatta/sbin/dmvpn-config.pl

connections {
	dmvpn-NHRPVPN-tun0 {
		proposals = aes256-sha256-ecp521,aes256-sha256-ecp521
		version = 2
		rekey_time = 28800s
		mobike = no
		keyingtries = 0
		local {
Viacheslav renamed this task from Reopen: IKEv2 mobike commit failed to IKEv2 mobike commit failed with DMVPN nhrp.Dec 22 2021, 6:37 PM
Viacheslav changed the task status from Open to In progress.Dec 22 2021, 6:53 PM