
IPSec site-to-site generates unexpected passthrough option
Closed, ResolvedPublicBUG

Description

IPsec site-to-site generates an unexpected passthrough section after commit.
As a result, the tunnel does not work.

set interfaces dummy dum0 address '10.10.0.2/32'
set interfaces ethernet eth2 address '192.0.2.2/30'
set interfaces tunnel tun0 address '10.0.0.2/30'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 multicast 'disable'
set interfaces tunnel tun0 remote '10.10.0.1'
set interfaces tunnel tun0 source-address '10.10.0.2'
set vpn ipsec esp-group ESP-GRP compression 'disable'
set vpn ipsec esp-group ESP-GRP lifetime '3600'
set vpn ipsec esp-group ESP-GRP mode 'tunnel'
set vpn ipsec esp-group ESP-GRP pfs 'dh-group14'
set vpn ipsec esp-group ESP-GRP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GRP proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-GRP close-action 'none'
set vpn ipsec ike-group IKE-GRP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GRP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GRP dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE-GRP ikev2-reauth 'no'
set vpn ipsec ike-group IKE-GRP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GRP lifetime '28800'
set vpn ipsec ike-group IKE-GRP proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-GRP proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP proposal 1 hash 'sha256'
set vpn ipsec interface 'eth2'
set vpn ipsec site-to-site peer 192.0.2.1 authentication id '192.0.2.2'
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret 'SuperPA$$swd'
set vpn ipsec site-to-site peer 192.0.2.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.2.1 ike-group 'IKE-GRP'
set vpn ipsec site-to-site peer 192.0.2.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.2.1 local-address '192.0.2.2'
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group 'ESP-GRP'
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix '10.10.0.2/32'
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix '10.10.0.1/32'

Generated configuration (note the unexpected child section peer_192-0-2-1_tunnel_1_passthough):

[email protected]# sudo cat /etc/swanctl/swanctl.conf | grep children -A 20
        children {
            peer_192-0-2-1_tunnel_1 {
                esp_proposals = aes256-sha256-modp2048
                life_time = 3600s
                local_ts = 10.10.0.2/32
                remote_ts = 10.10.0.1/32
                ipcomp = no
                mode = tunnel
                start_action = start
                dpd_action = restart
                close_action = none
            }
            peer_192-0-2-1_tunnel_1_passthough {
                local_ts = 
                remote_ts = 
                start_action = trap
                mode = pass
            }
        }
    }

As a result, we do not see any outbound packets:

peer_192-0-2-1: #1, ESTABLISHED, IKEv2, be2a04e3a6e22022_i* 6b07c0ef01f6c28e_r
  local  '192.0.2.2' @ 192.0.2.2[4500]
  remote '192.0.2.1' @ 192.0.2.1[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 304s ago, rekeying in 26719s
  peer_192-0-2-1_tunnel_1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 304s ago, rekeying in 3296s, expires in 3296s
    in  c35c85cf,    546 bytes,     4 packets
    out ce0b767f,      0 bytes,     0 packets
    local  10.10.0.2/32
    remote 10.10.0.1/32

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202204250217
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)