Page MenuHomeVyOS Platform

Unable to reset IPsec IPv6 peer
Closed, ResolvedPublicBUG

Description

Configure IPv6 IPsec peer and try to reset
VyOS config:

set vpn ipsec esp-group grp-ESP compression 'disable'
set vpn ipsec esp-group grp-ESP lifetime '28800'
set vpn ipsec esp-group grp-ESP mode 'tunnel'
set vpn ipsec esp-group grp-ESP pfs 'enable'
set vpn ipsec esp-group grp-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group grp-ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group grp-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group grp-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group grp-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group grp-IKE ikev2-reauth 'no'
set vpn ipsec ike-group grp-IKE key-exchange 'ikev2'
set vpn ipsec ike-group grp-IKE lifetime '86400'
set vpn ipsec ike-group grp-IKE mobike 'disable'
set vpn ipsec ike-group grp-IKE proposal 10 dh-group '14'
set vpn ipsec ike-group grp-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group grp-IKE proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer 2001:db8::2 authentication id '2001:db8::1'
set vpn ipsec site-to-site peer 2001:db8::2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2001:db8::2 authentication pre-shared-secret 'SSSeeccRetT'
set vpn ipsec site-to-site peer 2001:db8::2 authentication remote-id '2001:db8::2'
set vpn ipsec site-to-site peer 2001:db8::2 connection-type 'initiate'
set vpn ipsec site-to-site peer 2001:db8::2 ike-group 'grp-IKE'
set vpn ipsec site-to-site peer 2001:db8::2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 2001:db8::2 local-address '2001:db8::1'
set vpn ipsec site-to-site peer 2001:db8::2 tunnel 0 esp-group 'grp-ESP'
set vpn ipsec site-to-site peer 2001:db8::2 tunnel 0 local prefix '2001:db8:1111::/64'
set vpn ipsec site-to-site peer 2001:db8::2 tunnel 0 remote prefix '2001:db8:2222::/64'

Reset

[email protected]:~$ reset vpn ipsec-peer 
Possible completions:
  2001:db8::2   Reset all tunnels for given peer

      
[email protected]:~$ reset vpn ipsec-peer 2001:db8::2 
Tunnel(s) not found, aborting
[email protected]:~$

Connection:

[email protected]:~$ sudo swanctl -L
peer_2001-db8--2: IKEv2, no reauthentication, rekeying every 86400s, dpd delay 30s
  local:  2001:db8::1
  remote: 2001:db8::2
  local pre-shared key authentication:
    id: 2001:db8::1
  remote pre-shared key authentication:
    id: 2001:db8::2
  peer_2001-db8--2_tunnel_0: TUNNEL, rekeying every 3600s, dpd action is hold
    local:  2001:db8:1111::/64
    remote: 2001:db8:2222::/64

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.4-rolling-202207200217
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav changed the task status from Open to In progress.Jul 23 2022, 7:56 AM
Viacheslav claimed this task.

PR https://github.com/vyos/vyos-1x/pull/1428

[email protected]:~$ reset vpn ipsec-peer 2001:db8::2 
CHILD_SA {21241} closed successfully
CHILD_SA {21243} closed successfully
CHILD_SA {21245} closed successfully
CHILD_SA {21244} closed successfully
CHILD_SA {21247} closed successfully
CHILD_SA {21246} closed successfully
CHILD_SA {21249} closed successfully
CHILD_SA {21248} closed successfully
closing CHILD_SA peer_2001-db8--2_tunnel_0{21250} with SPIs cab47d6b_i (0 bytes) c3cbba13_o (0 bytes) and TS 2001:db8:1111::/64 === 2001:db8:2222::/64
sending DELETE for ESP CHILD_SA with SPI cab47d6b
generating INFORMATIONAL request 14065 [ D ]
sending packet: from 2001:db8::1[500] to 2001:db8::2[500] (69 bytes)
received packet: from 2001:db8::2[500] to 2001:db8::1[500] (69 bytes)
parsed INFORMATIONAL response 14065 [ D ]
received DELETE for ESP CHILD_SA with SPI c3cbba13
CHILD_SA closed
CHILD_SA {21250} closed successfully
establishing CHILD_SA peer_2001-db8--2_tunnel_0{21251}
generating CREATE_CHILD_SA request 14066 [ SA No KE TSi TSr ]
sending packet: from 2001:db8::1[500] to 2001:db8::2[500] (497 bytes)
received packet: from 2001:db8::2[500] to 2001:db8::1[500] (497 bytes)
parsed CREATE_CHILD_SA response 14066 [ SA No KE TSi TSr ]
selected proposal: ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
CHILD_SA peer_2001-db8--2_tunnel_0{21251} established with SPIs ccaff1e5_i c5a2b674_o and TS 2001:db8:1111::/64 === 2001:db8:2222::/64
connection 'peer_2001-db8--2_tunnel_0' established successfully
Peer reset result: success
[email protected]:~$
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.