
Upgrade strongswan to 5.9.8
Closed, Resolved | Public | Feature Request

Description

As per https://forum.vyos.io/t/site-to-site-ipsec-multiple-sa-in-stale-state/9289 and https://phabricator.vyos.net/T4551

With the current strongswan version (5.9.1) there seem to be the above issues.

I recompiled/created the deb packages on my own for strongswan 5.9.6, starting from dsc and sources for debian testing (available at https://salsa.debian.org/debian/strongswan/-/tree/debian/5.9.6-1 / tag debian/5.9.6-1).

With the newer version, the issue seems resolved.

NOTE: the patches @ https://github.com/vyos/vyos-build/tree/current/packages/strongswan/patches do not apply to the new 5.9.6 tree. However, you can find the updated patches here: https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/main/strongswan . My recompiled deb uses these ones.
NOTE: the newer version adds these deb dependencies (already available on the debian stable repo): libtss2-mu0 libtss2-sys1 tpm-udev (plus libtss2-dev for the build phase)

Details

Difficulty level: Hard (possibly days)
Version: -
Why the issue appeared? Will be filled on close
Is it a breaking change? Perfectly compatible
Issue type: Package upgrade

Event Timeline

ssasso updated the task description.

From the strongswan 5.9.6 changelog:

Actively initiating duplicate CHILD_SAs within the same IKE_SA is now largely prevented. This can happen if trap policies are installed and an IKE_SA with its CHILD_SAs is reestablished (e.g. with break-before-make reauthentication or dpd_action=restart). This does not prevent duplicates if they are initiated by the two peers concurrently.
ssasso changed Issue type from Unspecified (please specify) to Package upgrade. (Aug 26 2022, 9:37 AM)
c-po renamed this task from "Upgrade strongswan to 5.9.6" to "Upgrade strongswan to 5.9.8". (Dec 27 2022, 3:34 PM)
c-po changed the task status from Open to Needs testing.
c-po triaged this task as Normal priority.
c-po changed Difficulty level from Unknown (require assessment) to Hard (possibly days).
c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.

I met 2 issues after the last commit.
My config:

set vpn ipsec authentication psk TEST id '192.0.2.1'
set vpn ipsec authentication psk TEST secret 'test'
set vpn ipsec esp-group ESP pfs 'dh-group2'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE close-action 'restart'
set vpn ipsec ike-group IKE dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE proposal 1 dh-group '2'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer TEST authentication local-id '192.0.2.2'
set vpn ipsec site-to-site peer TEST authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer TEST authentication remote-id '192.0.2.1'
set vpn ipsec site-to-site peer TEST default-esp-group 'ESP'
set vpn ipsec site-to-site peer TEST ike-group 'IKE'
set vpn ipsec site-to-site peer TEST local-address '192.0.2.2'
set vpn ipsec site-to-site peer TEST remote-address '192.0.2.1'
set vpn ipsec site-to-site peer TEST tunnel 0 local prefix '192.168.10.0/24'
set vpn ipsec site-to-site peer TEST tunnel 0 remote prefix '192.168.11.0/24'
set vpn ipsec site-to-site peer TEST tunnel 1 local prefix '192.168.100.0/24'
set vpn ipsec site-to-site peer TEST tunnel 1 remote prefix '192.168.101.0/24'
1. 6 CHILD_SAs on one tunnel
vyos@vyos:~$ show vpn ipsec sa
Connection     State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
TEST-tunnel-0  up       5m46s     0B/0B           0/0               192.0.2.1         192.0.2.1    AES_CBC_128/HMAC_SHA1_96
TEST-tunnel-0  up       5m46s     0B/0B           0/0               192.0.2.1         192.0.2.1    AES_CBC_128/HMAC_SHA1_96
TEST-tunnel-0  up       5m46s     0B/0B           0/0               192.0.2.1         192.0.2.1    AES_CBC_128/HMAC_SHA1_96
TEST-tunnel-0  up       5m46s     0B/0B           0/0               192.0.2.1         192.0.2.1    AES_CBC_128/HMAC_SHA1_96
TEST-tunnel-0  up       5m46s     672B/672B       8/8               192.0.2.1         192.0.2.1    AES_CBC_128/HMAC_SHA1_96
TEST-tunnel-0  up       5m49s     0B/0B           0/0               192.0.2.1         192.0.2.1    AES_CBC_128/HMAC_SHA1_96
TEST-tunnel-1  up       5m46s     0B/0B           0/0               192.0.2.1         192.0.2.1    AES_CBC_128/HMAC_SHA1_96/MODP_1024
TEST-tunnel-1  up       5m46s     0B/0B           0/0               192.0.2.1         192.0.2.1    AES_CBC_128/HMAC_SHA1_96/MODP_1024
TEST-tunnel-1  up       5m46s     0B/0B           0/0               192.0.2.1         192.0.2.1    AES_CBC_128/HMAC_SHA1_96/MODP_1024
      192.0.2.1    AES_CBC_128/HMAC_SHA1_96/MODP_1024
TEST-tunnel-1  up       5m46s     420B/420B       5/5               192.0.2.1         192.0.2.1    AES_CBC_128/HMAC_SHA1_96/MODP_1024
TEST-tunnel-1  up       5m49s     0B/0B           0/0               192.0.2.1         192.0.2.1    AES_CBC_128/HMAC_SHA1_96/MODP_1024
vyos@vyos:~$ sudo swanctl -l
TEST: #11, ESTABLISHED, IKEv2, 529c52443be59beb_i 135a462a9fafbd9f_r*
  local  '192.0.2.2' @ 192.0.2.2[4500]
  remote '192.0.2.1' @ 192.0.2.1[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 387s ago, rekeying in 26342s
  TEST-tunnel-0: #11, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 387s ago, rekeying in 2578s, expires in 3213s
    in  c9074c1c,      0 bytes,     0 packets,   291s ago
    out cdd2a11c,      0 bytes,     0 packets
    local  192.168.10.0/24
    remote 192.168.11.0/24
  TEST-tunnel-1: #12, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_1024
    installed 387s ago, rekeying in 2751s, expires in 3213s
    in  cf93d07f,      0 bytes,     0 packets,   314s ago
    out c5da4713,      0 bytes,     0 packets
    local  192.168.100.0/24
    remote 192.168.101.0/24
TEST: #10, ESTABLISHED, IKEv2, 6913ea6a1c4251dd_i* 577be9ed94297f7d_r
  local  '192.0.2.2' @ 192.0.2.2[4500]
  remote '192.0.2.1' @ 192.0.2.1[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 384s ago, rekeying in 25784s
  TEST-tunnel-0: #18, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 384s ago, rekeying in 2565s, expires in 3216s
    in  cdb074d1,    672 bytes,     8 packets,   291s ago
    out cecc1b7f,    672 bytes,     8 packets,   291s ago
    local  192.168.10.0/24
    remote 192.168.11.0/24
  TEST-tunnel-1: #22, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_1024
    installed 384s ago, rekeying in 2573s, expires in 3216s
    in  cdc3d6d3,      0 bytes,     0 packets,   314s ago
    out c9cc4080,      0 bytes,     0 packets
    local  192.168.100.0/24
    remote 192.168.101.0/24
TEST: #8, ESTABLISHED, IKEv2, 38d9fbcaccd77a3c_i* 21d6d99990bb74f8_r
  local  '192.0.2.2' @ 192.0.2.2[4500]
  remote '192.0.2.1' @ 192.0.2.1[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 384s ago, rekeying in 26407s
  TEST-tunnel-0: #19, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 384s ago, rekeying in 2617s, expires in 3216s
    in  c4b1516c,      0 bytes,     0 packets,   291s ago
    out c3c95e4b,      0 bytes,     0 packets
    local  192.168.10.0/24
    remote 192.168.11.0/24
  TEST-tunnel-1: #21, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_1024
    installed 384s ago, rekeying in 2585s, expires in 3216s
    in  cfad4511,    420 bytes,     5 packets,   314s ago
    out c3c720ac,    420 bytes,     5 packets,   314s ago
    local  192.168.100.0/24
    remote 192.168.101.0/24
TEST: #9, ESTABLISHED, IKEv2, 0ade9ec225c3f289_i* a918376d80b5451d_r
  local  '192.0.2.2' @ 192.0.2.2[4500]
  remote '192.0.2.1' @ 192.0.2.1[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 384s ago, rekeying in 27255s
  TEST-tunnel-0: #14, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 384s ago, rekeying in 2745s, expires in 3216s
    in  cd4967e9,      0 bytes,     0 packets,   291s ago
    out cce383ff,      0 bytes,     0 packets
    local  192.168.10.0/24
    remote 192.168.11.0/24
  TEST-tunnel-1: #20, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_1024
    installed 384s ago, rekeying in 2561s, expires in 3216s
    in  c38ad01b,      0 bytes,     0 packets,   314s ago
    out c6a8e808,      0 bytes,     0 packets
    local  192.168.100.0/24
    remote 192.168.101.0/24
TEST: #7, ESTABLISHED, IKEv2, b821fa4082d35bbf_i* 7c3c02bd186daaf0_r
  local  '192.0.2.2' @ 192.0.2.2[4500]
  remote '192.0.2.1' @ 192.0.2.1[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 384s ago, rekeying in 26331s
  TEST-tunnel-0: #15, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 384s ago, rekeying in 2644s, expires in 3216s
    in  ce1733e4,      0 bytes,     0 packets,   291s ago
    out ca4c011a,      0 bytes,     0 packets
    local  192.168.10.0/24
    remote 192.168.11.0/24
  TEST-tunnel-1: #17, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_1024
    installed 384s ago, rekeying in 2622s, expires in 3216s
    in  c03f9b0f,      0 bytes,     0 packets,   314s ago
    out c784ca2d,      0 bytes,     0 packets
    local  192.168.100.0/24
    remote 192.168.101.0/24
TEST: #6, ESTABLISHED, IKEv2, 9eab5c6219798ac0_i* 2c6e2e2726d16e4d_r
  local  '192.0.2.2' @ 192.0.2.2[4500]
  remote '192.0.2.1' @ 192.0.2.1[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 384s ago, rekeying in 27835s
  TEST-tunnel-0: #13, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
    installed 384s ago, rekeying in 2599s, expires in 3216s
    in  cec5ba50,      0 bytes,     0 packets,   291s ago
    out cdb4b765,      0 bytes,     0 packets
    local  192.168.10.0/24
    remote 192.168.11.0/24
  TEST-tunnel-1: #16, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_1024
    installed 384s ago, rekeying in 2848s, expires in 3216s
    in  c9300e04,      0 bytes,     0 packets,   314s ago
    out cc5069dd,      0 bytes,     0 packets
    local  192.168.100.0/24
    remote 192.168.101.0/24
2. "reset vpn ipsec-peer" command does not work.
vyos@vyos:~$ reset vpn ipsec-peer TEST
Peer reset result: success
vyos@vyos:~$ reset vpn ipsec-peer TEST tunnel 0
Peer reset result: success

But nothing changes.
The command 'sudo /usr/sbin/ipsec down' does not give any result.

I was wrong. NOT 6 CHILD_SAs on one tunnel.
6 IKE SAs on one configured tunnel.
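As an added example (not VyOS or strongSwan code), a small parser for the swanctl -l text format shown above: it counts ESTABLISHED IKE_SAs per connection and lists CHILD_SAs that have never carried traffic, so the "six IKE SAs for one configured peer" condition can be caught by a monitoring check instead of by eye. The sample is a constructed excerpt of two of the six SAs from the output above, trimmed to the lines the parser needs.

```python
import re
from collections import defaultdict

# Constructed sample: two of the six IKE_SAs from the swanctl -l output above, trimmed.
SAMPLE = """\
TEST: #11, ESTABLISHED, IKEv2, 529c52443be59beb_i 135a462a9fafbd9f_r*
  TEST-tunnel-0: #11, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
    in  c9074c1c,      0 bytes,     0 packets,   291s ago
    out cdd2a11c,      0 bytes,     0 packets
TEST: #10, ESTABLISHED, IKEv2, 6913ea6a1c4251dd_i* 577be9ed94297f7d_r
  TEST-tunnel-0: #18, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96
    in  cdb074d1,    672 bytes,     8 packets,   291s ago
    out cecc1b7f,    672 bytes,     8 packets,   291s ago
"""

# IKE_SA lines start at column 0, CHILD_SA lines are indented two spaces,
# and the in/out counter lines are indented four spaces.
IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), IKEv[12],")
CHILD_RE = re.compile(r"^  (\S+): #(\d+), reqid (\d+), (\w+),")
CNT_RE = re.compile(r"^    (in|out)\s+[0-9a-f]+,\s+(\d+) bytes,\s+(\d+) packets")

def parse_swanctl(text):
    """Return {connection: [ike_sa, ...]}; each ike_sa carries its CHILD_SAs."""
    conns = defaultdict(list)
    ike = child = None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            ike = {"id": int(m[2]), "state": m[3], "children": []}
            conns[m[1]].append(ike)
            continue
        m = CHILD_RE.match(line)
        if m and ike is not None:
            child = {"name": m[1], "id": int(m[2]), "reqid": int(m[3]),
                     "state": m[4], "bytes": 0, "packets": 0}
            ike["children"].append(child)
            continue
        m = CNT_RE.match(line)
        if m and child is not None:  # sum inbound and outbound counters
            child["bytes"] += int(m[2]); child["packets"] += int(m[3])
    return dict(conns)

def duplicate_ike_sas(conns, expected=1):
    """Connections with more ESTABLISHED IKE_SAs than expected (the symptom above)."""
    return {c: [s["id"] for s in sas if s["state"] == "ESTABLISHED"]
            for c, sas in conns.items()
            if sum(s["state"] == "ESTABLISHED" for s in sas) > expected}

def idle_child_sas(conns):
    """(conn, ike id, child name, child id) for CHILD_SAs that carried no packets."""
    return [(c, s["id"], ch["name"], ch["id"]) for c, sas in conns.items()
            for s in sas for ch in s["children"] if ch["packets"] == 0]
```

Feed it the real output with `parse_swanctl(subprocess.check_output(["sudo", "swanctl", "-l"], text=True))`; a non-empty result from `duplicate_ike_sas` is the condition worth alerting on.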