
Incorrect output of "run show vpn ipsec sa"
Closed, Resolved | Public | BUG

Description

After updating from 1.1.8 to 1.2rc5, there is a problem with site-to-site VPN with several tunnels (only the first is up, but the VPN connects all tunnels):
Tunnel  State  Bytes Out/In   Encrypt  Hash              NAT-T  A-Time  L-Time  Proto
1       up     871.4K/27.4M   aes256   sha1_96/modp_1536 no     1500    3600    all
2       down   0.0/0.0        aes256   sha1_96/modp_1536 no     -2100   n/a     all
3       down   436.0/331.0    aes256   sha1_96/modp_1536 no     -1800   n/a     all
4       down   0.0/0.0        aes256   sha1_96/modp_1536 no     -1740   n/a     all
5       down   0.0/0.0        aes256   sha1_96/modp_1536 no     -2160   n/a     all
6       down   0.0/0.0        aes256   sha1_96/modp_1536 no     -1740   n/a     all
7       down   8.2K/7.1K      aes256   sha1_96/modp_1536 no     -1980   n/a     all
8       down   0.0/0.0        aes256   sha1_96/modp_1536 no     -1800   n/a     all
9       down   0.0/0.0        aes256   sha1_96/modp_1536 no     -1800   n/a     all
10      down   263.9K/115.8K  aes256   sha1_96/modp_1536 no     -1680   n/a     all
11      down   65.5K/90.6K    aes256   sha1_96/modp_1536 no     -2040   n/a     all
12      down   0.0/0.0        aes256   sha1_96/modp_1536 no     -1800   n/a     all

Details

Difficulty level
Unknown (require assessment)
Version
1.2
Why the issue appeared?
Issues in third-party code
syncer triaged this task as Low priority.

A long standing problem indeed. StrongSWAN changed its output format, I cannot say it was for the better.

I've made a new script that I think is better than nothing, at least it doesn't produce confusing information.

vyos@vyos# run show vpn ipsec sa
Connection         State    Up          Bytes In/Out    Remote address    Remote ID    Proposal
-----------------  -------  ----------  --------------  ----------------  -----------  ------------------------------
peer-foo-tunnel-1  up       57 minutes  0/0             10.0.0.2          foo          3DES_CBC/HMAC_MD5_96/MODP_1024
peer-foo-tunnel-1  up       57 minutes  0/0             10.0.0.2          foo          3DES_CBC/HMAC_MD5_96/MODP_1024
peer-foo-tunnel-2  up       57 minutes  0/0             10.0.0.2          foo          3DES_CBC/HMAC_MD5_96/MODP_1024
peer-foo-tunnel-2  up       57 minutes  0/0             10.0.0.2          foo          3DES_CBC/HMAC_MD5_96/MODP_1024
peer-foo-tunnel-3  up       57 minutes  0/0             10.0.0.2          foo          3DES_CBC/HMAC_MD5_96/MODP_1024
peer-foo-tunnel-3  up       57 minutes  0/0             10.0.0.2          foo          3DES_CBC/HMAC_MD5_96/MODP_1024
peer-foo-tunnel-4  up       57 minutes  0/0             10.0.0.2          foo          3DES_CBC/HMAC_MD5_96/MODP_1024
peer-foo-tunnel-4  up       57 minutes  0/0             10.0.0.2          foo          3DES_CBC/HMAC_MD5_96/MODP_1024
peer-foo-tunnel-5  down     N/A         N/A             N/A               N/A          N/A
peer-foo-tunnel-5  down     N/A         N/A             N/A               N/A          N/A
dmbaturin changed the task status from Open to In progress. Sun, Nov 18, 8:24 PM
Line2 added a subscriber: Line2. Edited Sat, Nov 24, 7:10 PM

in VyOS 1.2.0-rolling+201811240337 I get no proposals and no traffic in 'show vpn ipsec sa':

vyos@vyos-test:~$ show vpn ipsec sa
Connection                     State    Up       Bytes In/Out    Remote address    Remote ID        Proposal
-----------------------------  -------  -------  --------------  ----------------  ---------------  --------------
peer-peer.domain.com-tunnel-2  up       7 hours  None/None       xx.xx.xx.xx       peer.domain.com  None/None/None
peer-peer.domain.com-tunnel-2  up       7 hours  None/None       xx.xx.xx.xx       peer.domain.com  None/None/None

@Line2 Could you attach the IPsec config and the output of "sudo ipsec statusall"?

dmbaturin changed Why the issue appeared? from Will be filled on close to Issues in third-party code.
Line2 added a comment. Sun, Nov 25, 8:20 PM

IPsec config:

vyos@vyos# show vpn ipsec
 auto-update 60
 esp-group esp1 {
     compression disable
     lifetime 3600
     mode tunnel
     pfs dh-group14
     proposal 1 {
         encryption aes128
         hash sha256
     }
 }
 ike-group ike1 {
     dead-peer-detection {
         action restart
         interval 30
         timeout 120
     }
     ikev2-reauth no
     key-exchange ikev2
     lifetime 28800
     proposal 1 {
         dh-group 14
         encryption aes128
         hash sha256
     }
 }
 ipsec-interfaces {
     interface eth0
 }
 logging {
     log-level 1
     log-modes mgr
     log-modes ike
 }
 site-to-site {
     peer peer.domain.com {
         authentication {
             id @local.domain.com
             mode x509
             remote-id @peer.domain.com
             x509 {
                 ca-cert-file /config/auth/CA.crt
                 cert-file /config/auth/local.domain.com.crt
                 key {
                     file /config/auth/local.domain.com.key
                 }
             }
         }
         connection-type respond
         default-esp-group esp1
         description "Tunnel to peer"
         ike-group ike1
         ikev2-reauth inherit
         local-address 172.16.101.16
         tunnel 2 {
             allow-nat-networks disable
             allow-public-networks disable
             local {
                 prefix 172.20.10.1/32
             }
             protocol gre
             remote {
                 prefix 172.20.1.1/32
             }
         }
     }
 }

sudo ipsec statusall:

vyos@vyos# sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.19.4-amd64-vyos, x86_64):
  uptime: 4 hours, since Nov 25 16:46:16 2018
  malloc: sbrk 1900544, mmap 0, used 831376, free 1069168
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  172.16.101.16
Connections:
peer-peer.domain.com-tunnel-2:  172.16.101.16...peer.domain.com  IKEv2, dpddelay=30s
peer-peer.domain.com-tunnel-2:   local:  [local.domain.com] uses public key authentication
peer-peer.domain.com-tunnel-2:    cert:  "C=xx, ST=yy, L=zz, O=aa, OU=bb, CN=local.domain.com, E=mail@domain.com"
peer-peer.domain.com-tunnel-2:   remote: [peer.domain.com] uses public key authentication
peer-peer.domain.com-tunnel-2:   child:  172.20.10.1/32[gre] === 172.20.1.1/32[gre] TUNNEL, dpdaction=restart
Routed Connections:
peer-peer.domain.com-tunnel-2{1}:  ROUTED, TUNNEL, reqid 1
peer-peer.domain.com-tunnel-2{1}:   172.20.10.1/32[gre] === 172.20.1.1/32[gre]
Security Associations (1 up, 0 connecting):
peer-peer.domain.com-tunnel-2[2]: ESTABLISHED 4 hours ago, 172.16.101.16[local.domain.com]...xx.xx.xx.xx[peer.domain.com]
peer-peer.domain.com-tunnel-2[2]: IKEv2 SPIs: 2b8774795de149b4_i f5754338ae93a531_r*, rekeying in 3 hours
peer-peer.domain.com-tunnel-2[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
peer-peer.domain.com-tunnel-2{8}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccf7b705_i 61db31dd_o
peer-peer.domain.com-tunnel-2{8}:  AES_CBC_128/HMAC_SHA2_256_128/MODP_2048, 350074 bytes_i (2900 pkts, 0s ago), 384153 bytes_o (2568 pkts, 0s ago), rekeying in 37 minutes
peer-peer.domain.com-tunnel-2{8}:   172.20.10.1/32[gre] === 172.20.1.1/32[gre]
dmbaturin renamed this task from VPN site-to-site status bug to Incorrect output of "run show vpn ipsec sa". Sun, Nov 25, 9:11 PM
dmbaturin closed this task as Resolved. Mon, Dec 3, 12:43 AM

Ok, the issue is that StrongSWAN uses different format for SAs with zero and non-zero counters!

Should be fixed now.
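The point in the comment above, that strongSwan's stroke output prints a CHILD_SA line differently when its counters are zero, is what a parser of "ipsec statusall" has to tolerate. The following is an added Python example of such a parser; it is not VyOS's show_ipsec_sa.py and not strongSwan code. The sample text is constructed: the first SA is modelled on the statusall output quoted above, while the zero-traffic form (no "(N pkts, Ts ago)" clause after bytes_i and bytes_o), the peer-bar connection and all its addresses and SPIs are assumptions for illustration.

```python
import re

# Constructed sample of strongSwan 5.x "ipsec statusall" output (stroke format).
# peer-foo-tunnel-2 is modelled on the output quoted in this task. peer-bar-tunnel-1
# is the zero-counter form: strongSwan prints "N bytes_i (pkts, ago)" only when the
# SA has carried traffic in that direction, otherwise just "0 bytes_i". That second
# form, and every peer-bar value, is an assumption made for this example.
SAMPLE = """\
Security Associations (2 up, 0 connecting):
peer-foo-tunnel-2[2]: ESTABLISHED 4 hours ago, 172.16.101.16[local.domain.com]...10.0.0.2[peer.domain.com]
peer-foo-tunnel-2[2]: IKEv2 SPIs: 2b8774795de149b4_i f5754338ae93a531_r*, rekeying in 3 hours
peer-foo-tunnel-2[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
peer-foo-tunnel-2{8}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccf7b705_i 61db31dd_o
peer-foo-tunnel-2{8}:  AES_CBC_128/HMAC_SHA2_256_128/MODP_2048, 350074 bytes_i (2900 pkts, 0s ago), 384153 bytes_o (2568 pkts, 0s ago), rekeying in 37 minutes
peer-foo-tunnel-2{8}:   172.20.10.1/32[gre] === 172.20.1.1/32[gre]
peer-bar-tunnel-1[3]: ESTABLISHED 12 minutes ago, 172.16.101.16[local.domain.com]...10.0.0.3[bar]
peer-bar-tunnel-1[3]: IKEv2 SPIs: 0011223344556677_i 8899aabbccddeeff_r*, rekeying in 7 hours
peer-bar-tunnel-1[3]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
peer-bar-tunnel-1{9}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: 0a1b2c3d_i 4e5f6a7b_o
peer-bar-tunnel-1{9}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 12 minutes
peer-bar-tunnel-1{9}:   172.20.10.1/32 === 172.20.2.0/24
"""

# IKE_SA header line: carries the peer address and remote ID that the CHILD_SA lines lack.
IKE_RE = re.compile(
    r"^(?P<name>\S+)\[(?P<id>\d+)\]: ESTABLISHED (?P<age>.+?) ago, "
    r"(?P<laddr>[^\s\[]+)\[(?P<lid>[^\]]+)\]\.\.\.(?P<raddr>[^\s\[]+)\[(?P<rid>[^\]]+)\]$"
)
# CHILD_SA state line; "ESP in UDP" appears when NAT-T encapsulation is active.
INSTALLED_RE = re.compile(
    r"^(?P<name>\S+)\{(?P<id>\d+)\}:\s+INSTALLED, (?P<mode>\w+), reqid (?P<reqid>\d+), "
    r"(?P<proto>\S+(?: in UDP)?) SPIs: (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o"
)
# One direction of traffic counters. The whole "(N pkts, Ts ago)" group is optional,
# which is exactly the zero-counter/non-zero-counter difference this task is about.
_USAGE = r"(?P<{d}_bytes>\d+) bytes_{d}(?: \((?P<{d}_pkts>\d+) pkts?, (?P<{d}_ago>\d+)s ago\))?"
STATS_RE = re.compile(
    r"^(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<proposal>[A-Z0-9_]+(?:/[A-Z0-9_]+)*), "
    + _USAGE.format(d="i") + ", " + _USAGE.format(d="o")
    + r", rekeying (?P<rekey>.+)$"
)
# Traffic selector line for an installed CHILD_SA.
TS_RE = re.compile(r"^(?P<name>\S+)\{(?P<id>\d+)\}:\s+(?P<local>\S+) === (?P<remote>\S+)$")


def parse_statusall(text):
    """Return one dict per INSTALLED CHILD_SA, with its parent IKE_SA's peer info attached."""
    current_ike = None   # statusall lists each IKE_SA before the CHILD_SAs under it
    children = {}        # CHILD_SA unique id -> dict
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            current_ike = m.groupdict()
            continue
        m = INSTALLED_RE.match(line)
        if m:
            children[m["id"]] = {
                "connection": m["name"], "mode": m["mode"], "proto": m["proto"],
                "spi_in": m["spi_in"], "spi_out": m["spi_out"],
                "remote_addr": current_ike["raddr"] if current_ike else None,
                "remote_id": current_ike["rid"] if current_ike else None,
                "up": current_ike["age"] if current_ike else None,
                "bytes_in": 0, "bytes_out": 0, "pkts_in": 0, "pkts_out": 0,
                "proposal": None, "rekey": None, "local_ts": None, "remote_ts": None,
            }
            continue
        m = STATS_RE.match(line)
        if m and m["id"] in children:
            sa = children[m["id"]]
            sa["proposal"] = m["proposal"]
            sa["bytes_in"], sa["bytes_out"] = int(m["i_bytes"]), int(m["o_bytes"])
            # In the zero-counter form the pkts groups did not match and are None:
            # report 0 packets rather than leaking None into the table.
            sa["pkts_in"] = int(m["i_pkts"] or 0)
            sa["pkts_out"] = int(m["o_pkts"] or 0)
            sa["rekey"] = m["rekey"]
            continue
        m = TS_RE.match(line)
        if m and m["id"] in children:
            children[m["id"]]["local_ts"] = m["local"]
            children[m["id"]]["remote_ts"] = m["remote"]
    return list(children.values())


def summary_rows(sas):
    """Rows in the shape of 'show vpn ipsec sa'; an idle SA shows 0/0, never None/None."""
    return [
        (sa["connection"], "up", sa["up"] or "N/A",
         f"{sa['bytes_in']}/{sa['bytes_out']}",
         sa["remote_addr"] or "N/A", sa["remote_id"] or "N/A",
         sa["proposal"] or "N/A")
        for sa in sas
    ]


if __name__ == "__main__":
    for row in summary_rows(parse_statusall(SAMPLE)):
        print("  ".join(row))
```

Only CHILD_SAs in the INSTALLED state produce rows; "Routed Connections" entries and connections without an IKE_SA never match, which is where a "down" row would have to come from the configured connection list instead.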

Line2 added a comment. Wed, Dec 5, 8:50 AM

I just tested "show vpn ipsec sa" on the latest rolling (vyos-1.2.0-rolling+201812050337) and get exactly the output of "sudo ipsec statusall":

~$ show vpn ipsec sa
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/show_ipsec_sa.py", line 51, in <module>
    raise e
  File "/usr/libexec/vyos/op_mode/show_ipsec_sa.py", line 45, in <module>
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.19.4-amd64-vyos, x86_64):
  uptime: 7 minutes, since Dec 06 15:06:21 2018
  malloc: sbrk 2965504, mmap 0, used 1546144, free 1419360
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 48
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:

Line2 added a comment. Edited Thu, Dec 6, 3:53 PM

All these commands show the same output:
show vpn ipsec sa
show vpn ipsec sa verbose
show vpn debug
sudo ipsec statusall

on VyOS 1.2.0-rolling+201812050337