Maniphest T1925

DMVPN is always listed as down in "show vpn ipsec sa"
Open, Requires assessmentPublicBUG
Actions

Assigned To

Authored By

	c-po
	Dec 31 2019, 5:21 PM

Description

When operating VyOS as DMVPN HUB the DMVPN tunnel is always down when issuing the show vpn ipsec sa command. The DMVPN configuration is from https://docs.vyos.io/en/latest/vpn/dmvpn.html

vyos@vyos:~$ show vpn ipsec sa
Connection                     State    Up          Bytes In/Out    Remote address    Remote ID    Proposal
-----------------------------  -------  ----------  --------------  ----------------  -----------  ------------------------------------------------
peer-172.18.203.10-tunnel-vti  up       52 seconds  252B/252B       172.18.203.10     N/A          AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
dmvpn-NHRPVPN-tun100           down     N/A         N/A             N/A               N/A          N/A

vyos@vyos:~$ show interfaces tunnel tun100
tun100@NONE: <MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1360 qdisc noqueue state UNKNOWN group default qlen 1000
    link/gre 172.18.201.10 brd 0.0.0.0
    inet 172.18.100.6/29 brd 172.18.100.7 scope global tun100
       valid_lft forever preferred_lft forever
    inet6 fe80::5efe:ac12:c90a/64 scope link
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
         99016        990          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
         95056        950          0          0          0          0

I do not know if this is intended or not...

Details

Difficulty level: Unknown (require assessment)
Version: 1.2.2
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		sdev	T2816 Rewrite IPsec scripts with the new XML/Python approach
		Open	BUG	Viacheslav	T1925 DMVPN is always listed as down in "show vpn ipsec sa"

Event Timeline

c-po created this task.Dec 31 2019, 5:21 PM

c-po updated the task description. (Show Details)

syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.Jan 1 2020, 1:51 PM

dmbaturin added a parent task: T2816: Rewrite IPsec scripts with the new XML/Python approach.Aug 20 2020, 3:39 PM

pasik added a subscriber: pasik.Aug 21 2020, 7:37 AM

dmbaturin added a project: test.Jul 29 2021, 12:37 PM

Tested on VyOS 1.3.0-rc5

After reboot, it shows tunnels in up state.
192.0.2.1 - hub
100.64.2.11 - spoke2

vyos@spoke1:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
dmvpn         up       3m45s     1K/1K           17/17             100.64.2.11       N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
dmvpn         up       8m54s     1K/1K           15/13             192.0.2.1         N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024

After some time with next ping of spoke

vyos@spoke1:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
dmvpn         up       21s       276B/0B         3/0               100.64.2.11       N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
dmvpn         up       21s       0B/0B           0/0               100.64.2.11       N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
dmvpn         up       10m58s    2K/2K           21/20             192.0.2.1         N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
vyos@spoke1:~$ 
vyos@spoke1:~$ 
vyos@spoke1:~$ 
vyos@spoke1:~$ sudo swanctl -l
dmvpn-NHRPVPN-tun100: #5, ESTABLISHED, IKEv1, 9711fa440410c7c9_i d133d28a6072a20a_r*
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '100.64.2.11' @ 100.64.2.11[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 45s ago, rekeying in 3248s
  dmvpn: #6, reqid 4, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 45s ago, rekeying in 1233s, expires in 1935s
    in  cf2d256a,    276 bytes,     3 packets,    36s ago
    out c06467d9,      0 bytes,     0 packets
    local  100.64.1.11/32[gre]
    remote 100.64.2.11/32[gre]
  dmvpn: #7, reqid 4, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 45s ago, rekeying in 1214s, expires in 1935s
    in  c4b3390b,      0 bytes,     0 packets
    out c0930e62,      0 bytes,     0 packets
    local  100.64.1.11/32[gre]
    remote 100.64.2.11/32[gre]
dmvpn-NHRPVPN-tun100: #1, ESTABLISHED, IKEv1, 2bc867b1ca327379_i* c85b15462b657b03_r
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '192.0.2.1' @ 192.0.2.1[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 682s ago, rekeying in 2719s
  dmvpn: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 682s ago, rekeying in 824s, expires in 1298s
    in  cb2b55ee,   2642 bytes,    21 packets,    37s ago
    out cb3647d6,   2132 bytes,    20 packets,    36s ago
    local  100.64.1.11/32[gre]
    remote 192.0.2.1/32[gre]
vyos@spoke1:~$

Not sure that it correct behavior, so I see 2 child SA's (for 100.64.2.11), expected 1.

SA only with hub, output correct

vyos@spoke1:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
dmvpn         up       16m24s    2K/2K           24/23             192.0.2.1         N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
vyos@spoke1:~$ 
vyos@spoke1:~$ 
vyos@spoke1:~$ sudo swanctl -l
dmvpn-NHRPVPN-tun100: #1, ESTABLISHED, IKEv1, 2bc867b1ca327379_i* c85b15462b657b03_r
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '192.0.2.1' @ 192.0.2.1[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 1001s ago, rekeying in 2400s
  dmvpn: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 1001s ago, rekeying in 505s, expires in 979s
    in  cb2b55ee,   3044 bytes,    24 packets,    91s ago
    out cb3647d6,   2474 bytes,    23 packets,    91s ago
    local  100.64.1.11/32[gre]
    remote 192.0.2.1/32[gre]
vyos@spoke1:~$

Ping spoke2 to establish sa

vyos@spoke1:~$ ping 172.16.253.132
PING 172.16.253.132 (172.16.253.132) 56(84) bytes of data.
64 bytes from 172.16.253.132: icmp_seq=1 ttl=63 time=11.3 ms
64 bytes from 172.16.253.132: icmp_seq=2 ttl=64 time=3.36 ms

After ping we see 2 parent SA (with remote 100.64.2.11) and one of them with 2 child SA's

vyos@spoke1:~$ show vpn ipsec sa
Connection            State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
dmvpn                 up       4s        92B/0B          1/0               100.64.2.11       N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
dmvpn                 up       4s        0B/0B           0/0               100.64.2.11       N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
dmvpn                 up       17m35s    3K/2K           29/28             192.0.2.1         N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
dmvpn-NHRPVPN-tun100  down     N/A       N/A             N/A               N/A               N/A          N/A
vyos@spoke1:~$ 
vyos@spoke1:~$ sudo swanctl -l
dmvpn-NHRPVPN-tun100: #7, ESTABLISHED, IKEv1, 5721c95fa48413c4_i eb1ff264b01a4cbd_r*
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '100.64.2.11' @ 100.64.2.11[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 9s ago, rekeying in 3281s
  dmvpn: #9, reqid 5, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 9s ago, rekeying in 1585s, expires in 1971s
    in  c2b077b9,     92 bytes,     1 packets,     8s ago
    out ca17555e,      0 bytes,     0 packets
    local  100.64.1.11/32[gre]
    remote 100.64.2.11/32[gre]
  dmvpn: #10, reqid 5, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 9s ago, rekeying in 1554s, expires in 1971s
    in  cb0e55f7,      0 bytes,     0 packets
    out c66cac10,      0 bytes,     0 packets
    local  100.64.1.11/32[gre]
    remote 100.64.2.11/32[gre]
dmvpn-NHRPVPN-tun100: #6, ESTABLISHED, IKEv1, 209e50e93ab75799_i* 0c98a1483e954736_r
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '100.64.2.11' @ 100.64.2.11[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 9s ago, rekeying in 3253s
dmvpn-NHRPVPN-tun100: #1, ESTABLISHED, IKEv1, 2bc867b1ca327379_i* c85b15462b657b03_r
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '192.0.2.1' @ 192.0.2.1[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 1060s ago, rekeying in 2341s
  dmvpn: #1, reqid 1, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 1060s ago, rekeying in 446s, expires in 920s
    in  cb2b55ee,   3684 bytes,    29 packets,     9s ago
    out cb3647d6,   3008 bytes,    28 packets,     8s ago
    local  100.64.1.11/32[gre]
    remote 192.0.2.1/32[gre]
vyos@spoke1:~$

After some time, we see 2 parents SA to spoke2 (expected 1) each with own child SA.
Both child SA's INSTALLED but active only one.

vyos@spoke1:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
dmvpn         up       8m26s     1M/1M           15K/15K           100.64.2.11       N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
dmvpn         up       8m26s     0B/0B           0/0               100.64.2.11       N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
dmvpn         up       42m42s    2K/1K           17/16             192.0.2.1         N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
vyos@spoke1:~$ 
vyos@spoke1:~$ 
vyos@spoke1:~$ sudo swanctl -l
dmvpn-NHRPVPN-tun100: #9, ESTABLISHED, IKEv1, a66064db86399b11_i 1f22ff1aea548ee9_r*
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '100.64.2.11' @ 100.64.2.11[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 509s ago, rekeying in 2847s
  dmvpn: #13, reqid 6, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 509s ago, rekeying in 906s, expires in 1471s
    in  cbf92021, 1411740 bytes, 15345 packets,    74s ago
    out c41ce29d, 1411740 bytes, 15345 packets,    74s ago
    local  100.64.1.11/32[gre]
    remote 100.64.2.11/32[gre]
dmvpn-NHRPVPN-tun100: #8, ESTABLISHED, IKEv1, 55e84f0f1530ea25_i* cda4df2e3308632e_r
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '100.64.2.11' @ 100.64.2.11[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 509s ago, rekeying in 2816s
  dmvpn: #12, reqid 6, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 509s ago, rekeying in 1073s, expires in 1471s
    in  c16a349e,      0 bytes,     0 packets
    out cd9f584c,      0 bytes,     0 packets
    local  100.64.1.11/32[gre]
    remote 100.64.2.11/32[gre]
dmvpn-NHRPVPN-tun100: #1, ESTABLISHED, IKEv1, 2bc867b1ca327379_i* c85b15462b657b03_r
  local  '100.64.1.11' @ 100.64.1.11[500]
  remote '192.0.2.1' @ 192.0.2.1[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 2565s ago, rekeying in 836s
  dmvpn: #11, reqid 1, INSTALLED, TRANSPORT, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 1106s ago, rekeying in 449s, expires in 874s
    in  c8f6fa85,   2256 bytes,    17 packets,    39s ago
    out ce135cb2,   1818 bytes,    16 packets,    39s ago
    local  100.64.1.11/32[gre]
    remote 192.0.2.1/32[gre]

erkin set Issue type to Bug (incorrect behavior).Aug 31 2021, 5:58 PM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.0-epa1); removed test, VyOS 1.3 Equuleus.Sep 5 2021, 7:06 AM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus (1.3.0-epa1).Nov 1 2021, 10:09 PM

dmbaturin assigned this task to Viacheslav.Nov 9 2021, 5:06 AM

In VyOS 1.3.0-epa3

show vpn ipsec sa

worked just fine. showing the correct number of dmpvpn connections as well as there state.

In VyOS 1.3

show vpn ipsec sa

Always shows just one dmvpn connection as down, even though there are multiple dmvpn connections up at that moment.

show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
dmvpn         down     N/A       N/A             N/A               N/A               N/A          N/A

However,

show vpn ipsec sa verbose

on the same router running VyOS 1.3 shows the correct connection states

show vpn ipsec sa verbose 
Status of IKE charon daemon (strongSwan 5.7.2, Linux 5.4.165-amd64-vyos, x86_64):
  uptime: 14 hours, since Dec 28 00:15:54 2021
  malloc: sbrk 3092480, mmap 0, used 1629456, free 1463024
  worker threads: 10 of 16 idle, 5/0/1/0 working, job queue: 0/0/0/0, scheduled: 15
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  192.168.1.254
  2a02:58:140:1600:20d:b9ff:fe5a:380
Connections:
dmvpn-NHRPVPN-tun0:  %any...%any  IKEv1, dpddelay=30s
dmvpn-NHRPVPN-tun0:   local:  [192.168.1.254] uses pre-shared key authentication
dmvpn-NHRPVPN-tun0:   remote: uses pre-shared key authentication
       dmvpn:   child:  dynamic[gre] === dynamic[gre] TRANSPORT, dpdaction=restart
dmvpn-NHRPVPN-tun1:  %any...%any  IKEv1, dpddelay=30s
dmvpn-NHRPVPN-tun1:   local:  uses pre-shared key authentication
dmvpn-NHRPVPN-tun1:   remote: uses pre-shared key authentication
       dmvpn:   child:  dynamic[gre] === dynamic[gre] TRANSPORT, dpdaction=restart
Security Associations (3 up, 1 connecting):
dmvpn-NHRPVPN-tun0[9]: ESTABLISHED 5 minutes ago, 192.168.1.254[192.168.1.254]...193.189.102.247[193.189.102.247]
dmvpn-NHRPVPN-tun0[9]: IKEv1 SPIs: d6f1a85cbfea804c_i 9b12fac53ad71791_r*, rekeying in 7 hours
dmvpn-NHRPVPN-tun0[9]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
       dmvpn{49}:  INSTALLED, TRANSPORT, reqid 2, ESP in UDP SPIs: c9211fe6_i cff64656_o
       dmvpn{49}:  AES_GCM_16_128/ECP_256, 33392 bytes_i (377 pkts, 5s ago), 27768 bytes_o (342 pkts, 2s ago), rekeying in 10 minutes
       dmvpn{49}:   192.168.1.254/32[gre] === 193.189.102.247/32[gre]
dmvpn-NHRPVPN-tun0[8]: ESTABLISHED 6 hours ago, 192.168.1.254[192.168.1.254]...83.142.150.186[83.142.150.186]
dmvpn-NHRPVPN-tun0[8]: IKEv1 SPIs: 642466fb42c2fe6e_i* ecd4a3d06a028bc5_r, rekeying in 49 minutes
dmvpn-NHRPVPN-tun0[8]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
       dmvpn{50}:  INSTALLED, TRANSPORT, reqid 3, ESP in UDP SPIs: c8caf081_i ccc4698f_o
       dmvpn{50}:  AES_GCM_16_128/ECP_256, 27900332 bytes_i (93538 pkts, 0s ago), 0 bytes_o, rekeying in 6 minutes
       dmvpn{50}:   192.168.1.254/32[gre] === 83.142.150.186/32[gre]
dmvpn-NHRPVPN-tun0[7]: ESTABLISHED 7 hours ago, 192.168.1.254[192.168.1.254]...62.172.118.165[62.172.118.165]
dmvpn-NHRPVPN-tun0[7]: IKEv1 SPIs: b73eeb56f685e1b8_i* 070a5b93055a9b3b_r, rekeying in 7 minutes
dmvpn-NHRPVPN-tun0[7]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
       dmvpn{51}:  INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: c0485eaa_i c6a8dcfa_o
       dmvpn{51}:  AES_GCM_16_128/ECP_256, 5605933 bytes_i (37024 pkts, 0s ago), 5463455 bytes_o (38431 pkts, 0s ago), rekeying in 11 minutes
       dmvpn{51}:   192.168.1.254/32[gre] === 62.172.118.165/32[gre]
dmvpn-NHRPVPN-tun0[1]: CONNECTING, 192.168.1.254[%any]...192.168.200.1[%any]
dmvpn-NHRPVPN-tun0[1]: IKEv1 SPIs: e55483181ffa490b_i* 0000000000000000_r
dmvpn-NHRPVPN-tun0[1]: Tasks queued: QUICK_MODE 
dmvpn-NHRPVPN-tun0[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD

PR https://github.com/vyos/vyos-1x/pull/1133

syncer edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).Aug 29 2022, 7:05 AM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.3).Jul 12 2023, 9:43 PM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus (1.3.4).Aug 25 2023, 9:30 PM

DMVPN is always listed as down in "show vpn ipsec sa"Open, Requires assessmentPublicBUGActions

Description

Details

Related ObjectsSearch...

Event Timeline

DMVPN is always listed as down in "show vpn ipsec sa"
Open, Requires assessmentPublicBUG
Actions

Related Objects
Search...