Page MenuHomeVyOS Platform
Create Task
Maniphest T1995

"show vpn ike sa" command always show child-sas as down
Closed, ResolvedPublicBUG
Actions

Description

When between two hosts exists two or more tunnels, which share the same IKE SA, all child-sas shows as down by the "show vpn ike sa" command, no matter of real state:

vyos@vyos02:~$ show vpn ipsec sa 
Connection                  State    Up          Bytes In/Out    Remote address    Remote ID    Proposal
--------------------------  -------  ----------  --------------  ----------------  -----------  ---------------------------------------------------------
peer-192.168.30.1-tunnel-1  up       20 seconds  0B/0B           192.168.30.1      N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
peer-192.168.30.1-tunnel-2  up       20 seconds  0B/0B           192.168.30.1      N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
peer-192.168.30.1-tunnel-3  up       20 seconds  0B/0B           192.168.30.1      N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
peer-192.168.30.1-tunnel-5  up       20 seconds  0B/0B           192.168.30.1      N/A          AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
vyos@vyos02:~$ show vpn ike sa 
Peer ID / IP                            Local ID / IP               
------------                            -------------
n/a                                     192.168.30.2                           

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    

 
Peer ID / IP                            Local ID / IP               
------------                            -------------
192.168.30.1                            192.168.30.2                           

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv1   aes256   sha256_128 15(MODP_3072)  no     3600    28800

Most likely, this is a parsing problem of sudo ipsec statusall output.

Details

Version
1.2.4
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

zsdc created this task.Jan 29 2020, 5:49 PM
Viacheslav subscribed.Jan 29 2020, 5:52 PM
pasik subscribed.Jan 29 2020, 10:10 PM
syncer changed the task status from Open to Confirmed.Jan 30 2020, 12:00 PM
syncer triaged this task as Normal priority.
syncer assigned this task to c-po.Mar 28 2020, 11:58 AM
syncer lowered the priority of this task from Normal to Low.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
zakwan subscribed.Apr 16 2020, 7:08 AM
c-po reassigned this task from c-po to Unknown Object (User).Jun 21 2020, 12:10 PM
c-po subscribed.

I feel @Dmitry has more experience here from past topics. I hope you do not mind the reassignment.

Viacheslav changed the task status from Confirmed to In progress.May 14 2021, 3:28 PM
Viacheslav claimed this task.
Viacheslav added a subscriber: Unknown Object (User).
Viacheslav added a project: VyOS 1.4 Sagitta.May 14 2021, 3:35 PM
Viacheslav added a comment.EditedMay 14 2021, 3:59 PM

PR https://github.com/vyos/vyatta-op-vpn/pull/27

Show ipsec sa

vyos@r6-roll:~$ show vpn ipsec sa
Connection                State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
peer-100.64.0.2-tunnel-1  up       32m27s    0B/0B           0/0               100.64.0.2        N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-100.64.0.2-tunnel-2  up       32m27s    0B/0B           0/0               100.64.0.2        N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-100.64.0.2-tunnel-3  up       32m27s    0B/0B           0/0               100.64.0.2        N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-100.64.0.2-tunnel-4  up       32m27s    0B/0B           0/0               100.64.0.2        N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-100.64.0.2-tunnel-5  up       32m27s    0B/0B           0/0               100.64.0.2        N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-100.64.0.2-tunnel-6  up       32m27s    0B/0B           0/0               100.64.0.2        N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-100.64.0.2-tunnel-7  up       32m27s    0B/0B           0/0               100.64.0.2        N/A          AES_CBC_256/HMAC_SHA1_96/MODP_1024
peer-100.64.0.5-tunnel-0  down     N/A       N/A             N/A               N/A               N/A          N/A
peer-100.64.0.7-tunnel-0  down     N/A       N/A             N/A               N/A               N/A          N/A

Output without IKE fix:

vyos@r6-roll:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
n/a                                     100.64.0.1                             

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a    

 
Peer ID / IP                            Local ID / IP               
------------                            -------------
100.64.0.2                              100.64.0.1                             

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv1   aes256   sha1_96 2(MODP_1024)   no     1080    3600   

 
Peer ID / IP                            Local ID / IP               
------------                            -------------
100.64.0.5                              100.64.0.1                             

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   IKEv1   n/a      n/a     n/a(n/a)       no     0       n/a    

 
Peer ID / IP                            Local ID / IP               
------------                            -------------
100.64.0.7                              100.64.0.1                             

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   IKEv2   n/a      n/a     n/a(n/a)       no     0       n/a

Fixed Show IKE sa

vyos@r6-roll:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP               
------------                            -------------
100.64.0.2                              100.64.0.1                             

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv1   aes256   sha1_96 2(MODP_1024)   no     2700    3600   

 
Peer ID / IP                            Local ID / IP               
------------                            -------------
100.64.0.5                              100.64.0.1                             

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   IKEv1   n/a      n/a     n/a(n/a)       no     0       n/a    

 
Peer ID / IP                            Local ID / IP               
------------                            -------------
100.64.0.7                              100.64.0.1                             

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   IKEv2   n/a      n/a     n/a(n/a)       no     0       n/a
Viacheslav added a project: VyOS 1.2 Crux (VyOS 1.2.8).May 14 2021, 4:05 PM

Can be "cherry picked" to 1.3 and 1.2

SrividyaA subscribed.May 19 2021, 3:05 PM
Viacheslav moved this task from Open to Backport Candidates on the VyOS 1.4 Sagitta board.May 20 2021, 1:42 PM
dmbaturin closed this task as Resolved.May 29 2021, 6:22 AM
c-po moved this task from Backport Candidates to Finished on the VyOS 1.4 Sagitta board.May 29 2021, 9:12 PM
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.8) board.Jul 19 2021, 8:51 PM
erkin set Issue type to Bug (incorrect behavior).Aug 31 2021, 5:49 PM
erkin changed Issue type from Bug (incorrect behavior) to Unspecified (please specify).
dmbaturin removed projects: VyOS 1.4 Sagitta, VyOS 1.3 Equuleus.Sep 10 2021, 2:43 PM