
VTI tunnel SA is incorrectly displayed as down when it's in fact up
Closed, Resolved · Public

Description

I heard about the IPsec VTI problem at the VyOS meeting in Japan.

Mr. Asama said that this problem might be solved with this patch.
http://bugzilla.vyos.net/show_bug.cgi?id=183

But currently this patch has been reverted.
http://bugzilla.vyos.net/show_bug.cgi?id=183#c3

It seems that this problem occurs when another vendor's IPsec client (i.e. the Yamaha RTX series) connects to a VyOS IPsec server.

We'll post an update about the problem later.

Details

Difficulty level
Easy (less than an hour)
Version
1.1.7

Event Timeline

syncer triaged this task as Normal priority. Aug 1 2017, 4:24 AM
syncer changed the edit policy from "Task Author" to "Custom Policy".
syncer added a project: VyOS 1.2 Crux.

@hiroyuki-sato does this apply to the 1.2.x series?

@hiroyuki-sato maybe 1.2 is not affected by that issue;
I will check with @dmbaturin

syncer added a subscriber: syncer.

@dmbaturin now that we have Bugzilla back, can you check this one?

Tested on 1.2.0-rolling

show version
Version:          VyOS 1.2.0-rolling+201804260337
show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
remoteip                              localip

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    vti     down   0.0/192.0      aes256   sha1_96 no     -25200          all
sudo ipsec status
Routed Connections:
peer-remoteip-tunnel-vti{1}:  ROUTED, TUNNEL, reqid 1
peer-remoteip-tunnel-vti{1}:   0.0.0.0/0 === 0.0.0.0/0
Security Associations (1 up, 0 connecting):
peer-remoteip-tunnel-vti[1]: ESTABLISHED 6 minutes ago, localip[localid]...remoteip[remoteid]
peer-remoteip-tunnel-vti{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cea088f2_i e0267f52_o
peer-remoteip-tunnel-vti{2}:   0.0.0.0/0 === 0.0.0.0/0

The remote site believes the tunnel is connected. But as you can see, the VTI interface shows as down.
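The two outputs above disagree: strongSwan reports the IKE SA as ESTABLISHED and a CHILD_SA as INSTALLED, while the op-mode table prints the VTI as `down`. Anyone monitoring tunnels on an affected build should therefore not trust the `show vpn ipsec sa` state column alone. The following is an added example (not VyOS code) that parses both outputs, derives the real state from `ipsec status`, and flags rows where the displayed state disagrees with it. The sample texts are constructed from the output quoted in this task, and the mapping from the op-mode tunnel name (`vti`) to the strongSwan connection name (`peer-remoteip-tunnel-vti`) is an assumption the caller supplies.

```python
import re

# Constructed sample, modelled on the "sudo ipsec status" output quoted in this task.
IPSEC_STATUS = """\
Routed Connections:
peer-remoteip-tunnel-vti{1}:  ROUTED, TUNNEL, reqid 1
peer-remoteip-tunnel-vti{1}:   0.0.0.0/0 === 0.0.0.0/0
Security Associations (1 up, 0 connecting):
peer-remoteip-tunnel-vti[1]: ESTABLISHED 6 minutes ago, localip[localid]...remoteip[remoteid]
peer-remoteip-tunnel-vti{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cea088f2_i e0267f52_o
peer-remoteip-tunnel-vti{2}:   0.0.0.0/0 === 0.0.0.0/0
"""

# Constructed sample, modelled on the "show vpn ipsec sa" table quoted in this task.
SHOW_SA = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
remoteip                              localip

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    vti     down   0.0/192.0      aes256   sha1_96 no     -25200          all
"""

# IKE SA lines use "name[n]: STATE", CHILD_SA lines use "name{n}: STATE, TUNNEL, reqid n".
IKE_RE = re.compile(r'^(?P<conn>[\w.-]+)\[(?P<id>\d+)\]:\s+(?P<state>[A-Z]+)')
CHILD_RE = re.compile(r'^(?P<conn>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z]+),\s*TUNNEL,\s*reqid\s+(?P<reqid>\d+)')


def parse_ipsec_status(text):
    """Return {connection_name: {'ike': set(states), 'child': set(states)}}."""
    conns = {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            conns.setdefault(m['conn'], {'ike': set(), 'child': set()})['ike'].add(m['state'])
            continue
        m = CHILD_RE.match(line)
        if m:
            conns.setdefault(m['conn'], {'ike': set(), 'child': set()})['child'].add(m['state'])
    return conns


def kernel_says_up(conn):
    """A tunnel is really up when the IKE SA is ESTABLISHED and a CHILD_SA is INSTALLED.
    ROUTED on its own only means a trap policy exists; no keys are in the kernel yet."""
    return 'ESTABLISHED' in conn['ike'] and 'INSTALLED' in conn['child']


def parse_show_sa(text):
    """Return {tunnel_name: displayed_state} from the op-mode table.
    Tunnel rows follow the dashed line under the 'Tunnel  State ...' header."""
    rows = {}
    in_table = False
    for line in text.splitlines():
        cols = line.split()
        if cols[:2] == ['------', '-----']:
            in_table = True
            continue
        if in_table and len(cols) >= 2:
            rows[cols[0]] = cols[1]
        elif in_table and not cols:
            in_table = False
    return rows


def find_mismatches(status_text, show_text, tunnel_map):
    """tunnel_map maps op-mode tunnel names to strongSwan connection names (assumed, site-specific).
    Returns [(tunnel, displayed_state, actual_state)] for every row that disagrees."""
    conns = parse_ipsec_status(status_text)
    shown = parse_show_sa(show_text)
    mismatches = []
    for tunnel, displayed in shown.items():
        conn = conns.get(tunnel_map.get(tunnel))
        actual = 'up' if conn and kernel_says_up(conn) else 'down'
        if displayed != actual:
            mismatches.append((tunnel, displayed, actual))
    return mismatches


if __name__ == '__main__':
    for tunnel, displayed, actual in find_mismatches(IPSEC_STATUS, SHOW_SA, {'vti': 'peer-remoteip-tunnel-vti'}):
        print(f'{tunnel}: op-mode shows {displayed}, strongSwan shows {actual}')
```

On the output quoted above this reports `vti: op-mode shows down, strongSwan shows up`, which is exactly the cosmetic defect this task tracks; an alert built on `ipsec status` (or `swanctl --list-sas` on newer strongSwan) avoids paging on a tunnel that is actually passing traffic.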

syncer changed the task status from Open to On hold. Oct 13 2018, 9:19 AM

This is cosmetic; please retest on the latest rolling.

I'm seeing the same thing using a newer rolling version. My tunnels are up and can pass traffic.

vyos@cni-lima-iptv-vpn-1:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
remote                                  local

    Description: AWS Tunnel 1

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    vti     down   14.6K/0.0      aes128   sha1_96/modp_1024 no     -1920           all
vyos@cni-lima-iptv-vpn-1:~$ show version
Version:          VyOS 1.2.0-rolling+201810141404
Built by:         [email protected]
Built on:         Sun 14 Oct 2018 14:04 UTC
syncer added a subscriber: JulesT.

@JulesT want to look into that?

This should have been resolved by T956, but if it reappears or the fix turns out incomplete, feel free to reopen.

dmbaturin renamed this task from "[Revise] Bug 183 - VTI will not be up automatic when IPsec SA up." to "VTI tunnel SA is incorrectly displayed as down when it's in fact up". Nov 25 2018, 8:34 PM