
VPN tunnel is marked as up, even though vti0 is down.
Closed, Resolved · Public · BUG

Description

VPN shows as up:

olof@oob-rou001:~$ show vpn ipsec sa | strip-private 
Connection                      State    Up       Bytes In/Out    Remote address    Remote ID    Proposal
------------------------------  -------  -------  --------------  ----------------  -----------  ----------------------------------------------
peer-xxx.xxx.216.216-tunnel-vti  up       4 hours  0B/0B           xxx.xxx.216.216    N/A          AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048_256

Trying to ping the remote vti interface address:

olof@oob-rou001:~$ ping 10.18.5.17
connect: Invalid argument

I try to inspect packets:

olof@oob-rou001:~$ sudo tcpdump -i vti0
tcpdump: vti0: That device is not up

But notice the interface is down:

olof@oob-rou001:~$ ip addr show vti0 | strip-private
8: vti0@NONE: <POINTOPOINT,NOARP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ipip xxx.xxx.240.44 peer xxxxx.tld
    inet xxx.xxx.5.18/30 scope global vti0
       valid_lft forever preferred_lft forever

show vpn ipsec sa verbose shows the tunnel is installed, with the correct SPIs on both sides:

olof@oob-rou001:~$ show vpn ipsec sa verbose | strip-private 
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.106-amd64-vyos, x86_64):
  uptime: 7 days, since Aug 17 xxxx:xxxx:32 2020
  malloc: sbrk 1871872, mmap 0, used 794512, free 1077360
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  xxx.xxx.240.44
Connections:
peer-xxx.xxx.216.216-tunnel-vti:  xxx.xxx.240.44...xxx.xxx.216.216  IKEv2, dpddelay=30s
peer-xxx.xxx.216.216-tunnel-vti:   local:  [xxx.xxx.240.44] uses pre-shared key xxxxxx
peer-xxx.xxx.216.216-tunnel-vti:   remote: [xxx.xxx.216.216] uses pre-shared key xxxxxx
peer-xxx.xxx.216.216-tunnel-vti:   child:  xxx.xxx.0.0/0 === xxx.xxx.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
peer-xxx.xxx.216.216-tunnel-vti[36]: ESTABLISHED 4 hours ago, xxx.xxx.240.44[xxx.xxx.240.44]...xxx.xxx.216.216[xxx.xxx.216.216]
peer-xxx.xxx.216.216-tunnel-vti[36]: IKEv2 SPIs: 4a0289911d7d3a6a_i* c6c6684378608039_r, rekeying in 2 hours
peer-xxx.xxx.216.216-tunnel-vti[36]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048_256
peer-xxx.xxx.216.216-tunnel-vti{258}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cf332d5e_i c4c5a85d_o
peer-xxx.xxx.216.216-tunnel-vti{258}:  AES_GCM_16_256/MODP_2048_256, 0 bytes_i, 0 bytes_o, rekeying in 8 minutes
peer-xxx.xxx.216.216-tunnel-vti{258}:   xxx.xxx.0.0/0 === xxx.xxx.0.0/0

The remote side also reports the VPN as up:

olof@remotevpn02:~$ show vpn ipsec sa verbose | strip-private | grep 240.44
peer-xxx.xxx.240.44-tunnel-vti:  xxx.xxx.216.216...xxx.xxx.240.44  IKEv2, dpddelay=30s
peer-xxx.xxx.240.44-tunnel-vti:   local:  [xxx.xxx.216.216] uses pre-shared key xxxxxx
peer-xxx.xxx.240.44-tunnel-vti:   remote: [xxx.xxx.240.44] uses pre-shared key xxxxxx
peer-xxx.xxx.240.44-tunnel-vti:   child:  xxx.xxx.0.0/0 === xxx.xxx.0.0/0 TUNNEL, dpdaction=restart
peer-xxx.xxx.240.44-tunnel-vti[4060]: ESTABLISHED 4 hours ago, xxx.xxx.216.216[xxx.xxx.216.216]...xxx.xxx.240.44[xxx.xxx.240.44]
peer-xxx.xxx.240.44-tunnel-vti[4060]: IKEv2 SPIs: 4a0289911d7d3a6a_i c6c6684378608039_r*, rekeying in 2 hours
peer-xxx.xxx.240.44-tunnel-vti[4060]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048_256
peer-xxx.xxx.240.44-tunnel-vti{86783}:  INSTALLED, TUNNEL, reqid 2893, ESP SPIs: c4c5a85d_i cf332d5e_o
peer-xxx.xxx.240.44-tunnel-vti{86783}:  AES_GCM_16_256/MODP_2048_256, 0 bytes_i, 0 bytes_o, rekeying in 11 minutes
peer-xxx.xxx.240.44-tunnel-vti{86783}:   xxx.xxx.0.0/0 === xxx.xxx.0.0/0

The configuration is identical on the remote side:

olof@oob-rou001:~$ show configuration commands | grep ipsec | strip-private
set vpn ipsec esp-group ESP-OOB compression 'disable'
set vpn ipsec esp-group ESP-OOB lifetime '3600'
set vpn ipsec esp-group ESP-OOB mode 'tunnel'
set vpn ipsec esp-group ESP-OOB pfs 'dh-group24'
set vpn ipsec esp-group ESP-OOB proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP-OOB proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-OOB dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-OOB dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-OOB dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE-OOB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-OOB key-exchange 'ikev2'
set vpn ipsec ike-group IKE-OOB lifetime '28800'
set vpn ipsec ike-group IKE-OOB proposal 1 dh-group '24'
set vpn ipsec ike-group IKE-OOB proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group IKE-OOB proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer xxxxx.tld authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxxxx.tld authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer xxxxx.tld connection-type 'initiate'
set vpn ipsec site-to-site peer xxxxx.tld default-esp-group 'ESP-OOB'
set vpn ipsec site-to-site peer xxxxx.tld ike-group 'IKE-OOB'
set vpn ipsec site-to-site peer xxxxx.tld ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxxxx.tld local-address 'xxx.xxx.240.44'
set vpn ipsec site-to-site peer xxxxx.tld vti bind 'vti0'
set vpn ipsec site-to-site peer xxxxx.tld vti esp-group 'ESP-OOB'

IKEv2 INFORMATIONAL messages are exchanged every 30 seconds, so DPD is working.
This happens every few weeks.
Only running reset vpn ipsec-peer xxx.xxx.216.216 does not solve this issue.
The solution is to run restart ipsec to restart the whole ipsec process.

This side runs VyOS 1.2.5.
The remote side is VyOS 1.2.3.
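The report above shows why the SA table alone is a poor health signal: strongSwan reports the CHILD_SA as INSTALLED while the bound vti0 has no UP flag, so traffic silently goes nowhere. The following script is an added example, not code from the ticket or from the VyOS project: it cross-checks the State column of `show vpn ipsec sa` against the flag list of `ip link show vtiN` and flags the mismatch, which is the condition a monitoring check should alert on. The sample SA table and `ip link` lines are constructed (RFC 5737 documentation addresses stand in for the real peers), and the `live_check` helper assumes the VyOS 1.2 op-mode wrapper path `/opt/vyatta/bin/vyatta-op-cmd-wrapper`; it also goes a little beyond the ticket by handling the "SA not up" and "connection not listed" cases.

```shell
#!/bin/sh
# Added example, not code from the VyOS ticket or project: cross-check the
# IPsec SA state shown by "show vpn ipsec sa" against the operational state of
# the VTI interface it is bound to, so the "SA up, vti0 down" condition from the
# ticket is flagged instead of trusting the SA table alone.

# Constructed sample of "show vpn ipsec sa" output, modelled on the ticket's
# table (RFC 5737 documentation addresses stand in for the real peers).
SAMPLE_SA='Connection                      State    Up       Bytes In/Out    Remote address    Remote ID    Proposal
------------------------------  -------  -------  --------------  ----------------  -----------  --------
peer-192.0.2.10-tunnel-vti       up       4 hours  0B/0B           192.0.2.10        N/A          AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_2048_256
peer-198.51.100.7-tunnel-vti     down     N/A      0B/0B           198.51.100.7      N/A          N/A'

# Constructed "ip link show vti0" output for the failed state in the ticket
# (no UP flag, state DOWN) and for a healthy VTI (UP flag present; the kernel
# reports "state UNKNOWN" for VTI devices, which is why the flags are checked
# rather than the "state" word).
SAMPLE_LINK_DOWN='8: vti0@NONE: <POINTOPOINT,NOARP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ipip 192.0.2.44 peer 192.0.2.10'
SAMPLE_LINK_UP='8: vti0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 192.0.2.44 peer 192.0.2.10'

# sa_state CONNECTION SA_TABLE: print the State column for CONNECTION
# (prints nothing if the connection is not listed).
sa_state() {
    printf '%s\n' "$2" | awk -v conn="$1" '$1 == conn { print $2; exit }'
}

# link_is_up LINK_OUTPUT: succeed only if the <...> flag list contains UP
# (exact match, so LOWER_UP alone does not count).
link_is_up() {
    printf '%s\n' "$1" | head -n 1 | sed 's/.*<\([^>]*\)>.*/\1/' \
        | tr ',' '\n' | grep -qx UP
}

# check_tunnel CONNECTION VTI SA_TABLE LINK_OUTPUT: print a verdict and return
# 1 when the SA is up but the bound interface is not, 0 otherwise.
check_tunnel() {
    conn=$1; vti=$2
    state=$(sa_state "$conn" "$3")
    if [ "$state" != "up" ]; then
        echo "INFO: $conn state is '${state:-not listed}', nothing to cross-check"
        return 0
    fi
    if link_is_up "$4"; then
        echo "OK: $conn is up and $vti carries the UP flag"
        return 0
    fi
    echo "MISMATCH: $conn is up but $vti is not up; restart ipsec may be needed"
    return 1
}

# live_check CONNECTION VTI: run the same check on a VyOS 1.2 router. Assumes
# the op-mode wrapper path /opt/vyatta/bin/vyatta-op-cmd-wrapper (assumption,
# not taken from the ticket) and iproute2 being available.
live_check() {
    check_tunnel "$1" "$2" \
        "$(/opt/vyatta/bin/vyatta-op-cmd-wrapper show vpn ipsec sa)" \
        "$(ip link show "$2")"
}

# Demo on the constructed samples; the second call reproduces the ticket.
if [ "${RUN_DEMO:-1}" = 1 ]; then
    check_tunnel peer-192.0.2.10-tunnel-vti vti0 "$SAMPLE_SA" "$SAMPLE_LINK_UP" || :
    check_tunnel peer-192.0.2.10-tunnel-vti vti0 "$SAMPLE_SA" "$SAMPLE_LINK_DOWN" || :
    check_tunnel peer-198.51.100.7-tunnel-vti vti0 "$SAMPLE_SA" "$SAMPLE_LINK_DOWN" || :
fi
```

On a router the same logic runs as `live_check peer-<addr>-tunnel-vti vti0` from cron or a monitoring agent; a non-zero exit is the signal that the SA table and the interface disagree, which is exactly the state the ticket describes and which DPD does not catch, since the IKE exchange itself is healthy.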

Details

Difficulty level
Unknown (require assessment)
Version
1.2.5
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

@olofl Can you re-check it? Or can we close it?

olofl claimed this task.

@Viacheslav this ticket can be closed.