
op-mode incorrect naming for ipsec policy-based tunnels
Closed, Resolved | Public | BUG

Description

Two tunnels were declared in the configuration: "tunnel 0" and "tunnel 1".

In operational mode, we see all names as "tunnel 0".

Config

set vpn ipsec esp-group grp-ESP compression 'disable'
set vpn ipsec esp-group grp-ESP lifetime '28800'
set vpn ipsec esp-group grp-ESP mode 'tunnel'
set vpn ipsec esp-group grp-ESP pfs 'dh-group19'
set vpn ipsec esp-group grp-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group grp-ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group grp-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group grp-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group grp-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group grp-IKE ikev2-reauth 'no'
set vpn ipsec ike-group grp-IKE key-exchange 'ikev2'
set vpn ipsec ike-group grp-IKE lifetime '86400'
set vpn ipsec ike-group grp-IKE mobike 'disable'
set vpn ipsec ike-group grp-IKE proposal 10 dh-group '19'
set vpn ipsec ike-group grp-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group grp-IKE proposal 10 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 100.64.0.2 authentication id '100.64.0.1'
set vpn ipsec site-to-site peer 100.64.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 100.64.0.2 authentication pre-shared-secret 'SSSeeccRetT'
set vpn ipsec site-to-site peer 100.64.0.2 authentication remote-id '100.64.0.2'
set vpn ipsec site-to-site peer 100.64.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 100.64.0.2 ike-group 'grp-IKE'
set vpn ipsec site-to-site peer 100.64.0.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 100.64.0.2 local-address '100.64.0.1'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 0 esp-group 'grp-ESP'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 0 local prefix '10.11.10.0/24'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 0 remote prefix '10.21.20.0/24'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 1 esp-group 'grp-ESP'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 1 local prefix '10.10.10.0/24'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 1 remote prefix '10.20.20.0/24'

Op mode

vyos@r4-roll:~$ show vpn ipsec sa
Connection                State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------
peer-100.64.0.2-tunnel-0  up       9m4s      0B/0B           0/0               100.64.0.2        N/A          AES_GCM_16_256
peer-100.64.0.2-tunnel-0  up       9m4s      0B/0B           0/0               100.64.0.2        N/A          AES_GCM_16_256/ECP_256
vyos@r4-roll:~$

Vici shows the correct tunnel names

OrderedDict([('uniqueid', b'1'),
             ('version', b'2'),
             ('state', b'ESTABLISHED'),
             ('local-host', b'100.64.0.1'),
             ('local-port', b'500'),
             ('local-id', b'100.64.0.1'),
             ('remote-host', b'100.64.0.2'),
             ('remote-port', b'500'),
             ('remote-id', b'100.64.0.2'),
             ('initiator', b'yes'),
             ('initiator-spi', b'b84053a6c941bbca'),
             ('responder-spi', b'a458ce49ad061a1d'),
             ('encr-alg', b'AES_GCM_16'),
             ('encr-keysize', b'256'),
             ('prf-alg', b'PRF_HMAC_SHA2_256'),
             ('dh-group', b'ECP_256'),
             ('established', b'1110'),
             ('rekey-time', b'84631'),
             ('child-sas',
              OrderedDict([('peer-100.64.0.2-tunnel-0-1',
                            OrderedDict([('name', b'peer-100.64.0.2-tunnel-0'),
                                         ('uniqueid', b'1'),
                                         ('reqid', b'1'),
                                         ('state', b'INSTALLED'),
                                         ('mode', b'TUNNEL'),
                                         ('protocol', b'ESP'),
                                         ('spi-in', b'ce364934'),
                                         ('spi-out', b'c226de16'),
                                         ('encr-alg', b'AES_GCM_16'),
                                         ('encr-keysize', b'256'),
                                         ('bytes-in', b'0'),
                                         ('packets-in', b'0'),
                                         ('bytes-out', b'0'),
                                         ('packets-out', b'0'),
                                         ('rekey-time', b'26631'),
                                         ('life-time', b'27690'),
                                         ('install-time', b'1110'),
                                         ('local-ts', [b'10.11.10.0/24']),
                                         ('remote-ts', [b'10.21.20.0/24'])])),
                           ('peer-100.64.0.2-tunnel-1-2',
                            OrderedDict([('name', b'peer-100.64.0.2-tunnel-1'),
                                         ('uniqueid', b'2'),
                                         ('reqid', b'2'),
                                         ('state', b'INSTALLED'),
                                         ('mode', b'TUNNEL'),
                                         ('protocol', b'ESP'),
                                         ('spi-in', b'c1a60ea8'),
                                         ('spi-out', b'c86a7a4a'),
                                         ('encr-alg', b'AES_GCM_16'),
                                         ('encr-keysize', b'256'),
                                         ('dh-group', b'ECP_256'),
                                         ('bytes-in', b'0'),
                                         ('packets-in', b'0'),
                                         ('bytes-out', b'0'),
                                         ('packets-out', b'0'),
                                         ('rekey-time', b'26733'),
                                         ('life-time', b'27690'),
                                         ('install-time', b'1110'),
                                         ('local-ts', [b'10.10.10.0/24']),
                                         ('remote-ts',
                                          [b'10.20.20.0/24'])]))]))])

https://github.com/vyos/vyos-1x/blob/current/src/op_mode/show_ipsec_sa.py
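The vici dump above carries a distinct 'name' for each child SA, while the op-mode table prints the same name on both rows. The following is an added example, not the VyOS show_ipsec_sa.py script linked above, showing how the table rows should be derived so that each row takes its Connection name from its own child SA entry; the sample record is constructed to match the shape of the dump in this task (bytes values, nested OrderedDicts, two child SAs), and the helper names (sa_rows, check_names, render_table) are this example's own. It also includes a sanity check a reviewer can run against any such record: the set of names in the table must equal the set of child-SA names, with no duplicates.

```python
"""Added example (not VyOS's own code): build the 'show vpn ipsec sa' rows
from a vici-style list-sas record, naming each row from its child SA."""
from collections import OrderedDict

# Constructed sample in the byte-string form the vici Python bindings return,
# mirroring the IKE SA / child-SAs layout shown in this task.
SAMPLE_IKE_SA = OrderedDict([
    ('uniqueid', b'1'),
    ('state', b'ESTABLISHED'),
    ('remote-host', b'100.64.0.2'),
    ('remote-id', b'100.64.0.2'),
    ('child-sas', OrderedDict([
        ('peer-100.64.0.2-tunnel-0-1', OrderedDict([
            ('name', b'peer-100.64.0.2-tunnel-0'),
            ('state', b'INSTALLED'),
            ('encr-alg', b'AES_GCM_16'), ('encr-keysize', b'256'),
            ('bytes-in', b'0'), ('packets-in', b'0'),
            ('bytes-out', b'0'), ('packets-out', b'0'),
            ('install-time', b'1110'),
            ('local-ts', [b'10.11.10.0/24']), ('remote-ts', [b'10.21.20.0/24']),
        ])),
        ('peer-100.64.0.2-tunnel-1-2', OrderedDict([
            ('name', b'peer-100.64.0.2-tunnel-1'),
            ('state', b'INSTALLED'),
            ('encr-alg', b'AES_GCM_16'), ('encr-keysize', b'256'),
            ('dh-group', b'ECP_256'),
            ('bytes-in', b'0'), ('packets-in', b'0'),
            ('bytes-out', b'0'), ('packets-out', b'0'),
            ('install-time', b'1110'),
            ('local-ts', [b'10.10.10.0/24']), ('remote-ts', [b'10.20.20.0/24']),
        ])),
    ])),
])


def _s(value, default='N/A'):
    """Decode a vici scalar (vici returns bytes for every scalar value)."""
    if value is None:
        return default
    return value.decode() if isinstance(value, bytes) else str(value)


def _uptime(seconds):
    """Render seconds as [Hh]MmSs, e.g. 1110 -> '18m30s'."""
    h, rem = divmod(int(seconds), 3600)
    m, s = divmod(rem, 60)
    return (f'{h}h' if h else '') + f'{m}m{s}s'


def _proposal(sa):
    """Render ENCR_KEYSIZE[/DH] as the op-mode Proposal column does."""
    prop = _s(sa.get('encr-alg'))
    keysize = _s(sa.get('encr-keysize'), '')
    if keysize:
        prop += f'_{keysize}'
    if sa.get('dh-group'):
        prop += '/' + _s(sa.get('dh-group'))
    return prop


def sa_rows(ike_sa):
    """One row per child SA; the Connection name comes from the child's own
    'name' field, never from the parent IKE SA or from a sibling child."""
    remote_host = _s(ike_sa.get('remote-host'))
    remote_id = _s(ike_sa.get('remote-id'))
    rows = []
    for child in ike_sa.get('child-sas', {}).values():
        rows.append({
            'connection': _s(child.get('name')),
            'state': 'up' if _s(child.get('state')) == 'INSTALLED' else 'down',
            'uptime': _uptime(_s(child.get('install-time'), '0')),
            'bytes': f"{_s(child.get('bytes-in'), '0')}B/{_s(child.get('bytes-out'), '0')}B",
            'packets': f"{_s(child.get('packets-in'), '0')}/{_s(child.get('packets-out'), '0')}",
            'remote_address': remote_host,
            'remote_id': remote_id,
            'proposal': _proposal(child),
        })
    return rows


def check_names(ike_sa, rows):
    """Sanity check: every child SA name appears in the table exactly once."""
    expected = sorted(_s(c.get('name')) for c in ike_sa.get('child-sas', {}).values())
    got = [r['connection'] for r in rows]
    return sorted(got) == expected and len(set(got)) == len(got)


def render_table(rows):
    """Plain-text table in the same column order as 'show vpn ipsec sa'."""
    headers = ['Connection', 'State', 'Uptime', 'Bytes In/Out', 'Packets In/Out',
               'Remote address', 'Remote ID', 'Proposal']
    keys = ['connection', 'state', 'uptime', 'bytes', 'packets',
            'remote_address', 'remote_id', 'proposal']
    widths = [max([len(h)] + [len(r[k]) for r in rows]) for h, k in zip(headers, keys)]
    lines = ['  '.join(h.ljust(w) for h, w in zip(headers, widths)),
             '  '.join('-' * w for w in widths)]
    lines += ['  '.join(r[k].ljust(w) for k, w in zip(keys, widths)) for r in rows]
    return '\n'.join(lines)


if __name__ == '__main__':
    table_rows = sa_rows(SAMPLE_IKE_SA)
    print(render_table(table_rows))
    print('names consistent:', check_names(SAMPLE_IKE_SA, table_rows))
```

Running the module prints two rows, one named peer-100.64.0.2-tunnel-0 and one named peer-100.64.0.2-tunnel-1, and check_names returns True; the same check run over the output of an op-mode script that collapses both rows onto tunnel-0 would return False, which is a cheap regression test for this task.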

Details

Version
VyOS 1.3-rolling-202011080217
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav added a project: VyOS 1.4 Sagitta.
Viacheslav changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
Viacheslav changed the subtype of this task from "Task" to "Bug".
Viacheslav edited a custom field.
Viacheslav changed the task status from Open to Needs testing. Mar 29 2021, 7:31 PM
Viacheslav assigned this task to jack9603301.
erkin renamed this task from "op-mode incorrect naming fo ipsec policy-based tunnels" to "op-mode incorrect naming for ipsec policy-based tunnels". Aug 29 2021, 12:19 PM
erkin set Issue type to Bug (incorrect behavior).
erkin removed a subscriber: Global Notifications.