Problem Description:
"show vpn ipsec sa" reports ESP tunnels to be up when they are not.
To reproduce the issue, try the following configuration:
Mismatched ESP settings (the pfs and proposal encryption values differ between the two peers):
VyOS1:
set vpn ipsec esp-group espA compression 'disable'
set vpn ipsec esp-group espA lifetime '1500'
set vpn ipsec esp-group espA mode 'tunnel'
set vpn ipsec esp-group espA pfs 'disable'
set vpn ipsec esp-group espA proposal 1 encryption 'aes128'
set vpn ipsec esp-group espA proposal 1 hash 'sha512'
VyOS2:
set vpn ipsec esp-group espA compression 'disable'
set vpn ipsec esp-group espA lifetime '1500'
set vpn ipsec esp-group espA mode 'tunnel'
set vpn ipsec esp-group espA pfs 'dh-group14'
set vpn ipsec esp-group espA proposal 1 encryption 'aes256'
set vpn ipsec esp-group espA proposal 1 hash 'sha512'
Command output:
vyos@vyos:~$ sh vpn ipsec sa
Connection                   State    Up         Bytes In/Out    Remote address    Remote ID    Proposal
---------------------------  -------  ---------  --------------  ----------------  -----------  ---------------------------------------------------------
peer-200.200.200.2-tunnel-2  up       4 minutes  N/A             200.200.200.2     N/A          AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048

vyos@vyos:~$ sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
200.200.200.2                           100.100.100.2

    State  IKEVer  Encrypt  Hash        D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----        ---------      -----  ------  ------
    up     IKEv2   aes256   sha512_256  14(MODP_2048)  no     840     1800
The IPsec logs show that the CHILD_SA failed to be established (the peer answered CREATE_CHILD_SA with NO_PROPOSAL_CHOSEN), while the IKE_SA was kept:
Feb 17 17:02:57 vyos charon[14173]: 10[CFG] received stroke: add connection 'peer-200.200.200.2-tunnel-2'
Feb 17 17:02:57 vyos charon[14173]: 10[CFG] added configuration 'peer-200.200.200.2-tunnel-2'
Feb 17 17:02:57 vyos charon[14173]: 11[CFG] received stroke: initiate 'peer-200.200.200.2-tunnel-2'
Feb 17 17:02:57 vyos charon[14173]: 11[IKE] establishing CHILD_SA peer-200.200.200.2-tunnel-2{2}
Feb 17 17:02:57 vyos charon[14173]: 11[ENC] generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
Feb 17 17:02:57 vyos charon[14173]: 11[NET] sending packet: from 100.100.100.2[4500] to 200.200.200.2[4500] (224 bytes)
Feb 17 17:02:57 vyos charon[14173]: 13[NET] received packet: from 200.200.200.2[4500] to 100.100.100.2[4500] (96 bytes)
Feb 17 17:02:57 vyos charon[14173]: 13[ENC] parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
Feb 17 17:02:57 vyos charon[14173]: 13[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Feb 17 17:02:57 vyos charon[14173]: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Output of the ipsec commands (note that "Security Associations" lists the IKE_SA as ESTABLISHED but no CHILD_SA, and a manual "ipsec up" fails the same way):
vyos@vyos:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.142-amd64-vyos, x86_64):
  uptime: 28 hours, since Feb 16 12:25:27 2021
  malloc: sbrk 1867776, mmap 0, used 784144, free 1083632
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
  100.100.100.2
Connections:
peer-200.200.200.2-tunnel-2:  100.100.100.2...200.200.200.2  IKEv2, dpddelay=10s
peer-200.200.200.2-tunnel-2:   local:  [100.100.100.2] uses pre-shared key authentication
peer-200.200.200.2-tunnel-2:   remote: [200.200.200.2] uses pre-shared key authentication
peer-200.200.200.2-tunnel-2:   child:  10.2.0.0/16 === 10.1.0.0/16 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
peer-200.200.200.2-tunnel-2[2]: ESTABLISHED 9 minutes ago, 100.100.100.2[100.100.100.2]...200.200.200.2[200.200.200.2]
peer-200.200.200.2-tunnel-2[2]: IKEv2 SPIs: 308292afcb26a966_i* f9e8bfbf18630454_r, rekeying in 11 minutes
peer-200.200.200.2-tunnel-2[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048

vyos@vyos:~$ sudo ipsec up peer-200.200.200.2-tunnel-2
establishing CHILD_SA peer-200.200.200.2-tunnel-2{3}
generating CREATE_CHILD_SA request 7 [ SA No TSi TSr ]
sending packet: from 100.100.100.2[4500] to 200.200.200.2[4500] (224 bytes)
received packet: from 200.200.200.2[4500] to 100.100.100.2[4500] (96 bytes)
parsed CREATE_CHILD_SA response 7 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'peer-200.200.200.2-tunnel-2' failed
Cause: the script "/usr/libexec/vyos/op_mode/show_ipsec_sa.py" derives the "up" state from the 'established' parameter of the IKE_SA, not from the CHILD_SA (ESP SA). A connection whose IKE_SA is established but whose CHILD_SA negotiation failed is therefore reported as up even though no ESP tunnel exists and no traffic can flow.
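An added example (not VyOS's show_ipsec_sa.py and not strongSwan code) of how the state decision can be made on the data strongSwan's vici "list-sas" command returns: the dict layout (one IKE_SA per connection name, with its CHILD_SAs under "child-sas") and the CHILD_SA state names follow strongSwan's vici and charon behaviour, while the sample entries, the child SA name "peer-200.200.200.2-tunnel-2-3" and the byte counts are constructed from the values in this report, not captured from a live daemon. A connection counts as up only when it owns an installed CHILD_SA, which is exactly what is missing in the case above.

```python
# Added example: report a tunnel as up only when a CHILD_SA (ESP SA) is
# installed, not merely when the IKE_SA is ESTABLISHED.
# The structure mirrors strongSwan's vici list-sas stream; sample data is
# constructed from the bug report and is not a real vici response.

# CHILD_SA states in which ESP traffic can flow (charon child_sa_state_t).
CHILD_UP_STATES = {"INSTALLED", "REKEYING", "REKEYED"}


def decode(obj):
    """Recursively turn the bytes keys/values the vici client returns into str."""
    if isinstance(obj, bytes):
        return obj.decode()
    if isinstance(obj, dict):
        return {decode(k): decode(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [decode(v) for v in obj]
    return obj


def tunnel_state(ike_sa: dict) -> str:
    """Return 'up' only if the IKE_SA is established AND a CHILD_SA is installed.

    Checking the IKE_SA alone reproduces the bug: in the report the IKE_SA is
    ESTABLISHED while every CREATE_CHILD_SA ends in NO_PROPOSAL_CHOSEN, so
    'child-sas' stays empty and there is no ESP tunnel.
    """
    ike_sa = decode(ike_sa)
    if ike_sa.get("state") != "ESTABLISHED":
        return "down"
    children = ike_sa.get("child-sas", {}) or {}
    if any(child.get("state") in CHILD_UP_STATES for child in children.values()):
        return "up"
    return "down"


def summarize(list_sas: dict) -> dict:
    """Map each connection name to its IKE state and the derived ESP state."""
    list_sas = decode(list_sas)
    return {name: {"ike": sa.get("state"), "esp": tunnel_state(sa)}
            for name, sa in list_sas.items()}


# Constructed sample modelled on the report: IKE_SA established, no CHILD_SA.
SAMPLE_IKE_ONLY = {
    "peer-200.200.200.2-tunnel-2": {
        "uniqueid": "2",
        "version": "2",
        "state": "ESTABLISHED",
        "local-host": "100.100.100.2",
        "remote-host": "200.200.200.2",
        "established": "540",
        "child-sas": {},
    }
}

# Constructed counter-example: the same IKE_SA once a matching ESP proposal
# exists; child SA name and byte counts are hypothetical.
SAMPLE_WITH_CHILD = {
    "peer-200.200.200.2-tunnel-2": {
        "state": "ESTABLISHED",
        "child-sas": {
            "peer-200.200.200.2-tunnel-2-3": {
                "state": "INSTALLED",
                "bytes-in": "1024",
                "bytes-out": "2048",
                "local-ts": ["10.2.0.0/16"],
                "remote-ts": ["10.1.0.0/16"],
            }
        },
    }
}

if __name__ == "__main__":
    for label, data in (("IKE_SA only", SAMPLE_IKE_ONLY), ("with CHILD_SA", SAMPLE_WITH_CHILD)):
        print(label, summarize(data))
```

On a live system the same functions can be fed the output of `vici.Session().list_sas()` from strongSwan's Python vici client; `decode` handles the bytes that client returns, so the check does not depend on the constructed samples.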