Page MenuHomeVyOS Platform
Create Task
Maniphest T3643

show vpn ipsec sa doesn't show tunnels in "down" state
Closed, ResolvedPublicBUG
Actions

Description

Step to reproduce:
Configure vpn with multiple tunnels but with incorrect (not matching) local/remote subnets.
Show sa

Config LeftSite 1.4, config RighSite 1.2.7

vpn-Left-site.txt5 KBDownload

vpn-Right-site.txt8 KBDownload

1.4

[email protected]:~$ show vpn ipsec sa
Connection      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
peer_192-0-2-2  down     N/A       N/A             N/A               N/A               N/A          N/A
[email protected]:~$

[email protected]:~$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.9.1 IPsec [starter]...
[email protected]:~$ 
[email protected]:~$ 
[email protected]:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
[email protected]:~$

Expected output, as in 1.2.7

[email protected]:~$ show vpn ipsec sa
Connection                State    Up    Bytes In/Out    Remote address    Remote ID    Proposal
------------------------  -------  ----  --------------  ----------------  -----------  ----------
peer-192.0.2.1-tunnel-20  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-4   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-5   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-16  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-7   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-6   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-9   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-3   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-10  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-11  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-2   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-13  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-12  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-1   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-14  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-15  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-19  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-8   down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-18  down     N/A   N/A             N/A               N/A          N/A
peer-192.0.2.1-tunnel-17  down     N/A   N/A             N/A               N/A          N/A

Maybe another bug, needs to clarify.
Before ipsec restart 1.4, show sa's

[email protected]:~$ sudo swanctl -l -P
list-sa event {
  peer_192-0-2-2 {
    uniqueid = 1
    version = 1
    state = ESTABLISHED
    local-host = 192.0.2.1
    local-port = 500
    local-id = 192.0.2.1
    remote-host = 192.0.2.2
    remote-port = 500
    remote-id = 192.0.2.2
    initiator = yes
    initiator-spi = 45f77d7342584e6b
    responder-spi = afdc10256fef76b5
    encr-alg = AES_CBC
    encr-keysize = 256
    integ-alg = HMAC_SHA1_96
    prf-alg = PRF_HMAC_SHA1
    dh-group = MODP_1024
    established = 48
    rekey-time = 13179
    child-sas {
    }
  }
}
list-sas reply {
}
[email protected]:~$

SA's after restart

[email protected]:~$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.9.1 IPsec [starter]...
[email protected]:~$ 
[email protected]:~$ sudo swanctl -l -P
list-sas reply {
}
[email protected]:~$ 
[email protected]:~$ sudo swanctl -L
[email protected]:~$

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.4-rolling-202106190417
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Related Objects
Search...

Event Timeline

Viacheslav renamed this task from show vpn ipsec sa doesn't show tunnel in "down" state to show vpn ipsec sa doesn't show tunnels in "down" state.Jun 21 2021, 8:46 PM
Viacheslav created this task.
Viacheslav updated the task description. (Show Details)Jun 21 2021, 8:56 PM
Viacheslav added a parent task: T2816: Rewrite IPsec scripts with the new XML/Python approach.
pasik added a subscriber: pasik.Jun 22 2021, 6:25 AM
sdev added a subscriber: sdev.Jun 22 2021, 7:44 AM

PR: https://github.com/vyos/vyos-1x/pull/894

Viacheslav added a comment.EditedJun 22 2021, 10:07 AM

Different format

[email protected]:~$ show vpn ipsec sa
Connection                State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
peer_192-0-2-2_tunnel_1   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_10  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_11  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_12  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_13  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_14  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_15  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_16  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_17  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_18  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_19  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_2   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_20  down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_3   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_4   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_5   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_6   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_7   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_8   down     N/A       N/A             N/A               N/A               N/A          N/A
peer_192-0-2-2_tunnel_9   down     N/A       N/A             N/A               N/A               N/A          N/A
[email protected]:~$

Try to reset

[email protected]:~$ reset vpn ipsec-peer 192.0.2.2 tunnel 1
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 203, in <module>
    reset_peer(args.name, args.tunnel)
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 119, in reset_peer
    conns = get_peer_connections(peer, tunnel, return_all = (not tunnel or tunnel == 'all'))
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 105, in get_peer_connections
    with open(SWANCTL_CONF, 'r') as f:
FileNotFoundError: [Errno 2] No such file or directory: '/etc/swanctl.conf'
[email protected]:~$ 

[email protected]:~$ reset vpn ipsec-peer 192.0.2.2
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 203, in <module>
    reset_peer(args.name, args.tunnel)
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 119, in reset_peer
    conns = get_peer_connections(peer, tunnel, return_all = (not tunnel or tunnel == 'all'))
  File "/usr/libexec/vyos/op_mode/vpn_ipsec.py", line 105, in get_peer_connections
    with open(SWANCTL_CONF, 'r') as f:
FileNotFoundError: [Errno 2] No such file or directory: '/etc/swanctl.conf'
[email protected]:~$

File swanctl

[email protected]:~$ 
[email protected]:~$ file /etc/swanctl.conf 
/etc/swanctl.conf: cannot open `/etc/swanctl.conf' (No such file or directory)
[email protected]:~$ 
[email protected]:~$ file /etc/swanctl/swanctl.conf 
/etc/swanctl/swanctl.conf: ASCII text
[email protected]:~$
Viacheslav assigned this task to sdev.Jun 22 2021, 10:59 AM
SrividyaA added a subscriber: SrividyaA.Jun 23 2021, 11:07 AM
Viacheslav added a comment.Jun 23 2021, 3:20 PM

PR https://github.com/vyos/vyos-1x/pull/897
Fix path for swanctl.conf file

Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.Sep 6 2021, 9:18 AM
syncer changed the task status from Open to In progress.Oct 17 2021, 3:00 PM
syncer triaged this task as Normal priority.
Viacheslav added a comment.EditedOct 29 2021, 8:00 AM

PR for 1.3 https://github.com/vyos/vyos-1x/pull/1052

[email protected]:~$ show vpn ipsec sa
Connection                  State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------------------  -------  --------  --------------  ----------------  ----------------  -----------  --------------
peer-100.64.0.1-tunnel-vti  up       26m18s    0B/0B           0/0               100.64.0.1        N/A          AES_GCM_16_256
peer-192.0.2.2-tunnel-1     down     N/A       N/A             N/A               N/A               N/A          N/A
peer-192.0.2.2-tunnel-2     down     N/A       N/A             N/A               N/A               N/A          N/A
peer-192.0.2.2-tunnel-3     down     N/A       N/A             N/A               N/A               N/A          N/A
[email protected]:~$
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Nov 6 2021, 11:24 AM
Viacheslav closed this task as Resolved.Feb 3 2022, 5:35 PM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.