
VPN IPsec ESP proposal and ESP presented in config mismatch
Closed, ResolvedPublicBUG

Description

Child SAs not accepted between 1.3.0-rc5 and 1.4-rolling-202108081830

1.3 configuration:

set interfaces ethernet eth1 address '192.0.2.1/30'
set vpn ipsec esp-group grp-ESP compression 'disable'
set vpn ipsec esp-group grp-ESP lifetime '28800'
set vpn ipsec esp-group grp-ESP mode 'tunnel'
set vpn ipsec esp-group grp-ESP pfs 'dh-group19'
set vpn ipsec esp-group grp-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group grp-ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group grp-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group grp-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group grp-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group grp-IKE ikev2-reauth 'no'
set vpn ipsec ike-group grp-IKE key-exchange 'ikev2'
set vpn ipsec ike-group grp-IKE lifetime '86400'
set vpn ipsec ike-group grp-IKE mobike 'disable'
set vpn ipsec ike-group grp-IKE proposal 10 dh-group '19'
set vpn ipsec ike-group grp-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group grp-IKE proposal 10 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 192.0.2.2 authentication id '192.0.2.1'
set vpn ipsec site-to-site peer 192.0.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.2 authentication pre-shared-secret 'SSSeeccRetT'
set vpn ipsec site-to-site peer 192.0.2.2 authentication remote-id '192.0.2.2'
set vpn ipsec site-to-site peer 192.0.2.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.2.2 ike-group 'grp-IKE'
set vpn ipsec site-to-site peer 192.0.2.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.2.2 local-address '192.0.2.1'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 0 esp-group 'grp-ESP'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 0 local prefix '100.64.1.0/24'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 0 remote prefix '100.64.2.0/24'

1.4 configuration:

set interfaces ethernet eth1 address '192.0.2.2/30'
set vpn ipsec esp-group grp-ESP compression 'disable'
set vpn ipsec esp-group grp-ESP lifetime '28800'
set vpn ipsec esp-group grp-ESP mode 'tunnel'
set vpn ipsec esp-group grp-ESP pfs 'dh-group19'
set vpn ipsec esp-group grp-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group grp-ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group grp-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group grp-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group grp-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group grp-IKE ikev2-reauth 'no'
set vpn ipsec ike-group grp-IKE key-exchange 'ikev2'
set vpn ipsec ike-group grp-IKE lifetime '86400'
set vpn ipsec ike-group grp-IKE mobike 'disable'
set vpn ipsec ike-group grp-IKE proposal 10 dh-group '19'
set vpn ipsec ike-group grp-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group grp-IKE proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer 192.0.2.1 authentication id '192.0.2.2'
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret 'SSSeeccRetT'
set vpn ipsec site-to-site peer 192.0.2.1 authentication remote-id '192.0.2.1'
set vpn ipsec site-to-site peer 192.0.2.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.2.1 ike-group 'grp-IKE'
set vpn ipsec site-to-site peer 192.0.2.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.2.1 local-address '192.0.2.2'
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 0 esp-group 'grp-ESP'
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 0 local prefix '100.64.2.0/24'
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 0 remote prefix '100.64.1.0/24'

Logs from 1.3:

Aug  9 11:27:09 r4-1 charon: 05[CFG] <peer-192.0.2.2-tunnel-0|2> received proposals: ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Aug  9 11:27:09 r4-1 charon: 05[CFG] <peer-192.0.2.2-tunnel-0|2> configured proposals: ESP:AES_GCM_16_256/ECP_256/NO_EXT_SEQ
Aug  9 11:27:09 r4-1 charon: 05[IKE] <peer-192.0.2.2-tunnel-0|2> no acceptable proposal found
Aug  9 11:27:09 r4-1 charon: 05[IKE] <peer-192.0.2.2-tunnel-0|2> failed to establish CHILD_SA, keeping IKE_SA
Aug  9 11:27:09 r4-1 charon: 05[ENC] <peer-192.0.2.2-tunnel-0|2> generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]

Logs from 1.4:

Aug  9 10:28:21 r1-roll charon: 08[IKE] <peer_192-0-2-1|7> failed to establish CHILD_SA, keeping IKE_SA
Aug  9 10:28:21 r1-roll charon: 08[ENC] <peer_192-0-2-1|7> generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]
Aug  9 10:28:21 r1-roll charon: 08[NET] <peer_192-0-2-1|7> sending packet: from 192.0.2.2[500] to 192.0.2.1[500] (117 bytes)
Aug  9 10:28:22 r1-roll charon: 09[NET] <peer_192-0-2-1|7> received packet: from 192.0.2.1[500] to 192.0.2.2[500] (257 bytes)
Aug  9 10:28:22 r1-roll charon: 09[ENC] <peer_192-0-2-1|7> parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Aug  9 10:28:22 r1-roll charon: 09[CFG] <peer_192-0-2-1|7> received proposals: ESP:AES_GCM_16_256/ECP_256/NO_EXT_SEQ
Aug  9 10:28:22 r1-roll charon: 09[CFG] <peer_192-0-2-1|7> configured proposals: ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Aug  9 10:28:22 r1-roll charon: 09[IKE] <peer_192-0-2-1|7> no acceptable proposal found

The ESP proposals that the 1.4 side reports as "configured proposals" do not match what esp-group grp-ESP specifies: 1.3 logs a single ESP:AES_GCM_16_256/ECP_256 proposal, which corresponds to proposal 10 (aes256gcm128) with pfs dh-group19, whereas 1.4 logs a broad list of AES_GCM and AES_CBC/HMAC combinations with no DH group at all. It therefore looks as if the cipher restriction and the PFS group from grp-ESP are not being rendered into the strongSwan connection on 1.4, so the two sides can never agree on a CHILD_SA, and the 1.4 side would apparently also accept weaker combinations than configured (for example AES_CBC_128 with HMAC_SHA1_96) if a peer offered them.

Details

Difficulty level
Unknown (require assessment)
Version
1.4-rolling-202108081830
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)