To reproduce, configure a VTI IPsec tunnel and reset it.
VyOS configuration:
set interfaces ethernet eth1 address '100.64.0.1/30'
set interfaces vti vti1 address '10.0.102.1/30'
set interfaces vti vti1 description 'Tunnel to 100.64.0.2'
set vpn ipsec esp-group group-ESP compression 'disable'
set vpn ipsec esp-group group-ESP lifetime '3600'
set vpn ipsec esp-group group-ESP mode 'tunnel'
set vpn ipsec esp-group group-ESP pfs 'dh-group19'
set vpn ipsec esp-group group-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group group-ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group group-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group group-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group group-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group group-IKE ikev2-reauth 'no'
set vpn ipsec ike-group group-IKE key-exchange 'ikev2'
set vpn ipsec ike-group group-IKE lifetime '28000'
set vpn ipsec ike-group group-IKE mobike 'disable'
set vpn ipsec ike-group group-IKE proposal 10 dh-group '19'
set vpn ipsec ike-group group-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group group-IKE proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer 100.64.0.2 authentication id '100.64.0.1'
set vpn ipsec site-to-site peer 100.64.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 100.64.0.2 authentication pre-shared-secret 'SSSecccRetT'
set vpn ipsec site-to-site peer 100.64.0.2 authentication remote-id '100.64.0.2'
set vpn ipsec site-to-site peer 100.64.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 100.64.0.2 ike-group 'group-IKE'
set vpn ipsec site-to-site peer 100.64.0.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 100.64.0.2 local-address '100.64.0.1'
set vpn ipsec site-to-site peer 100.64.0.2 vti bind 'vti1'
set vpn ipsec site-to-site peer 100.64.0.2 vti esp-group 'group-ESP'
Reset tunnel:
vyos@r1-roll:~$ reset vpn ipsec-peer 100.64.0.2 vti
establishing CHILD_SA peer_100-64-0-2_vti{4}
generating CREATE_CHILD_SA request 4 [ SA No KE TSi TSr ]
sending packet: from 100.64.0.1[500] to 100.64.0.2[500] (337 bytes)
received packet: from 100.64.0.2[500] to 100.64.0.1[500] (257 bytes)
parsed CREATE_CHILD_SA response 4 [ SA No KE TSi TSr ]
selected proposal: ESP:AES_GCM_16_256/ECP_256/NO_EXT_SEQ
CHILD_SA peer_100-64-0-2_vti{4} established with SPIs cc054d99_i cbbfdf07_o and TS 0.0.0.0/0 === 0.0.0.0/0
connection 'peer_100-64-0-2_vti' established successfully
Peer reset result: success
vyos@r1-roll:~$
Tunnel status: multiple child SAs are "Installed" with the same peer name:
vyos@r1-roll:~$ show vpn ipsec sa
Connection           State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------
peer_100-64-0-2_vti  up       12m30s    0B/0B           0/0               100.64.0.2        N/A          AES_GCM_16_256/ECP_256
vyos@r1-roll:~$
vyos@r1-roll:~$ sudo swanctl -l
peer_100-64-0-2: #1, ESTABLISHED, IKEv2, 3be5f436f0262f6e_i* c04e1e3c5fe4a15b_r
  local '100.64.0.1' @ 100.64.0.1[500]
  remote '100.64.0.2' @ 100.64.0.2[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 754s ago, rekeying in 24669s
  peer_100-64-0-2_vti: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 754s ago, rekeying in 2846s, expires in 2846s
    in c88e155d (-|0x00000002), 0 bytes, 0 packets, 447s ago
    out caaa62ac (-|0x00000002), 0 bytes, 0 packets
    local 0.0.0.0/0
    remote 0.0.0.0/0
  peer_100-64-0-2_vti: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 609s ago, rekeying in 2991s, expires in 2991s
    in cccc3259 (-|0x00000002), 336 bytes, 4 packets, 447s ago
    out c2fe4554 (-|0x00000002), 336 bytes, 4 packets, 447s ago
    local 0.0.0.0/0
    remote 0.0.0.0/0
  peer_100-64-0-2_vti: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 380s ago, rekeying in 3220s, expires in 3220s
    in c89c771e (-|0x00000002), 0 bytes, 0 packets
    out c2d46f2a (-|0x00000002), 0 bytes, 0 packets
    local 0.0.0.0/0
    remote 0.0.0.0/0
  peer_100-64-0-2_vti: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
    installed 359s ago, rekeying in 3241s, expires in 3241s
    in cc054d99 (-|0x00000002), 0 bytes, 0 packets
    out cbbfdf07 (-|0x00000002), 0 bytes, 0 packets
    local 0.0.0.0/0
    remote 0.0.0.0/0
vyos@r1-roll:~$
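
A check for the condition shown in the swanctl -l output above, added here as an example (not part of the original report or of VyOS): it parses the listing and reports every CHILD_SA name and reqid that has more than one INSTALLED entry, newest first. The function names are illustrative, and the sample input is the report's own output with the traffic-selector lines omitted.

```python
import re
from collections import defaultdict

# Sample input: lines from the `swanctl -l` output in this report (local/remote TS lines omitted).
SAMPLE = """\
peer_100-64-0-2: #1, ESTABLISHED, IKEv2, 3be5f436f0262f6e_i* c04e1e3c5fe4a15b_r
peer_100-64-0-2_vti: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
installed 754s ago, rekeying in 2846s, expires in 2846s
in c88e155d (-|0x00000002), 0 bytes, 0 packets, 447s ago
out caaa62ac (-|0x00000002), 0 bytes, 0 packets
peer_100-64-0-2_vti: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
installed 609s ago, rekeying in 2991s, expires in 2991s
in cccc3259 (-|0x00000002), 336 bytes, 4 packets, 447s ago
out c2fe4554 (-|0x00000002), 336 bytes, 4 packets, 447s ago
peer_100-64-0-2_vti: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
installed 380s ago, rekeying in 3220s, expires in 3220s
in c89c771e (-|0x00000002), 0 bytes, 0 packets
out c2d46f2a (-|0x00000002), 0 bytes, 0 packets
peer_100-64-0-2_vti: #4, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256/ECP_256
installed 359s ago, rekeying in 3241s, expires in 3241s
in cc054d99 (-|0x00000002), 0 bytes, 0 packets
out cbbfdf07 (-|0x00000002), 0 bytes, 0 packets
"""

CHILD = re.compile(r"^\s*(\S+): #(\d+), reqid (\d+), (\w+), ")
FIELD = re.compile(r"^\s*(?:installed (\d+)s ago|(in|out)\s+([0-9a-f]{8})\b)")

def parse_child_sas(text):
    """Return one dict per CHILD_SA block; IKE_SA lines carry no reqid and are skipped."""
    sas = []
    for line in text.splitlines():
        if m := CHILD.match(line):
            sas.append({"name": m[1], "uid": int(m[2]), "reqid": int(m[3]), "state": m[4]})
        elif sas and (m := FIELD.match(line)):
            sas[-1].update({"age": int(m[1])} if m[1] else {m[2]: m[3]})
    return sas

def duplicate_installed(text):
    """Map (name, reqid) -> INSTALLED CHILD_SAs, newest first, where more than one exists."""
    groups = defaultdict(list)
    for sa in parse_child_sas(text):
        if sa["state"] == "INSTALLED":
            groups[sa["name"], sa["reqid"]].append(sa)
    return {k: sorted(v, key=lambda s: s.get("age", 0))
            for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for (name, reqid), sas in duplicate_installed(SAMPLE).items():
        print(name, "reqid", reqid, "INSTALLED uids, newest first:", [s["uid"] for s in sas])
```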