
DMVPN generates incorrect configuration life_time for swanctl.conf
Status: Closed, Resolved | Public | BUG

Description

Example of configuration:

vyos@hub:~$ show conf com | match "vpn|tun|addr"
set interfaces ethernet eth0 address '203.0.113.1/30'
set interfaces tunnel tun100 address '10.0.0.1/24'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 multicast 'enable'
set interfaces tunnel tun100 parameters ip key '1'
set interfaces tunnel tun100 source-address '203.0.113.1'
set protocols nhrp tunnel tun100 cisco-authentication 'secret'
set protocols nhrp tunnel tun100 holding-time '300'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut
set vpn ipsec esp-group ESP-HUB compression 'disable'
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-HUB close-action 'none'
set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'

Loading the generated configuration fails with "unknown option: life_time":

vyos@hub:~$ sudo swanctl -q
loaded ike secret 'ike-dmvpn-tun100'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loading connection 'dmvpn-NHRPVPN-tun100' failed: unknown option: life_time, config discarded
loaded 0 of 1 connections, 1 failed to load, 0 unloaded
vyos@hub:~$

Swanctl configuration:

vyos@hub:~$ sudo cat /etc/swanctl/swanctl.conf 
### Autogenerated by vpn_ipsec.py ###

connections {
    dmvpn-NHRPVPN-tun100 {
        proposals = aes256-sha1-modp1024,aes128-sha1-modp1024
        version = 1
        life_time = 3600s
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            dmvpn {
                esp_proposals = aes256-sha1-modp1024,3des-md5-modp1024
                rekey_time = 1800s
                rand_time = 540s
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                mode = transport
            }
        }
    }

}

pools {
}

secrets {
    ike-dmvpn-tun100 {
        secret = secret
    }
}
vyos@hub:~$

Most likely life_time = 3600s should be rekey_time = 3600s. The value is taken from the ike-group lifetime '3600' and is emitted by the profile.tmpl line linked below.

https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf
https://github.com/vyos/vyos-1x/blob/ce28a28b5bda2bf654eab4c291898835de1418d0/data/templates/ipsec/swanctl/profile.tmpl#L10
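As an added pre-deployment check (not part of the VyOS code base or this report), the following Python parses the swanctl.conf section syntax and flags connection-level options that swanctl would reject, as it did with life_time above. It assumes a subset of the connection-level keys from the strongSwan swanctl.conf reference and uses a constructed copy of the autogenerated config:

```python
# Constructed sample modelled on the autogenerated swanctl.conf in the report.
SAMPLE_CONF = """\
connections {
    dmvpn-NHRPVPN-tun100 {
        proposals = aes256-sha1-modp1024,aes128-sha1-modp1024
        version = 1
        life_time = 3600s
        children {
            dmvpn {
                rekey_time = 1800s
            }
        }
    }
}
"""

# Assumption: a subset of the connection-level keys documented for swanctl.conf.
CONN_KEYS = {"proposals", "version", "rekey_time", "reauth_time", "over_time",
             "rand_time", "keyingtries", "local_addrs", "remote_addrs", "encap"}

def parse(text):
    """Parse swanctl's 'key = value' / 'name { ... }' syntax into nested dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):                # open a nested section
            section = {}
            cur[line[:-1].strip()] = section
            stack.append(cur)
            cur = section
        elif line == "}":                     # close the current section
            cur = stack.pop()
        else:                                 # plain key = value
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    if stack:
        raise ValueError("unbalanced braces in swanctl.conf")
    return root

def unknown_connection_options(conf):
    """Return (connection, option) pairs swanctl would reject at connection level."""
    bad = []
    for name, conn in conf.get("connections", {}).items():
        for key, val in conn.items():
            if not isinstance(val, dict) and key not in CONN_KEYS:
                bad.append((name, key))
    return bad
```

Running it over the sample reports ('dmvpn-NHRPVPN-tun100', 'life_time'); after renaming the option to rekey_time the list is empty.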

Details

Difficulty level: Easy (less than an hour)
Version: VyOS 1.4-rolling-202111171157
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)