IPsec shows only one IKE SA for the same peer, but sometimes there can be more than one connection in Phase 1.
It is difficult to reproduce, but sometimes it happens.
There are 2 SAs of Phase 1 with the same peer, but in "show vpn ike sa" we see only one:
vyos@r14:~$ sudo swanctl -l
peer_2001-db8--2: #3, ESTABLISHED, IKEv2, dae368231f55fcec_i 7a6eeb20639cef4e_r*
  local  '2001:db8::1' @ 2001:db8::1[500]
  remote '2001:db8::2' @ 2001:db8::2[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 721s ago, rekeying in 80568s
  peer_2001-db8--2_tunnel_0: #165, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 606s ago, rekeying in 684s, expires in 28194s
    in  c50bbf4f, 0 bytes, 0 packets
    out c4fc9576, 0 bytes, 0 packets
    local  2001:db8:1111::/64
    remote 2001:db8:2222::/64
  peer_2001-db8--2_tunnel_0: #183, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 353s ago, rekeying in 1173s, expires in 28447s
    in  c96e2e2b, 0 bytes, 0 packets
    out c135bac8, 0 bytes, 0 packets
    local  2001:db8:1111::/64
    remote 2001:db8:2222::/64
peer_2001-db8--2: #1, ESTABLISHED, IKEv2, d18f16027ae188f9_i* 9bcc6b23c607b349_r
  local  '2001:db8::1' @ 2001:db8::1[500]
  remote '2001:db8::2' @ 2001:db8::2[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 744s ago, rekeying in 79691s
  peer_2001-db8--2_tunnel_0: #273, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 124s ago, rekeying in 148s, expires in 28676s
    in  c0d25317, 0 bytes, 0 packets
    out c39b0881, 0 bytes, 0 packets
    local  2001:db8:1111::/64
    remote 2001:db8:2222::/64
vyos@r14:~$

Show IKE:
vyos@r14:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
2001:db8::2 2001:db8::2                 2001:db8::1 2001:db8::1

    State  IKEVer  Encrypt      Hash               D-H Group  NAT-T  A-Time  L-Time
    -----  ------  -------      ----               ---------  -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA2_256_128  MODP_2048  no     742     0
vyos@r14:~$

Show SA:
vyos@r14:~$ show vpn ipsec sa
Connection                 State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ---------------------------------------
peer_2001-db8--2_tunnel_0  up       2m36s     0B/0B           0B/0B             2001:db8::2       2001:db8::2  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
peer_2001-db8--2_tunnel_0  up       6m25s     0B/0B           0B/0B             2001:db8::2       2001:db8::2  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
peer_2001-db8--2_tunnel_0  up       10m38s    0B/0B           0B/0B             2001:db8::2       2001:db8::2  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
vyos@r14:~$
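The discrepancy above is that "show vpn ike sa" summarises per peer, so two established IKE SAs for the same connection collapse into one row, while "show vpn ipsec sa" lists all three CHILD_SAs. The following added example (not VyOS or strongSwan code) parses "swanctl -l" output and reports every connection that holds more than one ESTABLISHED IKE SA, together with the CHILD_SA count across all of them. The regexes are derived from the lines in this report; the sample input is the report's own swanctl output, re-indented the way swanctl prints it (the indentation is an assumption; the parser ignores it).

```python
"""Detect duplicate IKE SAs per connection in `swanctl -l` output.

Added example, not VyOS/strongSwan code.  Function names and the
regexes below are assumptions derived from the report's output.
"""
import re
from collections import defaultdict

# IKE_SA header:   <name>: #<uid>, <STATE>, IKEv<1|2>, <spi>_i[*] <spi>_r[*]
IKE_RE = re.compile(
    r"^\s*(?P<name>\S+): #(?P<uid>\d+), (?P<state>[A-Z_]+), (?P<ver>IKEv[12]), "
    r"(?P<spi_i>[0-9a-f]+)_i\*? (?P<spi_r>[0-9a-f]+)_r\*?")
# CHILD_SA header: <name>: #<uid>, reqid <n>, <STATE>, <MODE>, ESP:<proposal>
CHILD_RE = re.compile(
    r"^\s*(?P<name>\S+): #(?P<uid>\d+), reqid (?P<reqid>\d+), (?P<state>[A-Z_]+), "
    r"(?P<mode>\w+), ESP:(?P<proposal>\S+)")
# "established <n>s ago" belongs to the IKE_SA; "installed ..." (CHILD_SA) does not match.
ESTABLISHED_RE = re.compile(r"^\s*established (?P<age>\d+)s ago")

# Constructed sample: the swanctl -l output from this report, trimmed to the
# lines the parser needs (the in/out byte counters are omitted).
SAMPLE = """\
peer_2001-db8--2: #3, ESTABLISHED, IKEv2, dae368231f55fcec_i 7a6eeb20639cef4e_r*
  local  '2001:db8::1' @ 2001:db8::1[500]
  remote '2001:db8::2' @ 2001:db8::2[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 721s ago, rekeying in 80568s
  peer_2001-db8--2_tunnel_0: #165, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 606s ago, rekeying in 684s, expires in 28194s
    local  2001:db8:1111::/64
    remote 2001:db8:2222::/64
  peer_2001-db8--2_tunnel_0: #183, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 353s ago, rekeying in 1173s, expires in 28447s
    local  2001:db8:1111::/64
    remote 2001:db8:2222::/64
peer_2001-db8--2: #1, ESTABLISHED, IKEv2, d18f16027ae188f9_i* 9bcc6b23c607b349_r
  local  '2001:db8::1' @ 2001:db8::1[500]
  remote '2001:db8::2' @ 2001:db8::2[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 744s ago, rekeying in 79691s
  peer_2001-db8--2_tunnel_0: #273, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 124s ago, rekeying in 148s, expires in 28676s
    local  2001:db8:1111::/64
    remote 2001:db8:2222::/64
"""


def parse_swanctl_list(text):
    """Return {connection_name: [ike_sa, ...]}; each ike_sa carries its CHILD_SAs."""
    sas = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            current = {"uid": int(m["uid"]), "state": m["state"], "version": m["ver"],
                       "spi_i": m["spi_i"], "spi_r": m["spi_r"],
                       "established_s": None, "children": []}
            sas[m["name"]].append(current)
            continue
        if current is None:
            continue  # preamble before the first IKE_SA, if any
        m = ESTABLISHED_RE.match(line)
        if m:
            current["established_s"] = int(m["age"])
            continue
        m = CHILD_RE.match(line)
        if m:
            current["children"].append({"name": m["name"], "uid": int(m["uid"]),
                                        "reqid": int(m["reqid"]), "state": m["state"],
                                        "mode": m["mode"], "proposal": m["proposal"]})
    return dict(sas)


def duplicate_ike_sas(parsed):
    """Connections with more than one ESTABLISHED IKE SA (hidden by a per-peer summary)."""
    return sorted(name for name, entries in parsed.items()
                  if sum(e["state"] == "ESTABLISHED" for e in entries) > 1)


def child_sa_count(parsed):
    """Installed CHILD_SAs per connection, summed over all of its IKE SAs."""
    return {name: sum(len(e["children"]) for e in entries)
            for name, entries in parsed.items()}


if __name__ == "__main__":
    parsed = parse_swanctl_list(SAMPLE)
    for name in duplicate_ike_sas(parsed):
        uids = [e["uid"] for e in parsed[name]]
        print(f"{name}: {len(uids)} established IKE SAs {uids}, "
              f"{child_sa_count(parsed)[name]} CHILD_SAs")
```

Run against live output with `sudo swanctl -l | python3 check_ike.py` after replacing SAMPLE with `sys.stdin.read()`; on the router in this report it flags peer_2001-db8--2 with IKE SAs #3 and #1 and three CHILD_SAs, which is exactly the state that the one-row "show vpn ike sa" output does not reveal.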
Example of configuration:
set vpn ipsec esp-group grp-ESPv4 compression 'disable'
set vpn ipsec esp-group grp-ESPv4 lifetime '28800'
set vpn ipsec esp-group grp-ESPv4 mode 'tunnel'
set vpn ipsec esp-group grp-ESPv4 pfs 'dh-group14'
set vpn ipsec esp-group grp-ESPv4 proposal 10 encryption 'aes256'
set vpn ipsec esp-group grp-ESPv4 proposal 10 hash 'sha256'
set vpn ipsec ike-group grp-IKEv4 dead-peer-detection action 'hold'
set vpn ipsec ike-group grp-IKEv4 dead-peer-detection interval '30'
set vpn ipsec ike-group grp-IKEv4 dead-peer-detection timeout '120'
set vpn ipsec ike-group grp-IKEv4 ikev2-reauth 'no'
set vpn ipsec ike-group grp-IKEv4 key-exchange 'ikev2'
set vpn ipsec ike-group grp-IKEv4 lifetime '86400'
set vpn ipsec ike-group grp-IKEv4 mobike 'disable'
set vpn ipsec ike-group grp-IKEv4 proposal 10 dh-group '14'
set vpn ipsec ike-group grp-IKEv4 proposal 10 encryption 'aes256'
set vpn ipsec ike-group grp-IKEv4 proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer @foo authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer @foo authentication pre-shared-secret 'FoFoF'
set vpn ipsec site-to-site peer @foo ike-group 'grp-IKEv4'
set vpn ipsec site-to-site peer @foo local-address 'any'
set vpn ipsec site-to-site peer @foo tunnel 0 esp-group 'grp-ESPv4'
set vpn ipsec site-to-site peer @foo tunnel 0 local prefix '100.64.0.0/24'
set vpn ipsec site-to-site peer @foo tunnel 0 remote prefix '10.50.60.0/24'
set vpn ipsec site-to-site peer 2001:db8::2 authentication id '2001:db8::1'
set vpn ipsec site-to-site peer 2001:db8::2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2001:db8::2 authentication pre-shared-secret 'SSSeeccRetT'
set vpn ipsec site-to-site peer 2001:db8::2 authentication remote-id '2001:db8::2'
set vpn ipsec site-to-site peer 2001:db8::2 connection-type 'initiate'
set vpn ipsec site-to-site peer 2001:db8::2 ike-group 'grp-IKEv4'
set vpn ipsec site-to-site peer 2001:db8::2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 2001:db8::2 local-address '2001:db8::1'
set vpn ipsec site-to-site peer 2001:db8::2 tunnel 0 esp-group 'grp-ESPv4'
set vpn ipsec site-to-site peer 2001:db8::2 tunnel 0 local prefix '2001:db8:1111::/64'
set vpn ipsec site-to-site peer 2001:db8::2 tunnel 0 remote prefix '2001:db8:2222::/64'