
Unable to reset vpn IPsec peer
Closed, Resolved | Public | BUG

Description

Unable to reset vpn ipsec peer
An example configuration:

set vpn ipsec esp-group office-srv-esp lifetime '1800'
set vpn ipsec esp-group office-srv-esp mode 'tunnel'
set vpn ipsec esp-group office-srv-esp pfs 'enable'
set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
set vpn ipsec ike-group office-srv-ike lifetime '3600'
set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'office-srv-ike'
set vpn ipsec site-to-site peer OFFICE-B local-address '198.51.100.3'
set vpn ipsec site-to-site peer OFFICE-B remote-address '203.0.113.2'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'office-srv-esp'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '192.168.0.0/24'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '10.0.0.0/21'

Show the SAs and try to reset the peer:

vyos@r14:~$ show vpn ipsec sa
Connection         State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-----------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
OFFICE-B-tunnel-0  up       17m38s    0B/0B           0/0               203.0.113.2       203.0.113.2  AES_CBC_256/HMAC_SHA1_96/MODP_1024
vyos@r14:~$ 
vyos@r14:~$ 
vyos@r14:~$ reset vpn ipsec-peer OFFICE-B 
Tunnel(s) not found, aborting
vyos@r14:~$ 
vyos@r14:~$ 
vyos@r14:~$ reset vpn ipsec-peer OFFICE-B tunnel 0
Tunnel(s) not found, aborting
vyos@r14:~$ 
vyos@r14:~$
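The reset command in the report fails at the lookup step, before anything is sent to strongSwan: it has to map the configured peer name (and optionally a tunnel number) onto the connection names strongSwan actually has up, and "Tunnel(s) not found" means that mapping returned nothing. The following is an added example, not VyOS code from vyos-1x or the pull request, of what that lookup and the resulting reset should look like. It assumes the "<peer>-tunnel-<n>" naming visible in the "show vpn ipsec sa" output above, reads the connection names from a constructed copy of that table, and builds plain "swanctl --terminate --child" / "swanctl --initiate --child" invocations instead of calling strongSwan's VICI API directly; the helper names and the sample rows are invented for the illustration.

```python
import re
from typing import List, Optional

# Constructed sample of "show vpn ipsec sa" output, modelled on the table in
# the report above (OFFICE-B-tunnel-1 and OFFICE-C-tunnel-0 are added rows,
# not taken from a live system).
SAMPLE_SA_OUTPUT = """\
Connection         State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-----------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
OFFICE-B-tunnel-0  up       17m38s    0B/0B           0/0               203.0.113.2       203.0.113.2  AES_CBC_256/HMAC_SHA1_96/MODP_1024
OFFICE-B-tunnel-1  up       2m01s     0B/0B           0/0               203.0.113.2       203.0.113.2  AES_CBC_256/HMAC_SHA1_96/MODP_1024
OFFICE-C-tunnel-0  down     -         0B/0B           0/0               203.0.113.9       203.0.113.9  -
"""


def connection_names(sa_output: str) -> List[str]:
    """Return the first column (connection name) of every data row in the
    table; rows start after the dashed separator line."""
    names = []
    past_header = False
    for line in sa_output.splitlines():
        if not past_header:
            past_header = line.startswith("---")
            continue
        if line.strip():
            names.append(line.split()[0])
    return names


def select_tunnels(connections: List[str], peer: str,
                   tunnel: Optional[int] = None) -> List[str]:
    """Pick the connections belonging to `peer`, or only the one for `tunnel`
    when a tunnel number is given. Assumed naming: "<peer>-tunnel-<n>".
    The peer name is regex-escaped so a peer named after an IP address
    ("203.0.113.2") matches literally rather than '.' matching anything."""
    if tunnel is None:
        pattern = re.compile(rf"^{re.escape(peer)}-tunnel-\d+$")
    else:
        pattern = re.compile(rf"^{re.escape(peer)}-tunnel-{int(tunnel)}$")
    return [name for name in connections if pattern.match(name)]


def reset_commands(connections: List[str], peer: str,
                   tunnel: Optional[int] = None) -> Optional[List[List[str]]]:
    """Build the swanctl invocations a reset would issue: terminate each
    matching CHILD_SA, then initiate it again. Returns None when no tunnel
    matches, which is the "Tunnel(s) not found, aborting" path in the report.
    Commands are returned as argv lists (no shell) so peer names are never
    interpolated into a shell string."""
    matches = select_tunnels(connections, peer, tunnel)
    if not matches:
        return None
    cmds = [["swanctl", "--terminate", "--child", name] for name in matches]
    cmds += [["swanctl", "--initiate", "--child", name] for name in matches]
    return cmds


if __name__ == "__main__":
    conns = connection_names(SAMPLE_SA_OUTPUT)
    for peer, tunnel in (("OFFICE-B", None), ("OFFICE-B", 0), ("OFFICE-D", None)):
        cmds = reset_commands(conns, peer, tunnel)
        if cmds is None:
            print(f"{peer} tunnel {tunnel}: Tunnel(s) not found, aborting")
        else:
            for argv in cmds:
                print(f"{peer} tunnel {tunnel}: " + " ".join(argv))
```

Running the block as a script prints the terminate/initiate pairs for OFFICE-B (both tunnels, then tunnel 0 only) and the not-found message for a peer that has no SA. The terminate-then-initiate order matches what the successful run later on this page shows: the existing CHILD_SA is closed first and a fresh QUICK_MODE exchange brings up the replacement. The proposal column in the sample (AES_CBC_256/HMAC_SHA1_96/MODP_1024) is copied from the report; it reflects the ike-group/esp-group settings, and the reset bug is independent of those choices.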

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.4-rolling-202210020218
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

PR https://github.com/vyos/vyos-1x/pull/1596

vyos@r14:~$ show vpn ipsec sa 
Connection         State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-----------------  -------  --------  --------------  ----------------  ----------------  -----------  ---------------------------------------
OFFICE-B-tunnel-0  up       4s        0B/0B           0/0               192.0.2.2         192.0.2.2    AES_CBC_256/HMAC_SHA2_256_128/MODP_1024
vyos@r14:~$ 
vyos@r14:~$ 
vyos@r14:~$ reset vpn ipsec-peer OFFICE-B 
closing CHILD_SA OFFICE-B-tunnel-0{16} with SPIs cc364877_i (0 bytes) c521f540_o (0 bytes) and TS 192.168.0.0/24 === 10.0.0.0/21
CHILD_SA {16} closed successfully
generating QUICK_MODE request 1449430238 [ HASH SA No KE ID ID ]
sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (332 bytes)
received packet: from 192.0.2.2[500] to 192.0.2.1[500] (332 bytes)
parsed QUICK_MODE response 1449430238 [ HASH SA No KE ID ID ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ
CHILD_SA OFFICE-B-tunnel-0{17} established with SPIs cd451e27_i cfb63c3c_o and TS 192.168.0.0/24 === 10.0.0.0/21
generating QUICK_MODE request 1449430238 [ HASH ]
sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (76 bytes)
connection 'OFFICE-B-tunnel-0' established successfully
Peer reset result: success
vyos@r14:~$
Viacheslav changed the task status from Open to In progress. Oct 14 2022, 8:18 AM
Viacheslav claimed this task.
Viacheslav changed the task status from In progress to Needs testing. Oct 14 2022, 9:52 AM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.