
IPSec migration failed with missing remote-id
Closed, Resolved | Public | BUG

Description

On an upgrade from 1.3.2 to the latest rolling (1.4-rolling-202212140319) the following IPSec config will not be migrated correctly

#1.3.2 Config
set vpn ipsec esp-group ESP-GROUP compression 'disable'
set vpn ipsec esp-group ESP-GROUP lifetime '3600'
set vpn ipsec esp-group ESP-GROUP mode 'tunnel'
set vpn ipsec esp-group ESP-GROUP pfs 'dh-group14'
set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-GROUP close-action 'none'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE-GROUP ikev2-reauth 'no'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP mode 'main'
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 192.0.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.2 authentication pre-shared-secret 'PSK123'
set vpn ipsec site-to-site peer 192.0.2.2 connection-type 'respond'
set vpn ipsec site-to-site peer 192.0.2.2 default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer 192.0.2.2 description 'Test-VPN'
set vpn ipsec site-to-site peer 192.0.2.2 ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer 192.0.2.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.2.2 local-address '192.0.2.1'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 local prefix '10.0.0.0/8'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 remote prefix '10.213.1.0/24'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 2 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 2 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 2 local prefix '192.168.0.0/16'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 2 remote prefix '10.213.1.0/24'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 3 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 3 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 3 local prefix '172.16.0.0/12'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 3 remote prefix '10.213.1.0/24'

will be migrated to:

set vpn ipsec esp-group ESP-GROUP lifetime '3600'
set vpn ipsec esp-group ESP-GROUP mode 'tunnel'
set vpn ipsec esp-group ESP-GROUP pfs 'dh-group14'
set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-GROUP close-action 'none'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP mode 'main'
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer peer_192-0-2-2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_192-0-2-2 authentication pre-shared-secret 'PSK123'
set vpn ipsec site-to-site peer peer_192-0-2-2 connection-type 'respond'
set vpn ipsec site-to-site peer peer_192-0-2-2 default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer peer_192-0-2-2 description 'Test-VPN'
set vpn ipsec site-to-site peer peer_192-0-2-2 ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer peer_192-0-2-2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_192-0-2-2 local-address '192.0.2.1'
set vpn ipsec site-to-site peer peer_192-0-2-2 remote-address '192.0.2.2'
set vpn ipsec site-to-site peer peer_192-0-2-2 tunnel 1 local prefix '10.0.0.0/8'
set vpn ipsec site-to-site peer peer_192-0-2-2 tunnel 1 remote prefix '10.213.1.0/24'
set vpn ipsec site-to-site peer peer_192-0-2-2 tunnel 2 local prefix '192.168.0.0/16'
set vpn ipsec site-to-site peer peer_192-0-2-2 tunnel 2 remote prefix '10.213.1.0/24'
set vpn ipsec site-to-site peer peer_192-0-2-2 tunnel 3 local prefix '172.16.0.0/12'
set vpn ipsec site-to-site peer peer_192-0-2-2 tunnel 3 remote prefix '10.213.1.0/24'

log from 1.4 as initiator

Dec 14 15:20:38 server charon[1742]: 08[KNL] creating acquire job for policy 172.16.1.1/32[udp/32862] === 10.213.1.1/32[udp/1025] with reqid {3}
Dec 14 15:20:38 server charon[1742]: 08[IKE] <peer_192-0-2-2|1> initiating Main Mode IKE_SA peer_192-0-2-2[1] to 192.0.2.2
Dec 14 15:20:38 server charon[1742]: 08[ENC] <peer_192-0-2-2|1> generating ID_PROT request 0 [ SA V V V V V ]
Dec 14 15:20:38 server charon[1742]: 08[NET] <peer_192-0-2-2|1> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (180 bytes)
Dec 14 15:20:38 server charon[1742]: 11[NET] <peer_192-0-2-2|1> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (160 bytes)
Dec 14 15:20:38 server charon[1742]: 11[ENC] <peer_192-0-2-2|1> parsed ID_PROT response 0 [ SA V V V V ]
Dec 14 15:20:38 server charon[1742]: 11[IKE] <peer_192-0-2-2|1> received XAuth vendor ID
Dec 14 15:20:38 server charon[1742]: 11[IKE] <peer_192-0-2-2|1> received DPD vendor ID
Dec 14 15:20:38 server charon[1742]: 11[IKE] <peer_192-0-2-2|1> received FRAGMENTATION vendor ID
Dec 14 15:20:38 server charon[1742]: 11[IKE] <peer_192-0-2-2|1> received NAT-T (RFC 3947) vendor ID
Dec 14 15:20:38 server charon[1742]: 11[CFG] <peer_192-0-2-2|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Dec 14 15:20:38 server charon[1742]: 11[ENC] <peer_192-0-2-2|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 14 15:20:38 server charon[1742]: 11[NET] <peer_192-0-2-2|1> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (396 bytes)
Dec 14 15:20:38 server charon[1742]: 12[NET] <peer_192-0-2-2|1> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (396 bytes)
Dec 14 15:20:38 server charon[1742]: 12[ENC] <peer_192-0-2-2|1> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Dec 14 15:20:38 server charon[1742]: 12[ENC] <peer_192-0-2-2|1> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Dec 14 15:20:38 server charon[1742]: 12[NET] <peer_192-0-2-2|1> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (108 bytes)
Dec 14 15:20:38 server charon[1742]: 13[NET] <peer_192-0-2-2|1> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (92 bytes)
Dec 14 15:20:38 server charon[1742]: 13[ENC] <peer_192-0-2-2|1> parsed ID_PROT response 0 [ ID HASH ]
Dec 14 15:20:38 server charon[1742]: 13[IKE] <peer_192-0-2-2|1> IDir '192.0.2.2' does not match to 'peer_192-0-2-2'
Dec 14 15:20:38 server charon[1742]: 13[IKE] <peer_192-0-2-2|1> deleting IKE_SA peer_192-0-2-2[1] between 192.0.2.1[192.0.2.1]...192.0.2.2[%any]
Dec 14 15:20:38 server charon[1742]: 13[IKE] <peer_192-0-2-2|1> sending DELETE for IKE_SA peer_192-0-2-2[1]
Dec 14 15:20:38 server charon[1742]: 13[ENC] <peer_192-0-2-2|1> generating INFORMATIONAL_V1 request 913608266 [ HASH D ]
Dec 14 15:20:38 server charon[1742]: 13[NET] <peer_192-0-2-2|1> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (108 bytes)

log from 1.4 as responder

Dec 14 15:23:45 server charon[1742]: 07[NET] <2> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (180 bytes)
Dec 14 15:23:45 server charon[1742]: 07[ENC] <2> parsed ID_PROT request 0 [ SA V V V V V ]
Dec 14 15:23:45 server charon[1742]: 07[IKE] <2> received XAuth vendor ID
Dec 14 15:23:45 server charon[1742]: 07[IKE] <2> received DPD vendor ID
Dec 14 15:23:45 server charon[1742]: 07[IKE] <2> received FRAGMENTATION vendor ID
Dec 14 15:23:45 server charon[1742]: 07[IKE] <2> received NAT-T (RFC 3947) vendor ID
Dec 14 15:23:45 server charon[1742]: 07[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 14 15:23:45 server charon[1742]: 07[IKE] <2> 192.0.2.2 is initiating a Main Mode IKE_SA
Dec 14 15:23:45 server charon[1742]: 07[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Dec 14 15:23:45 server charon[1742]: 07[ENC] <2> generating ID_PROT response 0 [ SA V V V V ]
Dec 14 15:23:45 server charon[1742]: 07[NET] <2> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (160 bytes)
Dec 14 15:23:45 server charon[1742]: 10[NET] <2> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (396 bytes)
Dec 14 15:23:45 server charon[1742]: 10[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 14 15:23:45 server charon[1742]: 10[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Dec 14 15:23:45 server charon[1742]: 10[NET] <2> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (396 bytes)
Dec 14 15:23:45 server charon[1742]: 08[NET] <2> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (108 bytes)
Dec 14 15:23:45 server charon[1742]: 08[ENC] <2> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Dec 14 15:23:45 server charon[1742]: 08[CFG] <2> looking for pre-shared key peer configs matching 192.0.2.1...192.0.2.2[192.0.2.2]
Dec 14 15:23:45 server charon[1742]: 08[IKE] <2> no peer config found
Dec 14 15:23:45 server charon[1742]: 08[ENC] <2> generating INFORMATIONAL_V1 request 2097376506 [ HASH N(AUTH_FAILED) ]
Dec 14 15:23:45 server charon[1742]: 08[NET] <2> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (108 bytes)

When I add

set vpn ipsec site-to-site peer peer_192-0-2-2 authentication remote-id 192.0.2.2

everything works.
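The migration step this report is about, written out as an added Python example (not VyOS's own migration script, which works on the ConfigTree API rather than on plain `set` lines): an address-keyed 1.3 peer becomes a named 1.4 peer carrying `remote-address`, and the missing `authentication remote-id` is emitted alongside it so that charon's IKEv1 IDir check has an identity to match instead of the peer name. The names `migrate`, `peer_name`, `is_address`, `OLD_CONFIG` and `DROPPED_LEAVES` are assumptions of this example, and the sample input is a constructed subset of the 1.3.2 lines above.

```python
import ipaddress
import re

# Constructed sample input: a subset of the 1.3.2 lines from the report.
OLD_CONFIG = """\
set vpn ipsec esp-group ESP-GROUP compression 'disable'
set vpn ipsec esp-group ESP-GROUP lifetime '3600'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 192.0.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.2 authentication pre-shared-secret 'PSK123'
set vpn ipsec site-to-site peer 192.0.2.2 local-address '192.0.2.1'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 local prefix '10.0.0.0/8'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 remote prefix '10.213.1.0/24'
"""

PEER_RE = re.compile(r"^set vpn ipsec site-to-site peer (\S+)( .*)?$")
# Leaves that are absent from the migrated 1.4 output in the report and are dropped.
DROPPED_LEAVES = ("allow-nat-networks", "allow-public-networks", "compression")


def is_address(value):
    """True if the peer key is an IP address (1.3 style) rather than a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def peer_name(address):
    """1.4 peers are named; derive the name the report shows (peer_192-0-2-2)."""
    return "peer_" + re.sub(r"[.:]", "-", address)


def migrate(lines):
    """Rewrite 1.3-style 'set' lines into the 1.4 syntax, adding remote-id."""
    lines = [l.rstrip() for l in lines if l.strip()]
    # Pass 1: which address-keyed peers already carry an explicit remote-id?
    has_remote_id = set()
    for line in lines:
        m = PEER_RE.match(line)
        if m and " authentication remote-id " in line:
            has_remote_id.add(m.group(1))
    # Pass 2: rewrite line by line.
    out, emitted = [], set()
    for line in lines:
        if any(f" {leaf} " in line for leaf in DROPPED_LEAVES):
            continue
        if line.startswith("set vpn ipsec ipsec-interfaces interface "):
            out.append(line.replace("ipsec-interfaces interface", "interface", 1))
            continue
        m = PEER_RE.match(line)
        if not (m and is_address(m.group(1))):
            out.append(line)
            continue
        addr, rest = m.group(1), m.group(2) or ""
        name = peer_name(addr)
        if addr not in emitted:
            emitted.add(addr)
            # remote-address keeps the transport endpoint; remote-id keeps the IKE
            # identity charon compares IDir against (the piece missing in the report).
            out.append(f"set vpn ipsec site-to-site peer {name} remote-address '{addr}'")
            if addr not in has_remote_id:
                out.append(f"set vpn ipsec site-to-site peer {name} authentication remote-id '{addr}'")
        out.append(f"set vpn ipsec site-to-site peer {name}{rest}")
    return out


if __name__ == "__main__":
    print("\n".join(migrate(OLD_CONFIG.splitlines())))
```

A peer that already has an explicit `remote-id` in the 1.3 config keeps it and does not get a second one; only peers whose identity was implied by the address key get the derived value. The log line `IDir '192.0.2.2' does not match to 'peer_192-0-2-2'` is the check to look for when verifying a migration: once `remote-id` is present, the identity in that line and the configured one agree.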

Details

Difficulty level
Unknown (require assessment)
Version
1.4-rolling-202212140319
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav added a subscriber: Viacheslav.

Related task IPsec syntax overhaul T4118

Viacheslav changed the task status from Open to In progress. Dec 19 2022, 2:22 PM
Viacheslav claimed this task.
Viacheslav changed the task status from In progress to Needs testing. Dec 20 2022, 7:02 AM

The change worked for my example.