
ipsec connections shows only one connection as up
Status: Closed, Resolved (Public, Bug)

Description

The operational command show vpn ipsec connections shows only one tunnel as UP. Whichever tunnel is loaded last, that tunnel is shown as up.
Sending traffic also doesn't make any difference.

vyos@vyos# run sh vpn ipsec connections
Connection        State    Type    Remote address    Local TS         Remote TS        Local id    Remote id    Proposal
----------------  -------  ------  ----------------  ---------------  ---------------  ----------  -----------  -------------------------------------
remote1           down     IKEv2   1.2.3.4           -                -                            1.2.3.4      -
remote1-tunnel-0  down     IPsec   1.2.3.4           192.168.99.2/32  192.168.99.1/32              1.2.3.4      -
remote2           up       IKEv2   1.2.3.5           -                -                            1.2.3.5      AES_CBC/256/HMAC_SHA2_256_128/ECP_521
remote2-tunnel-0  up       IPsec   1.2.3.5           192.168.99.2/32  192.168.99.3/32              1.2.3.5      AES_CBC/256/HMAC_SHA2_256_128/None
[edit]

vyos@vyos# run sh vpn ipsec sa
Connection        State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
----------------  -------  --------  --------------  ----------------  ----------------  -----------  -----------------------------
remote1-tunnel-0  up       15m26s    1K/1K           19/19             1.2.3.4           1.2.3.4      AES_CBC_256/HMAC_SHA2_256_128
remote2-tunnel-0  up       15m26s    0B/0B           0/0               1.2.3.5           1.2.3.5      AES_CBC_256/HMAC_SHA2_256_128

vyos@vyos# sudo swanctl -l
remote2: #2, ESTABLISHED, IKEv2, bd540d0a31d55f9f_i* 4d134218c45dac62_r
  local  '1.2.3.3' @ 1.2.3.3[4500]
  remote '1.2.3.5' @ 1.2.3.5[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
  established 975s ago, rekeying in 27156s
  remote2-tunnel-0: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 975s ago, rekeying in 2625s, expires in 2625s
    in  c60737ef,      0 bytes,     0 packets
    out cd25f7dc,      0 bytes,     0 packets
    local  192.168.99.2/32
    remote 192.168.99.3/32
remote1: #1, ESTABLISHED, IKEv2, 2c3f98ad856b2e0c_i* c661cd025f731e12_r
  local  '1.2.3.3' @ 1.2.3.3[4500]
  remote '1.2.3.4' @ 1.2.3.4[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
  established 975s ago, rekeying in 25385s
  remote1-tunnel-0: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 975s ago, rekeying in 2625s, expires in 2625s
    in  ce2acb92,   5628 bytes,    67 packets,     1s ago
    out c0c69888,   5628 bytes,    67 packets,     1s ago
    local  192.168.99.2/32
    remote 192.168.99.1/32
[edit]

vyos@vyos# sudo swanctl -L
remote1: IKEv2, no reauthentication, rekeying every 28800s, dpd delay 30s
  local:  1.2.3.3
  remote: 1.2.3.4
  local pre-shared key authentication:
  remote pre-shared key authentication:
    id: 1.2.3.4
  remote1-tunnel-0: TUNNEL, rekeying every 3600s, dpd action is clear
    local:  192.168.99.2/32
    remote: 192.168.99.1/32
remote2: IKEv2, no reauthentication, rekeying every 28800s, dpd delay 30s
  local:  1.2.3.3
  remote: 1.2.3.5
  local pre-shared key authentication:
  remote pre-shared key authentication:
    id: 1.2.3.5
  remote2-tunnel-0: TUNNEL, rekeying every 3600s, dpd action is clear
    local:  192.168.99.2/32
    remote: 192.168.99.3/32

Details

Difficulty level: Unknown (requires assessment)
Version: 1.4-rolling-202212060318
Why did the issue appear? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Related Objects

Mentioned in: 1.3.3

Event Timeline

Viacheslav changed the subtype of this task from "Task" to "Bug". Jan 2 2023, 6:01 PM
Viacheslav changed the task status from Open to In progress. Jan 9 2023, 10:19 AM
Viacheslav claimed this task.

PR https://github.com/vyos/vyos-1x/pull/1745

root@r1:/home/vyos# /usr/libexec/vyos/op_mode/ipsec.py show_connections
Connection         State    Type    Remote address    Local TS        Remote TS     Local id                Remote id         Proposal
-----------------  -------  ------  ----------------  --------------  ------------  ----------------------  ----------------  ---------------------------------------
OFFICE-B           up       IKEv1   192.0.2.2         -               -             192.0.2.1.local.peer-b  192.0.2.2.peer-b  AES_CBC/256/HMAC_SHA2_256_128/MODP_2048
OFFICE-B-tunnel-0  up       IPsec   192.0.2.2         192.168.0.0/24  10.0.0.0/21   192.0.2.1.local.peer-b  192.0.2.2.peer-b  AES_CBC/128/HMAC_SHA1_96/MODP_2048
OFFICE-C           up       IKEv2   192.0.2.3         -               -             192.0.2.1.local.peer-c  192.0.2.3.peer-c  AES_CBC/128/HMAC_SHA1_96/MODP_1024
OFFICE-C-tunnel-0  up       IPsec   192.0.2.3         192.168.2.0/24  10.0.0.0/21   192.0.2.1.local.peer-c  192.0.2.3.peer-c  AES_CBC/256/HMAC_SHA2_256_128/None
OFFICE-D           down     IKEv2   192.0.2.5         -               -             192.0.2.1.local.peer-d  192.0.2.5.peer-d  -
OFFICE-D-tunnel-0  down     IPsec   192.0.2.5         192.168.5.0/24  10.0.50.0/24  192.0.2.1.local.peer-d  192.0.2.5.peer-d  -
root@r1:/home/vyos# 

Actual data:

root@r1:/home/vyos# sudo swanctl -l
OFFICE-D: #3, CONNECTING, IKEv2, eaf9ca8cc93a6ad1_i* 0000000000000000_r
  local  '%any' @ 192.0.2.1[500]
  remote '%any' @ 192.0.2.5[500]
  active:  IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
OFFICE-C: #2, ESTABLISHED, IKEv2, af88b0f57d59e101_i* 95586d5e18ced6e8_r
  local  '192.0.2.1.local.peer-c' @ 192.0.2.1[4500]
  remote '192.0.2.3.peer-c' @ 192.0.2.3[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 26s ago, rekeying in 3531s
  OFFICE-C-tunnel-0: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 26s ago, rekeying in 3574s, expires in 1774s
    in  cf46d59e,      0 bytes,     0 packets
    out cb296e9f,      0 bytes,     0 packets
    local  192.168.2.0/24
    remote 10.0.0.0/21
OFFICE-B: #1, ESTABLISHED, IKEv1, b259b522ee162430_i* 8ef895d0b4fcd325_r
  local  '192.0.2.1.local.peer-b' @ 192.0.2.1[500]
  remote '192.0.2.2.peer-b' @ 192.0.2.2[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 26s ago, rekeying in 3378s
  OFFICE-B-tunnel-0: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 26s ago, rekeying in 3574s, expires in 1774s
    in  c0d93128,      0 bytes,     0 packets
    out c8e2c4a9,      0 bytes,     0 packets
    local  192.168.0.0/24
    remote 10.0.0.0/21
root@r1:/home/vyos#
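An added example, not the VyOS op-mode script or the fix in PR 1745: it parses the text of `swanctl -l` as shown in this report and in the comment above, keeps one state record per connection name, and derives the up/down state the `show vpn ipsec connections` table should print (both remote1 and remote2 up, the CONNECTING peer down). The sample input and the CONFIGURED mapping are constructed from the outputs on this page; parsing the text form rather than the vici API is an assumption made for a self-contained example.

```python
import re

# Constructed sample: header lines from the `swanctl -l` output in the report, plus the
# CONNECTING entry from the follow-up comment; other lines are trimmed for brevity.
SWANCTL_LIST_SAS = """\
remote2: #2, ESTABLISHED, IKEv2, bd540d0a31d55f9f_i* 4d134218c45dac62_r
  local  '1.2.3.3' @ 1.2.3.3[4500]
  remote2-tunnel-0: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    local  192.168.99.2/32
remote1: #1, ESTABLISHED, IKEv2, 2c3f98ad856b2e0c_i* c661cd025f731e12_r
  remote1-tunnel-0: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
OFFICE-D: #3, CONNECTING, IKEv2, eaf9ca8cc93a6ad1_i* 0000000000000000_r
"""

# IKE SA headers start at column 0; CHILD SA headers are indented by two spaces.
IKE_SA = re.compile(r"^(?P<name>\S+): #\d+, (?P<state>[A-Z_]+), (?P<ver>IKEv[12])")
CHILD_SA = re.compile(r"^  (?P<name>\S+): #\d+, reqid \d+, (?P<state>[A-Z_]+), (?P<mode>\w+)")

def parse_list_sas(text):
    """Return {conn: {"state", "version", "children": {child: state}}}, keyed per connection."""
    sas, current = {}, None
    for line in text.splitlines():
        m = IKE_SA.match(line)
        if m:  # new IKE SA: open its own record instead of reusing a single shared one
            current = m["name"]
            sas[current] = {"state": m["state"], "version": m["ver"], "children": {}}
            continue
        m = CHILD_SA.match(line)
        if m and current is not None:
            sas[current]["children"][m["name"]] = m["state"]
    return sas

def connection_status(sas, configured):
    """Map every configured connection and child to 'up'/'down'.
    Only ESTABLISHED IKE SAs and INSTALLED CHILD SAs count as up; CONNECTING or absent is down."""
    status = {}
    for conn, children in configured.items():
        ike = sas.get(conn, {})
        status[conn] = "up" if ike.get("state") == "ESTABLISHED" else "down"
        for child in children:
            status[child] = "up" if ike.get("children", {}).get(child) == "INSTALLED" else "down"
    return status

# Connections as configured in `swanctl -L` from the report, plus the CONNECTING peer (constructed).
CONFIGURED = {"remote1": ["remote1-tunnel-0"], "remote2": ["remote2-tunnel-0"], "OFFICE-D": ["OFFICE-D-tunnel-0"]}

if __name__ == "__main__":
    for name, state in connection_status(parse_list_sas(SWANCTL_LIST_SAS), CONFIGURED).items():
        print(f"{name:20} {state}")
```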
Viacheslav changed the task status from In progress to Needs testing. Jan 10 2023, 3:37 PM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.3) board.