`show vpn ipsec sa` fails when a remote-access IKEv2 VPN is in use.
Configuration:
set vpn ipsec remote-access connection rw authentication client-mode 'eap-mschapv2'
set vpn ipsec remote-access connection rw authentication local-id '192.168.139.52'
set vpn ipsec remote-access connection rw authentication local-users username test password 'test'
set vpn ipsec remote-access connection rw authentication local-users username vyos password 'vyos'
set vpn ipsec remote-access connection rw authentication server-mode 'x509'
set vpn ipsec remote-access connection rw authentication x509 ca-certificate 'CATEST2'
set vpn ipsec remote-access connection rw authentication x509 certificate 'Servercert'
set vpn ipsec remote-access connection rw esp-group 'ESP-RW'
set vpn ipsec remote-access connection rw ike-group 'IKE-RW'
set vpn ipsec remote-access connection rw local-address '192.168.139.52'
set vpn ipsec remote-access connection rw pool 'ra-rw-ipv4'
set vpn ipsec remote-access pool ra-rw-ipv4 name-server '192.168.111.1'
set vpn ipsec remote-access pool ra-rw-ipv4 prefix '192.0.2.128/25'
After the client has connected:
vyos@vyos:~$ show vpn ipsec sa
'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte
Why it happens:
- The VICI function `list_sas` returns a list of OrderedDicts whose entries include the raw certificate bytes (the `local-cert-data` field in the dump below).
- The `decode` function is then applied to every byte value to convert it to a string. The certificate is binary data rather than UTF-8 text (its second byte is `\x82`, which is exactly the "byte 0x82 in position 1" named in the error), so decoding it as UTF-8 throws an exception.
Example of the result returned by the VICI function `list_sas`:
[OrderedDict([('ra-rw',
OrderedDict([('uniqueid', b'2'),
('version', b'2'),
('state', b'ESTABLISHED'),
('local-host', b'192.168.139.52'),
('local-port', b'4500'),
('local-id', b'192.168.139.52'),
('local-cert-data',
b'0\x82\x03\xb50\x82\x02\x9d\xa0\x03\x02\x01'
b'\x02\x02\x14fM\x9cE0\xf2\x8be\x89'
b'\xb9\xdf\xb3\x97#=\xae\x8d\xd5\xf7\x820\r\x06\t*'
b'\x86H\x86\xf7\r\x01\x01\x0b\x05\x000W1\x0b0\t'
b'\x06\x03U\x04\x06\x13\x02GB1\x130\x11\x06\x03U'
b'\x04\x08\x0c\nSome-State1\x120\x10\x06\x03'
b'U\x04\x07\x0c\tSome-City1\r0\x0b\x06\x03'
b'U\x04\n\x0c\x04VyOS1\x100\x0e\x06\x03U'
b'\x04\x03\x0c\x07vyos.io0\x1e\x17\r230301110602Z'
b'\x17\r240229110602Z0[1\x0b0\t\x06\x03U'
b'\x04\x06\x13\x02GB1\x130\x11\x06\x03'
b'U\x04\x08\x0c\nSome-State1\x120\x10\x06'
b'\x03U\x04\x07\x0c\tSome-City1\r0\x0b\x06'
b'\x03U\x04\n\x0c\x04VyOS1\x140\x12\x06\x03'
b'U\x04\x03\x0c\x0bvpn.vyos.io0\x82\x01"0\r\x06\t'
b'*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03'
b'\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01'
b'\x00\xcc\xdd\xfeT\x7f\xb9\x1f\xa9-\xe0\x8f'
b'\xcd\x81\xab:\xf1\x85tTS\xca\xc5P'
b'\x9e\xd9\x96\xe2\xdb9\xf7j\xd8\xfd\xa4\x9b'
b'5\xa8\xf1z\xc2\xe5\xdb\x13\x04>4\xf1x\xa7`\xbc'
b'\xc5\xf90$\xee\x18\x12\x83\x84\x84o\xde'
b'5\xe7E\x94,\xbb\xe5\xdb\x9e\xd8\xd4\xad'
b'\n\x0e\x1f\x0c\nh\xca\x9c\x97:\xeb\xc1'
b'\x8c\xfa\x96g\xbcP\x9fC\xc4m\xb7\xa6'
b'\xcd1\x83\x03\xb5\x939\r\x17\xf8\x136'
b'\xed\x0b&\xa8\xc2<\xe6\x1f; \x83\xb3'
b'\x19\x0c\xf8\xe0\x93\xba\x9d"d\xc0.\x06'
b'|\x16\xd5\x80KQ\xce~\xec\xa48U\xb6]\xb3:'
b'\x8d\xb1i\x18\xc3p\xf9\x19\x04\xab\xfap'
b'\xf8\xa2\xcc7\xed\\\xa5;\xc4\xc7\x9a\x89'
b'\x0c3\x99\x81\xa2\x97:\xc68\x0b\xf3Loe\xc6v'
b'\xe2\xe5`Bo\xaf)d/\x91\x8d\x02i\xa8\xf4\xbe'
b'U\\\x80\x01\xc1\xee\x1d\x1e|\x8bb{tY\xa6j'
b'\xc4<\x0f\xcek\x82\x99~/]\xbc0\xbb\xf3\xc8\xa5'
b'@\x182\x1a,_r\xae\xa6\xc2,y\x99\xf5\xb3}'
b'M\x02\x03\x01\x00\x01\xa3u0s0\x0c\x06\x03U\x1d'
b'\x13\x01\x01\xff\x04\x020\x000\x0e\x06\x03'
b'U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x07\x80'
b'0\x13\x06\x03U\x1d%\x04\x0c0\n\x06\x08+\x06\x01'
b'\x05\x05\x07\x03\x010\x1d\x06\x03U\x1d\x0e'
b'\x04\x16\x04\x14\xfcGLQ\xf8\x17[\xb4\x88a\x95z'
b'rV\xcc\x8c\x88\xf8\xa2p0\x1f\x06\x03U\x1d#\x04'
b'\x180\x16\x80\x14I\xe2\x10\xe4\xd3\x16$'
b'\xd1\xb88\xea\xe5\x91\x0fR\xbe\xc11\x1dx0\r\x06'
b'\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00'
b'\x03\x82\x01\x01\x00-9\x0b\x9b\x9f\xb9\x9a'
b')U_\x0b\xf2\xa7\xfdt\xc8\xddW\xc3g)\x10O'
b'\x9b+\xf5\xa1\xe6\x1d\x88\xb2\x88^SL'
b'\x0e\x15T\xfb\xfb\xd9lOFb@BF\xa7:v'
b'\xc0\xa6\xd0\xbf\xa7+\x9b0\xa7\xddR\xec'
b'\x8c\x95\xd9\xb0\x18G\x7f \xcd\xf8\xd7\xba'
b'73\x1d\xc5\xd5YD\xe0\xeb\x12\x1e\xce'
b'-\xc4\x9b\x15Y\xc2D \xe3J&\xdc\xa3`\x94;'
b'\x93+k\xcc\x16Fl\t]\x8fh\x8c\xc8\xb6\x9am'
b'\x04>\xce\xcc\xbb\x8e\xa2+w\x19y\xf3'
b'\xa2L\x87\xeeAW\xb3\xab\xebD\xb4\xf3'
b"\x1a(\xd6\x99\xd7\xa3'L\x81'\x14\xe0\x08\xb0Xs"
b'\xf8\x91\xd2JZ\xc5\\\x99\xf0\x9c\xfbO$\xf9)\xb8'
b'!)+;f\xbe\xcbc\x8aH+\xfb\xd5\xbd\xe2\xbb'
b'\xabu\xb5c\xe1W\x11^5\x06\xd4K}\n\x8aW'
b"\xe7\xd0\xdf\xf6\xf9\xaf\x05t'\x7f%]97\xef\x15"
b'\xc9r\xe5TA\xdb\xf9\x1f\x90\xb5\xb0\xcb'
b'J\xc4\x8a\xac\xea\xb8\x82d\r\x14\xdb\xb0'
b"\xaa%\x11\x80y'$\x8dw"),
('remote-host', b'192.168.139.51'),
('remote-port', b'4500'),
('remote-id', b'192.168.5.2'),
('remote-eap-id', b'vyos'),
('initiator-spi', b'6bc3038f5183e371'),
('responder-spi', b'f6e57cf714c67408'),
('nat-remote', b'yes'),
('nat-any', b'yes'),
('encr-alg', b'AES_GCM_16'),
('encr-keysize', b'128'),
('prf-alg', b'PRF_HMAC_SHA2_256'),
('dh-group', b'MODP_2048'),
('established', b'3766'),
('rekey-time', b'3236'),
('remote-vips', [b'192.0.2.129']),
('child-sas',
OrderedDict([('ikev2-vpn-7',
OrderedDict([('name', b'ikev2-vpn'),
('uniqueid', b'7'),
('reqid', b'1'),
('state', b'INSTALLED'),
('mode', b'TUNNEL'),
('protocol', b'ESP'),
('encap', b'yes'),
('spi-in', b'c958827b'),
('spi-out',
b'ce99d582'),
('encr-alg',
b'AES_GCM_16'),
('encr-keysize',
b'128'),
('dh-group',
b'MODP_2048'),
('bytes-in', b'3247'),
('packets-in', b'22'),
('use-in', b'1973'),
('bytes-out', b'0'),
('packets-out', b'0'),
('rekey-time', b'906'),
('life-time', b'1736'),
('install-time',
b'2224'),
('local-ts',
[b'0.0.0.0/0',
b'::/0']),
('remote-ts',
[b'192.0.2.129/'
b'32'])]))]))]))])]