
Command 'reset vpn ipsec-profile' doesn't work
Closed, Resolved (Public, BUG)

Description

Command 'reset vpn ipsec-profile' doesn't work

Example:
DMVPN configuration
HUB:

set interfaces ethernet eth0 address '192.168.139.100/24'
set interfaces ethernet eth1 address '10.100.100.1/24'
set interfaces tunnel tun100 address '10.0.0.1/24'
set interfaces tunnel tun100 enable-multicast
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 parameters ip key '1'
set interfaces tunnel tun100 source-address '192.168.139.100'
set protocols bgp address-family ipv4-unicast network 10.100.100.0/24
set protocols bgp neighbor 10.0.0.11 address-family ipv4-unicast route-reflector-client
set protocols bgp neighbor 10.0.0.11 remote-as '65000'
set protocols bgp neighbor 10.0.0.12 address-family ipv4-unicast route-reflector-client
set protocols bgp neighbor 10.0.0.12 remote-as '65000'
set protocols bgp system-as '65000'
set protocols nhrp tunnel tun100 cisco-authentication 'secret'
set protocols nhrp tunnel tun100 holding-time '30'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut
set protocols static route 0.0.0.0/0 next-hop 192.168.139.2
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB close-action 'none'
set vpn ipsec ike-group IKE-HUB dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-HUB dead-peer-detection interval '3'
set vpn ipsec ike-group IKE-HUB dead-peer-detection timeout '30'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'

Interface    Type     Protocol-Address    Alias-Address    Flags    NBMA-Address     Expires-In
-----------  -------  ------------------  ---------------  -------  ---------------  ------------
tun100       local    10.0.0.255/32       10.0.0.1         up
tun100       local    10.0.0.1/32                          up
tun100       dynamic  10.0.0.12/32                         up       192.168.139.102  0:25
tun100       dynamic  10.0.0.11/32                         up       192.168.139.101  0:22
vyos@vyos:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID        Proposal
------------  -------  --------  --------------  ----------------  ----------------  ---------------  ------------------------
dmvpn         up       18m30s    21K/23K         189/207           192.168.139.101   192.168.139.101  AES_CBC_256/HMAC_SHA1_96
dmvpn         up       19m5s     19K/24K         202/193           192.168.139.102   192.168.139.102  AES_CBC_256/HMAC_SHA1_96

Trying to reset:

vyos@vyos:~$ reset  vpn ipsec-profile NHRPVPN
Profile not found, aborting
vyos@vyos:~$ reset  vpn ipsec-profile NHRPVPN tunnel
Possible completions:
  <text>                Reset a specific tunnel for given DMVPN profile


vyos@vyos:~$ reset  vpn ipsec-profile NHRPVPN tunnel tunn100
Profile not found, aborting
vyos@vyos:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID        Proposal
------------  -------  --------  --------------  ----------------  ----------------  ---------------  ------------------------
dmvpn         up       19m29s    22K/24K         198/217           192.168.139.101   192.168.139.101  AES_CBC_256/HMAC_SHA1_96
dmvpn         up       20m4s     20K/25K         212/203           192.168.139.102   192.168.139.102  AES_CBC_256/HMAC_SHA1_96
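The report shows the reset being rejected with "Profile not found" although `vpn ipsec profile NHRPVPN` is present in the configuration and bound to tun100. The practical consequence is that an operator cannot selectively tear down the established SAs for that profile (forcing a fresh IKE negotiation with the spokes) without a heavier-handed restart. The Python below is an added example, not VyOS's own op-mode code, and the page does not state the cause of the bug; it shows the lookup a working reset needs to perform: confirm the profile exists in the configuration, confirm that any tunnel argument is actually bound to that profile, then select the SAs whose remote address is a dynamic NHRP peer on that tunnel. The configuration subset, NHRP table and `show vpn ipsec sa` output are copied from the report; the column-position assumptions are noted in comments. The `tunn100` typo from the report is rejected with a message that names the tunnel rather than the profile.

```python
"""Added example, not VyOS code: determine which IPsec SAs a working
'reset vpn ipsec-profile <profile> [tunnel <tun>]' should terminate, using
the configuration and op-mode output from the bug report."""
import shlex

# Constructed from the report's HUB configuration (only the nodes used here).
CONFIG = """\
set interfaces tunnel tun100 address '10.0.0.1/24'
set interfaces tunnel tun100 enable-multicast
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 source-address '192.168.139.100'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
"""

# NHRP peer table and 'show vpn ipsec sa' output, copied from the report.
NHRP_TABLE = """\
Interface    Type     Protocol-Address    Alias-Address    Flags    NBMA-Address     Expires-In
-----------  -------  ------------------  ---------------  -------  ---------------  ------------
tun100       local    10.0.0.255/32       10.0.0.1         up
tun100       local    10.0.0.1/32                          up
tun100       dynamic  10.0.0.12/32                         up       192.168.139.102  0:25
tun100       dynamic  10.0.0.11/32                         up       192.168.139.101  0:22
"""

SA_TABLE = """\
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID        Proposal
------------  -------  --------  --------------  ----------------  ----------------  ---------------  ------------------------
dmvpn         up       18m30s    21K/23K         189/207           192.168.139.101   192.168.139.101  AES_CBC_256/HMAC_SHA1_96
dmvpn         up       19m5s     19K/24K         202/193           192.168.139.102   192.168.139.102  AES_CBC_256/HMAC_SHA1_96
"""


def parse_set_commands(text):
    """Turn 'set a b c' lines into a nested dict; every word becomes a key."""
    tree = {}
    for line in text.splitlines():
        words = shlex.split(line)          # handles the quoted values
        if words[:1] != ["set"]:
            continue
        node = tree
        for word in words[1:]:
            node = node.setdefault(word, {})
    return tree


def profile_tunnels(tree, profile):
    """Tunnels bound to an IPsec profile; LookupError if the profile is absent."""
    profiles = tree.get("vpn", {}).get("ipsec", {}).get("profile", {})
    if profile not in profiles:
        raise LookupError(f"profile {profile!r} is not configured")
    return sorted(profiles[profile].get("bind", {}).get("tunnel", {}))


def nhrp_dynamic_peers(text, tunnels):
    """NBMA addresses of dynamic NHRP peers on the given tunnel interfaces.
    Assumes the layout in the report: dynamic rows end '<NBMA-Address> <Expires-In>'."""
    peers = set()
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[0] in tunnels and cols[1] == "dynamic":
            peers.add(cols[-2])
    return peers


def parse_sa_table(text):
    """Rows of 'show vpn ipsec sa' as dicts. Assumes the 8-column layout in the
    report, with the remote address in column 6 and a state of up/down."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 8 and cols[1] in ("up", "down"):
            rows.append({"connection": cols[0], "uptime": cols[2], "remote": cols[5]})
    return rows


def sas_to_reset(config_text, nhrp_text, sa_text, profile, tunnel=None):
    """Validate the operator's arguments against the configuration, then pick
    the SAs whose remote address is a dynamic NHRP peer on the profile's tunnel(s)."""
    tunnels = profile_tunnels(parse_set_commands(config_text), profile)
    if tunnel is not None:
        if tunnel not in tunnels:
            raise LookupError(f"tunnel {tunnel!r} is not bound to profile {profile!r}")
        tunnels = [tunnel]
    peers = nhrp_dynamic_peers(nhrp_text, tunnels)
    return [sa for sa in parse_sa_table(sa_text) if sa["remote"] in peers]


if __name__ == "__main__":
    for sa in sas_to_reset(CONFIG, NHRP_TABLE, SA_TABLE, "NHRPVPN", "tun100"):
        print(f"would terminate {sa['connection']} to {sa['remote']} (up {sa['uptime']})")
    try:
        sas_to_reset(CONFIG, NHRP_TABLE, SA_TABLE, "NHRPVPN", "tunn100")
    except LookupError as err:
        print("rejected:", err)
```

Run as a script it lists the two spoke SAs (192.168.139.101 and 192.168.139.102) that a reset of NHRPVPN on tun100 should terminate, and rejects `tunn100` as an unbound tunnel instead of reporting a missing profile. The SA rows are matched on remote address rather than on the connection name, because the SA table shows the generic name `dmvpn` rather than the profile name.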

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202303160317
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

a.apostoliuk changed the task status from Open to In progress. Mar 22 2023, 8:47 AM
a.apostoliuk claimed this task.
a.apostoliuk changed the task status from In progress to Needs testing. Apr 4 2023, 8:50 AM
a.apostoliuk moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.