
"ikev2-reauth" description contains outdated information
Closed, Resolved | Public | BUG

Description

There is outdated information in the description of the option "ikev2-reauth" ("Currently broken due to a strong swan bug").

[edit]
vyos@vyos# set vpn ipsec ike-group office-srv-ike ikev2-reauth
Possible completions:
   yes          Enable remote host re-autentication during an IKE rekey. Currently broken due to a strong swan bug
   no           Disable remote host re-authenticaton during an IKE rekey. (Default)

I have tested this option and reauthentication is working.

Sep 13 08:48:29 vyos charon[5270]: 13[NET] <1868> received packet: from 192.168.139.101[4500] to 192.168.139.100[4500] (336 bytes)
Sep 13 08:48:29 vyos charon[5270]: 13[ENC] <1868> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 13 08:48:29 vyos charon[5270]: 13[IKE] <1868> 192.168.139.101 is initiating an IKE_SA
Sep 13 08:48:29 vyos charon[5270]: 13[CFG] <1868> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 13 08:48:29 vyos charon[5270]: 13[ENC] <1868> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 13 08:48:29 vyos charon[5270]: 13[NET] <1868> sending packet: from 192.168.139.100[4500] to 192.168.139.101[4500] (336 bytes)
Sep 13 08:48:29 vyos charon[5270]: 16[NET] <1868> received packet: from 192.168.139.101[4500] to 192.168.139.100[4500] (268 bytes)
Sep 13 08:48:29 vyos charon[5270]: 16[ENC] <1868> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep 13 08:48:29 vyos charon[5270]: 16[CFG] <1868> looking for peer configs matching 192.168.139.100[192.168.139.100]...192.168.139.101[192.168.139.101]
Sep 13 08:48:29 vyos charon[5270]: 16[CFG] <peer-192.168.139.101-tunnel-0|1868> selected peer config 'peer-192.168.139.101-tunnel-0'
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> authentication of '192.168.139.101' with pre-shared key successful
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> peer supports MOBIKE
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> authentication of '192.168.139.100' (myself) with pre-shared key
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> IKE_SA peer-192.168.139.101-tunnel-0[1868] established between 192.168.139.100[192.168.139.100]...192.168.139.101[192.168.139.101]
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> scheduling reauthentication in 210s
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> maximum IKE_SA lifetime 299s
peer-192.168.139.101-tunnel-0: #1878, ESTABLISHED, IKEv2, f7efc7cdae804e47_i 89233047995a7195_r*
  local  '192.168.139.100' @ 192.168.139.100[4500]
  remote '192.168.139.101' @ 192.168.139.101[4500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 10s ago, reauth in 258s
  peer-192.168.139.101-tunnel-0: #3705, reqid 1877, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 10s ago, rekeying in 36s, expires in 170s
    in  c225d88d,      0 bytes,     0 packets
    out cb6c83e9,      0 bytes,     0 packets
    local  192.168.200.0/24
    remote 172.31.0.0/16
  peer-192.168.139.101-tunnel-0: #3706, reqid 1877, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
    installed 10s ago, rekeying in 34s, expires in 170s
    in  cdea6779,      0 bytes,     0 packets
    out c5f743fd,      0 bytes,     0 packets
    local  192.168.200.0/24
    remote 172.31.0.0/16
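To confirm from the charon log that a peer really re-authenticates instead of only rekeying, here is an added Python example (not part of this ticket, VyOS or strongSwan) that parses the log lines above and checks that the scheduled reauthentication precedes the hard IKE_SA lifetime; the second IKE_SA in the sample is constructed to show the rekey-only case you would see with the option off.

```python
import re
from collections import defaultdict

# Constructed sample: IKE_SA #1868 lines from the report, plus a made-up #1869 that only rekeys.
SAMPLE_LOG = """\
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> IKE_SA peer-192.168.139.101-tunnel-0[1868] established between 192.168.139.100[192.168.139.100]...192.168.139.101[192.168.139.101]
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> scheduling reauthentication in 210s
Sep 13 08:48:29 vyos charon[5270]: 16[IKE] <peer-192.168.139.101-tunnel-0|1868> maximum IKE_SA lifetime 299s
Sep 13 08:50:01 vyos charon[5270]: 09[IKE] <peer-192.168.139.102-tunnel-0|1869> IKE_SA peer-192.168.139.102-tunnel-0[1869] established between 192.168.139.100[192.168.139.100]...192.168.139.102[192.168.139.102]
Sep 13 08:50:01 vyos charon[5270]: 09[IKE] <peer-192.168.139.102-tunnel-0|1869> scheduling rekeying in 210s
Sep 13 08:50:01 vyos charon[5270]: 09[IKE] <peer-192.168.139.102-tunnel-0|1869> maximum IKE_SA lifetime 299s
"""

# charon line shape: "... charon[pid]: <thread>[SUBSYS] <conn|ike-sa-id> message"
LINE_RE = re.compile(r"charon\[\d+\]: \d+\[(?P<sub>\w+)\] <(?P<ctx>[^>]+)> (?P<msg>.*)$")
ESTAB_RE = re.compile(r"IKE_SA (\S+)\[\d+\] established")
REAUTH_RE = re.compile(r"scheduling reauthentication in (\d+)s")
REKEY_RE = re.compile(r"scheduling rekeying in (\d+)s")
LIFETIME_RE = re.compile(r"maximum IKE_SA lifetime (\d+)s")

def parse_ike_sas(log_text):
    """Collect per-IKE_SA facts: connection name, reauth/rekey offset, hard lifetime."""
    sas = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("sub") != "IKE":
            continue
        sa_id = m.group("ctx").rsplit("|", 1)[-1]  # "<conn|1868>" -> "1868"
        msg = m.group("msg")
        if (e := ESTAB_RE.search(msg)):
            sas[sa_id]["conn"] = e.group(1)
        elif (r := REAUTH_RE.search(msg)):
            sas[sa_id]["reauth"] = int(r.group(1))
        elif (k := REKEY_RE.search(msg)):
            sas[sa_id]["rekey"] = int(k.group(1))
        elif (t := LIFETIME_RE.search(msg)):
            sas[sa_id]["lifetime"] = int(t.group(1))
    return dict(sas)

def check_reauth(sas):
    """'ok' when a full re-authentication is scheduled before the hard lifetime."""
    verdicts = {}
    for sa_id, info in sas.items():
        if "reauth" not in info:
            verdicts[sa_id] = "rekey only, no reauthentication scheduled"
        elif info["reauth"] >= info.get("lifetime", float("inf")):
            verdicts[sa_id] = "reauth scheduled at or after hard lifetime"
        else:
            verdicts[sa_id] = "ok"
    return verdicts
```

Feed it the output of `journalctl -u strongswan` (or the charon syslog lines) on a VyOS box to see, per IKE_SA, whether the "reauth in" figure shown by the SA listing really comes from a scheduled reauthentication.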

Details

Difficulty level: Easy (less than an hour)
Version: VyOS 1.3.3
Why the issue appeared? Will be filled on close
Is it a breaking change? Perfectly compatible
Issue type: Cosmetic issue (typos etc.)

Related Objects

Mentioned In
1.3.5