
IPsec some proposal combinations could be invalid and the service strongswan stops
Open, Normal, Public, BUG

Description

IPsec some proposal combinations could be invalid, and the service strongswan stops.
To reproduce:

set interfaces ethernet eth1 address '192.0.2.14/24'

set interfaces tunnel tun100 address '192.168.250.4/24'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 parameters ip key '1'
set interfaces tunnel tun100 source-address '192.0.2.14'
set protocols nhrp tunnel tun100 cisco-authentication 'secret'
set protocols nhrp tunnel tun100 holding-time '30'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut

set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group21'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'aes256gmac'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '24'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256gcm128'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'aes256gmac'
set vpn ipsec interface 'eth1'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'secret'
set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'

Check the strongswan service (non-zero exit code):

vyos@r4# sudo systemctl status strongswan
× strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
     Loaded: loaded (/lib/systemd/system/strongswan.service; disabled; preset: enabled)
     Active: failed (Result: exit-code) since Tue 2024-03-05 13:17:17 EET; 3s ago
    Process: 7507 ExecStart=/usr/sbin/charon-systemd (code=exited, status=0/SUCCESS)
    Process: 7531 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=22)
   Main PID: 7507 (code=exited, status=0/SUCCESS)
     Status: "charon-systemd running, strongSwan 5.9.11, Linux 6.6.19-amd64-vyos, x86_64"
        CPU: 52ms

Mar 05 13:17:17 r4 swanctl[7531]: loading connection 'dmvpn-NHRPVPN-tun100' failed: invalid value for: proposals, config discarded
Mar 05 13:17:17 r4 swanctl[7531]: loaded 0 of 1 connections, 1 failed to load, 0 unloaded
Mar 05 13:17:17 r4 swanctl[7531]: loaded ike secret 'ike-dmvpn-tun100'
Mar 05 13:17:17 r4 swanctl[7531]: no authorities found, 0 unloaded
Mar 05 13:17:17 r4 swanctl[7531]: no pools found, 0 unloaded
Mar 05 13:17:17 r4 systemd[1]: strongswan.service: Control process exited, code=exited, status=22/n/a
Mar 05 13:17:17 r4 charon-systemd[7507]: SIGTERM received, shutting down
Mar 05 13:17:17 r4 charon[7507]: 00[DMN] SIGTERM received, shutting down
Mar 05 13:17:17 r4 systemd[1]: strongswan.service: Failed with result 'exit-code'.
Mar 05 13:17:17 r4 systemd[1]: Failed to start strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
[edit]
vyos@r4#

Generated config:

vyos@r4# cat /etc/swanctl/swanctl.conf 
### Autogenerated by vpn_ipsec.py ###

connections {
    dmvpn-NHRPVPN-tun100 {
        proposals = aes256gcm128-aes256gmac-modp2048s256
        version = 2
        rekey_time = 3600s
        keyingtries = 0
        dpd_timeout = 120
        dpd_delay = 30
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            dmvpn {
                esp_proposals = aes256gcm128-aes256gmac-ecp521
                rekey_time = 1800s
                rand_time = 540s
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                mode = transport
                dpd_action = clear
            }
        }
    }

}

pools {
}

secrets {
    ike-dmvpn-tun100 {
        secret = secret
    }

}

Based on show log ipsec, the IKE proposal requires a PRF algorithm:

Mar 05 13:37:59 charon[9055]: 11[CFG] a PRF algorithm is mandatory in IKE proposals
Mar 05 13:37:59 charon-systemd[9055]: a PRF algorithm is mandatory in IKE proposals
Mar 05 13:37:59 swanctl[9079]: loading connection 'dmvpn-NHRPVPN-tun100' failed: invalid value for: proposals, config discarded
Mar 05 13:37:59 swanctl[9079]: loaded 0 of 1 connections, 1 failed to load, 0 unloaded
Mar 05 13:37:59 swanctl[9079]: loaded ike secret 'ike-dmvpn-tun100'
Mar 05 13:37:59 swanctl[9079]: no authorities found, 0 unloaded
Mar 05 13:37:59 swanctl[9079]: no pools found, 0 unloaded
Mar 05 13:37:59 systemd[1]: strongswan.service: Control process exited, code=exited, status=22/n/a
Mar 05 13:37:59 charon-systemd[9055]: SIGTERM received, shutting down
Mar 05 13:37:59 charon[9055]: 00[DMN] SIGTERM received, shutting down
Mar 05 13:37:59 systemd[1]: strongswan.service: Failed with result 'exit-code'.
Mar 05 13:37:59 systemd[1]: Failed to start strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.

To fix this case:

vyos@r4# set vpn ipsec ike-group IKE-HUB proposal 1 prf prfsha256
[edit]
vyos@r4# commit
[edit]
vyos@r4# sudo systemctl status strongswan
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
     Loaded: loaded (/lib/systemd/system/strongswan.service; disabled; preset: enabled)
     Active: active (running) since Tue 2024-03-05 13:39:35 EET; 3s ago
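As an added example (not VyOS's vpn_ipsec.py or strongSwan code), a pre-commit style check that assembles the IKE proposal string in the form the generated config above shows and flags the combination swanctl rejected: an AEAD cipher with no PRF. The dh-group mapping beyond groups 21 and 24, the field order, and the suggest_prf helper are assumptions; the PRF-derivation rule follows strongSwan's documented behaviour of deriving the PRF from an HMAC integrity algorithm when none is configured.

```python
import re

# VyOS dh-group numbers -> strongSwan keywords. Groups 21 and 24 appear in the
# generated config on this page; the rest are assumed standard mappings.
DH_GROUPS = {"14": "modp2048", "19": "ecp256", "20": "ecp384",
             "21": "ecp521", "24": "modp2048s256"}

# AEAD ciphers authenticate on their own and carry no HMAC from which
# strongSwan could derive a PRF for the IKE SA.
AEAD_RE = re.compile(
    r"^(aes(128|192|256)(gcm|ccm)(64|96|128|8|12|16)|chacha20poly1305)$")

# HMAC integrity keywords strongSwan turns into a PRF when no prf is set.
# aes*gmac is not in this table: it is an AEAD-only transform, not an HMAC,
# which is why the proposal on this page was rejected.
INTEGRITY_TO_PRF = {"md5": "prfmd5", "sha1": "prfsha1", "sha256": "prfsha256",
                    "sha384": "prfsha384", "sha512": "prfsha512"}

MANDATORY_PRF = "a PRF algorithm is mandatory in IKE proposals"


def build_ike_proposal(encryption, hash_alg=None, prf=None, dh_group="14"):
    """Join the ike-group proposal fields; the field order is an assumption."""
    parts = [encryption]
    if hash_alg:
        parts.append(hash_alg)
    if prf:
        parts.append(prf)
    parts.append(DH_GROUPS[dh_group])
    return "-".join(parts)


def check_ike_proposal(encryption, hash_alg=None, prf=None, dh_group="14"):
    """Return (proposal, problems); an empty list means swanctl should load it."""
    if dh_group not in DH_GROUPS:
        return None, [f"unknown dh-group '{dh_group}'"]
    proposal = build_ike_proposal(encryption, hash_alg, prf, dh_group)
    problems = []
    # AEAD cipher + no explicit prf + no HMAC hash to derive one from
    if AEAD_RE.match(encryption) and not prf and hash_alg not in INTEGRITY_TO_PRF:
        problems.append(MANDATORY_PRF)
    return proposal, problems


def suggest_prf(hash_alg=None):
    """PRF to add for a rejected proposal: match the hash, else prfsha256."""
    return INTEGRITY_TO_PRF.get(hash_alg, "prfsha256")
```

Running check_ike_proposal("aes256gcm128", "aes256gmac", None, "24") reproduces the proposal string and the error from the log above; adding prf='prfsha256' as in the fix clears it.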

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.5-rolling-202403050022, 1.4.0-epa1
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)