I found two bugs related to the reset command on 1.4.0 epa2.
"reset vpn ipsec" command breaks tunnel, but command output report the reset as successful.
"reset vpn ipsec " command and does not reset SAs that are down. The problem not finding occurs both for IKE SAs and Child SAs.
Let me know what more information you need.
Bug 1: reset vpn ipsec command breaks a working SA (reset fails) and reports it as successful.
I have tested on 4 different VPNs across 3 devices. On one VPN the reset seems to work, but that might just be the remote side having an unexpected close action = reset. I have only tested on policy-based VPNs (with traffic selectors defined on the tunnels).
vyos@CUSTOMER-fw-p:~$ reset vpn ipsec site-to-site peer peer_X-X-252-1 tunnel 1
Peer peer_X-X-252-1 reset result: success

The result is that the SA goes down.

vyos@CUSTOMER-fw-p:~$ show vpn ipsec connections | strip-private
Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal
--------------------------- ------- ------ ---------------- ---------------- ----------------- ---------- ------------- ---------------------------------------
peer_X-X-252-1 up IKEv2 xxx.xxx.252.1 - - xxx.xxx.252.1 AES_CBC/256/HMAC_SHA2_256_128/MODP_2048
peer_X-X-252-1-tunnel-1 down IPsec xxx.xxx.252.1 xxx.xxx.92.96/29 xxx.xxx.16.231/32 xxx.xxx.252.1 -
Bug 2: Does not find SA when it is down

vyos@CUSTOMER-fw-p:~$ reset vpn ipsec site-to-site peer peer_X-X-252-1 tunnel 1
Peer peer_X-X-252-1 tunnel 1 SA(s) not found, aborting

vyos@CUSTOMER-fw-p:~$ show vpn ipsec connections | strip-private
Connection State Type Remote address Local TS Remote TS Local id Remote id Proposal
--------------------------- ------- ------ ---------------- ---------------- ----------------- ---------- ------------- ---------------------------------------
peer_X-X-252-1 up IKEv2 xxx.xxx.252.1 - - xxx.xxx.252.1 AES_CBC/256/HMAC_SHA2_256_128/MODP_2048
peer_X-X-252-1-tunnel-1 up IPsec xxx.xxx.252.1 xxx.xxx.92.96/29 xxx.xxx.16.231/32 xxx.xxx.252.1 AES_CBC/256/HMAC_SHA2_256_128/MODP_2048
Other output:
Swanctl (correctly) does not list the SAs that are not up. The description says active IKE_SAs, but it also displays Child SAs that are up.
"swanctl --list-sas (-l) list currently active IKE_SAs"

vyos@CUSTOMER-fw-p:~$ sudo swanctl --list-sas | strip-private
peer_X-X-252-1: #44, ESTABLISHED, IKEv2, b31707d09d2ea486_i 205f29da562ea554_r*
  local  'xxx.xxx.92.10' @ xxx.xxx.92.10[500]
  remote 'xxx.xxx.252.1' @ xxx.xxx.252.1[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 17279s ago, rekeying in 67832s

Swanctl connection list (configured)

vyos@CUSTOMER-fw-p:~$ sudo swanctl --list-conns | strip-private
peer_X-X-252-1: IKEv2, no reauthentication, rekeying every 86400s, dpd delay 30s
  local:  xxx.xxx.92.10
  remote: xxx.xxx.252.1
  local pre-shared key xxxxxx
  remote pre-shared key xxxxxx
    id: xxx.xxx.252.1
  peer_X-X-252-1-tunnel-1: TUNNEL, rekeying every 3272s, dpd action is none
    local:  xxx.xxx.92.96/29
    remote: xxx.xxx.16.231/32
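The two swanctl listings above show why a reset that only consults "--list-sas" cannot find a down tunnel: a child SA that is not installed simply does not appear there, while "--list-conns" still lists it as configured. The following script is an added example (not VyOS or strongSwan code) that parses both listings, constructed here after the masked output in this report, and tells the three cases apart: child SA installed (there is something to terminate), configured but down (nothing to terminate, so initiate instead of aborting with "SA(s) not found"), and not configured at all. The connection and tunnel names, the INSTALLED/ESTABLISHED state tokens and the "initiate"/"terminate" actions are assumptions about how such a check could be wired up, not VyOS's reset implementation.

```python
"""Classify an IPsec reset request from swanctl text output (added example)."""
import re

# Constructed sample: IKE SA up, child SA down (modelled on the report above).
LIST_SAS_DOWN = """\
peer_X-X-252-1: #44, ESTABLISHED, IKEv2, b31707d09d2ea486_i 205f29da562ea554_r*
  local  'xxx.xxx.92.10' @ xxx.xxx.92.10[500]
  remote 'xxx.xxx.252.1' @ xxx.xxx.252.1[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 17279s ago, rekeying in 67832s
"""

# Constructed sample: same IKE SA with the child SA installed.
LIST_SAS_UP = LIST_SAS_DOWN + """\
  peer_X-X-252-1-tunnel-1: #12, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 120s ago, rekeying in 3000s, expires in 3600s
    local  xxx.xxx.92.96/29
    remote xxx.xxx.16.231/32
"""

# Constructed sample of the configured connections (swanctl --list-conns).
LIST_CONNS = """\
peer_X-X-252-1: IKEv2, no reauthentication, rekeying every 86400s, dpd delay 30s
  local:  xxx.xxx.92.10
  remote: xxx.xxx.252.1
  local pre-shared key
  remote pre-shared key
    id: xxx.xxx.252.1
  peer_X-X-252-1-tunnel-1: TUNNEL, rekeying every 3272s, dpd action is none
    local:  xxx.xxx.92.96/29
    remote: xxx.xxx.16.231/32
"""

# IKE SA header lines start in column 0; child SA lines are indented.
IKE_SA_RE = re.compile(r"^(?P<name>\S+): #\d+, (?P<state>[A-Z_]+), IKEv[12]")
CHILD_SA_RE = re.compile(
    r"^\s+(?P<name>\S+): #\d+, reqid \d+, (?P<state>[A-Z_]+), (?:TUNNEL|TRANSPORT)")
IKE_CONN_RE = re.compile(r"^(?P<name>\S+): IKEv[12],")
CHILD_CONN_RE = re.compile(r"^\s+(?P<name>\S+): (?:TUNNEL|TRANSPORT),")


def parse_active_sas(text):
    """Return {ike_name: {"state": str, "children": {child_name: state}}}."""
    sas, current = {}, None
    for line in text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            current = m["name"]
            sas[current] = {"state": m["state"], "children": {}}
            continue
        m = CHILD_SA_RE.match(line)
        if m and current is not None:
            sas[current]["children"][m["name"]] = m["state"]
    return sas


def parse_configured(text):
    """Return {conn_name: [child_names]} from the --list-conns output."""
    conns, current = {}, None
    for line in text.splitlines():
        m = IKE_CONN_RE.match(line)
        if m:
            current = m["name"]
            conns[current] = []
            continue
        m = CHILD_CONN_RE.match(line)
        if m and current is not None:
            conns[current].append(m["name"])
    return conns


def plan_reset(conn, child, active, configured):
    """Decide what a reset should do; child=None means reset the IKE SA.

    Returns "unknown" (not configured), "terminate" (an SA exists to tear
    down) or "initiate" (configured but down: nothing to terminate).
    """
    if conn not in configured:
        return "unknown"
    if child is None:
        return "terminate" if conn in active else "initiate"
    if child not in configured[conn]:
        return "unknown"
    children = active.get(conn, {}).get("children", {})
    if children.get(child) == "INSTALLED":
        return "terminate"
    return "initiate"


if __name__ == "__main__":
    conf = parse_configured(LIST_CONNS)
    for label, listing in (("down", LIST_SAS_DOWN), ("up", LIST_SAS_UP)):
        act = plan_reset("peer_X-X-252-1", "peer_X-X-252-1-tunnel-1",
                         parse_active_sas(listing), conf)
        print(f"tunnel {label}: reset should {act}")
```

Run stand-alone it prints "initiate" for the down listing and "terminate" for the up one, which is the distinction the "SA(s) not found, aborting" message in Bug 2 collapses.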