
Changing VPN IPsec configuration kills Strongswan bug
Status: Needs testing | Priority: High | Visibility: Public | Type: Bug

Description

Initial configuration

set interfaces ethernet eth1 address '192.0.2.2/30'
set interfaces dummy dum0 address '203.0.113.254/32'

set vpn ipsec authentication psk PSK id '192.0.2.1'
set vpn ipsec authentication psk PSK id '192.0.2.2'
set vpn ipsec authentication psk PSK secret 'vyos-secret'
set vpn ipsec esp-group ESP-group pfs 'disable'
set vpn ipsec esp-group ESP-group proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-group proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-group key-exchange 'ikev2'
set vpn ipsec ike-group IKE-group proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-group proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-group proposal 1 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer VPP authentication local-id '192.0.2.2'
set vpn ipsec site-to-site peer VPP authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer VPP authentication remote-id '192.0.2.1'
set vpn ipsec site-to-site peer VPP connection-type 'respond'
set vpn ipsec site-to-site peer VPP ike-group 'IKE-group'
set vpn ipsec site-to-site peer VPP local-address '192.0.2.2'
set vpn ipsec site-to-site peer VPP remote-address '192.0.2.1'
set vpn ipsec site-to-site peer VPP tunnel 1 esp-group 'ESP-group'
set vpn ipsec site-to-site peer VPP tunnel 1 local prefix '203.0.113.254/32'
set vpn ipsec site-to-site peer VPP tunnel 1 remote prefix '203.0.113.1/32'
commit

set vpn ipsec esp-group ESP-group pfs dh-group14
commit

commit

vyos@r16# commit
[ vpn ipsec ]
Job for strongswan.service failed.
See "systemctl status strongswan.service" and "journalctl -xeu strongswan.service" for details.

[edit]
vyos@r16#

Logs:

Feb 06 19:48:56 r16 systemd[1]: strongswan.service: Control process exited, code=exited, status=22/n/a
Feb 06 19:48:56 r16 systemd[1]: Reload failed for strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Feb 06 19:48:56 r16 systemd[1]: strongswan.service: Main process exited, code=killed, status=6/ABRT
Feb 06 19:48:56 r16 systemd[1]: strongswan.service: Failed with result 'signal'.

Extended logs:

Feb 06 19:48:56 r16 systemd[1]: Reloading strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Feb 06 19:48:56 r16 charon[27569]: 09[CFG] loaded 0 entries for attr plugin configuration
Feb 06 19:48:56 r16 charon[27569]: 09[CFG] loaded 0 RADIUS server configurations
Feb 06 19:48:56 r16 charon[27569]: 05[CFG] loaded IKE shared key with id 'ike-PSK' for: '192.0.2.1', '192.0.2.2'
Feb 06 19:48:56 r16 charon[27569]: 02[CFG] updated vici connection: VPP
Feb 06 19:48:56 r16 charon[27569]: 02[CFG] uninstalling 'VPP-tunnel-1'
Feb 06 19:48:56 r16 charon[27569]: 02[DMN] thread 2 received 11
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]  dumping 19 stack frame addresses:
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f080a566000 [0x7f080a5a2050]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /usr/lib/ipsec/plugins/libstrongswan-vici.so @ 0x7f0809001000 [0x7f080900d9b9]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f080a820000 [0x7f080a831099]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f080a820000 [0x7f080a84f81c]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f080a820000 [0x7f080a852338]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f080a820000 [0x7f080a8604e7]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f080a820000 [0x7f080a860af8]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /usr/lib/ipsec/plugins/libstrongswan-vici.so @ 0x7f0809001000 [0x7f0809013e11]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /usr/lib/ipsec/plugins/libstrongswan-vici.so @ 0x7f0809001000 [0x7f0809014ec2]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /usr/lib/ipsec/plugins/libstrongswan-vici.so @ 0x7f0809001000 [0x7f0809007b2b]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /usr/lib/ipsec/plugins/libstrongswan-vici.so @ 0x7f0809001000 [0x7f0809010d2b]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /usr/lib/ipsec/plugins/libstrongswan-vici.so @ 0x7f0809001000 (process_request+0xc5) [0x7f0809009275]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /usr/lib/ipsec/plugins/libstrongswan-vici.so @ 0x7f0809001000 [0x7f0809009605]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /usr/lib/ipsec/plugins/libstrongswan-vici.so @ 0x7f0809001000 [0x7f0809005df9]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f080a8bc000 [0x7f080a8f9cf2]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f080a8bc000 [0x7f080a8fa656]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f080a8bc000 [0x7f080a90e46e]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f080a566000 [0x7f080a5ef1c4]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]   /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f080a566000 [0x7f080a66f85c]
Feb 06 19:48:56 r16 charon[27569]: 02[LIB]     ->
Feb 06 19:48:56 r16 charon[27569]: 02[DMN] killing ourself, received critical signal
Feb 06 19:48:56 r16 swanctl[27817]: load-conn request failed: Connection reset by peer
Feb 06 19:48:56 r16 swanctl[27817]: loaded 0 of 1 connections, 1 failed to load, 0 unloaded
Feb 06 19:48:56 r16 swanctl[27817]: loaded ike secret 'ike-PSK'
Feb 06 19:48:56 r16 swanctl[27817]: no authorities found, 0 unloaded
Feb 06 19:48:56 r16 swanctl[27817]: no pools found, 0 unloaded
Feb 06 19:48:56 r16 systemd[1]: strongswan.service: Control process exited, code=exited, status=22/n/a
Feb 06 19:48:56 r16 systemd[1]: Reload failed for strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Feb 06 19:48:56 r16 systemd[1]: strongswan.service: Main process exited, code=killed, status=6/ABRT
Feb 06 19:48:56 r16 systemd[1]: strongswan.service: Failed with result 'signal'.
Feb 06 19:48:57 r16 systemd[1]: opt-vyatta-config-tmp-new_config_3321.mount: Deactivated successfully.
Feb 06 19:48:57 r16 systemd[1]: strongswan.service: Scheduled restart job, restart counter is at 1.
Feb 06 19:48:57 r16 systemd[1]: Stopped strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Feb 06 19:48:57 r16 systemd[1]: Starting strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Feb 06 19:48:57 r16 charon[27873]: 00[CFG] PKCS11 module '<name>' lacks library path
Feb 06 19:48:57 r16 charon[27873]: 00[PTS] TPM 2.0 - could not load "libtss2-tcti-tabrmd.so.0"
Feb 06 19:48:57 r16 charon[27873]: 00[LIB] plugin 'tpm': failed to load - tpm_plugin_create returned NULL
Feb 06 19:48:57 r16 charon[27873]: 00[LIB] providers loaded by OpenSSL: legacy default
Feb 06 19:48:57 r16 charon[27873]: 00[CFG] install DNS servers in '/etc/resolv.conf'
Feb 06 19:48:57 r16 charon[27873]: 00[KNL] unable to create IPv4 routing table rule
Feb 06 19:48:57 r16 charon[27873]: 00[KNL] unable to create IPv6 routing table rule
Feb 06 19:48:57 r16 charon[27873]: 00[NET] using forecast interface eth0
Feb 06 19:48:57 r16 charon[27873]: 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Feb 06 19:48:57 r16 charon[27873]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 06 19:48:57 r16 charon[27873]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 06 19:48:57 r16 charon[27873]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 06 19:48:57 r16 charon[27873]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 06 19:48:57 r16 charon[27873]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 06 19:48:57 r16 charon[27873]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 06 19:48:57 r16 charon[27873]: 00[CFG] opening secrets file '/etc/ipsec.secrets' failed: No such file or directory
Feb 06 19:48:57 r16 charon[27873]: 00[CFG] loaded 0 RADIUS server configurations
Feb 06 19:48:57 r16 charon[27873]: 00[CFG] HA config misses local/remote address
Feb 06 19:48:57 r16 charon[27873]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 06 19:48:57 r16 charon[27873]: 00[JOB] spawning 16 worker threads
Feb 06 19:48:57 r16 charon[27873]: 07[CFG] loaded IKE shared key with id 'ike-PSK' for: '192.0.2.1', '192.0.2.2'
Feb 06 19:48:57 r16 charon[27873]: 11[CFG] added vici connection: VPP
Feb 06 19:48:57 r16 charon[27873]: 11[CFG] installing 'VPP-tunnel-1'
Feb 06 19:48:57 r16 charon[27873]: 11[KNL] policy already exists, try to update it
Feb 06 19:48:57 r16 charon[27873]: 11[KNL] policy already exists, try to update it
Feb 06 19:48:57 r16 charon[27873]: 11[KNL] policy already exists, try to update it
Feb 06 19:48:57 r16 swanctl[27905]: loaded ike secret 'ike-PSK'
Feb 06 19:48:57 r16 swanctl[27905]: no authorities found, 0 unloaded
Feb 06 19:48:57 r16 swanctl[27905]: no pools found, 0 unloaded
Feb 06 19:48:57 r16 swanctl[27905]: loaded connection 'VPP'
Feb 06 19:48:57 r16 swanctl[27905]: successfully loaded 1 connections, 0 unloaded
Feb 06 19:48:57 r16 systemd[1]: Started strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Feb 06 19:48:57 r16 commit[27929]: Successful change to active configuration by user vyos on /dev/pts/0
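As an added triage aid (not part of this report or of VyOS/strongSwan tooling), a small Python helper that reads journal lines like the ones above and correlates the vici action in progress, the signal charon caught, the swanctl request that failed and the systemd restart that followed. The sample input is a constructed excerpt of the log quoted in this report.

```python
import re
import signal

# Constructed excerpt of the journal lines quoted in this report (not a live capture).
SAMPLE_JOURNAL = """\
Feb 06 19:48:56 r16 systemd[1]: Reloading strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Feb 06 19:48:56 r16 charon[27569]: 02[CFG] updated vici connection: VPP
Feb 06 19:48:56 r16 charon[27569]: 02[CFG] uninstalling 'VPP-tunnel-1'
Feb 06 19:48:56 r16 charon[27569]: 02[DMN] thread 2 received 11
Feb 06 19:48:56 r16 charon[27569]: 02[DMN] killing ourself, received critical signal
Feb 06 19:48:56 r16 swanctl[27817]: load-conn request failed: Connection reset by peer
Feb 06 19:48:56 r16 systemd[1]: strongswan.service: Failed with result 'signal'.
Feb 06 19:48:57 r16 systemd[1]: strongswan.service: Scheduled restart job, restart counter is at 1.
Feb 06 19:48:57 r16 systemd[1]: Started strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
"""

# charon logs the raw signal number the thread caught (11 = SIGSEGV) just before aborting.
SIGNAL_RE = re.compile(r"charon\[(\d+)\]: \d+\[DMN\] thread \d+ received (\d+)")
ACTION_RE = re.compile(r"charon\[\d+\]: \d+\[CFG\] ((?:un)?installing '[^']+')")
SWANCTL_RE = re.compile(r"swanctl\[\d+\]: (\S+) request failed: (.+)")
RESTART_RE = re.compile(r"strongswan\.service: Scheduled restart job, restart counter is at (\d+)")


def analyze_reload(journal: str) -> dict:
    """Correlate a charon crash during a swanctl reload with the vici action that
    preceded it, the swanctl request that failed, and the systemd restart after it."""
    result = {"crashed": False, "pid": None, "signal": None, "last_action": None,
              "failed_request": None, "restart_count": 0, "recovered": False}
    for line in journal.splitlines():
        if (m := ACTION_RE.search(line)) and not result["crashed"]:
            result["last_action"] = m.group(1)       # last CHILD_SA action before the crash
        elif m := SIGNAL_RE.search(line):
            result.update(crashed=True, pid=int(m.group(1)),
                          signal=signal.Signals(int(m.group(2))).name)
        elif m := SWANCTL_RE.search(line):
            result["failed_request"] = m.group(1)    # e.g. load-conn
        elif m := RESTART_RE.search(line):
            result["restart_count"] = int(m.group(1))
        elif "Started strongswan.service" in line and result["crashed"]:
            result["recovered"] = True               # systemd brought charon back
    return result


def triage(journal: str) -> str:
    """One-line verdict suitable for an alert or a bug-report summary."""
    r = analyze_reload(journal)
    if not r["crashed"]:
        return "no charon crash found"
    state = "restarted by systemd" if r["recovered"] else "NOT restarted"
    return (f"charon[{r['pid']}] died with {r['signal']} while {r['last_action']}; "
            f"swanctl {r['failed_request']} failed; {state} ({r['restart_count']} restart)")
```

Feed it `journalctl -u strongswan.service -o short` output around a failed commit; a `recovered` of False means the tunnel stayed down after the crash rather than coming back through the systemd restart seen here.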

Details

Version
VyOS 1.5-rolling-202502030007
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav renamed this task from Changing IPsec configuration kills Strongswan bug to Changing VPN IPsec configuration kills Strongswan bug.
Viacheslav triaged this task as High priority.
Viacheslav changed the task status from Open to Needs testing. Tue, Nov 25, 2:56 AM