
Fix the output command "show vpn ipsec connection" for passthrough tunnels
Closed, Resolved | Public | BUG

Description

The output of the command "show vpn ipsec connections" shows the passthrough tunnel as down even though traffic goes through it; it needs to show as up.

vyos@vyos:~$ show vpn ipsec connections
Connection                   State    Type    Remote address    Local TS        Remote TS       Local id     Remote id    Proposal
---------------------------  -------  ------  ----------------  --------------  --------------  -----------  -----------  -------------------------------------
vpn_01                       up       IKEv2   10.110.1.52       -               -               10.110.2.52  10.110.1.52  AES_CBC/256/HMAC_SHA2_512_256/ECP_256
vpn_01-tunnel-0              up       IPsec   10.110.1.52       10.110.10.0/24  10.110.14.0/24  10.110.2.52  10.110.1.52  AES_CBC/128/HMAC_SHA2_512_256/None
vpn_02                       up       IKEv2   10.110.1.52       -               -               10.110.2.62  10.110.1.52  AES_CBC/256/HMAC_SHA2_512_256/ECP_256
vpn_02-tunnel-0              up       IPsec   10.110.1.52       10.110.10.0/24  10.110.0.0/16   10.110.2.62  10.110.1.52  AES_CBC/128/HMAC_SHA2_512_256/None
vpn_02-tunnel-0-passthrough  down     IPsec   10.110.1.52       10.110.10.0/24  10.110.10.0/24  10.110.2.62  10.110.1.52  -

vyos@vyos:~$ sudo swanctl -L
vpn_01: IKEv2, no reauthentication, rekeying every 10800s, dpd delay 3s
  local:  10.110.2.52
  remote: 10.110.1.52
  local pre-shared key authentication:
    id: 10.110.2.52
  remote pre-shared key authentication:
    id: 10.110.1.52
  vpn_01-tunnel-0: TUNNEL, rekeying every 3272s, dpd action is trap
    local:  10.110.10.0/24
    remote: 10.110.14.0/24
vpn_02: IKEv2, no reauthentication, rekeying every 10800s, dpd delay 3s
  local:  10.110.2.62
  remote: 10.110.1.52
  local pre-shared key authentication:
    id: 10.110.2.62
  remote pre-shared key authentication:
    id: 10.110.1.52
  vpn_02-tunnel-0: TUNNEL, rekeying every 3272s, dpd action is trap
    local:  10.110.10.0/24
    remote: 10.110.0.0/16
  vpn_02-tunnel-0-passthrough: PASS, no rekeying, dpd action is none
    local:  10.110.10.0/24
    remote: 10.110.10.0/24

vyos@vyos:~$ sudo swanctl -l
vpn_01: #22, ESTABLISHED, IKEv2, 3f1de8229d55cfa7_i 0664d5dc1354f279_r*
  local  '10.110.2.52' @ 10.110.2.52[500]
  remote '10.110.1.52' @ 10.110.1.52[500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_256
  established 9290s ago, rekeying in 505s
  vpn_01-tunnel-0: #67, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_512_256/ECP_256
    installed 2806s ago, rekeying in 269s, expires in 794s
    in  c55bb8ac,      0 bytes,     0 packets
    out cb217d75,      0 bytes,     0 packets
    local  10.110.10.0/24
    remote 10.110.14.0/24
vpn_02: #21, ESTABLISHED, IKEv2, 952d25710a76d3bd_i* 8f25216780f0f4b5_r
  local  '10.110.2.62' @ 10.110.2.62[500]
  remote '10.110.1.52' @ 10.110.1.52[500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_256
  established 9475s ago, rekeying in 384s
  vpn_02-tunnel-0: #68, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_512_256/ECP_256
    installed 2262s ago, rekeying in 787s, expires in 1338s
    in  c758ec65,      0 bytes,     0 packets
    out ce6e495f,      0 bytes,     0 packets
    local  10.110.10.0/24
    remote 10.110.0.0/16

In a recent commit, the VPN IPsec unexpected passthrough logic was fixed.
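The state derivation this task is about, as an added example (not VyOS's op-mode code and not the fix referenced above): it merges the loaded configuration from `swanctl -L`, where the passthrough child appears with mode PASS, with the active SAs from `swanctl -l`, where it never appears, and reports a PASS child as up without requiring a child SA. The input is constructed from the output quoted above, trimmed to vpn_02; the rule that a loaded PASS policy counts as up is our assumption.

```python
import re

# Constructed input in the shape of the `swanctl -L` (loaded config) and
# `swanctl -l` (active SAs) output quoted in the task, trimmed to vpn_02.
LOADED = """\
vpn_02: IKEv2, no reauthentication, rekeying every 10800s, dpd delay 3s
  local:  10.110.2.62
  vpn_02-tunnel-0: TUNNEL, rekeying every 3272s, dpd action is trap
  vpn_02-tunnel-0-passthrough: PASS, no rekeying, dpd action is none
"""
ACTIVE = """\
vpn_02: #21, ESTABLISHED, IKEv2, 952d25710a76d3bd_i* 8f25216780f0f4b5_r
  local  '10.110.2.62' @ 10.110.2.62[500]
  vpn_02-tunnel-0: #68, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_512_256/ECP_256
"""

CONN_RE = re.compile(r"^(\S+): IKEv[12],")                      # IKE conn in -L
CHILD_RE = re.compile(r"^  (\S+): (TUNNEL|TRANSPORT|PASS),")    # child + mode in -L
IKE_SA_RE = re.compile(r"^(\S+): #\d+, (\w+), IKEv[12],")       # IKE SA + state in -l
CHILD_SA_RE = re.compile(r"^  (\S+): #\d+, reqid \d+, (\w+),")  # child SA + state in -l

def parse_loaded(text):
    """Map conn -> {child: mode} from `swanctl -L` output."""
    conns, cur = {}, None
    for line in text.splitlines():
        if m := CONN_RE.match(line):
            cur = m.group(1)
            conns[cur] = {}
        elif (m := CHILD_RE.match(line)) and cur:
            conns[cur][m.group(1)] = m.group(2)
    return conns

def parse_active(text):
    """Map IKE SA name -> state and child SA name -> state from `swanctl -l`."""
    ike, child = {}, {}
    for line in text.splitlines():
        if m := IKE_SA_RE.match(line):
            ike[m.group(1)] = m.group(2)
        elif m := CHILD_SA_RE.match(line):
            child[m.group(1)] = m.group(2)
    return ike, child

def connection_states(loaded, ike, child):
    """State per name. Assumption (ours, not the task's): a PASS child is a
    kernel policy that never gets an SA, so it is up once loaded; a TUNNEL or
    TRANSPORT child is up only when its SA is INSTALLED."""
    states = {}
    for conn, children in loaded.items():
        states[conn] = "up" if ike.get(conn) == "ESTABLISHED" else "down"
        for name, mode in children.items():
            sa_up = child.get(name) == "INSTALLED"
            states[name] = "up" if mode == "PASS" or sa_up else "down"
    return states
```

Checking the kernel policy table (`ip xfrm policy`) would confirm that the passthrough policy is actually installed, which neither swanctl listing shows on its own.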

Details

Version
1.4.1
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

SrividyaA triaged this task as Normal priority.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
Unknown Object (User) changed the task status from Open to In progress. Jul 21 2025, 10:11 AM
Unknown Object (User) assigned this task to hedrok.
Viacheslav moved this task from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.4) board.
Viacheslav moved this task from Need Triage to Completed on the VyOS Rolling board.
dmbaturin renamed this task from Fix the output command of "show vpn ipsec connection" for passthrough-tunnel to Fix the output command "show vpn ipsec connection" for passthrough tunnels. Fri, Nov 14, 10:38 AM
dmbaturin changed Issue type from Cosmetic issue (typos etc.) to Bug (incorrect behavior).