
"restart ipsec" command does not reinitiate the ipsec connection in DMVPN setup
Open, NormalPublicBUG

Assigned To
None
Authored By
SrividyaA
Wed, Jan 21, 12:59 PM
Tags
None
Referenced Files
F67502875: image.png
Thu, Jan 22, 9:44 AM
F66993946: Configuration_DMVPN.txt
Wed, Jan 21, 12:59 PM
F66970678: image.png
Wed, Jan 21, 12:59 PM

Description

Description: "restart ipsec" command does not reinitiate the ipsec connection only in DMVPN setup.

The command "restart ipsec" was executed in the spoke, post which the tunnel goes down and just the new ipsec process is created and no further messages were observed.

Jan 21 11:01:26 charon[4680]: 12[CFG] added vici connection: dmvpn-nhrvpn-tun100
Jan 21 11:01:26 swanctl[4706]: loaded ike secret 'ike-dmvpn-tun100'
Jan 21 11:01:26 swanctl[4706]: no authorities found, 0 unloaded
Jan 21 11:01:26 swanctl[4706]: no pools found, 0 unloaded
Jan 21 11:01:26 swanctl[4706]: loaded connection 'dmvpn-nhrvpn-tun100'
Jan 21 11:01:26 swanctl[4706]: successfully loaded 1 connections, 0 unloaded
Jan 21 11:01:26 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.

Restarting the opennhrp and strongswan service also does not initiate the ipsec connection.

sudo systemctl restart opennhrp 
sudo systemctl restart strongswan

In the hub, I notice the child-sa gets created but again being deleted:

[attached screenshot: image.png]

Loading the configuration brings the ipsec connection back, i.e. committing any changes related to ipsec.

Jan 21 11:01:26 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Jan 21 12:12:21 systemd[1]: Reloading strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Jan 21 12:12:21 charon[4680]: 05[CFG] loaded 0 entries for attr plugin configuration
Jan 21 12:12:21 swanctl[6395]: loaded connection 'dmvpn-nhrvpn-tun100'
Jan 21 12:12:21 swanctl[6395]: successfully loaded 1 connections, 0 unloaded
Jan 21 12:12:21 systemd[1]: Reloaded strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Jan 21 12:12:26 charon[4680]: 05[CFG] vici initiate CHILD_SA 'dmvpn', me 10.53.0.2, other 100.10.1.2, limits 0
Jan 21 12:12:26 charon-systemd[4680]: vici initiate CHILD_SA 'dmvpn', me 10.53.0.2, other 100.10.1.2, limits 0
Jan 21 12:12:26 charon-systemd[4680]: initiating IKE_SA dmvpn-nhrvpn-tun100[1] to 100.10.1.2

Is there a logic behind this which does not initiate the connection in the DMVPN setup?

Attached the configuration for reference.

Details

Version
1.4.4, 2025.11
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

SrividyaA triaged this task as Normal priority.

The reset command works, but it will not be helpful for re-initiating if the tunnels are down from the start:

vyos@spoke03:~$ sh vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  -----------------------------
dmvpn         up       1m11s     2K/2K           27/26             100.10.1.2        10.51.1.2    AES_CBC_256/HMAC_SHA2_256_128


vyos@spoke03:~$ reset vpn ipsec profile nhrvpn tunnel tun100
Profile nhrvpn tunnel tun100 remote-host 100.10.1.2 reset result: success
Profile nhrvpn tunnel tun100 reset result: success
vyos@spoke03:~$ sh vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  -----------------------------
dmvpn         up       5s        116B/100B       1/1               100.10.1.2        10.51.1.2    AES_CBC_256/HMAC_SHA2_256_128

Logs:

Jan 22 04:10:33 charon[3471]: 07[IKE] <dmvpn-nhrvpn-tun100|1> IKE_SA deleted
Jan 22 04:10:33 charon-systemd[3471]: IKE_SA deleted
Jan 22 04:10:33 charon[3471]: 05[CFG] vici initiate CHILD_SA 'dmvpn', me 10.53.0.2, other 100.10.1.2, limits 0
Jan 22 04:10:33 charon-systemd[3471]: vici initiate CHILD_SA 'dmvpn', me 10.53.0.2, other 100.10.1.2, limits 0
Jan 22 04:10:33 charon-systemd[3471]: initiating IKE_SA dmvpn-nhrvpn-tun100[2] to 100.10.1.2
Jan 22 04:10:33 charon[3471]: 05[IKE] <dmvpn-nhrvpn-tun100|2> initiating IKE_SA dmvpn-nhrvpn-tun100[2] to 100.10.1.2
Jan 22 04:10:33 charon[3471]: 05[ENC] <dmvpn-nhrvpn-tun100|2> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 22 04:10:33 charon-systemd[3471]: generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 22 04:10:33 charon[3471]: 05[NET] <dmvpn-nhrvpn-tun100|2> sending packet: from 10.53.0.2[500] to 100.10.1.2[500] (272 bytes)
Jan 22 04:10:33 charon-systemd[3471]: sending packet: from 10.53.0.2[500] to 100.10.1.2[500] (272 bytes)
Jan 22 04:10:33 charon[3471]: 15[NET] <dmvpn-nhrvpn-tun100|2> received packet: from 100.10.1.2[500] to 10.53.0.2[500] (280 bytes)
Jan 22 04:10:33 charon-systemd[3471]: received packet: from 100.10.1.2[500] to 10.53.0.2[500] (280 bytes)
Jan 22 04:10:33 charon[3471]: 15[ENC] <dmvpn-nhrvpn-tun100|2> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jan 22 04:10:33 charon-systemd[3471]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jan 22 04:10:33 charon[3471]: 15[CFG] <dmvpn-nhrvpn-tun100|2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jan 22 04:10:33 charon-systemd[3471]: selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Jan 22 04:10:33 charon[3471]: 15[IKE] <dmvpn-nhrvpn-tun100|2> remote host is behind NAT
Jan 22 04:10:33 charon-systemd[3471]: remote host is behind NAT

On further checking, I found that just starting the opennhrp service brings the ipsec tunnel up, so it seems that the opennhrp script takes the responsibility of starting the tunnel in the case of dmvpn and the restart ipsec utility does not load the dmvpn profile.

[attached screenshot: image.png]
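The two symptoms in this report (a strongSwan restart after which no "initiating IKE_SA" line ever appears, and a `show vpn ipsec sa` table that shows whether the DMVPN connection actually came back) are both things an operator can check automatically. The following is an added example, not code from the report or from VyOS: it parses the `show vpn ipsec sa` table and scans a charon/systemd log window for an IKE_SA initiation after the most recent daemon start or reload. The sample log and table text are copied from the excerpts above and trimmed; the function names are my own.

```python
import re

# Constructed sample input, trimmed from the report's log excerpts.
# Case 1: "restart ipsec" loads the connection but nothing initiates it afterwards.
RESTART_WITHOUT_INITIATE = """\
Jan 21 11:01:26 charon[4680]: 12[CFG] added vici connection: dmvpn-nhrvpn-tun100
Jan 21 11:01:26 swanctl[4706]: loaded connection 'dmvpn-nhrvpn-tun100'
Jan 21 11:01:26 swanctl[4706]: successfully loaded 1 connections, 0 unloaded
Jan 21 11:01:26 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
"""

# Case 2: a config commit reloads the daemon and the CHILD_SA is initiated via vici.
RELOAD_WITH_INITIATE = """\
Jan 21 11:01:26 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Jan 21 12:12:21 systemd[1]: Reloading strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Jan 21 12:12:21 swanctl[6395]: loaded connection 'dmvpn-nhrvpn-tun100'
Jan 21 12:12:21 systemd[1]: Reloaded strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Jan 21 12:12:26 charon[4680]: 05[CFG] vici initiate CHILD_SA 'dmvpn', me 10.53.0.2, other 100.10.1.2, limits 0
Jan 21 12:12:26 charon-systemd[4680]: initiating IKE_SA dmvpn-nhrvpn-tun100[1] to 100.10.1.2
"""

# Constructed sample of the "show vpn ipsec sa" table from the report.
SA_TABLE = """\
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  -----------------------------
dmvpn         up       1m11s     2K/2K           27/26             100.10.1.2        10.51.1.2    AES_CBC_256/HMAC_SHA2_256_128
"""

# systemd lines that mark a (re)start or reload of the strongSwan unit.
DAEMON_START_RE = re.compile(r"systemd\[\d+\]: (?:Started|Reloaded) strongSwan")
# charon lines that mark an outbound IKE_SA initiation for a named connection.
INITIATE_RE = re.compile(r"initiating IKE_SA (\S+)\[\d+\] to (\S+)")


def parse_sa_table(text):
    """Parse the 'show vpn ipsec sa' table into {connection: {column: value}}.

    Columns are separated by two or more spaces; the dashed separator line is skipped.
    """
    rows = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("---")]
    if not rows:
        return {}
    header = re.split(r"\s{2,}", rows[0].strip())
    result = {}
    for ln in rows[1:]:
        fields = re.split(r"\s{2,}", ln.strip())
        if len(fields) != len(header):
            continue  # ignore malformed rows rather than mis-assign columns
        row = dict(zip(header, fields))
        result[row["Connection"]] = row
    return result


def connections_not_up(sa_text, expected):
    """Return the expected connection names that are missing or not in state 'up'."""
    table = parse_sa_table(sa_text)
    return [name for name in expected
            if name not in table or table[name]["State"] != "up"]


def check_reinitiation(log_text, expected_conn):
    """Did an 'initiating IKE_SA <expected_conn>' line follow the last daemon start/reload?

    Returns True if so, False if the daemon was (re)started but no initiation followed
    (the failure mode in the report), and None if no start/reload is in the window.
    """
    lines = log_text.splitlines()
    last_start = None
    for idx, ln in enumerate(lines):
        if DAEMON_START_RE.search(ln):
            last_start = idx
    if last_start is None:
        return None
    for ln in lines[last_start + 1:]:
        m = INITIATE_RE.search(ln)
        if m and m.group(1) == expected_conn:
            return True
    return False


if __name__ == "__main__":
    conn = "dmvpn-nhrvpn-tun100"
    print("restart log re-initiated:", check_reinitiation(RESTART_WITHOUT_INITIATE, conn))
    print("reload log re-initiated: ", check_reinitiation(RELOAD_WITH_INITIATE, conn))
    print("connections not up:      ", connections_not_up(SA_TABLE, ["dmvpn"]))
```

On a router the log text would come from `journalctl -u strongswan` (or the syslog file) and the table from `show vpn ipsec sa`; a `False` from `check_reinitiation` combined with a non-empty `connections_not_up` result is exactly the condition the reporter observed after `restart ipsec`, and is a reasonable trigger for an alert or for the opennhrp restart the reporter found as a workaround.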