
ipsec: T6148: Fixed reset command by adding init after terminating

Open aapostoliuk opened this issue 1 year ago • 2 comments

Change Summary

If 'close_action' equals 'start', strongswan does not reinitialize the session after it is terminated via vici. This fix adds connection initialization to the reset function after termination if 'close_action' equals 'start'.

Types of changes

  • [x] Bug fix (non-breaking change which fixes an issue)
  • [ ] New feature (non-breaking change which adds functionality)
  • [ ] Code style update (formatting, renaming)
  • [ ] Refactoring (no functional changes)
  • [ ] Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • [ ] Other (please describe):

Related Task(s)

  • https://vyos.dev/T6148

Related PR(s)

Component(s) name

ipsec

Proposed changes

This fix adds connection initialization to the reset function after termination, if 'close_action' equals 'start'.

How to test

Config A:

set vpn ipsec authentication psk TEST id '192.168.0.2'
set vpn ipsec authentication psk TEST id '192.168.0.1'
set vpn ipsec authentication psk TEST secret 'test'
set vpn ipsec esp-group ESP-GRP lifetime '500'
set vpn ipsec esp-group ESP-GRP mode 'tunnel'
set vpn ipsec esp-group ESP-GRP pfs 'enable'
set vpn ipsec esp-group ESP-GRP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GRP proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-GRP close-action 'start'
set vpn ipsec ike-group IKE-GRP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GRP dead-peer-detection interval '15'
set vpn ipsec ike-group IKE-GRP dead-peer-detection timeout '30'
set vpn ipsec ike-group IKE-GRP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GRP lifetime '5000'
set vpn ipsec ike-group IKE-GRP proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-GRP proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer peer1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer1 authentication remote-id '192.168.0.2'
set vpn ipsec site-to-site peer peer1 connection-type 'initiate'
set vpn ipsec site-to-site peer peer1 description 'Manesar-Israel'
set vpn ipsec site-to-site peer peer1 ike-group IKE-GRP
set vpn ipsec site-to-site peer peer1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer1 local-address '192.168.0.1'
set vpn ipsec site-to-site peer peer1 remote-address '192.168.0.2'
set vpn ipsec site-to-site peer peer1 tunnel 1 esp-group ESP-GRP
set vpn ipsec site-to-site peer peer1 tunnel 1 local prefix '10.0.1.0/24'
set vpn ipsec site-to-site peer peer1 tunnel 1 remote prefix '10.0.0.0/24'
set vpn ipsec site-to-site peer peer1 tunnel 2 esp-group 'ESP-GRP'
set vpn ipsec site-to-site peer peer1 tunnel 2 local prefix '10.0.2.0/24'
set vpn ipsec site-to-site peer peer1 tunnel 2 remote prefix '10.0.0.0/24'

Config B:

set vpn ipsec authentication psk TEST id '192.168.0.2'
set vpn ipsec authentication psk TEST id '192.168.0.1'
set vpn ipsec authentication psk TEST secret 'test'
set vpn ipsec esp-group ESP-GRP lifetime '500'
set vpn ipsec esp-group ESP-GRP mode 'tunnel'
set vpn ipsec esp-group ESP-GRP pfs 'enable'
set vpn ipsec esp-group ESP-GRP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GRP proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-GRP close-action 'trap'
set vpn ipsec ike-group IKE-GRP dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-GRP dead-peer-detection interval '15'
set vpn ipsec ike-group IKE-GRP dead-peer-detection timeout '30'
set vpn ipsec ike-group IKE-GRP key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GRP lifetime '5000'
set vpn ipsec ike-group IKE-GRP proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-GRP proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer test2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer test2 authentication remote-id '192.168.0.1'
set vpn ipsec site-to-site peer test2 connection-type 'respond'
set vpn ipsec site-to-site peer test2 description 'Manesar-Israel'
set vpn ipsec site-to-site peer test2 ike-group 'IKE-GRP'
set vpn ipsec site-to-site peer test2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer test2 local-address '192.168.0.2'
set vpn ipsec site-to-site peer test2 remote-address '192.168.0.1'
set vpn ipsec site-to-site peer test2 tunnel 1 esp-group 'ESP-GRP'
set vpn ipsec site-to-site peer test2 tunnel 1 local prefix '10.0.0.0/24'
set vpn ipsec site-to-site peer test2 tunnel 1 remote prefix '10.0.1.0/24'
set vpn ipsec site-to-site peer test2 tunnel 2 esp-group 'ESP-GRP'
set vpn ipsec site-to-site peer test2 tunnel 2 local prefix '10.0.0.0/24'
set vpn ipsec site-to-site peer test2 tunnel 2 remote prefix '10.0.2.0/24'

Before: after reset vpn ipsec site-to-site all, SAs do not come up.

After:

vyos@vyos:~$ show vpn ipsec sa
Connection                    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
----------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
peer1-tunnel-1  up       8s        0B/0B           0/0               192.168.0.2       192.168.0.2  AES_CBC_256/HMAC_SHA1_96
peer1-tunnel-2  up       8s        0B/0B           0/0               192.168.0.2       192.168.0.2  AES_CBC_256/HMAC_SHA1_96/MODP_1024

vyos@vyos:~$ reset vpn ipsec site-to-site all
Peer peer1 terminate result: success
Peer peer1 initiate result: success
Peers reset result: success
vyos@vyos:~$
vyos@vyos:~$ show vpn ipsec sa
Connection                    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
----------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
peer1-tunnel-1  up       1m53s     0B/0B           0/0               192.168.0.2       192.168.0.2  AES_CBC_256/HMAC_SHA1_96
peer1-tunnel-2  up       1m53s     0B/0B           0/0               192.168.0.2       192.168.0.2  AES_CBC_256/HMAC_SHA1_96/MODP_1024

Smoketest result

Checklist:

  • [x] I have read the CONTRIBUTING document
  • [x] I have linked this PR to one or more Phabricator Task(s)
  • [ ] I have run the components SMOKETESTS if applicable
  • [x] My commit headlines contain a valid Task id
  • [ ] My change requires a change to the documentation
  • [ ] I have updated the documentation accordingly

aapostoliuk avatar Jul 03 '24 14:07 aapostoliuk

👍 No issues in PR Title / Commit Title

github-actions[bot] avatar Jul 03 '24 14:07 github-actions[bot]

❌ warning: Unused import os in smoketest/scripts/cli/test_interfaces_l2tpv3.py:17.

github-actions[bot] avatar Jul 08 '24 09:07 github-actions[bot]

I changed the condition for the tunnel initialization. Now it starts only if connection-type equals initiator. The information was changed in the PR. I applied ruff for formatting.

aapostoliuk avatar Jul 26 '24 11:07 aapostoliuk
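The terminate-then-initiate sequence described in the Change Summary, with the condition the author settled on in the comment above (re-initiate only for an `initiate`-type peer), as an added example that is not the PR's or vyos-1x's code. The `terminate`/`initiate` call shapes follow the python `vici` package; the stub session standing in for the strongSwan daemon is constructed here so the example runs offline.

```python
"""Reset an IPsec peer over VICI and bring it back up explicitly.

Example code, not from the PR. Models the fixed behaviour: strongSwan does
not re-establish an IKE_SA on its own after a vici `terminate`, so a reset
must call `initiate` afterwards for peers this side is responsible for
starting (connection-type 'initiate'); 'respond' peers wait for the remote.
"""
from typing import Dict, Iterable, List, Tuple


class StubViciSession:
    """Constructed stand-in for vici.Session; records the calls it receives.

    Like the real client, terminate()/initiate() return a generator of log
    messages that the caller has to drain for the command to complete.
    """

    def __init__(self) -> None:
        self.calls: List[Tuple[str, str]] = []

    def terminate(self, sa: Dict[str, str]) -> Iterable[Dict[str, bytes]]:
        self.calls.append(("terminate", sa["ike"]))
        yield {"msg": f"{sa['ike']}: deleting IKE_SA".encode()}

    def initiate(self, sa: Dict[str, str]) -> Iterable[Dict[str, bytes]]:
        self.calls.append(("initiate", sa["ike"]))
        yield {"msg": f"{sa['ike']}: IKE_SA established".encode()}


def reset_peer(session, peer: str, peer_conf: Dict[str, str]) -> List[str]:
    """Terminate `peer` and, if it is an initiator, start it again.

    `peer_conf` holds the peer's CLI settings (only 'connection-type' is
    consulted). Returns result lines in the format the PR's `reset` output
    shows. The {'ike': name} selector is the vici key for an IKE_SA by
    connection name (assumption: a site-to-site peer maps 1:1 to an IKE_SA).
    """
    results: List[str] = []
    # Drain the generator so the terminate actually runs to completion
    # before we decide whether to re-initiate.
    for _ in session.terminate({"ike": peer}):
        pass
    results.append(f"Peer {peer} terminate result: success")
    # Before the fix the function stopped here, which is why the SAs in the
    # 'Before' case never came back after `reset vpn ipsec site-to-site all`.
    if peer_conf.get("connection-type") == "initiate":
        for _ in session.initiate({"ike": peer}):
            pass
        results.append(f"Peer {peer} initiate result: success")
    return results
```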

CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests 👍 passed
  • Config tests 👍 passed
  • RAID1 tests 👍 passed

github-actions[bot] avatar Jul 26 '24 13:07 github-actions[bot]

@MergifyIo backport circinus sagitta

sever-sever avatar Jul 30 '24 12:07 sever-sever

backport circinus sagitta

✅ Backports have been created

mergify[bot] avatar Jul 30 '24 12:07 mergify[bot]