After VPN is UP routes are missing

tcharewicz · February 14, 2020, 8:10am

Hi,
I’m setting up a VPN ipsec, on vyos 1.2.x build by me from crux repository, and after when ipsec are up vyos does not install kernel route to my remote site. I found a option to disable auto-installation of that routes, but I suppose it’s should be enabled by default. What can I check to find a problem with that auto-installation? At previous version of VyOS 1.1.7 and 1.1.8 auto-installation of that type of routes works fine with almost the same configuration.

–
Regards
TomekC.

Dmitry · February 14, 2020, 8:34am

Hi @tcharewicz, can you check table 220?
sudo ip route show table 220
Which mode type are you using tunnel or transport?
Can you confirm that you exactly build 1.2.x? Run command show version and check commit id.
Read more about disable-route-autoinstall VyOS 1.2.0 development news in July

tcharewicz · February 14, 2020, 9:14am

Hello @Dmitry thank you for your answer.

Table 220 does not exist and is empty

mycha@svpn-x-1:~$ show ip route table 220 
mycha@svpn-x-1:~$ sudo ip route show table 220

mycha@svpn-x-1:~$ cat /etc/iproute2/rt_tables
#
# reserved values
#
255	local
254	main
253	default
0	unspec
#
# local
#
#1	inr.ruhep

This VPN work at transport mode, without of any VTI interface.

mycha@svpn-x-1:~$ show interfaces  | strip-private
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             xxx.xxx.0.124/22                   u/u  internal
                 xxx.xxx.0.126/22
eth1             xxx.xxx.149.28/26                 u/u  public
                 xxx.xxx.149.30/26
lo               xxx.xxx.0.1/8                       u/u
                 ::1/128

Before I build VyOS I checked double if I used correct branch at github. Please check after me.

mycha@svpn-x-1:~$ show version | strip-private
Version:          VyOS 1.2.5
Built by:         txxxxxx chxxxxxxx [at]ringieraxelspringer.pl
Built on:         Wed 05 Feb 2020 12:32 UTC
Build UUID:       082c6062-0f3c-463f-947e-e4d45c0de29f
Build Commit ID:  66f9a2880dc57f

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     VMware-xx xx xx xx ..
Hardware UUID:    <UUID cuted>

Copyright:        VyOS maintainers and contributors

What can I do more?

–
Regards
TomekC.

tcharewicz · February 14, 2020, 9:20am

Openswan had a similar bug two years ago, but I don’t know is it related.

github.com/xelerance/Openswan

IPSec tunnel opened/connected but no traffic | If route added manually it works perfect [Site-to-Site]

opened 01:01AM - 31 Jan 17 UTC

closed 11:18PM - 31 Jan 17 UTC

Bubelbub

Hey guys, I dont know why it is not working. Some people told to me that I n…ot need a route in linux routing table for successful ping to each computer in other network. But if I add the route manually it works perfect. My network is simple. I have a IPSec with OpenSwan (IPCop) on the other side and another IPSec with OpenSwan (IPCop) on the other side. One side is my Server which interface is directly assigned to the public internet address. The other side is my Client which is connected to a LTE/UMTS stick and uses the internal ip address. I call them simply "Server" and "Client" - because the Server shouldnt connect to the client but the client should connect to the server automatically. **Server:** `ipsec.secrets` : RSA /var/ipcop/certs/hostkey.pem @srv.dyndns.org @stick.dyndns.org : PSK 'thisismykey' `ipsec.conf` # Do not modify 'ipsec.conf' directly since any changes you make will be # overwritten whenever you change IPsec settings using the web interface! # version 2.0 config setup protostack=netkey klipsdebug="none" plutodebug="none" uniqueids=yes nat_traversal=yes conn %default keyingtries=0 disablearrivalcheck=no leftupdown=/usr/local/bin/ipsecupdown.sh # # net-2-net to RED conn Vereinsnetz left=srv.dyndns.org leftsubnet=192.168.2.0/255.255.255.0 right=stick.dyndns.org rightsubnet=192.168.1.0/255.255.255.0 leftid="@srv.dyndns.org" rightid="@stick.dyndns.org" ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024 esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5 ikelifetime=1h keylife=8h dpddelay=30 dpdtimeout=120 dpdaction=hold pfs=yes authby=secret auto=add **Client:** `ipsec.secrets` : RSA /var/ipcop/certs/hostkey.pem @srv.dyndns.org @stick.dyndns.org : PSK 'thisismykey' `ipsec.conf` # Do not modify 'ipsec.conf' directly since any changes you make will be # overwritten whenever you change IPsec settings using the web interface! # version 2.0 config setup protostack=netkey klipsdebug="none" plutodebug="none" uniqueids=yes nat_traversal=yes conn %default keyingtries=0 disablearrivalcheck=no leftupdown=/usr/local/bin/ipsecupdown.sh # # net-2-net to RED conn Vereinsnetz left=192.168.1.1 leftsubnet=192.168.1.0/255.255.255.0 right=srv.dyndns.org rightsubnet=192.168.2.0/255.255.255.0 leftid="@stick.dyndns.org" rightid="@srv.dyndns.org" ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024 esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5 ikelifetime=1h keylife=8h dpddelay=30 dpdtimeout=120 dpdaction=restart pfs=yes authby=secret auto=start Thats working fine. Tunnel is up and running - I would say 👍 But if I try... `$ ping 192.168.2.1` or `$ ping 192.168.1.1` (from Client -> Server or Server -> Client) I get no response. TCPDump shows nothing. The ping said **No route to host**. If I try `traceroute` then they go a wrong way. (Use internet gateway instead using IPSec tunnel) **$ route** (of Server) Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface default static.225.20.7 0.0.0.0 UG 0 0 0 wan-1 10.45.158.0 10.45.158.2 255.255.255.0 UG 0 0 0 tun0 10.45.158.2 * 255.255.255.255 UH 0 0 0 tun0 144.73.20.24 * 255.255.255.248 U 0 0 0 wan-1 192.168.2.0 * 255.255.255.0 U 0 0 0 lan-1 The 192.168.1.0 network of the client is missing. And... If I'm adding the routes manually. **Server:** `route add -net 192.168.1.0/24 gw 192.168.2.1 lan-1` **Client:** `route add -net 192.168.2.0/24 gw 192.168.1.1 lan-1` Then it work's perfect. traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 60 byte packets 1 router.local (192.168.2.1) 0.172 ms 0.227 ms 0.176 ms 2 192.168.1.1 (192.168.1.1) 26.148 ms 26.398 ms 26.453 ms But Why!?!? the route is not added automatically from IPSec? On `auto` it should `add` on server and `start` on client. So why IPSec / OpenSwan not add this routes automatically? And in my first sentence I said that somebody said IPSec should work without routes. So why it work if I add the route and not if I not add the route!? 👎 **Some more informations:** **$ ip xfrm state** src 87.172.164.149 dst 144.73.20.30 proto esp spi 0x1056faee reqid 16405 mode tunnel replay-window 32 flag af-unspec auth-trunc hmac(sha1) 0x9310c236f4917891fe9a5b3215cd2b3a801d593c 96 enc cbc(aes) 0xca1767ae12dd3cdf85cbbdbcedce2c6c encap type espinudp sport 63453 dport 4500 addr 0.0.0.0 src 144.73.20.30 dst 87.172.164.149 proto esp spi 0x1a9609af reqid 16405 mode tunnel replay-window 32 flag af-unspec auth-trunc hmac(sha1) 0xdb23eb1368f490b286a3e6920a6039d7c0b27ecc 96 enc cbc(aes) 0x46fcbd56399a75236c23a277b4cf98bf encap type espinudp sport 4500 dport 63453 addr 0.0.0.0 **$ ip xfrm policy** src 192.168.2.0/24 dst 192.168.1.0/24 dir out priority 2344 tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid 0 mode transport src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 Thank you in Advance for any ideas!

Dmitry · February 14, 2020, 5:34pm

Hi @tcharewicz, you build VyOS from master branch instead of crux (1.2.X) Delete accidently added submodule · vyos/vyos-build@66f9a28 · GitHub, this is commit id.
Provide please you configuration for reproducing this issue.
show configuration commands | strip-private | grep vpn

tcharewicz · February 17, 2020, 11:11am

Hello @Dmitry,
Yes, I found the place where I made the mistake of choosing the wrong branch when working with the repository before compilation. Sorry for bothering with this stupid mistake.

IPsec configuration look like this:
set vpn ipsec site-to-site peer xxxxx.tld authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer xxxxx.tld authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer xxxxx.tld connection-type ‘initiate’
set vpn ipsec site-to-site peer xxxxx.tld default-esp-group ‘xxxxx_ESP’
set vpn ipsec site-to-site peer xxxxx.tld description ‘xxxxx-secondary’
set vpn ipsec site-to-site peer xxxxx.tld ike-group ‘xxxxx_IKE’
set vpn ipsec site-to-site peer xxxxx.tld ikev2-reauth ‘no’
set vpn ipsec site-to-site peer xxxxx.tld local-address ‘xxx.xxx.149.30’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 esp-group ‘xxxxx_ESP’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 local prefix ‘xxx.xxx.147.136/32’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 remote prefix ‘xxx.xxx.250.112/32’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 esp-group ‘xxxxx_ESP’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 local prefix ‘xxx.xxx.147.137/32’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 remote prefix ‘xxx.xxx.250.112/32’
set vpn ipsec site-to-site peer xxxxx.tld authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer xxxxx.tld authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer xxxxx.tld connection-type ‘initiate’
set vpn ipsec site-to-site peer xxxxx.tld default-esp-group ‘xxxxx_ESP’
set vpn ipsec site-to-site peer xxxxx.tld description ‘xxxxx-primary’
set vpn ipsec site-to-site peer xxxxx.tld ike-group ‘xxxxx_IKE’
set vpn ipsec site-to-site peer xxxxx.tld ikev2-reauth ‘no’
set vpn ipsec site-to-site peer xxxxx.tld local-address ‘xxx.xxx.149.30’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 esp-group ‘xxxxx_ESP’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 local prefix ‘xxx.xxx.147.136/32’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 remote prefix ‘xxx.xxx.249.112/32’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 esp-group ‘xxxxx_ESP’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 local prefix ‘xxx.xxx.147.137/32’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 remote prefix ‘xxx.xxx.249.112/32’

–
Regards
TomekC.