Multiple ipsec connections

Dear all,

I created an IPsec tunnel between two VyOS routers according to this page (IPsec — VyOS 1.3.x (equuleus) documentation) and it works.

However, I found multiple connections the next day:

vyos@vyos:~$ show vpn ipsec sa
Connection                     State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-----------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
peer_100-100-100-106_tunnel_1  up       35m39s    0B/1K           0B/15B            100.100.100.106   LEFT         AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1  up       35m39s    1K/0B           15B/0B            100.100.100.106   LEFT         AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1  up       35m43s    0B/0B           0B/0B             100.100.100.106   LEFT         AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1  up       35m43s    0B/0B           0B/0B             100.100.100.106   LEFT         AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1  up       35m43s    0B/0B           0B/0B             100.100.100.106   LEFT         AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1  up       35m43s    0B/0B           0B/0B             100.100.100.106   LEFT         AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1  up       35m43s    0B/0B           0B/0B             100.100.100.106   LEFT         AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1  up       35m43s    0B/0B           0B/0B             100.100.100.106   LEFT         AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1  up       35m43s    0B/0B           0B/0B             100.100.100.106   LEFT         AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1  up       35m43s    0B/0B           0B/0B             100.100.100.106   LEFT         AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1  up       35m47s    0B/0B           0B/0B             100.100.100.106   LEFT         AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1  up       35m47s    0B/0B           0B/0B             100.100.100.106   LEFT         AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1  up       35m47s    0B/0B           0B/0B             100.100.100.106   LEFT         AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1  up       35m47s    0B/0B           0B/0B             100.100.100.106   LEFT         AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer_100-100-100-106_tunnel_1  up       35m47s    0B/0B           0B/0B             100.100.100.106   LEFT         AES_CBC_128/HMAC_SHA1_96/MODP_1024
vyos@vyos:~$

The following is my left VyOS's configuration:

vyos@vyos:~$ show configuration 
interfaces {
    ethernet eth0 {
        address dhcp
        hw-id 40:62:31:12:8c:38
    }
    ethernet eth1 {
        hw-id 40:62:31:12:8c:39
    }
    ethernet eth2 {
        hw-id 40:62:31:12:8c:3a
    }
    ethernet eth3 {
        address 192.168.3.99/24
        hw-id 40:62:31:12:8c:3b
    }
    loopback lo {
        address 192.168.99.1/32
    }
    tunnel tun0 {
        address 10.10.10.1/24
        encapsulation gre
        remote 192.168.99.2
        source-address 192.168.99.1
    }
}
pki {
    key-pair ipsec-LEFT {
        private {
            key ****************
        }
        public {
            key ****************
        }
    }
    key-pair ipsec-RIGHT {
        public {
            key ****************
        }
    }
}
service {
    ...
}
system {
    ...
}
vpn {
    ipsec {
        esp-group MyESPGroup {
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group MyIKEGroup {
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        interface eth0
        site-to-site {
            peer @RIGHT {
                authentication {
                    id LEFT
                    mode rsa
                    remote-id RIGHT
                    rsa {
                        local-key ****************
                        remote-key ****************
                    }
                }
                connection-type respond
                default-esp-group MyESPGroup
                ike-group MyIKEGroup
                local-address 100.100.100.106
                tunnel 1 {
                    local {
                        prefix 192.168.99.1/32
                    }
                    remote {
                        prefix 192.168.99.2/32
                    }
                }
            }
        }
    }
}
vyos@vyos:~$ 

The following is my right VyOS's configuration:


vyos@vyos:~$ show configuration 
firewall {
    all-ping enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        hw-id 40:62:31:12:8c:1c
    }
    ethernet eth1 {
        hw-id 40:62:31:12:8c:1d
    }
    ethernet eth2 {
        address 192.168.10.1/32
        hw-id 40:62:31:12:8c:1e
    }
    ethernet eth3 {
        address 192.168.3.90/24
        hw-id 40:62:31:12:8c:1f
    }
    loopback lo {
        address 192.168.99.2/32
    }
    tunnel tun0 {
        address 10.10.10.2/24
        encapsulation gre
        remote 192.168.99.1
        source-address 192.168.99.2
    }
}
nat {
    source {
        rule 100 {
            outbound-interface eth0
            source {
                address 192.168.1.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
pki {
    key-pair ipsec-LEFT {
        public {
            key ****************
        }
    }
    key-pair ipsec-RIGHT {
        private {
            key ****************
        }
        public {
            key ****************
        }
    }
}
service {
    ...
}
system {
    ...
}
vpn {
    ipsec {
        esp-group MyESPGroup {
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group MyIKEGroup {
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        interface eth0
        site-to-site {
            peer 100.100.100.106 {
                authentication {
                    id RIGHT
                    mode rsa
                    remote-id LEFT
                    rsa {
                        local-key ****************
                        remote-key ****************
                    }
                }
                connection-type initiate
                default-esp-group MyESPGroup
                ike-group MyIKEGroup
                local-address 172.16.1.102
                tunnel 1 {
                    local {
                        prefix 192.168.99.2/32
                    }
                    remote {
                        prefix 192.168.99.1/32
                    }
                }
            }
        }
    }
}
vyos@vyos:~$

What does your VPN debug log say?

I checked /var/log/messages. It kept closing and establishing SAs all night (the number of "closed" and "established" charon lines matches in each rotated log):

vyos@vyos:/var/log$ cat messages.1 | grep charon | grep -v "sending keep alive" | grep closed | wc -l
35
vyos@vyos:/var/log$ 
vyos@vyos:/var/log$ cat messages.1 | grep charon | grep -v "sending keep alive" | grep established | wc -l
35
vyos@vyos:/var/log$ 
vyos@vyos:/var/log$ 
vyos@vyos:/var/log$ cat messages.2 | grep charon | grep -v "sending keep alive" | grep established | wc -l
22
vyos@vyos:/var/log$ 
vyos@vyos:/var/log$ cat messages.2 | grep charon | grep -v "sending keep alive" | grep closed | wc -l
22
vyos@vyos:/var/log$ 
vyos@vyos:/var/log$ cat messages.3 | grep charon | grep -v "sending keep alive" | grep closed | wc -l
15
vyos@vyos:/var/log$ 
vyos@vyos:/var/log$ cat messages.3 | grep charon | grep -v "sending keep alive" | grep established | wc -l
15
vyos@vyos:/var/log$
vyos@vyos:/var/log$ cat messages.1 | grep charon | grep -v "sending keep alive"
Mar  8 20:02:51 vyos charon: 05[ENC] <peer_100-100-100-106|8> generating INFORMATIONAL request 3 [ D ]
Mar  8 20:02:51 vyos charon: 05[NET] <peer_100-100-100-106|8> sending packet: from 172.16.1.102[4500] to 100.100.100.106[4500] (76 bytes)
Mar  8 20:02:51 vyos charon: 12[KNL] creating delete job for CHILD_SA ESP/0xcb342b26/100.100.100.106
Mar  8 20:02:51 vyos charon: 01[NET] <peer_100-100-100-106|7> received packet: from 100.100.100.106[4500] to 172.16.1.102[4500] (76 bytes)
Mar  8 20:02:51 vyos charon: 01[ENC] <peer_100-100-100-106|7> parsed INFORMATIONAL request 23 [ D ]
Mar  8 20:02:51 vyos charon: 01[IKE] <peer_100-100-100-106|7> received DELETE for ESP CHILD_SA with SPI c47f17f5
Mar  8 20:02:51 vyos charon: 01[IKE] <peer_100-100-100-106|7> closing CHILD_SA peer_100-100-100-106_tunnel_1{138} with SPIs cf84f6b9_i (0 bytes) c47f17f5_o (0 bytes) and TS 192.168.99.2/32 === 192.168.99.1/32
Mar  8 20:02:51 vyos charon: 01[IKE] <peer_100-100-100-106|7> sending DELETE for ESP CHILD_SA with SPI cf84f6b9
Mar  8 20:02:51 vyos charon: 01[IKE] <peer_100-100-100-106|7> CHILD_SA closed
Mar  8 20:02:51 vyos charon: 01[ENC] <peer_100-100-100-106|7> generating INFORMATIONAL response 23 [ D ]
Mar  8 20:02:51 vyos charon: 01[NET] <peer_100-100-100-106|7> sending packet: from 172.16.1.102[4500] to 100.100.100.106[4500] (76 bytes)
Mar  8 20:02:51 vyos charon: 11[NET] <peer_100-100-100-106|8> received packet: from 100.100.100.106[4500] to 172.16.1.102[4500] (76 bytes)
Mar  8 20:02:51 vyos charon: 11[ENC] <peer_100-100-100-106|8> parsed INFORMATIONAL response 3 [ D ]
Mar  8 20:02:51 vyos charon: 11[IKE] <peer_100-100-100-106|8> received DELETE for ESP CHILD_SA with SPI cb342b26
Mar  8 20:02:51 vyos charon: 11[IKE] <peer_100-100-100-106|8> CHILD_SA closed
Mar  8 20:02:51 vyos charon: 11[ENC] <peer_100-100-100-106|8> generating INFORMATIONAL request 4 [ ]
Mar  8 20:02:51 vyos charon: 11[NET] <peer_100-100-100-106|8> sending packet: from 172.16.1.102[4500] to 100.100.100.106[4500] (76 bytes)
Mar  8 20:02:51 vyos charon: 07[NET] <peer_100-100-100-106|7> received packet: from 100.100.100.106[4500] to 172.16.1.102[4500] (76 bytes)
Mar  8 20:02:51 vyos charon: 07[ENC] <peer_100-100-100-106|7> parsed INFORMATIONAL request 24 [ ]
Mar  8 20:02:51 vyos charon: 07[ENC] <peer_100-100-100-106|7> generating INFORMATIONAL response 24 [ ]
Mar  8 20:02:51 vyos charon: 07[NET] <peer_100-100-100-106|7> sending packet: from 172.16.1.102[4500] to 100.100.100.106[4500] (76 bytes)
Mar  8 20:02:51 vyos charon: 10[NET] <peer_100-100-100-106|8> received packet: from 100.100.100.106[4500] to 172.16.1.102[4500] (76 bytes)
Mar  8 20:02:51 vyos charon: 10[ENC] <peer_100-100-100-106|8> parsed INFORMATIONAL response 4 [ ]
Mar  8 20:02:51 vyos charon: 10[IKE] <peer_100-100-100-106|8> establishing CHILD_SA peer_100-100-100-106_tunnel_1{145}
Mar  8 20:02:51 vyos charon: 10[ENC] <peer_100-100-100-106|8> generating CREATE_CHILD_SA request 5 [ SA No KE TSi TSr ]
Mar  8 20:02:51 vyos charon: 10[NET] <peer_100-100-100-106|8> sending packet: from 172.16.1.102[4500] to 100.100.100.106[4500] (348 bytes)
Mar  8 20:02:51 vyos charon: 09[NET] <peer_100-100-100-106|7> received packet: from 100.100.100.106[4500] to 172.16.1.102[4500] (348 bytes)
Mar  8 20:02:51 vyos charon: 09[ENC] <peer_100-100-100-106|7> parsed CREATE_CHILD_SA request 25 [ SA No KE TSi TSr ]
Mar  8 20:02:51 vyos charon: 09[CFG] <peer_100-100-100-106|7> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Mar  8 20:02:51 vyos charon: 09[IKE] <peer_100-100-100-106|7> CHILD_SA peer_100-100-100-106_tunnel_1{146} established with SPIs c261c8b7_i c6e34163_o and TS 192.168.99.2/32 === 192.168.99.1/32
Mar  8 20:02:51 vyos charon: 09[ENC] <peer_100-100-100-106|7> generating CREATE_CHILD_SA response 25 [ SA No KE TSi TSr ]
Mar  8 20:02:51 vyos charon: 09[NET] <peer_100-100-100-106|7> sending packet: from 172.16.1.102[4500] to 100.100.100.106[4500] (348 bytes)
Mar  8 20:02:51 vyos charon: 08[NET] <peer_100-100-100-106|8> received packet: from 100.100.100.106[4500] to 172.16.1.102[4500] (348 bytes)
Mar  8 20:02:51 vyos charon: 08[ENC] <peer_100-100-100-106|8> parsed CREATE_CHILD_SA response 5 [ SA No KE TSi TSr ]
Mar  8 20:02:51 vyos charon: 08[CFG] <peer_100-100-100-106|8> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Mar  8 20:02:51 vyos charon: 08[IKE] <peer_100-100-100-106|8> CHILD_SA peer_100-100-100-106_tunnel_1{145} established with SPIs ce041d76_i c3695037_o and TS 192.168.99.2/32 === 192.168.99.1/32
Mar  8 20:02:51 vyos charon: 15[NET] <peer_100-100-100-106|7> received packet: from 100.100.100.106[4500] to 172.16.1.102[4500] (76 bytes)
Mar  8 20:02:51 vyos charon: 15[ENC] <peer_100-100-100-106|7> parsed INFORMATIONAL request 26 [ D ]
Mar  8 20:02:51 vyos charon: 15[IKE] <peer_100-100-100-106|7> received DELETE for ESP CHILD_SA with SPI cff4938a
Mar  8 20:02:51 vyos charon: 15[IKE] <peer_100-100-100-106|7> closing CHILD_SA peer_100-100-100-106_tunnel_1{140} with SPIs c79e0edd_i (0 bytes) cff4938a_o (0 bytes) and TS 192.168.99.2/32 === 192.168.99.1/32
Mar  8 20:02:51 vyos charon: 15[IKE] <peer_100-100-100-106|7> sending DELETE for ESP CHILD_SA with SPI c79e0edd
Mar  8 20:02:51 vyos charon: 15[IKE] <peer_100-100-100-106|7> CHILD_SA closed
Mar  8 20:02:51 vyos charon: 15[ENC] <peer_100-100-100-106|7> generating INFORMATIONAL response 26 [ D ]
Mar  8 20:02:51 vyos charon: 15[NET] <peer_100-100-100-106|7> sending packet: from 172.16.1.102[4500] to 100.100.100.106[4500] (76 bytes)
Mar  8 20:02:51 vyos charon: 14[NET] <peer_100-100-100-106|7> received packet: from 100.100.100.106[4500] to 172.16.1.102[4500] (76 bytes)
Mar  8 20:02:51 vyos charon: 14[ENC] <peer_100-100-100-106|7> parsed INFORMATIONAL request 27 [ ]
Mar  8 20:02:51 vyos charon: 14[ENC] <peer_100-100-100-106|7> generating INFORMATIONAL response 27 [ ]
Mar  8 20:02:51 vyos charon: 14[NET] <peer_100-100-100-106|7> sending packet: from 172.16.1.102[4500] to 100.100.100.106[4500] (76 bytes)
Mar  8 20:02:51 vyos charon: 05[NET] <peer_100-100-100-106|7> received packet: from 100.100.100.106[4500] to 172.16.1.102[4500] (348 bytes)
Mar  8 20:02:51 vyos charon: 05[ENC] <peer_100-100-100-106|7> parsed CREATE_CHILD_SA request 28 [ SA No KE TSi TSr ]
Mar  8 20:02:51 vyos charon: 05[CFG] <peer_100-100-100-106|7> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Mar  8 20:02:51 vyos charon: 05[IKE] <peer_100-100-100-106|7> CHILD_SA peer_100-100-100-106_tunnel_1{147} established with SPIs ce6b08c7_i cd721de9_o and TS 192.168.99.2/32 === 192.168.99.1/32
Mar  8 20:02:51 vyos charon: 05[ENC] <peer_100-100-100-106|7> generating CREATE_CHILD_SA response 28 [ SA No KE TSi TSr ]
Mar  8 20:02:51 vyos charon: 05[NET] <peer_100-100-100-106|7> sending packet: from 172.16.1.102[4500] to 100.100.100.106[4500] (348 bytes)
Mar  8 20:02:55 vyos charon: 11[NET] <peer_100-100-100-106|7> received packet: from 100.100.100.106[4500] to 172.16.1.102[4500] (76 bytes)
Mar  8 20:02:55 vyos charon: 11[ENC] <peer_100-100-100-106|7> parsed INFORMATIONAL request 29 [ D ]
Mar  8 20:02:55 vyos charon: 11[IKE] <peer_100-100-100-106|7> received DELETE for ESP CHILD_SA with SPI c992a027
Mar  8 20:02:55 vyos charon: 11[IKE] <peer_100-100-100-106|7> closing CHILD_SA peer_100-100-100-106_tunnel_1{141} with SPIs c0d11289_i (0 bytes) c992a027_o (0 bytes) and TS 192.168.99.2/32 === 192.168.99.1/32
Mar  8 20:02:55 vyos charon: 11[IKE] <peer_100-100-100-106|7> sending DELETE for ESP CHILD_SA with SPI c0d11289
Mar  8 20:02:55 vyos charon: 11[IKE] <peer_100-100-100-106|7> CHILD_SA closed
Mar  8 20:02:55 vyos charon: 11[ENC] <peer_100-100-100-106|7> generating INFORMATIONAL response 29 [ D ]
Mar  8 20:02:55 vyos charon: 11[NET] <peer_100-100-100-106|7> sending packet: from 172.16.1.102[4500] to 100.100.100.106[4500] (76 bytes)
Mar  8 20:02:55 vyos charon: 07[NET] <peer_100-100-100-106|7> received packet: from 100.100.100.106[4500] to 172.16.1.102[4500] (76 bytes)
Mar  8 20:02:55 vyos charon: 07[ENC] <peer_100-100-100-106|7> parsed INFORMATIONAL request 30 [ ]
Mar  8 20:02:55 vyos charon: 07[ENC] <peer_100-100-100-106|7> generating INFORMATIONAL response 30 [ ]
Mar  8 20:02:55 vyos charon: 07[NET] <peer_100-100-100-106|7> sending packet: from 172.16.1.102[4500] to 100.100.100.106[4500] (76 bytes)

sudo swanctl -L
sudo swanctl -l