Multiple tunnels show if peer becomes unreachable

Hi All.

I am new to VyOS and am currently using VyOS 1.3.0-rc6 and have a stable site-to-site IPsec VPN using IKEv2, which looks like this:

Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
peer-xxx.xxx.x.x-tunnel-0 up 1h57m8s 14M/768K 35K/19K xxx.xxx.x.x N/A AES_CBC_256/HMAC_SHA2_256_128/MODP_2048

If the peer becomes unreachable, VyOS tries to recreate the tunnel, BUT I end up seeing anywhere from 3 to 5 tunnels, as below.

Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
peer-xxx.xxx.x.x-tunnel-0 up 41s 0B/0B 0/0 xxx.xxx.x.x N/A AES_CBC_256/HMAC_SHA2_256_128
peer-xxx.xxx.x.x-tunnel-0 up 41s 0B/0B 0/0 xxx.xxx.x.x N/A AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
peer-xxx.xxx.x.x-tunnel-0 up 41s 0B/0B 0/0 xxx.xxx.x.x N/A AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
peer-xxx.xxx.x.x-tunnel-0 up 41s 0B/0B 0/0 xxx.xxx.x.x N/A AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
peer-xxx.xxx.x.x-tunnel-0 up 41s 0B/0B 0/0 xxx.xxx.x.x N/A AES_CBC_256/HMAC_SHA2_256_128/MODP_2048

When the peer becomes reachable again, data flows between the 2 peers even though it shows 5 tunnels.

The only way to solve this is to issue the command:

reset vpn ipsec-peer xxx.xxx.x.x

This only works while the peer is reachable.

After this is done it will again show 1 tunnel as in the top example.

Is there a setting I need to change to correct this or is it a bug in the current release?
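As an added example (not code from the original post), a small monitor that parses output in the `show vpn ipsec sa` layout quoted above and flags connection names that appear more than once, which is exactly the symptom described; it also reports rows whose proposal column lacks the expected DH group, as the first duplicate row above does. The sample output and the peer addresses in it are constructed.

```python
# Added example: detect duplicate SA rows in VyOS "show vpn ipsec sa" output.
# Assumes whitespace-separated columns with the proposal in the last column.
from collections import defaultdict

# Constructed sample mirroring the rows quoted in the post (addresses made up).
SAMPLE_OUTPUT = """\
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
peer-203.0.113.5-tunnel-0 up 41s 0B/0B 0/0 203.0.113.5 N/A AES_CBC_256/HMAC_SHA2_256_128
peer-203.0.113.5-tunnel-0 up 41s 0B/0B 0/0 203.0.113.5 N/A AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
peer-203.0.113.5-tunnel-0 up 41s 0B/0B 0/0 203.0.113.5 N/A AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
peer-198.51.100.9-tunnel-0 up 1h57m8s 14M/768K 35K/19K 198.51.100.9 N/A AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
"""

def parse_sa_rows(text):
    """Return one dict per SA row; the header line and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a connection name, the header with "Connection".
        if not parts or parts[0] == "Connection":
            continue
        rows.append({
            "connection": parts[0],
            "state": parts[1],
            "uptime": parts[2],
            "bytes": parts[3],
            "packets": parts[4],
            "remote": parts[5],
            "proposal": parts[-1],
        })
    return rows

def find_duplicate_connections(text):
    """Map connection name -> row count, for names listed more than once."""
    counts = defaultdict(int)
    for row in parse_sa_rows(text):
        counts[row["connection"]] += 1
    return {name: n for name, n in counts.items() if n > 1}

def rows_without_pfs_group(text, expected="MODP_2048"):
    """Connection names whose proposal lacks the expected DH group (stale rows)."""
    return [row["connection"] for row in parse_sa_rows(text)
            if expected not in row["proposal"]]

if __name__ == "__main__":
    for name, n in find_duplicate_connections(SAMPLE_OUTPUT).items():
        print(f"{name}: {n} SA rows (expected 1); consider 'reset vpn ipsec-peer'")
```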

Hi @ajshire
Can you provide the full config of the router?

Hi Nikolay,

Thanks for getting back to me.

Here it is,

set interfaces dummy dum0 address 'xxx.xxx.xxx.207/32'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth1 address 'xxx.xxx.x.1/24'
set interfaces loopback lo
set nat source rule 110 description 'xx'
set nat source rule 110 destination address 'xxx.xxx.xx.114/32'
set nat source rule 110 outbound-interface 'eth0'
set nat source rule 110 source address 'xxx.xxx.x.0/24'
set nat source rule 110 translation address 'xxx.xxx.xxx.207'
set protocols static route xxx.xxx.78.114/32 next-hop xxx.xxx.xx.1
set service ssh client-keepalive-interval '180'
set service ssh disable-password-authentication
set service ssh port '22'
set system config-management commit-revisions '100'
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx key xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx type ssh-xxx
set system name-servers-dhcp 'eth0'
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set vpn ipsec esp-group esp-local-remote compression 'disable'
set vpn ipsec esp-group esp-local-remote lifetime '3600'
set vpn ipsec esp-group esp-local-remote mode 'tunnel'
set vpn ipsec esp-group esp-local-remote pfs 'dh-group14'
set vpn ipsec esp-group esp-local-remote proposal 1 encryption 'aes256'
set vpn ipsec esp-group esp-local-remote proposal 1 hash 'sha256'
set vpn ipsec ike-group ike-local-remote close-action 'none'
set vpn ipsec ike-group ike-local-remote dead-peer-detection action 'restart'
set vpn ipsec ike-group ike-local-remote dead-peer-detection interval '30'
set vpn ipsec ike-group ike-local-remote dead-peer-detection timeout '120'
set vpn ipsec ike-group ike-local-remote ikev2-reauth 'no'
set vpn ipsec ike-group ike-local-remote key-exchange 'ikev2'
set vpn ipsec ike-group ike-local-remote lifetime '28800'
set vpn ipsec ike-group ike-local-remote mobike 'disable'
set vpn ipsec ike-group ike-local-remote proposal 1 dh-group '14'
set vpn ipsec ike-group ike-local-remote proposal 1 encryption 'aes256'
set vpn ipsec ike-group ike-local-remote proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-level '1'
set vpn ipsec logging log-modes 'any'
set vpn ipsec nat-networks allowed-network xxx.xxx.x.0/0
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer xxxxx.tld authentication id 'xxx.xxx.xxx.80'
set vpn ipsec site-to-site peer xxxxx.tld authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxxxx.tld authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer xxxxx.tld connection-type 'initiate'
set vpn ipsec site-to-site peer xxxxx.tld default-esp-group 'esp-local-remote'
set vpn ipsec site-to-site peer xxxxx.tld ike-group 'ike-local-remote'
set vpn ipsec site-to-site peer xxxxx.tld ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxxxx.tld local-address 'xxx.xxx.xxx.80'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 0 local prefix 'xxx.xxx.xxx.207/32'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 0 remote prefix 'xxx.xxx.xx.114/32'

It should be fixed in the 1.3.0 LTS release, as "show VPN" was rewritten.
