Show vpn ike sa output containing extra entry

Good morning
If I do a "show vpn ike sa" I see an extra entry other than my 2 site-to-site VPN connections. Is this expected?

Many thanks

vyos@vyos:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
n/a                                     n/a

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a

Peer ID / IP                            Local ID / IP
------------                            -------------
40.68.222.120                           192.168.1.32

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv2   aes256   sha1_96 2(MODP_1024)   no     3600    28800

Peer ID / IP                            Local ID / IP
------------                            -------------
52.157.87.226                           192.168.1.32

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv2   aes256   sha1_96 2(MODP_1024)   no     3600    28800

vyos@vyos:~$ show version
Version: VyOS 1.2-rolling-201910180117
Built by: autobuild@vyos.net
Built on: Fri 18 Oct 2019 01:17 UTC
Build UUID: 9d4bb0c6-20cc-4631-add7-8ff356bf2edb
Build Commit ID: 25bb74bc51f7ee

Architecture: x86_64
Boot via: installed image
System type: Microsoft Hyper-V guest

Hardware vendor: Microsoft Corporation
Hardware model: Virtual Machine
Hardware S/N: 4734-6561-0938-8713-0170-4046-40
Hardware UUID: ae2d062f-e92b-f349-ab26-83f0970629aa

Copyright: VyOS maintainers and contributors

Hello, it might be a configuration issue. Can you provide the configuration?

show configuration commands | strip-private

Hi Dimitry, thanks for the reply. Here is the configuration. The only intruders are a couple of old esp-group and ike-group that I defined but don't use…:

vyos@vyos:~$ show configuration commands | strip-private
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall options interface vti1 adjust-mss '1350'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address 'xxx.xxx.1.32/24'
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth0 hw-id 'XX:XX:XX:XX:XX:02'
set interfaces ethernet eth1 address 'xxx.xxx.1.254/24'
set interfaces ethernet eth1 description 'DMZ'
set interfaces ethernet eth1 hw-id 'XX:XX:XX:XX:XX:03'
set interfaces ethernet eth2 address 'xxx.xxx.0.254/24'
set interfaces ethernet eth2 description 'INTERNAL'
set interfaces ethernet eth2 hw-id 'XX:XX:XX:XX:XX:04'
set interfaces ethernet eth3 address 'xxx.xxx.2.254/24'
set interfaces ethernet eth3 hw-id 'XX:XX:XX:XX:XX:1b'
set interfaces ethernet eth4 address 'xxx.xxx.3.254/24'
set interfaces ethernet eth4 hw-id 'XX:XX:XX:XX:XX:1c'
set interfaces loopback lo
set interfaces vti vti1 address 'xxx.xxx.1.5/32'
set interfaces vti vti1 description 'Azure Tunnel'
set nat source rule 10 destination address 'xxx.xxx.0.0/24'
set nat source rule 10 exclude
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address 'xxx.xxx.0.0/16'
set nat source rule 11 destination address 'xxx.xxx.0.0/24'
set nat source rule 11 exclude
set nat source rule 11 outbound-interface 'eth0'
set nat source rule 11 source address 'xxx.xxx.0.0/16'
set nat source rule 12 destination address 'xxx.xxx.0.14/32'
set nat source rule 12 exclude
set nat source rule 12 outbound-interface 'eth0'
set nat source rule 12 source address 'xxx.xxx.1.32/32'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address 'xxx.xxx.0.0/24'
set nat source rule 100 translation address 'masquerade'
set nat source rule 101 outbound-interface 'eth0'
set nat source rule 101 source address 'xxx.xxx.2.0/24'
set nat source rule 101 translation address 'masquerade'
set nat source rule 102 outbound-interface 'eth0'
set nat source rule 102 source address 'xxx.xxx.3.0/24'
set nat source rule 102 translation address 'masquerade'
set nat source rule 200 outbound-interface 'eth0'
set nat source rule 200 source address 'xxx.xxx.1.0/24'
set nat source rule 200 translation address 'masquerade'
set protocols bgp XXXXXX address-family ipv4-unicast network xxx.xxx.0.0/24
set protocols bgp XXXXXX neighbor xxx.xxx.0.14 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp XXXXXX neighbor xxx.xxx.0.14 disable-connected-check
set protocols bgp XXXXXX neighbor xxx.xxx.0.14 ebgp-multihop '2'
set protocols bgp XXXXXX neighbor xxx.xxx.0.14 remote-as '65515'
set protocols bgp XXXXXX neighbor xxx.xxx.0.14 timers holdtime '30'
set protocols bgp XXXXXX neighbor xxx.xxx.0.14 timers keepalive '10'
set protocols static interface-route xxx.xxx.0.14/32 next-hop-interface vti1
set protocols static route xxx.xxx.0.0/0 next-hop xxx.xxx.1.1
set service ssh port '22'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system login user xxxxxx level 'admin'
set system name-server 'xxx.xxx.8.8'
set system name-server 'xxx.xxx.4.4'
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'UTC'
set vpn ipsec esp-group AZURE compression 'disable'
set vpn ipsec esp-group AZURE lifetime '3600'
set vpn ipsec esp-group AZURE mode 'tunnel'
set vpn ipsec esp-group AZURE pfs 'dh-group2'
set vpn ipsec esp-group AZURE proposal 1 encryption 'aes256'
set vpn ipsec esp-group AZURE proposal 1 hash 'sha1'
set vpn ipsec esp-group esp-azure compression 'disable'
set vpn ipsec esp-group esp-azure lifetime '3600'
set vpn ipsec esp-group esp-azure mode 'tunnel'
set vpn ipsec esp-group esp-azure pfs 'disable'
set vpn ipsec esp-group esp-azure proposal 1 encryption 'aes256'
set vpn ipsec esp-group esp-azure proposal 1 hash 'sha1'
set vpn ipsec ike-group AZURE dead-peer-detection action 'restart'
set vpn ipsec ike-group AZURE dead-peer-detection interval '15'
set vpn ipsec ike-group AZURE dead-peer-detection timeout '30'
set vpn ipsec ike-group AZURE ikev2-reauth 'yes'
set vpn ipsec ike-group AZURE key-exchange 'ikev2'
set vpn ipsec ike-group AZURE lifetime '28800'
set vpn ipsec ike-group AZURE proposal 1 dh-group '2'
set vpn ipsec ike-group AZURE proposal 1 encryption 'aes256'
set vpn ipsec ike-group AZURE proposal 1 hash 'sha1'
set vpn ipsec ike-group ike-azure ikev2-reauth 'no'
set vpn ipsec ike-group ike-azure key-exchange 'ikev1'
set vpn ipsec ike-group ike-azure lifetime '28800'
set vpn ipsec ike-group ike-azure proposal 1 dh-group '2'
set vpn ipsec ike-group ike-azure proposal 1 encryption 'aes256'
set vpn ipsec ike-group ike-azure proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer xxxxx.tld authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxxxx.tld authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer xxxxx.tld connection-type 'initiate'
set vpn ipsec site-to-site peer xxxxx.tld ike-group 'AZURE'
set vpn ipsec site-to-site peer xxxxx.tld ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxxxx.tld local-address 'xxx.xxx.1.32'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 0 esp-group 'AZURE'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 0 local prefix 'xxx.xxx.0.0/16'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 0 remote prefix 'xxx.xxx.0.0/24'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 esp-group 'AZURE'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 local prefix 'xxx.xxx.0.0/16'
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 remote prefix 'xxx.xxx.0.0/24'
set vpn ipsec site-to-site peer xxxxx.tld authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxxxx.tld authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer xxxxx.tld connection-type 'initiate'
set vpn ipsec site-to-site peer xxxxx.tld ike-group 'AZURE'
set vpn ipsec site-to-site peer xxxxx.tld ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxxxx.tld local-address 'xxx.xxx.1.32'
set vpn ipsec site-to-site peer xxxxx.tld vti bind 'vti1'
set vpn ipsec site-to-site peer xxxxx.tld vti esp-group 'AZURE'

Try deleting the old esp-group and ike-group.
Do you use peer like 0.0.0.0?

Hi Dimitry
I deleted the two extra groups and rebooted the appliance. Result is the same.
I don’t use any 0.0.0.0 peer.
I can forward you my full config file if you tell me how…

I tried deleting "tunnel 1" from one of the site-to-site definitions and the output is now correct.
Maybe it is not clear from the conf: I have 2 site-to-site VPNs, one with 2 tunnels defined (peer 40.x.x.120) and one using a VTI interface and BGP (peer 52.x.x.226).

BTW, in the "show ipsec sa" output there is the opposite issue… Only one tunnel is shown (output is taken when the configuration had 2 tunnels defined for peer 40.x.x.120):
vyos@vyos:~$ show vpn ipsec sa
Connection                  State  Uptime  Bytes In/Out  Packets In/Out  Remote address  Remote ID  Proposal
----------                  -----  ------  ------------  --------------  --------------  ---------  --------
peer-52.x.x.226-tunnel-vti  up     3m8s    3K/139B       58/3            52.x.x.226      N/A        AES_CBC_256/HMAC_SHA1_96
peer-40.x.x.120-tunnel-0    up     3m8s    52K/10K       181/98          40.x.x.120      N/A        AES_CBC_256/HMAC_SHA1_96

I will wait for the config in PM.

I confirm this: the output of the command show vpn ike sa is wrong when 2 tunnels are used. I think we need to create a bug report on phabricator.vyos.net.
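Until the display bug is fixed, anything that scrapes this command (a Nagios check, an Ansible fact) will count the empty entry as a down tunnel. The following is an added example, not code from the thread or from VyOS: it parses the `show vpn ike sa` text as captured above, drops entries that have neither a peer nor an IKE version, and compares the real "up" SAs with the number of `site-to-site peer` names in the config. The sample output and config lines are constructed copies; the peer names in the config sample are placeholders.

```python
import re  # parser for VyOS 1.2 'show vpn ike sa' text output
# Constructed sample: trimmed copy of the thread's 'show vpn ike sa' capture.
SAMPLE = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
n/a                                     n/a
    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    down   N/A     n/a      n/a     n/a(n/a)       no     0       n/a
Peer ID / IP                            Local ID / IP
------------                            -------------
40.68.222.120                           192.168.1.32
    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv2   aes256   sha1_96 2(MODP_1024)   no     3600    28800
"""
# Constructed config lines; peer names are placeholders, not the thread's.
SAMPLE_CONFIG = """\
set vpn ipsec site-to-site peer peer-a.example tunnel 0 esp-group 'AZURE'
set vpn ipsec site-to-site peer peer-a.example tunnel 1 esp-group 'AZURE'
set vpn ipsec site-to-site peer peer-b.example vti bind 'vti1'
"""
FIELDS = ("state", "ikever", "encrypt", "hash", "dhgroup", "natt", "atime", "ltime")

def parse_ike_sa(text):
    """One dict per 'Peer ID / IP' block: peer, local and the status columns."""
    entries = []
    for block in re.split(r"^Peer ID / IP.*$", text, flags=re.M)[1:]:
        # Rows with content only (blank and dashed rows dropped): [ids, header, values].
        rows = [l.split() for l in block.splitlines() if set(l) - {"-", " "}]
        entries.append({"peer": rows[0][0], "local": rows[0][1],
                        **dict(zip(FIELDS, rows[2]))})
    return entries

def is_phantom(entry):
    """No peer and no IKE version: a display artifact, not a negotiated SA."""
    return entry["peer"] == "n/a" and entry["ikever"] == "N/A"

def configured_peers(config):
    """Peer names from 'set vpn ipsec site-to-site peer <name> ...' lines."""
    return set(re.findall(r"^set vpn ipsec site-to-site peer (\S+)", config, flags=re.M))

def check(ike_output, config):
    # Counts a monitor can compare: configured peers vs real 'up' SAs vs phantoms.
    entries = parse_ike_sa(ike_output)
    real = [e for e in entries if not is_phantom(e)]
    return {"configured": len(configured_peers(config)),
            "up": sum(e["state"] == "up" for e in real),
            "phantom": len(entries) - len(real)}
```

On a live box, feed it the output of `show vpn ike sa` and `show configuration commands` instead of the constructed samples; a non-zero `phantom` count with `up == configured` means the display bug, not a tunnel failure.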