show vpn ipsec sa


Dear all,

I have added a custom cipher (HW based) for ESP transform. The tunnel shows active, but when I run the command

show vpn ipsec sa

VyOS prints ‘invalidTYPE_192’ under the encrypt heading, while the cipher name is correctly saved in the configuration and is also visible in log messages.
Kindly suggest what the cause may be, and where this command is implemented in the source code tree.


EDIT: I’ve found it is implemented in the package vyatta-op-vpn. It is a Perl script, but I can’t figure it out.


What’s the output of “sudo ipsec statusall | grep peer”?


Here’s the output.

000 “peer-”:[]…[]===; erouted; eroute owner: #4
000 “peer-”: ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 “peer-”: policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 “peer-”: newest ISAKMP SA: #1; newest IPsec SA: #4;
000 “peer-”: IKE proposal: AES_CBC_256/HMAC_SHA1/MODP_1536
000 “peer-”: ESP proposal: INVALID_PAYLOAD_TYPE_192/HMAC_SHA1/
000 #3: “peer-” STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3132s
000 #3: “peer-” esp.ceb2d374@ (0 bytes) esp.c3f8ed2d@ (0 bytes); tunnel
000 #2: “peer-” STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28332s
000 #4: “peer-” STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2653s; newest IPSEC; eroute owner
000 #4: “peer-” esp.c0c4588f@ (0 bytes) esp.cee81397@ (0 bytes); tunnel
000 #1: “peer-” STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27612s; newest ISAKMP


The command “show vpn ipsec sa” just parses the output of “ipsec statusall” for the encryption type. You can see the INVALID_PAYLOAD_TYPE_192 in the output of that command, so it’s actually strongSwan that is reporting the hardware encryption type.
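The point of the reply above is that “show vpn ipsec sa” is only a presentation layer over “ipsec statusall”, so what matters is what strongSwan itself prints. As an added example (not the vyatta-op-vpn Perl script and not strongSwan code), the Python below parses the status lines quoted earlier in the thread, embedded here as a constructed sample with the forum’s curly quotes kept, and flags two things an operator would want to notice before trusting a tunnel that “shows active”: a transform name that is an INVALID_..._TYPE_<n> placeholder instead of a real algorithm name, and established SAs whose SPIs have carried no traffic. The regexes, the function names and the treatment of the numeric suffix are assumptions about the line format shown in the thread, not a strongSwan interface; the thread does not state what the number encodes, so it is only extracted.

```python
import re

# Constructed sample: the "sudo ipsec statusall | grep peer" lines from the
# thread, including the curly quotes the forum rendering introduced.
SAMPLE_STATUS = """\
000 “peer-”: IKE proposal: AES_CBC_256/HMAC_SHA1/MODP_1536
000 “peer-”: ESP proposal: INVALID_PAYLOAD_TYPE_192/HMAC_SHA1/
000 #3: “peer-” STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3132s
000 #3: “peer-” esp.ceb2d374@ (0 bytes) esp.c3f8ed2d@ (0 bytes); tunnel
000 #4: “peer-” STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2653s; newest IPSEC; eroute owner
000 #4: “peer-” esp.c0c4588f@ (0 bytes) esp.cee81397@ (0 bytes); tunnel
"""

# Assumed line shapes, derived only from the lines quoted in the thread.
PROPOSAL_RE = re.compile(r'^000 "(?P<conn>[^"]*)": (?P<proto>IKE|ESP) proposal: (?P<prop>\S*)')
SA_RE = re.compile(r'^000 (?P<sa>#\d+): "(?P<conn>[^"]*)" (?P<rest>.*esp\..*)$')
SPI_RE = re.compile(r'esp\.(?P<spi>[0-9a-f]+)@\S* \((?P<bytes>\d+) bytes\)')
# Placeholder printed when a transform id has no name table entry (as seen in the thread).
PLACEHOLDER_RE = re.compile(r'^INVALID_[A-Z_]*TYPE_(?P<num>\d+)$')


def normalise(text):
    """Copy-pasted output often carries curly quotes; map them back to ASCII."""
    return text.replace('\u201c', '"').replace('\u201d', '"')


def parse_proposals(text):
    """Map (connection, 'IKE'|'ESP') to its encr/integ/dh transform names."""
    out = {}
    for line in normalise(text).splitlines():
        m = PROPOSAL_RE.match(line)
        if not m:
            continue
        parts = m.group('prop').split('/')
        parts += [''] * (3 - len(parts))  # a trailing '/' leaves the DH slot empty
        out[(m.group('conn'), m.group('proto'))] = dict(zip(('encr', 'integ', 'dh'), parts[:3]))
    return out


def parse_sa_traffic(text):
    """Map each IPsec SA number to its [(spi, bytes), ...] pairs."""
    out = {}
    for line in normalise(text).splitlines():
        m = SA_RE.match(line)
        if not m:
            continue
        spis = [(s.group('spi'), int(s.group('bytes'))) for s in SPI_RE.finditer(m.group('rest'))]
        if spis:
            out[m.group('sa')] = spis
    return out


def placeholder_id(name):
    """Return the number from an INVALID_..._TYPE_<n> placeholder, or None for a real name."""
    m = PLACEHOLDER_RE.match(name)
    return int(m.group('num')) if m else None


def audit(text):
    """List findings: unnamed transforms in proposals, and established SAs with no traffic."""
    findings = []
    for (conn, proto), algs in parse_proposals(text).items():
        for slot in ('encr', 'integ'):
            pid = placeholder_id(algs[slot])
            if pid is not None:
                findings.append(f"{conn}/{proto}: {slot} transform shows placeholder {algs[slot]} (id {pid})")
    for sa, spis in parse_sa_traffic(text).items():
        if all(b == 0 for _, b in spis):
            findings.append(f"{sa}: established but no traffic on SPIs {[s for s, _ in spis]}")
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_STATUS):
        print(finding)
```

Run against the sample, the audit reports the ESP placeholder for the encryption slot and both SAs (#3 and #4) as carrying zero bytes; a real “show vpn ipsec sa” wrapper could apply the same check so that a cipher whose name table entry is wrong is reported as a problem rather than simply echoed under the encrypt heading.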


Thanks all for your help.
I have found the cause and corrected it. It was a mistake in the ‘esp_transform_name’ enum entry for my cipher name. It is found in the /vyatta-strongswan/src/pluto/constants.c file.