Show vpn ipsec sa

Dear all,

I have added a custom cipher (HW based) for ESP transform. The tunnel shows active, but when I run the command

show vpn ipsec sa

the VyOS prints ‘invalidTYPE_192’ under the encrypt heading. While the cipher name is correctly saved in configuration and it is visible in log messages also.
Kindly suggest what may be the cause? and where this command is implemented in source code tree?


EDIT: I’ve found it is implemented in package vyatta-op-vpn. It is PERL script but can’t figure out.

what’s the output of “sudo ipsec statusall | grep peer”

Here’s the output.

000 “peer-”:[]…[]===; erouted; eroute owner: #4
000 “peer-”: ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 “peer-”: policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 “peer-”: newest ISAKMP SA: #1; newest IPsec SA: #4;
000 “peer-”: IKE proposal: AES_CBC_256/HMAC_SHA1/MODP_1536
000 “peer-”: ESP proposal: INVALID_PAYLOAD_TYPE_192/HMAC_SHA1/
000 #3: “peer-” STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3132s
000 #3: “peer-” esp.ceb2d374@ (0 bytes) esp.c3f8ed2d@ (0 bytes); tunnel
000 #2: “peer-” STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28332s
000 #4: “peer-” STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2653s; newest IPSEC; eroute owner
000 #4: “peer-” esp.c0c4588f@ (0 bytes) esp.cee81397@ (0 bytes); tunnel
000 #1: “peer-” STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27612s; newest ISAKMP

the command “show vpn ipsec sa” just parses the command “ipsec statusall” for the encryption type. You can see in the output of that command the INVALID_PAYLOAD_TYPE_192. So it’s actually strongswan that is reporting the hardware encryption type.

Thanks all for your help.
I have found the cause and corrected it. It was a mistake in the ‘esp_transform_name’ enum entry of my cipher name. It is found in /vyatta-strongswan/src/pluto/constants.c file.

I am facing same issue where “sh vpn ipsec sa” is showing tunnel down but “sudo ipsec statusall” shows correct output. Earlier when was using aes128 encryption algo in esp proposal it showed correct output but when I started using aes128gcm128 “sh vpn ipsec sa” is showing tunnel down.

vyos@hh-vpn:/opt/vyatta/bin/sudo-users$ sh vpn ipsec sa
Peer ID / IP Local ID / IP
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
vti down n/a n/a n/a no 0 43200 all

vyos@hh-vpn:/opt/vyatta/bin/sudo-users$ sh vpn ike sa
Peer ID / IP Local ID / IP
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv2 aes128 sha1_96 2(MODP_1024) no 3600 86400

vyos@hh-vpn:/opt/vyatta/bin/sudo-users$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.95-amd64-vyos, x86_64):
uptime: 16 minutes, since Oct 04 09:20:05 2019
malloc: sbrk 1351680, mmap 0, used 298160, free 1053520
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 chapoly xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
peer-… IKEv2, dpddelay=30s
peer- local: [] uses pre-shared key authentication
peer- remote: [] uses pre-shared key authentication
peer- child: === TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
peer-[1]: ESTABLISHED 16 minutes ago,[]…[]
peer-[1]: IKEv2 SPIs: d7eb9c97b63c8c70_i df279845f737a0f1_r*, rekeying in 23 hours
peer-[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1e56634_i c07ae374_o
peer-{1}: AES_GCM_16_128, 0 bytes_i, 0 bytes_o, rekeying in 11 hours
peer-{1}: ===