VyOS command "reset vpn ipsec-peer 10.15.20.69" is getting stuck

ipsec

#1

The reset vpn ipsec command is getting stuck or taking too long to come out. I cannot use restart vpn as there are multiple tunnels in VyOS. Mostly this happens when the peer is not reachable. I am seeing the following logs in charon:

Feb 19 06:54:46 15[CFG] received stroke: terminate 'peer-10.15.20.69-tunnel-vti'
Feb 19 06:54:46 05[IKE] <peer-10.15.20.69-tunnel-vti|1> destroying IKE_SA in state CONNECTING without notification
Feb 19 06:54:46 06[CFG] received stroke: initiate 'peer-10.15.20.69-tunnel-vti'
Feb 19 06:54:46 08[IKE] <peer-10.15.20.69-tunnel-vti|2> initiating Main Mode IKE_SA peer-10.15.20.69-tunnel-vti[2] to 10.15.20.69
Feb 19 06:54:46 08[ENC] <peer-10.15.20.69-tunnel-vti|2> generating ID_PROT request 0 [ SA V V V V V ]
Feb 19 06:54:46 08[NET] <peer-10.15.20.69-tunnel-vti|2> sending packet: from 192.168.50.223[500] to 10.15.20.69[500] (344 bytes)
Feb 19 06:54:50 10[IKE] <peer-10.15.20.69-tunnel-vti|2> sending retransmit 1 of request message ID 0, seq 1
Feb 19 06:54:50 10[NET] <peer-10.15.20.69-tunnel-vti|2> sending packet: from 192.168.50.223[500] to 10.15.20.69[500] (344 bytes)
Feb 19 06:54:58 09[IKE] <peer-10.15.20.69-tunnel-vti|2> sending retransmit 2 of request message ID 0, seq 1
Feb 19 06:54:58 09[NET] <peer-10.15.20.69-tunnel-vti|2> sending packet: from 192.168.50.223[500] to 10.15.20.69[500] (344 bytes)
Feb 19 06:55:11 12[IKE] <peer-10.15.20.69-tunnel-vti|2> sending retransmit 3 of request message ID 0, seq 1
Feb 19 06:55:11 12[NET] <peer-10.15.20.69-tunnel-vti|2> sending packet: from 192.168.50.223[500] to 10.15.20.69[500] (344 bytes)
Feb 19 06:55:34 13[IKE] <peer-10.15.20.69-tunnel-vti|2> sending retransmit 4 of request message ID 0, seq 1
Feb 19 06:55:34 13[NET] <peer-10.15.20.69-tunnel-vti|2> sending packet: from 192.168.50.223[500] to 10.15.20.69[500] (344 bytes)


#2

What version of VyOS are you using?

Also, can you provide the configuration you are using for the troublesome IPsec tunnel?


#3

VyOS version: 1.7
Following is the ipsec config of one side. The other side is also configured with the same config and the tunnel is working fine. The issue comes when one side is not reachable and we try to reset the vpn with the 'reset vpn ipsec-peer ' command. Since the other side is not reachable, VyOS tries to retransmit info messages to the other side multiple times, and all this time the command gets stuck. Ideally the reset command should exit and retransmission should happen internally.

ipsec {
    auto-update 60
    esp-group 10.15.20.168 {
        lifetime 43200
        pfs disable
        proposal 1 {
            encryption aes128
            hash sha1
        }
    }
    ike-group 10.15.20.168 {
        dead-peer-detection {
            action restart
            interval 30
            timeout 120
        }
        key-exchange ikev1
        lifetime 86400
        proposal 1 {
            dh-group 2
            encryption aes128
            hash sha1
        }
        proposal 2 {
            dh-group 14
            encryption aes256
            hash sha1
        }
        proposal 3 {
            dh-group 19
            encryption aes128
            hash md5
        }
        proposal 4 {
            dh-group 2
            encryption aes128
            hash sha256
        }
        proposal 5 {
            dh-group 2
            encryption aes128
            hash sha384
        }
    }
    ipsec-interfaces {
        interface eth0
    }
    nat-traversal enable
    site-to-site {
        peer 10.15.20.168 {
            authentication {
                id 100.64.0.1
                mode pre-shared-secret
                pre-shared-secret secret
                remote-id %any
            }
            connection-type respond
            default-esp-group 10.15.20.168
            ike-group 10.15.20.168
            local-address 10.15.20.69
            vti {
                bind vti0
                esp-group 10.15.20.168
            }
        }
    }
}


#4

I’d recommend migrating to a newer release of VyOS as that one is EOL, as is 1.1.8. I’d recommend building a new 1.2.0 image, or at a minimum 1.1.8 and if possible, could you try to implement IKEv2 for this specific tunnel?


#5

The same issue is coming for VyOS 1.2.0 and IKEv2.


#6

What do the traffic levels look like going across this tunnel? Can you try two things for me and test? First,

set vpn ipsec auto-update '60' (let this command bake for a while and see if stability is improved any)

Second,

Adjust the dead-peer-detection timeout values.

Also, can you capture logs as well when you are doing this? I am assuming both sides are on 1.2.0 now correct?


#7

Tried the above options already. The tunnel and traffic are stable for days; that is not the issue. But I have a different requirement where connectivity between the two VPN gateways goes down for some time. I wrote a task scheduler which resets ipsec when the connection is down. But when there is no connection between the two VPN gateways and I do reset vpn, that command takes too much time to exit and prevents my script from running further. When I do reset vpn manually the same thing happens. I already provided the charon log in my post.


#8

Were you able to find a solution to this?


#9

No. If the peer IP is not reachable, reset gets stuck. As a workaround I execute the reset command only when the peer IP is reachable.
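A defensive version of the scheduled reset described in #7 and #9, as an added example that is not from the thread or from the VyOS project: it skips the reset when the peer does not answer a ping, and bounds the reset with coreutils `timeout` so a hung `reset vpn ipsec-peer` cannot block the scheduler. Assumptions: iputils `ping`, coreutils `timeout`, and that op-mode commands are invoked through `/opt/vyatta/bin/vyatta-op-cmd-wrapper` (the wrapper path and the ping command are hypothetical defaults and can be overridden through `RESET_CMD` and `PING_CMD`).

```bash
#!/bin/bash
# Added example (not from the thread or the VyOS project): run the scheduled
# "reset vpn ipsec-peer <ip>" without letting a hung reset block the script.
# Assumed defaults (override as needed): op-mode commands run through
# /opt/vyatta/bin/vyatta-op-cmd-wrapper, ping is iputils, timeout is coreutils.

# RESET_CMD is a shell snippet; "$1" is replaced with the peer address.
: "${RESET_CMD:=/opt/vyatta/bin/vyatta-op-cmd-wrapper reset vpn ipsec-peer}"
: "${PING_CMD:=ping -c 1 -W 2}"   # one echo request, wait 2 s for a reply
: "${RESET_TIMEOUT:=30}"          # seconds before the reset is abandoned

# peer_reachable PEER -> 0 if the peer answers a single ICMP echo
peer_reachable() {
    # PING_CMD is word-split on purpose so it can carry its options
    $PING_CMD "$1" >/dev/null 2>&1
}

# safe_reset_peer PEER
#   0  reset finished
#   2  skipped: peer unreachable, charon would only retransmit until it gives up
#   3  reset did not finish within RESET_TIMEOUT and was killed
safe_reset_peer() {
    local peer="$1" rc
    if ! peer_reachable "$peer"; then
        echo "skip: $peer unreachable, not resetting" >&2
        return 2
    fi
    # timeout sends SIGTERM after RESET_TIMEOUT seconds and exits 124
    timeout "$RESET_TIMEOUT" sh -c "$RESET_CMD \"\$1\"" reset "$peer"
    rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "timeout: reset of $peer did not finish in ${RESET_TIMEOUT}s" >&2
        return 3
    fi
    return "$rc"
}

# Example use from the VyOS task scheduler: safe_reset_peer 10.15.20.69
```

Return code 2 tells the scheduler that nothing was done because the peer is down, which is the case the thread shows charon retransmitting on; code 3 means the reset itself hung and was killed.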