VyOS stops forwarding traffic after receiving "deleting IKE_SA"

I have VyOS 1.2.2 with several vti tunnels configured on it.
We were trying to establish a new IPsec VPN tunnel with peer 10.2.2.2. It was established successfully, but after some period (~10 minutes) we receive IKE_SA delete messages from the peer and VyOS becomes unreachable, except via the console.
If I run "reset vpn ipsec-peer 10.2.2.2", VyOS becomes reachable again until the next Delete IKE_SA.

$ show version
Version: VyOS 1.2.2
Built by: vyos_bld@b4ed4f59c1e8
Built on: Thu 25 Jul 2019 04:18 UTC
Build UUID: 04105957-02c4-46cf-8b65-0d1aad46377a
Build Commit ID: 427bc06a89d99b

Architecture: x86_64
Boot via: installed image
System type: VMware guest

Hardware vendor: VMware, Inc.
Hardware model: VMware Virtual Platform

Oct 22 15:11:40 ala-grx-e1 charon[2629]: 10[NET] received packet: from 10.2.2.2[500] to 192.168.1.181[500] (84 bytes)
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 10[ENC] parsed INFORMATIONAL_V1 request 2334580306 [ HASH D ]
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 10[IKE] received DELETE for IKE_SA peer-10.2.2.2-tunnel-vti[43]
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 10[IKE] deleting IKE_SA peer-10.2.2.2-tunnel-vti[43] between 192.168.1.181[192.168.1.181]...10.2.2.2[10.2.2.2]
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 07[NET] received packet: from 10.2.2.2[500] to 192.168.1.181[500] (224 bytes)
Oct 22 15:11:40 ala-grx-e1 sudo[10352]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/ip link set vti20 down
Oct 22 15:11:40 ala-grx-e1 sudo[10352]: pam_unix(sudo:session): session opened for user root by (uid=0)
Oct 22 15:11:40 ala-grx-e1 netplugd[1069]: vti20: ignoring event
Oct 22 15:11:40 ala-grx-e1 sudo[10352]: pam_unix(sudo:session): session closed for user root
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 07[ENC] parsed ID_PROT request 0 [ SA V V V V ]
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 07[IKE] received NAT-T (RFC 3947) vendor ID
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 07[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 07[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 07[IKE] 10.2.2.2 is initiating a Main Mode IKE_SA
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 07[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 07[ENC] generating ID_PROT response 0 [ SA V V V ]
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 07[NET] sending packet: from 192.168.1.181[500] to 10.2.2.2[500] (132 bytes)
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 06[NET] received packet: from 10.2.2.2[500] to 192.168.1.181[500] (284 bytes)
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 06[ENC] parsed ID_PROT request 0 [ KE No V V V NAT-D NAT-D ]
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 06[IKE] received DPD vendor ID
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 06[ENC] received unknown vendor ID: fa:34:3a:ca:57:5f:7a:13:0f:32:3f:9b:5b:52:4b:4f
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 06[IKE] received XAuth vendor ID
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 06[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 06[NET] sending packet: from 192.168.1.181[500] to 10.2.2.2[500] (244 bytes)
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 05[NET] received packet: from 10.2.2.2[500] to 192.168.1.181[500] (68 bytes)
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 05[ENC] parsed ID_PROT request 0 [ ID HASH ]
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 05[CFG] looking for pre-shared key peer configs matching 192.168.1.181...10.2.2.2[10.2.2.2]
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 05[CFG] selected peer config "peer-10.2.2.2-tunnel-vti"
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 05[IKE] IKE_SA peer-10.2.2.2-tunnel-vti[44] established between 192.168.1.181[192.168.1.181]...10.2.2.2[10.2.2.2]
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 05[IKE] scheduling reauthentication in 3171s
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 05[IKE] maximum IKE_SA lifetime 3711s
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 05[ENC] generating ID_PROT response 0 [ ID HASH ]
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 05[NET] sending packet: from 192.168.1.181[500] to 10.2.2.2[500] (68 bytes)
Oct 22 15:11:40 ala-grx-e1 sshd[10336]: pam_unix(sshd:session): session closed for user kiwi
Oct 22 15:11:41 ala-grx-e1 ntpd[1992]: Deleting interface #13 vti20, fe80::200:5efe:c32f:ffb5#123, interface stats: received=0, sent=0, dropped=0, active_time=553 secs

Config:

set high-availability vrrp group eth1-100 advertise-interval '1'
set high-availability vrrp group eth1-100 interface 'eth1'
set high-availability vrrp group eth1-100 priority '90'
set high-availability vrrp group eth1-100 virtual-address '192.168.1.171/32'
set high-availability vrrp group eth1-100 vrid '100'
set interfaces ethernet eth0 description 'unused'
set interfaces ethernet eth0 disable
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id '00:0c:29:e4:67:96'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address '192.168.1.169/29'
set interfaces ethernet eth1 description 'VLAN365'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:0c:29:e4:67:a0'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 address '192.168.1.181/29'
set interfaces ethernet eth2 description 'Internet_VLAN366'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 firewall local name 'from_Internet'
set interfaces ethernet eth2 hw-id '00:0c:29:e4:67:aa'
set interfaces ethernet eth2 smp-affinity 'auto'
set interfaces ethernet eth2 speed 'auto'
set interfaces vti vti20 description 'TEST-FFM'
set vpn ipsec esp-group TEST-FFM compression 'disable'
set vpn ipsec esp-group TEST-FFM lifetime '4000'
set vpn ipsec esp-group TEST-FFM mode 'tunnel'
set vpn ipsec esp-group TEST-FFM pfs 'dh-group2'
set vpn ipsec esp-group TEST-FFM proposal 1 encryption 'aes128'
set vpn ipsec esp-group TEST-FFM proposal 1 hash 'sha1'
set vpn ipsec esp-group TEST-FFM proposal 3 encryption 'aes128'
set vpn ipsec esp-group TEST-FFM proposal 3 hash 'sha1'
set vpn ipsec ike-group TEST-FFM ikev2-reauth 'no'
set vpn ipsec ike-group TEST-FFM key-exchange 'ikev1'
set vpn ipsec ike-group TEST-FFM lifetime '4000'
set vpn ipsec ike-group TEST-FFM proposal 1 dh-group '2'
set vpn ipsec ike-group TEST-FFM proposal 1 encryption '3des'
set vpn ipsec ike-group TEST-FFM proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth2'
set vpn ipsec logging log-level '1'
set vpn ipsec logging log-modes 'any'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 10.2.2.2 authentication id '192.168.1.181'
set vpn ipsec site-to-site peer 10.2.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.2.2.2 authentication pre-shared-secret '12345678'
set vpn ipsec site-to-site peer 10.2.2.2 authentication remote-id '10.2.2.2'
set vpn ipsec site-to-site peer 10.2.2.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.2.2.2 default-esp-group 'TEST-FFM'
set vpn ipsec site-to-site peer 10.2.2.2 ike-group 'TEST-FFM'
set vpn ipsec site-to-site peer 10.2.2.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.2.2.2 local-address '192.168.1.181'
set vpn ipsec site-to-site peer 10.2.2.2 vti bind 'vti20'
set vpn ipsec site-to-site peer 10.2.2.2 vti esp-group 'TEST-FFM'
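As an added example (not from the post, nor VyOS or strongSwan code), here is a small detector for the outage signature visible in the log above: the peer's DELETE for the IKE_SA, the bound VTI being taken down by the sudo'd "ip link set ... down", and the IKE_SA coming back up while that VTI is still down. The sample lines are constructed in the same syslog format as the post; the "ip link set vtiNN up" form is an assumption mirroring the "down" command the post shows.

```python
import re
from collections import defaultdict

# Constructed sample log in the format quoted in the post: two delete/re-establish
# cycles about ten minutes apart, and vti20 is never brought back up in between.
SAMPLE_LOG = """\
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 10[IKE] received DELETE for IKE_SA peer-10.2.2.2-tunnel-vti[43]
Oct 22 15:11:40 ala-grx-e1 sudo[10352]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/ip link set vti20 down
Oct 22 15:11:40 ala-grx-e1 charon[2629]: 05[IKE] IKE_SA peer-10.2.2.2-tunnel-vti[44] established between 192.168.1.181[192.168.1.181]...10.2.2.2[10.2.2.2]
Oct 22 15:21:40 ala-grx-e1 charon[2629]: 12[IKE] received DELETE for IKE_SA peer-10.2.2.2-tunnel-vti[44]
Oct 22 15:21:40 ala-grx-e1 sudo[10390]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/ip link set vti20 down
Oct 22 15:21:40 ala-grx-e1 charon[2629]: 09[IKE] IKE_SA peer-10.2.2.2-tunnel-vti[45] established between 192.168.1.181[192.168.1.181]...10.2.2.2[10.2.2.2]
"""

DELETE_RE = re.compile(r"\[IKE\] received DELETE for IKE_SA (?P<conn>[^\s\[]+)\[(?P<id>\d+)\]")
ESTAB_RE = re.compile(r"\[IKE\] IKE_SA (?P<conn>[^\s\[]+)\[(?P<id>\d+)\] established")
# The "up" variant is assumed to be logged like the "down" command in the post.
LINK_RE = re.compile(r"COMMAND=/sbin/ip link set (?P<dev>vti\d+) (?P<state>up|down)")


def analyse(log_text):
    """Return (per-connection delete/establish counts, findings).

    A finding (conn, ike_sa_id, vti) is recorded whenever an IKE_SA is
    established while a VTI taken down earlier is still down: the IKE_SA is
    back, but the interface the tunnel is bound to is not forwarding."""
    counts = defaultdict(lambda: {"deleted": 0, "established": 0})
    vti_down = set()
    findings = []
    for line in log_text.splitlines():
        if m := DELETE_RE.search(line):
            counts[m["conn"]]["deleted"] += 1
        elif m := LINK_RE.search(line):
            if m["state"] == "down":
                vti_down.add(m["dev"])
            else:
                vti_down.discard(m["dev"])
        elif m := ESTAB_RE.search(line):
            counts[m["conn"]]["established"] += 1
            for dev in sorted(vti_down):
                findings.append((m["conn"], int(m["id"]), dev))
    return dict(counts), findings


def flapping(counts, threshold=2):
    """Connections whose IKE_SA the peer deleted at least `threshold` times."""
    return sorted(c for c, n in counts.items() if n["deleted"] >= threshold)


if __name__ == "__main__":
    counts, findings = analyse(SAMPLE_LOG)
    for conn, sa_id, dev in findings:
        print(f"{conn}[{sa_id}] established but {dev} still down")
    print("flapping:", flapping(counts))
```

Pointing this at /var/log/messages on the router surfaces the "established but VTI still down" condition that "show vpn ipsec sa" alone does not reveal, and repeated deletes from the same peer are the cue to look at close-action and the peer's lifetime settings.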

Seems ipsec closeaction for peers might help: T1780 Adding ipsec ike closeaction


“close-action restart” resolved my problem.

Thank you Dmitry!
