T7489: Fix output state of ipsec passthrough child #4616

Merged: 1 commit merged into vyos:current from T7489-fix-output-ipsec-passthrough on Jul 24, 2025

Conversation

hedrok
Contributor

@hedrok hedrok commented Jul 22, 2025

Fix output state of ipsec passthrough child

Show state of passthrough tunnels as always up.

Passthrough children of a connection have PASS mode but have no SA and are not shown in vici list_sas.

Fix by passing mode from vici list_connections to _get_child_sa_state and always return 'up' for child with PASS mode.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

How to test / Smoketest result

Set up an IPsec VPN with one network being a subnetwork of the other, e.g.

(figure: topology-vpn-ipsec-passthrough)
For VyOS-central: 
    Public address of 203.0.113.2 on interface eth0
    Local private network of 10.1.1.0/24

For VyOS-remote:
    Public address of 203.0.113.27 on interface eth0
    Local private network of 10.1.1.100/30
    A VyOS router called vyos-remote

Commands to set up these machines:

VyOS-central:

    configure
    set system host-name vyos-central

    set interfaces ethernet eth0 address 203.0.113.2/24
    set interfaces ethernet eth0 description 'OUTSIDE'
    set interfaces ethernet eth1 address '10.1.1.1/24'
    set interfaces ethernet eth1 description 'LAN'

    set service dhcp-server shared-network-name LAN subnet 10.1.1.0/24 option default-router '10.1.1.1'
    set service dhcp-server shared-network-name LAN subnet 10.1.1.0/24 option name-server '10.1.1.1'
    set service dhcp-server shared-network-name LAN subnet 10.1.1.0/24 option domain-name 'central'
    set service dhcp-server shared-network-name LAN subnet 10.1.1.0/24 lease '86400'
    set service dhcp-server shared-network-name LAN subnet 10.1.1.0/24 range 0 start '10.1.1.9'
    set service dhcp-server shared-network-name LAN subnet 10.1.1.0/24 range 0 stop '10.1.1.254'
    set service dhcp-server shared-network-name LAN subnet 10.1.1.0/24 subnet-id '1'
    
    set service dns forwarding cache-size '0'
    set service dns forwarding listen-address '10.1.1.1'
    set service dns forwarding allow-from '10.1.1.0/24'

    set service ssh

    edit vpn ipsec
    set esp-group vyos-central-esp lifetime '1800'
    set esp-group vyos-central-esp mode 'tunnel'
    set esp-group vyos-central-esp pfs 'enable'
    set esp-group vyos-central-esp proposal 1 encryption 'aes256'
    set esp-group vyos-central-esp proposal 1 hash 'sha256'
    set ike-group vyos-central-ike key-exchange 'ikev1'
    set ike-group vyos-central-ike lifetime '3600'
    set ike-group vyos-central-ike proposal 1 encryption 'aes256'
    set ike-group vyos-central-ike proposal 1 hash 'sha256'
    set interface 'eth0'
    set authentication psk PSK-KEY id '203.0.113.27'
    set authentication psk PSK-KEY id '203.0.113.2'
    set authentication psk PSK-KEY secret 'not-so-secret'
    set site-to-site peer PEERREMOTE authentication mode 'pre-shared-secret'
    set site-to-site peer PEERREMOTE authentication local-id '203.0.113.2'
    set site-to-site peer PEERREMOTE authentication remote-id '203.0.113.27'
    set site-to-site peer PEERREMOTE ike-group 'vyos-central-ike'
    set site-to-site peer PEERREMOTE local-address '203.0.113.2'
    set site-to-site peer PEERREMOTE remote-address '203.0.113.27'
    set site-to-site peer PEERREMOTE tunnel 0 esp-group 'vyos-central-esp'
    set site-to-site peer PEERREMOTE tunnel 0 local prefix '10.1.1.0/24'
    set site-to-site peer PEERREMOTE tunnel 0 remote prefix '10.1.1.100/30'
    commit comment "ipsec configured"
    save

VyOS-remote:

    configure
    set system host-name vyos-remote

    set interfaces ethernet eth0 address 203.0.113.27/24
    set interfaces ethernet eth0 description 'OUTSIDE'
    set interfaces ethernet eth1 address '10.1.1.101/30'
    set interfaces ethernet eth1 description 'LAN'

    set service dhcp-server shared-network-name LAN subnet 10.1.1.100/30 option default-router '10.1.1.101'
    set service dhcp-server shared-network-name LAN subnet 10.1.1.100/30 option name-server '10.1.1.101'
    set service dhcp-server shared-network-name LAN subnet 10.1.1.100/30 option domain-name 'remote'
    set service dhcp-server shared-network-name LAN subnet 10.1.1.100/30 lease '86400'
    set service dhcp-server shared-network-name LAN subnet 10.1.1.100/30 range 0 start '10.1.1.102'
    set service dhcp-server shared-network-name LAN subnet 10.1.1.100/30 range 0 stop '10.1.1.103'
    set service dhcp-server shared-network-name LAN subnet 10.1.1.100/30 subnet-id '2'
    
    set service dns forwarding cache-size '0'
    set service dns forwarding listen-address '10.1.1.101'
    set service dns forwarding allow-from '10.1.1.100/30'

    set service ssh

    edit vpn ipsec
    set esp-group vyos-remote-esp lifetime '1800'
    set esp-group vyos-remote-esp mode 'tunnel'
    set esp-group vyos-remote-esp pfs 'enable'
    set esp-group vyos-remote-esp proposal 1 encryption 'aes256'
    set esp-group vyos-remote-esp proposal 1 hash 'sha256'
    set ike-group vyos-remote-ike key-exchange 'ikev1'
    set ike-group vyos-remote-ike lifetime '3600'
    set ike-group vyos-remote-ike proposal 1 encryption 'aes256'
    set ike-group vyos-remote-ike proposal 1 hash 'sha256'
    set interface 'eth0'
    set authentication psk PSK-KEY id '203.0.113.27'
    set authentication psk PSK-KEY id '203.0.113.2'
    set authentication psk PSK-KEY secret 'not-so-secret'
    set site-to-site peer PEERCENTRAL authentication mode 'pre-shared-secret'
    set site-to-site peer PEERCENTRAL authentication local-id '203.0.113.27'
    set site-to-site peer PEERCENTRAL authentication remote-id '203.0.113.2'
    set site-to-site peer PEERCENTRAL ike-group 'vyos-remote-ike'
    set site-to-site peer PEERCENTRAL local-address '203.0.113.27'
    set site-to-site peer PEERCENTRAL remote-address '203.0.113.2'
    set site-to-site peer PEERCENTRAL tunnel 0 esp-group 'vyos-remote-esp'
    set site-to-site peer PEERCENTRAL tunnel 0 local prefix '10.1.1.100/30'
    set site-to-site peer PEERCENTRAL tunnel 0 remote prefix '10.1.1.0/24'

    commit comment "ipsec configure"
    save

On vyos-remote, run show vpn ipsec connections:

vyos@vyos-remote:~$ show vpn ipsec connections
Connection                        State    Type    Remote address    Local TS       Remote TS      Local id      Remote id    Proposal
--------------------------------  -------  ------  ----------------  -------------  -------------  ------------  -----------  ----------
PEERCENTRAL                       up       IKEv1   203.0.113.2       -              -              203.0.113.27  203.0.113.2  -
PEERCENTRAL-tunnel-0              up       IPsec   203.0.113.2       10.1.1.100/30  10.1.1.0/24    203.0.113.27  203.0.113.2  -
PEERCENTRAL-tunnel-0-passthrough  up       IPsec   203.0.113.2       10.1.1.100/30  10.1.1.100/30  203.0.113.27  203.0.113.2  -

Before the fix PEERCENTRAL-tunnel-0-passthrough was down. After the fix it is up even if the VPN is down, as the passthrough connection is available anyway.

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
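The state logic the PR describes, as an added example that is not vyos-1x code: the child's mode is taken from list_connections and a PASS child is reported up without consulting list_sas. The function names and the vici payloads are constructed assumptions shaped like python-vici output.

```python
# Added example, not vyos-1x code: models the child-state logic the PR
# describes. Function names and sample vici payloads are constructed.

# Constructed list_connections for the vyos-remote peer: the real child
# and its passthrough sibling, which carries mode PASS.
LIST_CONNS = {
    b'PEERCENTRAL': {
        b'version': b'IKEv1',
        b'children': {
            b'PEERCENTRAL-tunnel-0': {b'mode': b'TUNNEL'},
            b'PEERCENTRAL-tunnel-0-passthrough': {b'mode': b'PASS'},
        },
    },
}

# Constructed list_sas with the VPN established. The passthrough child
# never appears here, which is why it used to be reported as down.
LIST_SAS_UP = {
    b'PEERCENTRAL': {
        b'state': b'ESTABLISHED',
        b'child-sas': {
            b'PEERCENTRAL-tunnel-0-1': {
                b'name': b'PEERCENTRAL-tunnel-0', b'state': b'INSTALLED'},
        },
    },
}
LIST_SAS_DOWN = {}  # VPN down: no IKE SA at all


def child_state(child_name, mode, child_sas):
    """'up'/'down' for one child. The mode comes from list_connections,
    as in the PR: a PASS child has no SA, so it is unconditionally 'up';
    any other child is up only if an INSTALLED SA exists for its name."""
    if mode == b'PASS':
        return 'up'
    for sa in child_sas.values():
        if sa.get(b'name') == child_name and sa.get(b'state') == b'INSTALLED':
            return 'up'
    return 'down'


def connection_states(conns, sas):
    """Map each IKE connection and each child name to its state string."""
    states = {}
    for conn_name, conn in conns.items():
        ike = sas.get(conn_name, {})
        states[conn_name.decode()] = (
            'up' if ike.get(b'state') == b'ESTABLISHED' else 'down')
        for child_name, child in conn[b'children'].items():
            states[child_name.decode()] = child_state(
                child_name, child[b'mode'], ike.get(b'child-sas', {}))
    return states
```

With LIST_SAS_DOWN the passthrough child is the only entry reported up, matching the post-fix behaviour shown in the table above.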


github-actions bot commented Jul 22, 2025

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.


github-actions bot commented Jul 22, 2025

👍
No issues in PR Title / Commit Title

@hedrok hedrok force-pushed the T7489-fix-output-ipsec-passthrough branch from 69dfbb9 to afc4389 Compare July 23, 2025 05:32

Conflicts Found. This pull request has conflicts. Please resolve them before we can evaluate the pull request.

@hedrok
Contributor Author

hedrok commented Jul 23, 2025

I have read the CLA Document and I hereby sign the CLA

@hedrok hedrok force-pushed the T7489-fix-output-ipsec-passthrough branch from afc4389 to 6d6b441 Compare July 23, 2025 05:47
Show state of passthrough tunnels as always up.

Passthrough children of connection have PASS mode but have no
sa and are not shown in vici list_sas.

Fix by passing mode from vici list_connections to _get_child_sa_state
and always return 'up' for child with PASS mode.
@hedrok hedrok force-pushed the T7489-fix-output-ipsec-passthrough branch from 6d6b441 to 6060c19 Compare July 23, 2025 08:15

Conflicts Resolved. Conflicts have been resolved. A maintainer will review the pull request shortly.

@sever-sever
Member

recheck


CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed

Member

@sever-sever sever-sever left a comment

The passthrough mode is always up

@sever-sever sever-sever requested a review from dmbaturin July 23, 2025 10:35
vyosbot added a commit to vyos/vyos-cla-signatures that referenced this pull request Jul 23, 2025
Member

@dmbaturin dmbaturin left a comment

Passthrough indeed has no state in the same sense as normal tunnels, no objections.

@dmbaturin dmbaturin added the bp/circinus Create automatic backport for circinus label Jul 24, 2025
@dmbaturin dmbaturin merged commit a24d129 into vyos:current Jul 24, 2025
18 of 19 checks passed
@vyosbot vyosbot added mirror-initiated This PR initiated for mirror sync workflow mirror-completed and removed mirror-initiated This PR initiated for mirror sync workflow labels Jul 24, 2025
Labels
bp/circinus Create automatic backport for circinus current mirror-completed