T4906: Fix show vpn ipsec connections data #1745

Merged
merged 1 commit into from
Jan 10, 2023

sever-sever
Member

Change Summary

We get incorrect data when showing connections.
As we get a list of all connections, we should compare the connection name with entries in the list and set the correct data if they match, and "continue" if the connection doesn't match.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Component(s) name

Proposed changes

How to test

Current output:

root@r1:/home/vyos# ./ipsec.py show_connections
Connection         State    Type    Remote address    Local TS        Remote TS     Local id                Remote id         Proposal
-----------------  -------  ------  ----------------  --------------  ------------  ----------------------  ----------------  ----------
OFFICE-B           down     IKEv1   192.0.2.2         -               -             192.0.2.1.local.peer-b  192.0.2.2.peer-b  -
OFFICE-B-tunnel-0  down     IPsec   192.0.2.2         192.168.0.0/24  10.0.0.0/21   192.0.2.1.local.peer-b  192.0.2.2.peer-b  -
OFFICE-C           down     IKEv2   192.0.2.3         -               -             192.0.2.1.local.peer-c  192.0.2.3.peer-c  -
OFFICE-C-tunnel-0  down     IPsec   192.0.2.3         192.168.2.0/24  10.0.0.0/21   192.0.2.1.local.peer-c  192.0.2.3.peer-c  -
OFFICE-D           down     IKEv2   192.0.2.5         -               -             192.0.2.1.local.peer-d  192.0.2.5.peer-d  -
OFFICE-D-tunnel-0  down     IPsec   192.0.2.5         192.168.5.0/24  10.0.50.0/24  192.0.2.1.local.peer-d  192.0.2.5.peer-d  -
root@r1:/home/vyos# 

Fixed output:

root@r1:/home/vyos# /usr/libexec/vyos/op_mode/ipsec.py show_connections
Connection         State    Type    Remote address    Local TS        Remote TS     Local id                Remote id         Proposal
-----------------  -------  ------  ----------------  --------------  ------------  ----------------------  ----------------  ---------------------------------------
OFFICE-B           up       IKEv1   192.0.2.2         -               -             192.0.2.1.local.peer-b  192.0.2.2.peer-b  AES_CBC/256/HMAC_SHA2_256_128/MODP_2048
OFFICE-B-tunnel-0  up       IPsec   192.0.2.2         192.168.0.0/24  10.0.0.0/21   192.0.2.1.local.peer-b  192.0.2.2.peer-b  AES_CBC/128/HMAC_SHA1_96/MODP_2048
OFFICE-C           up       IKEv2   192.0.2.3         -               -             192.0.2.1.local.peer-c  192.0.2.3.peer-c  AES_CBC/128/HMAC_SHA1_96/MODP_1024
OFFICE-C-tunnel-0  up       IPsec   192.0.2.3         192.168.2.0/24  10.0.0.0/21   192.0.2.1.local.peer-c  192.0.2.3.peer-c  AES_CBC/256/HMAC_SHA2_256_128/None
OFFICE-D           down     IKEv2   192.0.2.5         -               -             192.0.2.1.local.peer-d  192.0.2.5.peer-d  -
OFFICE-D-tunnel-0  down     IPsec   192.0.2.5         192.168.5.0/24  10.0.50.0/24  192.0.2.1.local.peer-d  192.0.2.5.peer-d  -
root@r1:/home/vyos# 

Real data from swanctl
Phase1:
OFFICE-B, OFFICE-C established
OFFICE-D not established
Phase2:
OFFICE-B, OFFICE-C installed

root@r1:/home/vyos# sudo swanctl -l
OFFICE-D: #3, CONNECTING, IKEv2, eaf9ca8cc93a6ad1_i* 0000000000000000_r
  local  '%any' @ 192.0.2.1[500]
  remote '%any' @ 192.0.2.5[500]
  active:  IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
OFFICE-C: #2, ESTABLISHED, IKEv2, af88b0f57d59e101_i* 95586d5e18ced6e8_r
  local  '192.0.2.1.local.peer-c' @ 192.0.2.1[4500]
  remote '192.0.2.3.peer-c' @ 192.0.2.3[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 26s ago, rekeying in 3531s
  OFFICE-C-tunnel-0: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 26s ago, rekeying in 3574s, expires in 1774s
    in  cf46d59e,      0 bytes,     0 packets
    out cb296e9f,      0 bytes,     0 packets
    local  192.168.2.0/24
    remote 10.0.0.0/21
OFFICE-B: #1, ESTABLISHED, IKEv1, b259b522ee162430_i* 8ef895d0b4fcd325_r
  local  '192.0.2.1.local.peer-b' @ 192.0.2.1[500]
  remote '192.0.2.2.peer-b' @ 192.0.2.2[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 26s ago, rekeying in 3378s
  OFFICE-B-tunnel-0: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 26s ago, rekeying in 3574s, expires in 1774s
    in  c0d93128,      0 bytes,     0 packets
    out c8e2c4a9,      0 bytes,     0 packets
    local  192.168.0.0/24
    remote 10.0.0.0/21
root@r1:/home/vyos# 

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

We get incorrect data when showing connections
As we get a list of all connections, we should compare the connection
name with entries in the list and set the correct data if they match
@c-po c-po requested review from a team, dmbaturin, sarthurdev, zdc, jestabro and c-po and removed request for a team January 10, 2023 12:46
@c-po c-po merged commit de686b3 into vyos:current Jan 10, 2023
@sever-sever sever-sever deleted the T4906 branch January 17, 2023 16:41
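
The name-matching rule described in the change summary, as an added example that is not the code from this PR: each configured connection takes its state and proposal only from the SA entry stored under its own name, and falls back to "down" when no such entry exists. The one-dict-per-SA list shape, the field names, the helper names and the up/down mapping are assumptions of this example; the sample values are constructed from the `swanctl -l` output above.

```python
# Added example (not the PR's code). SAMPLE_SAS is constructed from the
# `swanctl -l` output on this page; its shape and field names are assumed.
SAMPLE_SAS = [
    {"OFFICE-D": {"state": "CONNECTING", "child-sas": {}}},
    {"OFFICE-C": {
        "state": "ESTABLISHED", "encr-alg": "AES_CBC", "encr-keysize": "128",
        "integ-alg": "HMAC_SHA1_96", "dh-group": "MODP_1024",
        "child-sas": {"OFFICE-C-tunnel-0": {
            "state": "INSTALLED", "encr-alg": "AES_CBC",
            "encr-keysize": "256", "integ-alg": "HMAC_SHA2_256_128"}}}},
    {"OFFICE-B": {
        "state": "ESTABLISHED", "encr-alg": "AES_CBC", "encr-keysize": "256",
        "integ-alg": "HMAC_SHA2_256_128", "dh-group": "MODP_2048",
        "child-sas": {"OFFICE-B-tunnel-0": {
            "state": "INSTALLED", "encr-alg": "AES_CBC", "encr-keysize": "128",
            "integ-alg": "HMAC_SHA1_96", "dh-group": "MODP_2048"}}}},
]
# Configured connections and their tunnels (constructed from the table above).
CONFIGURED = {"OFFICE-B": ["OFFICE-B-tunnel-0"],
              "OFFICE-C": ["OFFICE-C-tunnel-0"],
              "OFFICE-D": ["OFFICE-D-tunnel-0"]}

def proposal(sa):
    """Format encr/keysize/integ/dh like the Proposal column; '-' if no SA."""
    if "encr-alg" not in sa:
        return "-"
    return "/".join(sa.get(k, "None") for k in
                    ("encr-alg", "encr-keysize", "integ-alg", "dh-group"))

def find_sa(name, sas):
    """Return the SA stored under `name`, or {} when none is listed."""
    for entry in sas:
        if name not in entry:
            continue  # belongs to another connection: never reuse its data
        return entry[name]
    return {}

def show_connections(configured, sas):
    """Build (name, state, proposal) rows for every configured connection."""
    rows = []
    for conn, tunnels in configured.items():
        ike = find_sa(conn, sas)
        state = "up" if ike.get("state") == "ESTABLISHED" else "down"
        rows.append((conn, state, proposal(ike)))
        for tun in tunnels:
            child = ike.get("child-sas", {}).get(tun, {})
            state = "up" if child.get("state") == "INSTALLED" else "down"
            rows.append((tun, state, proposal(child)))
    return rows
```

Because every lookup is keyed by name, the rows do not depend on the order in which the SAs are listed, which differs here from the order of the configured connections.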