T5355:IPSec:op cmd:"sh vpn ike status" not working #2090
Merged
Change Summary
"show vpn ike sa" shows as "IPsec Process NOT Running" even though the process is running.
The same output is shown for the sub-command as well: "sh vpn ike sa peer "
Types of changes
Related Task(s)
Component(s) name
ipsec
Proposed changes
The strongSwan service was changed from charon to charon-systemd, which is why the "process is not running" error
is received, so the service was updated.
How to test
Configure the ipsec setting on both peers:
set vpn ipsec authentication psk test id 'x.x.x.x'
set vpn ipsec authentication psk test secret 'vyos'
set vpn ipsec esp-group ESP-GROUP lifetime '1800'
set vpn ipsec esp-group ESP-GROUP mode 'tunnel'
set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GROUP lifetime '3600'
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha1'
set vpn ipsec interface 'x'
set vpn ipsec site-to-site peer test authentication local-id 'x.x.x.x'
set vpn ipsec site-to-site peer test authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer test authentication remote-id 'x.x.x.x'
set vpn ipsec site-to-site peer test connection-type 'initiate'
set vpn ipsec site-to-site peer test default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer test ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer test local-address 'x.x.x.x'
set vpn ipsec site-to-site peer test remote-address 'x.x.x.x'
set vpn ipsec site-to-site peer test vti bind 'vti0'
set interfaces vti vti0 address 'x.x.x.x'
Once committed, run the command "show vp ike status" to check the status
Checklist:
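An added illustration of the failure mode described under "Proposed changes" (this is not code from the pull request or from VyOS): a status check keyed on the daemon's process name reports a false "not running" once the daemon is renamed from charon to charon-systemd. The function names and the throwaway /proc-like tree are assumptions made for the example, as is the idea that the check matches on process name.

```python
import os
import tempfile

# Daemon names mentioned on the page: the older "charon" and the newer "charon-systemd".
IKE_DAEMON_NAMES = ("charon-systemd", "charon")


def running_ike_daemons(proc_root="/proc", names=IKE_DAEMON_NAMES):
    """Return sorted (pid, comm) pairs whose comm exactly matches one of names."""
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # only numeric directories are processes
        try:
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited between listdir() and open()
        if comm in names:
            found.append((int(entry), comm))
    return sorted(found)


def ike_status(proc_root="/proc", names=IKE_DAEMON_NAMES):
    """Summarise the daemon state as a status command would report it."""
    return "running" if running_ike_daemons(proc_root, names) else "not running"


def build_fake_proc(comms):
    """Constructed sample input: a /proc-like tree mapping pid -> comm."""
    root = tempfile.mkdtemp()
    for pid, comm in comms.items():
        os.makedirs(os.path.join(root, str(pid)))
        with open(os.path.join(root, str(pid), "comm"), "w") as fh:
            fh.write(comm + "\n")
    return root


if __name__ == "__main__":
    root = build_fake_proc({1: "systemd", 812: "charon-systemd", 900: "sshd"})
    # A check that only knows the old name misses the renamed daemon.
    print("old name only:", ike_status(root, names=("charon",)))
    # Accepting both names reports the daemon correctly.
    print("both names:   ", ike_status(root))
```

For monitoring, a false "not running" is as misleading as a false "running", so health checks that depend on a service or process name need re-validation whenever the packaged daemon changes.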