yahoo-eng-team team mailing list archive

[Bug 2116723] [NEW] VPN Perfect Forward Secrecy (PFS) is deactivated although configured as active


Public bug reported:

openstack 5.8.0
OSISM Version 8.1.0
ubuntu 11.4.0-1ubuntu1~22.04

I noticed that although PFS is activated, the peer gateway receives SA parameters stating that PFS is deactivated. This means that the tunnel cannot be established stably. If PFS is deactivated on the peer gateway, the VPN IPSec tunnel is established stably,
but then without the extended security of PFS. On the OpenStack side, PFS is still activated.


==> Extract of the log on the peer gateway:

```
.
..
0:VPN-A:11909809: received create-child request
0:VPN-A:11909809: responder received CREATE_CHILD exchange
0:VPN-A:11909809: responder creating new child
0:VPN-A:11909809:53834102: peer proposal:
0:VPN-A:11909809:53834102: TSi_1 xxxxxxxxxxxxxxxxx
0:VPN-A:11909809:53834102: TSr_0 xxxxxxxxxxxxxxxxx
0:VPN-A:11909809:53834102: TSr_1 xxxxxxxxxxxxxxxxx
0:VPN-A:11909809:VPN-A-0:53834102: comparing selectors
0:VPN-A:11909809:VPN-A-0:53834102: matched by rfc-rule-2
0:VPN-A:11909809:VPN-A-0:53834102: phase2 matched by subset
0:VPN-A:11909809:53834102: local narrowing exactly matches static selector
0:VPN-A:11909809:VPN-A-0:53834102: accepted proposal:
0:VPN-A:11909809:VPN-A-0:53834102: TSi_0 xxxxxxxxxxxxxxxx
0:VPN-A:11909809:VPN-A-0:53834102: TSr_0 xxxxxxxxxxxxxxxx
0:VPN-A:11909809:VPN-A-0:53834102: autokey
0:VPN-A:11909809:VPN-A-0:53834102: incoming child SA proposal:
0:VPN-A:11909809:VPN-A-0:53834102: proposal id = 1:
0:VPN-A:11909809:VPN-A-0:53834102:   protocol = ESP:
0:VPN-A:11909809:VPN-A-0:53834102:      encapsulation = TUNNEL
0:VPN-A:11909809:VPN-A-0:53834102:         type=ENCR, val=AES_CBC (key_len = 256)
0:VPN-A:11909809:VPN-A-0:53834102:         type=INTEGR, val=SHA256
0:VPN-A:11909809:VPN-A-0:53834102:         type=DH_GROUP, val=MODP2048
0:VPN-A:11909809:VPN-A-0:53834102:         type=ESN, val=NO
0:VPN-A:11909809:VPN-A-0:53834102: proposal id = 2:
0:VPN-A:11909809:VPN-A-0:53834102:   protocol = ESP:
0:VPN-A:11909809:VPN-A-0:53834102:      encapsulation = TUNNEL
0:VPN-A:11909809:VPN-A-0:53834102:         type=ENCR, val=AES_CBC (key_len = 256)
0:VPN-A:11909809:VPN-A-0:53834102:         type=ENCR, val=AES_CBC (key_len = 192)
0:VPN-A:11909809:VPN-A-0:53834102:         type=ENCR, val=AES_CBC (key_len = 128)
0:VPN-A:11909809:VPN-A-0:53834102:         type=INTEGR, val=5
0:VPN-A:11909809:VPN-A-0:53834102:         type=INTEGR, val=SHA
0:VPN-A:11909809:VPN-A-0:53834102:         type=INTEGR, val=SHA512
0:VPN-A:11909809:VPN-A-0:53834102:         type=INTEGR, val=SHA384
0:VPN-A:11909809:VPN-A-0:53834102:         type=INTEGR, val=SHA256
0:VPN-A:11909809:VPN-A-0:53834102:         type=ESN, val=NO

>>>0:VPN-A:11909809:VPN-A-0:53834102:         PFS is disabled

0:VPN-A:11909809:VPN-A-0:53834102: proposal id = 3:
0:VPN-A:11909809:VPN-A-0:53834102:   protocol = ESP:
..
.
```

==> Neutron configuration:

ike policy:

```
+-------------------------------+--------------------------------------+
| Field                         | Value                                |
+-------------------------------+--------------------------------------+
| Authentication Algorithm      | sha512                               |
| Description                   |                                      |
| Encryption Algorithm          | aes-256                              |
| ID                            | <ID>                                 |
| IKE Version                   | v2                                   |
| Lifetime                      | {'units': 'seconds', 'value': 86400} |
| Name                          | <NAME>                               |
| Perfect Forward Secrecy (PFS) | group14                              |
| Phase1 Negotiation Mode       | main                                 |
| Project                       | <PROJECTID>                          |
+-------------------------------+--------------------------------------+
```

ipsec policy:

```
+-------------------------------+--------------------------------------+
| Field                         | Value                                |
+-------------------------------+--------------------------------------+
| Authentication Algorithm      | sha256                               |
| Description                   |                                      |
| Encapsulation Mode            | tunnel                               |
| Encryption Algorithm          | aes-256                              |
| ID                            | <ID>                                 |
| Lifetime                      | {'units': 'seconds', 'value': 3600}  |
| Name                          | <NAME>                               |
| Perfect Forward Secrecy (PFS) | group14                              |
| Project                       | <PROJECT-ID>                         |
| Transform Protocol            | esp                                  |
+-------------------------------+--------------------------------------+
```

ipsec site connection:

```
+--------------------------+------------------------------------------------------+
| Field                    | Value                                                |
+--------------------------+------------------------------------------------------+
| Authentication Algorithm | psk                                                  |
| DPD                      | {'action': 'restart', 'interval': 20, 'timeout': 60} |
| Description              |                                                      |
| ID                       | <ID>                                                 |
| IKE Policy               | <IKE-POLICY-ID>                                      |
| IPSec Policy             | <IPSEC-POLICY-ID>                                    |
| Initiator                | bi-directional                                       |
| Local Endpoint Group ID  | <LOCAL-ENDPOINT-GROUP-ID>                            |
| Local ID                 |                                                      |
| MTU                      | 1500                                                 |
| Name                     | <NAME>                                               |
| Peer Address             | <PEER ADDRESS IP>                                    |
| Peer CIDRs               |                                                      |
| Peer Endpoint Group ID   | <PEER-ENDPOINT-GROUP-ID>                             |
| Peer ID                  | <PEER ADDRESS IP>                                    |
| Pre-shared Key           | <PRE-SHARED-KEY>                                     |
| Project                  | <PROJECT-ID>                                         |
| Route Mode               | static                                               |
| State                    | True                                                 |
| Status                   | ACTIVE                                               |
| VPN Service              | <VPN-SERVICE-ID>                                     |
+--------------------------+------------------------------------------------------+
```

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: vpnaas
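As an added example (not part of the bug report, neutron or the peer gateway's software), a small Python checker that parses child SA proposal lines in the format of the peer gateway log above and flags every proposal that carries no DH_GROUP transform, which is exactly the condition the peer logged as "PFS is disabled"; it also reports proposals whose DH group does not match the group configured in the neutron IPsec policy. The sample log is constructed, and the mapping of neutron's groupN names to the peer's MODP names is an assumption based on the standard DH group sizes.

```python
import re

# Constructed sample, mirroring the peer gateway log format from the bug report:
# proposal 1 carries a DH_GROUP transform, proposal 2 does not.
SAMPLE_LOG = """\
0:VPN-A:11909809:VPN-A-0:53834102: incoming child SA proposal:
0:VPN-A:11909809:VPN-A-0:53834102: proposal id = 1:
0:VPN-A:11909809:VPN-A-0:53834102:         type=ENCR, val=AES_CBC (key_len = 256)
0:VPN-A:11909809:VPN-A-0:53834102:         type=INTEGR, val=SHA256
0:VPN-A:11909809:VPN-A-0:53834102:         type=DH_GROUP, val=MODP2048
0:VPN-A:11909809:VPN-A-0:53834102:         type=ESN, val=NO
0:VPN-A:11909809:VPN-A-0:53834102: proposal id = 2:
0:VPN-A:11909809:VPN-A-0:53834102:         type=ENCR, val=AES_CBC (key_len = 256)
0:VPN-A:11909809:VPN-A-0:53834102:         type=INTEGR, val=SHA256
0:VPN-A:11909809:VPN-A-0:53834102:         type=ESN, val=NO
"""

# Assumed mapping: neutron PFS group names -> MODP names as the peer logs them
# (standard DH group sizes; "MODP2048" is the spelling seen in the log above).
GROUP_TO_MODP = {"group2": "MODP1024", "group5": "MODP1536", "group14": "MODP2048"}

PROPOSAL_RE = re.compile(r"proposal id = (\d+):")
TRANSFORM_RE = re.compile(r"type=(\w+), val=(\S+)")


def parse_proposals(log):
    """Return {proposal_id: {transform_type: [values]}} for one child SA proposal list."""
    proposals, current = {}, None
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:  # a new "proposal id = N:" header starts a new transform set
            current = int(m.group(1))
            proposals[current] = {}
            continue
        m = TRANSFORM_RE.search(line)
        if m and current is not None:  # transform line belonging to the current proposal
            proposals[current].setdefault(m.group(1), []).append(m.group(2))
    return proposals


def check_pfs(log, expected_group):
    """Flag proposals without DH_GROUP (no fresh DH exchange, hence no PFS) and proposals
    whose DH_GROUP does not contain the group configured in the neutron IPsec policy."""
    proposals = parse_proposals(log)
    wanted = GROUP_TO_MODP[expected_group]
    no_pfs = [pid for pid, t in sorted(proposals.items()) if "DH_GROUP" not in t]
    wrong_group = [pid for pid, t in sorted(proposals.items())
                   if "DH_GROUP" in t and wanted not in t["DH_GROUP"]]
    return {"total": len(proposals), "no_pfs": no_pfs, "wrong_group": wrong_group,
            "pfs_enforced": not no_pfs and not wrong_group}
```

Run against the constructed sample with `check_pfs(SAMPLE_LOG, "group14")`, the result lists proposal 2 under `no_pfs`, the same proposal the peer in the report rejected as PFS-disabled.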

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2116723


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2116723/+subscriptions