libreswan unconfigures vti interfaces in temporary network outage
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libreswan (Ubuntu) | New | Undecided | Unassigned |
Bug Description
On an Ubuntu 17.10 system, if a temporary network outage occurs, such as a firmware upgrade on an Ethernet switch in the network path or temporarily disconnecting the interface via the virtualization platform or failing to configure AWS's recommended lifetime and/or dead peer detection settings, libreswan will unconfigure the vti interfaces during the temporary failure and not reconfigure them when the temporary failure is over, resulting in not recovering from the outage until `systemctl restart ipsec` is run manually. (The vti interfaces disappear from the output of `ip addr` during the temporary failure and the vti interfaces do not reappear in the output of `ip addr` until after `systemctl restart ipsec` is run.) Additionally, libreswan doesn't seem to successfully configure the vti interfaces at boot time, but manually running `systemctl restart ipsec` shortly after a reboot works. (Given that I'm relying on systemd-networkd to configure the dummy0 interface with the globally routable IP address being used, there's a chance that libreswan might be starting before dummy0 gets configured.)
left=, right=, and leftvti= values have been redacted for posting in this bug report, and I have only included one of the several connections here, but the rest of the configuration below reflects what I have in /etc/ipsec.
Additionally, the documentation suggested that I could set mark to -1 for all tunnels to automatically get a unique mark for each one, but I found that some of the tunnels failed to work when I used -1 and started working when I manually assigned a unique mark value to each.
I am using bird to run BGP across these tunnels.
```
conn aws-base
fragmentat
dpdaction=
dpddelay=10
dpdtimeout=30
ikelifetim
salifetime
auto=start
authby=secret
ike=
phase2=esp
phase2alg=
type=tunnel
vti-routing=no
left=
leftsubnet
rightsubne

conn aws-1
also=aws-base
vti-
leftvti=
right=
mark=
```
Upgrading from Ubuntu 17.10 to 18.04 appears to have fixed the problem with the vti interfaces disappearing from the output of `ip addr` during a network glitch.
However, I still see a failure of the vti interfaces to come up automatically at boot without manually running `systemctl start ipsec`, and I still find that after a temporary network glitch, the tunnels do not promptly resume passing traffic.
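The condition reported above (vti interfaces vanishing from `ip addr` and only returning after `systemctl restart ipsec`) is easy to detect from the kernel's link list. The script below is an added example, not part of this bug report or of libreswan: it compares the vti interfaces libreswan is expected to have created against `ip -o link show` output and names any that are absent or not flagged UP, so a cron job or systemd timer can restart ipsec only when a tunnel has actually been lost. The interface names `vti01`/`vti02` and the sample `ip -o link` output are constructed for illustration.

```shell
#!/bin/sh
# Health check for libreswan vti interfaces (added example, not from the bug report).

# Constructed sample of `ip -o link show` output: vti01 is up, vti02 exists but is
# DOWN, and there is no vti03 at all.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
5: vti01@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1436 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/ipip 0.0.0.0 brd 0.0.0.0
6: vti02@NONE: <POINTOPOINT,NOARP> mtu 1436 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ipip 0.0.0.0 brd 0.0.0.0'

# unhealthy_vtis "NAME NAME ..." "LINK_OUTPUT"
# Prints "<name> missing" or "<name> down" for each expected vti that is not
# present and UP. Returns 0 when every expected vti is healthy, 1 otherwise.
unhealthy_vtis() {
    expected=$1
    links=$2
    rc=0
    for name in $expected; do
        # `ip -o link` prints "N: name@parent: <FLAGS> ..." (or "N: name: ..." without a parent).
        line=$(printf '%s\n' "$links" | grep -E "^[0-9]+: ${name}(@[^:]*)?: " || true)
        if [ -z "$line" ]; then
            echo "$name missing"
            rc=1
        # UP must appear as a whole flag inside <...>; LOWER_UP alone does not count.
        elif ! printf '%s\n' "$line" | grep -qE '<([^>]*,)?UP(,[^>]*)?>'; then
            echo "$name down"
            rc=1
        fi
    done
    return $rc
}

# Live use (e.g. from a systemd timer): query the kernel and restart ipsec only
# when one of the configured vti interfaces has been lost.
check_and_repair() {
    expected=$1
    if ! unhealthy_vtis "$expected" "$(ip -o link show)"; then
        systemctl restart ipsec
    fi
}
```

Run `check_and_repair "vti01 vti02"` with the names from the leftvti= entries of your own configuration; the restart only fires when the check prints a missing or down interface.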