Hi all,
I have a problem while debugging an IPsec VPN.
The VPN has multiple traffic selectors defined for the child SAs:
/ip ipsec export
...
add address=1.2.3.4/32 secret=really_secret
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.0.0/24 level=unique sa-dst-address=1.2.3.4 sa-src-address=5.6.7.8 src-address=192.168.5.0/24 tunnel=yes
add dst-address=192.168.0.0/24 level=unique sa-dst-address=1.2.3.4 sa-src-address=5.6.7.8 src-address=192.168.6.0/24 tunnel=yes
....
When I look with ‘/ip ipsec installed-sa print’ I get only the SPI and the IP addresses of the VPN gateways but not the traffic selectors:
/ip ipsec installed-sa print detail
Flags: H - hw-aead, A - AH, E - ESP
0 E spi=0x8D5D697 src-address=1.2.3.4 dst-address=5.6.7.8 state=dying auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key="361c22ef4a7e04e329bcdf73219815e7feb642e9"
enc-key="20463475312c7567600fc70cde22132c0138d7923dbf953a565ebce769b34d1b" addtime=feb/06/1970 08:16:08 expires-in=5m57s add-lifetime=48m/1h current-bytes=348744 current-packets=4179 replay=128
1 E spi=0x11D600AE src-address=5.6.7.8 dst-address=1.2.3.4 state=dying auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key="8cf41b9a048103c48c83d6ae0e50cdd99d645184"
enc-key="7bd7eb21c14128a635186f4589b8343db995ec59f0d10a2d2bfcf5b71f9e4900" addtime=feb/06/1970 08:16:08 expires-in=5m57s add-lifetime=48m/1h current-bytes=1031578 current-packets=3953 replay=128
Is there a way to determine what SPI of the VPN is for what traffic selector?
Thanks for your help.
Mathias
OK, I have found a solution that will work for me.
I will add the following to the log settings:
/system logging add topics=ipsec,!debug
Then I get something like this in the logs:
13:54:37 ipsec respond new phase 2 negotiation: 1.2.3.4[500]<=>5.6.7.8[500]
13:54:37 ipsec searching for policy for selector: 192.168.0.0/24 <=> 192.168.5.0/24
13:54:37 ipsec using strict match: 192.168.0.0/24 <=> 192.168.5.0/24
13:54:37 ipsec sent phase2 packet 1.2.3.4[500]<=>5.6.7.8[500] 39410291243a51ee:5799a8c9c3f9ca3b:d6b31ba3
13:54:37 ipsec IPsec-SA established: ESP/Tunnel 5.6.7.8[500]->1.2.3.4[500] spi=0xb986f48
13:54:37 ipsec IPsec-SA established: ESP/Tunnel 1.2.3.4[500]->5.6.7.8[500] spi=0x832f2af5
...
14:42:37 ipsec IPsec-SA expired: ESP/Tunnel 5.6.7.8[500]->1.2.3.4[500] spi=0xb986f48
14:42:37 ipsec IPsec-SA expired: ESP/Tunnel 1.2.3.4[500]->5.6.7.8[500] spi=0x832f2af5
...
14:54:37 ipsec IPsec-SA expired: ESP/Tunnel 5.6.7.8[500]->1.2.3.4[500] spi=0xb986f48
14:54:37 ipsec IPsec-SA expired: ESP/Tunnel 1.2.3.4[500]->5.6.7.8[500] spi=0x832f2af5
All I have to do is to keep track of the negotiation messages and the SPIs.
Maybe a script will do this.
Thanks for your patience.
Mathias
Unfortunately my solution only works for Child-SAs initiated by the peer.
If I want to get the traffic selectors for SAs initiated by my side I have to resort to debug logging.
Then I get the following:
13:42:22 ipsec initiate new phase 2 negotiation: 1.2.3.4[500]<=>5.6.7.8[500]
...
13:42:22 ipsec,debug use local ID type IPv4_subnet
13:42:22 ipsec,debug use remote ID type IPv4_subnet
13:42:22 ipsec,debug IDci:
13:42:22 ipsec,debug 04000000 0ca80000 ffffff00
13:42:22 ipsec,debug IDcr:
13:42:22 ipsec,debug 04000000 0ca80500 ffffff00
While I could deal easily with the hex values in a script, I don’t want to turn on debug logging permanently.
Is there any other solution?
Kind regards,
Mathias
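An added example, not from the thread or from RouterOS, of the script the second post talks about: it walks the ipsec log lines, ties each established SPI to the selector pair logged for that phase 2 negotiation (None when the negotiation logged no selector, which is the initiator case from the third post), drops expired SPIs, and decodes the IDci/IDcr hex words from the ipsec,debug topic into a CIDR selector. The log text and hex words are constructed after the lines quoted in the thread; SPIs are kept as integers so the lowercase log form and the uppercase installed-sa form compare equal.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample, modelled on the non-debug log lines quoted in the thread.
SAMPLE_LOG = """\
13:54:37 ipsec respond new phase 2 negotiation: 1.2.3.4[500]<=>5.6.7.8[500]
13:54:37 ipsec searching for policy for selector: 192.168.0.0/24 <=> 192.168.5.0/24
13:54:37 ipsec using strict match: 192.168.0.0/24 <=> 192.168.5.0/24
13:54:37 ipsec IPsec-SA established: ESP/Tunnel 5.6.7.8[500]->1.2.3.4[500] spi=0xb986f48
13:54:37 ipsec IPsec-SA established: ESP/Tunnel 1.2.3.4[500]->5.6.7.8[500] spi=0x832f2af5
13:55:01 ipsec initiate new phase 2 negotiation: 1.2.3.4[500]<=>5.6.7.8[500]
13:55:01 ipsec IPsec-SA established: ESP/Tunnel 1.2.3.4[500]->5.6.7.8[500] spi=0x11d600ae
14:42:37 ipsec IPsec-SA expired: ESP/Tunnel 5.6.7.8[500]->1.2.3.4[500] spi=0xb986f48
"""

NEGOTIATION_RE = re.compile(r"new phase 2 negotiation")
SELECTOR_RE = re.compile(r"using strict match: (\S+) <=> (\S+)")
SA_RE = re.compile(r"IPsec-SA (established|expired): ESP/Tunnel "
                   r"(\S+)\[\d+\]->(\S+)\[\d+\] spi=0x([0-9a-fA-F]+)")

def map_spi_to_selector(log_text):
    """Map each live SPI (int) to its SA endpoints and the selector pair logged
    for that negotiation; selector is None when none was logged (initiator side)."""
    selector = None
    live = {}
    for line in log_text.splitlines():
        if NEGOTIATION_RE.search(line):
            selector = None          # new child SA: forget the previous selector
            continue
        m = SELECTOR_RE.search(line)
        if m:
            selector = (m.group(1), m.group(2))
            continue
        m = SA_RE.search(line)
        if not m:
            continue
        event, src, dst, spi_hex = m.groups()
        spi = int(spi_hex, 16)
        if event == "established":
            live[spi] = {"sa_src": src, "sa_dst": dst, "selector": selector}
        else:                        # expired: drop the stale mapping
            live.pop(spi, None)
    return live

def decode_phase2_id(hex_words):
    """Decode an IDci/IDcr dump from the ipsec,debug topic. The ISAKMP ID payload
    body (RFC 2407) is: ID type, protocol ID, port, then the address data."""
    data = bytes.fromhex(hex_words.replace(" ", ""))
    id_type = data[0]                # data[1] = protocol, data[2:4] = port
    addr = IPv4Address(data[4:8])
    if id_type == 1:                 # ID_IPV4_ADDR: single host
        return f"{addr}/32"
    if id_type == 4:                 # ID_IPV4_ADDR_SUBNET: address + netmask
        mask = str(IPv4Address(data[8:12]))
        return str(IPv4Network((addr, mask), strict=False))
    raise ValueError(f"unhandled ISAKMP ID type {id_type}")
```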