
[IPSec] Protocol all does not work in IPSec Tunnel
Closed, Resolved (Public, BUG)

Description

The following simple configuration does not work anymore:

vpn {
    ipsec {
        esp-group TEST-ESP {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group TEST-IKE {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28000
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer 10.131.0.101 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret abc
                }
                connection-type initiate
                ike-group TEST-IKE
                local-address 10.131.0.102
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group TEST-ESP
                    local {
                        prefix 192.168.20.0/24
                    }
                    protocol all
                    remote {
                        prefix 192.168.10.0/24
                    }
                }
            }
        }
    }
}

The following errors appeared in the log file:

Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: # bad protocol: leftprotoport=all
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]:   bad argument value in conn 'peer-10.131.0.101-tunnel-1'
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: # bad protocol: rightprotoport=all
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]:   bad argument value in conn 'peer-10.131.0.101-tunnel-1'
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: # ignored conn 'peer-10.131.0.101-tunnel-1' due to 2 parsing errors
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: ### 2 parsing errors (0 fatal) ###

When you change the protocol from all to ip, it works:

set vpn ipsec site-to-site peer 10.131.0.101 tunnel 1 protocol ip

It looks like it stopped working when strongSwan was changed from 4.x to 5.x.

Regards
Markus

Details

Difficulty level: Normal (likely a few hours)
Version: VyOS 1.2.0-rc8
Why the issue appeared: Will be filled on close

Event Timeline

adestis created this task. Nov 26 2018, 11:20 AM
syncer triaged this task as Normal priority. Nov 29 2018, 8:22 PM
syncer assigned this task to hagbard.
hagbard changed the task status from Open to In progress. Nov 29 2018, 10:53 PM

left|rightprotoport has been removed from strongSwan since version 5.1. %.6 is running on the latest rolling. Protocols can now be defined via left|rightsubnet (leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53]).
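As an added example (not the vyatta-cfg-vpn code that the package below fixes), the following Python renders a VyOS site-to-site tunnel into the strongSwan 5.x left|rightsubnet selector syntax described in the comment above, treating the VyOS default `protocol all` as "no restriction" rather than passing it through as a protocol name, and includes a small checker that flags the `leftprotoport=all` / `rightprotoport=all` values the report's log shows ipsec_starter rejecting. The `Tunnel` dataclass, the `local_port`/`remote_port` fields and the function names are assumptions made for this example; the conn name, addresses, prefixes and the `[proto/port]` form come from this task.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Tunnel:
    """One 'vpn ipsec site-to-site peer <peer> tunnel <n>' block.

    Fields mirror the VyOS nodes in the report; local_port/remote_port are
    hypothetical extras so the [proto/port] selector form can be shown.
    """
    peer: str
    local_address: str
    tunnel_id: int
    local_prefix: str
    remote_prefix: str
    protocol: str = "all"            # VyOS default
    local_port: Optional[str] = None
    remote_port: Optional[str] = None


def selector(prefix: str, protocol: Optional[str], port: Optional[str]) -> str:
    """Render one traffic selector in strongSwan 5.x subnet syntax.

    strongSwan 5.x attaches protocol and port to the subnet itself,
    e.g. 10.0.0.0/16[%any/53] or fec1::1[udp/%any]. The VyOS default 'all'
    means "no restriction", so it is never emitted as a protocol name: a bare
    prefix is produced, or %any as the protocol when only a port is given.
    """
    unrestricted = protocol in (None, "", "all")
    if unrestricted and not port:
        return prefix
    proto = "%any" if unrestricted else protocol
    return f"{prefix}[{proto}/{port or '%any'}]"


def render_conn(t: Tunnel) -> List[str]:
    """Emit the selector-related conn lines for one tunnel (ipsec.conf style).

    IKE/ESP proposal keys are deliberately left out of this example.
    """
    name = f"peer-{t.peer}-tunnel-{t.tunnel_id}"
    return [
        f"conn {name}",
        f"    left={t.local_address}",
        f"    right={t.peer}",
        f"    leftsubnet={selector(t.local_prefix, t.protocol, t.local_port)}",
        f"    rightsubnet={selector(t.remote_prefix, t.protocol, t.remote_port)}",
    ]


_PROTOPORT = re.compile(r"^\s*(left|right)protoport\s*=\s*(\S+)")


def legacy_protoport_problems(lines: List[str]) -> List[str]:
    """Return every left|rightprotoport setting whose protocol part is 'all'.

    That is the exact value the report's log shows strongSwan 5.x rejecting
    ('bad protocol: leftprotoport=all'); running this over a generated
    ipsec.conf catches it before ipsec_starter drops the whole conn.
    """
    problems = []
    for line in lines:
        m = _PROTOPORT.match(line)
        if not m:
            continue
        side, value = m.groups()
        proto = value.split("/", 1)[0]
        if proto.lower() == "all":
            problems.append(f"{side}protoport={value}")
    return problems


if __name__ == "__main__":
    # Constructed from the tunnel in the bug report.
    tunnel = Tunnel(peer="10.131.0.101", local_address="10.131.0.102",
                    tunnel_id=1, local_prefix="192.168.20.0/24",
                    remote_prefix="192.168.10.0/24", protocol="all")
    print("\n".join(render_conn(tunnel)))
    # Constructed legacy (strongSwan 4.x style) rendering of the same tunnel,
    # to show what the checker flags.
    legacy = ["conn peer-10.131.0.101-tunnel-1",
              "    leftprotoport=all", "    rightprotoport=all"]
    print(legacy_protoport_problems(legacy))
```

With the report's tunnel, `render_conn` emits `leftsubnet=192.168.20.0/24` and `rightsubnet=192.168.10.0/24` with no protoport keys at all, which is what the fixed package has to produce for `protocol all`; a tunnel with `protocol udp` and a port would instead yield the `[udp/<port>]` suffix form quoted in the comment.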

Hi @adestis,

You can test it in the rolling release of Dec 7th, or manually install http://dev.packages.vyos.net/repositories/current/vyos/pool/main/v/vyatta-cfg-vpn/vyatta-cfg-vpn_0.12.105+vyos2+current4_all.deb. Please let me know if it works as expected.

hagbard changed the task status from In progress to Needs testing. Dec 6 2018, 7:14 PM
hagbard closed this task as Resolved. Dec 12 2018, 6:57 PM

The new syntax is being applied to the config file.

pasik added a subscriber: pasik. Dec 19 2018, 7:35 AM