
1.2.0 epa2 - IPsec VPN initiation
Closed, Resolved | Public | BUG

Description

I am attempting to establish a routed IKEv2 IPsec VPN with my IPsec interface having a DHCP address.

I am unable to commit my configuration because dhcp-interface and local-address within the vpn component are mutually exclusive. However, I am unable to commit any vpn configuration without the declaration of a specific IP address, as it is required for VTI bound IPsec connections.

Interface config:

interfaces {
    ethernet eth0 {
        address dhcp
        description "Cust: pr140002 [10Mbit] (Internet:AT&T)"
        duplex auto
        hw-id 0c:c4:7a:db:ef:8c
        smp-affinity auto
        speed auto
    }
}

Error when vpn dhcp-interface and vpn local-address are set:

[ vpn ipsec site-to-site peer x.x.x.x ]
VPN configuration error: Only one of local-address or dhcp-interface may be defined


[[vpn]] failed
Commit failed

Error when only vpn dhcp-interface is set:

[ vpn ]
VPN VTI configuration error: local-address not defined.

[[vpn]] failed
Commit failed
[edit]

Error when local-address is set to any:

[ vpn ]
VPN VTI configuration error: Invalid local-address "any", an ip address must be specified for VTIs.

[[vpn]] failed
Commit failed
[edit]

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0-epa2
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

syncer triaged this task as High priority.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-EPA3); removed VyOS 1.2 Crux.

I don't know whether it can be helpful but I have a similar configuration working in OCI (Oracle Cloud Infrastructure).
The eth0 interface is configured as follows:

set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'

while the VPN is defined like this:

set vpn ipsec ipsec-interfaces interface 'eth0'

...

set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> authentication id '<YOUR_PUBLIC_IP_OR_NATIP>'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> authentication pre-shared-secret '<PRESHARED>'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> connection-type 'initiate'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> default-esp-group 'ESP-AWS01'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> ike-group 'IKE-AWS01'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> local-address '<YOUR_CURRENT_DHCP_IP_ADDRESS>'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> vti bind 'vti0'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> vti esp-group 'ESP-AWS01'

and the vti interface:

set interfaces vti vti0 address '169.254.10.2/30'
set interfaces vti vti0 mtu '1436'

There is also a DHCP reservation for the VyOS VM, which makes things easier as the DHCP server always gives the same IP to the VM.
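The three commit errors quoted in the description and the DHCP-reservation workaround in the comment above describe a set of constraints that no DHCP-bound VTI peer can satisfy. The following Python script is an added illustration, not VyOS's own validator code: it models those three checks as the quoted messages describe them (mutual exclusion of `local-address` and `dhcp-interface`, a required `local-address` for VTI-bound peers, and rejection of wildcard addresses such as `any` or `0.0.0.0`), runs them over `set` command lines, and shows that only a concrete address, i.e. the reserved-lease workaround, passes. The peer address `203.0.113.1`, the lease address `192.0.2.10` and the `VARIANTS` table are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

PEER_PREFIX = ["set", "vpn", "ipsec", "site-to-site", "peer"]


@dataclass
class Peer:
    """The subset of a site-to-site peer that the three quoted checks look at."""
    address: str
    local_address: Optional[str] = None
    dhcp_interface: Optional[str] = None
    vti_bind: Optional[str] = None


def parse_set_commands(lines: List[str]) -> Dict[str, Peer]:
    """Collect peer settings from 'set vpn ipsec site-to-site peer ...' lines.

    Other 'set' lines (ike-group, esp-group, interfaces ...) are ignored because
    the checks modelled here do not depend on them.
    """
    peers: Dict[str, Peer] = {}
    for line in lines:
        tokens = line.split()
        if tokens[:5] != PEER_PREFIX or len(tokens) < 8:
            continue
        peer = peers.setdefault(tokens[5], Peer(tokens[5]))
        path, value = tokens[6:-1], tokens[-1].strip("'\"")
        if path == ["local-address"]:
            peer.local_address = value
        elif path == ["dhcp-interface"]:
            peer.dhcp_interface = value
        elif path == ["vti", "bind"]:
            peer.vti_bind = value
    return peers


def _is_specific_ipv4(value: str) -> bool:
    """True only for a concrete IPv4 address: 'any' does not parse, 0.0.0.0 is unspecified."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return addr.version == 4 and not addr.is_unspecified


def check_peer(peer: Peer) -> List[str]:
    """Return the commit error the report quotes for this peer, or [] if it would commit.

    Only the first failing check is reported, mirroring how the quoted commits abort.
    """
    if peer.local_address is not None and peer.dhcp_interface is not None:
        return [f"[ vpn ipsec site-to-site peer {peer.address} ] "
                "VPN configuration error: Only one of local-address or "
                "dhcp-interface may be defined"]
    if peer.vti_bind is None:
        return []
    # VTI-bound peers additionally need a concrete local address.
    if peer.local_address is None:
        return ["[ vpn ] VPN VTI configuration error: local-address not defined."]
    if not _is_specific_ipv4(peer.local_address):
        return ['[ vpn ] VPN VTI configuration error: Invalid local-address '
                f'"{peer.local_address}", an ip address must be specified for VTIs.']
    return []


def committable(lines: List[str]) -> bool:
    """True when every peer in the given set commands passes all modelled checks."""
    return all(not check_peer(p) for p in parse_set_commands(lines).values())


# Constructed sample: the variants tried in the report plus the DHCP-reservation
# workaround. 203.0.113.1 is a documentation-range peer address and 192.0.2.10
# the address a DHCP reservation would hand to eth0.
BASE = [
    "set vpn ipsec site-to-site peer 203.0.113.1 vti bind 'vti0'",
    "set vpn ipsec site-to-site peer 203.0.113.1 ike-group 'IKE-AWS01'",
]
VARIANTS = {
    "dhcp-interface + local-address": BASE + [
        "set vpn ipsec site-to-site peer 203.0.113.1 dhcp-interface 'eth0'",
        "set vpn ipsec site-to-site peer 203.0.113.1 local-address '192.0.2.10'"],
    "dhcp-interface only": BASE + [
        "set vpn ipsec site-to-site peer 203.0.113.1 dhcp-interface 'eth0'"],
    "local-address any": BASE + [
        "set vpn ipsec site-to-site peer 203.0.113.1 local-address 'any'"],
    "local-address 0.0.0.0": BASE + [
        "set vpn ipsec site-to-site peer 203.0.113.1 local-address '0.0.0.0'"],
    "fixed DHCP lease (workaround)": BASE + [
        "set vpn ipsec site-to-site peer 203.0.113.1 local-address '192.0.2.10'"],
}


def committable_variants() -> List[str]:
    """Names of the variants that pass all three modelled checks."""
    return [name for name, lines in VARIANTS.items() if committable(lines)]


if __name__ == "__main__":
    for name, lines in VARIANTS.items():
        errors = check_peer(parse_set_commands(lines)["203.0.113.1"])
        print(f"{name:32} -> {'commit ok' if not errors else errors[0]}")
```

Running the script prints one line per variant; the four variants from the report each stop at one of the quoted errors, and only the reserved-lease variant commits. The practical consequence is the one the comment reaches: until `dhcp-interface` is accepted for VTI-bound peers, the address on the DHCP interface has to be made stable (a reservation) and written into `local-address` as a literal.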

syncer reassigned this task from dmbaturin to Unknown Object (User). Feb 5 2019, 3:07 PM
syncer added a subscriber: dmbaturin.

Can you try without dhcp-interface and set 0.0.0.0 as local-address?

No. The configuration options 'dhcp-interface' and 'local-address' are mutually exclusive, so attempting to commit a configuration with both results in a commit error.

[ vpn ipsec site-to-site peer x.x.x.x ]
VPN configuration error: Only one of local-address or dhcp-interface may be defined

@ekim rephrased: remove the DHCP-interface option and only use and configure the local-address to 0.0.0.0.

Ah, I misread, my apologies. Let me try.

Received the following commit error:

vyos@hostname-1# delete vpn ipsec site-to-site peer x.x.x.x dhcp-interface
[edit]
vyos@hostname-1# set vpn ipsec site-to-site peer x.x.x.x local-address 0.0.0.0
[edit]
vyos@hostname-1# commit
[ vpn ]
VPN VTI configuration error: Invalid local-address "0.0.0.0", an ip address must be specified for VTIs.

[[vpn]] failed
Commit failed
syncer reassigned this task from Unknown Object (User) to UnicronNL. Mar 17 2019, 3:45 AM
syncer lowered the priority of this task from High to Low.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux (VyOS 1.2.2).
syncer added a subscriber: Unknown Object (User).
Viacheslav added a subscriber: Viacheslav.
set vpn ipsec site-to-site peer 100.64.0.2 dhcp-interface eth1
erkin set Is it a breaking change? to Unspecified (possibly destroys the router). Tue, Aug 31, 6:58 PM
erkin set Issue type to Bug (incorrect behavior).