
1.2.0 epa2 - IPsec VPN initiation
Open, Low, Public, BUG

Description

I am attempting to establish a routed IKEv2 IPsec VPN with my IPsec interface having a DHCP address.

I am unable to commit my configuration because dhcp-interface and local-address within the vpn component are mutually exclusive. However, I am unable to commit any vpn configuration without the declaration of a specific IP address, as it is required for VTI-bound IPsec connections.

Interface config:

interfaces {
    ethernet eth0 {
        address dhcp
        description "Cust: pr140002 [10Mbit] (Internet:AT&T)"
        duplex auto
        hw-id 0c:c4:7a:db:ef:8c
        smp-affinity auto
        speed auto
    }
}

Error when vpn dhcp-interface and vpn local-address are set:

[ vpn ipsec site-to-site peer x.x.x.x ]
VPN configuration error: Only one of local-address or dhcp-interface may be defined


[[vpn]] failed
Commit failed

Error when only vpn dhcp-interface is set:

[ vpn ]
VPN VTI configuration error: local-address not defined.

[[vpn]] failed
Commit failed
[edit]

Error when local-address is set to any:

[ vpn ]
VPN VTI configuration error: Invalid local-address "any", an ip address must be specified for VTIs.

[[vpn]] failed
Commit failed
[edit]

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0-epa2
Why the issue appeared?
Will be filled on close

Event Timeline

ekim created this task. Jan 9 2019, 7:22 PM
pasik added a subscriber: pasik. Jan 11 2019, 12:09 PM
syncer assigned this task to dmbaturin. Jan 12 2019, 6:32 PM
syncer triaged this task as High priority.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-EPA3); removed VyOS 1.2 Crux.
danpro added a subscriber: danpro. (Edited) Jan 14 2019, 9:31 PM

I don't know whether it can be helpful, but I have a similar configuration working in OCI (Oracle Cloud Infrastructure).
The eth0 interface is configured as follows:

set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'

while the VPN is defined like this:

set vpn ipsec ipsec-interfaces interface 'eth0'

...

set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> authentication id '<YOUR_PUBLIC_IP_OR_NATIP>'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> authentication pre-shared-secret '<PRESHARED>'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> connection-type 'initiate'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> default-esp-group 'ESP-AWS01'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> ike-group 'IKE-AWS01'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> local-address '<YOUR_CURRENT_DHCP_IP_ADDRESS>'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> vti bind 'vti0'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> vti esp-group 'ESP-AWS01'

and the vti interface:

set interfaces vti vti0 address '169.254.10.2/30'
set interfaces vti vti0 mtu '1436'

There is also a DHCP reservation for the VyOS VM that makes things easier, as the DHCP server always gives the same IP to the VM.
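To make the dead end in the original description concrete, here is an added Python model of the three commit-time constraints that appear in the thread's error messages (mutual exclusion of local-address and dhcp-interface, VTI peers requiring local-address, and that address having to be a specific IP rather than "any" or 0.0.0.0). It is example code written for this page, not VyOS's own validation code; the candidate configurations, the interface name and the reserved address 203.0.113.10 are constructed values, and the assumption that the VTI rules apply only to VTI-bound peers is inferred from the "VPN VTI configuration error" prefix. Running it shows that every DHCP-side option from the description fails and only danpro's reserved-address approach commits.

```python
import ipaddress


class CommitError(Exception):
    """Carries the message the VyOS commit printed for that configuration."""


def validate_peer(peer):
    """Check one `vpn ipsec site-to-site peer` block against the three rules
    visible in the thread's commit errors.

    peer: dict with optional keys 'local-address' (str), 'dhcp-interface' (str)
          and 'vti-bind' (str, the VTI the peer is bound to).
    Returns True when the block passes; raises CommitError otherwise.
    """
    local = peer.get("local-address")
    dhcp_if = peer.get("dhcp-interface")

    # Rule 1 (peer level): local-address and dhcp-interface are mutually exclusive.
    if local is not None and dhcp_if is not None:
        raise CommitError("Only one of local-address or dhcp-interface may be defined")

    # Rules 2 and 3 are assumed to apply only to VTI-bound peers, because the
    # thread reports them with the "VPN VTI configuration error" prefix.
    if peer.get("vti-bind") is not None:
        if local is None:
            raise CommitError("local-address not defined.")
        try:
            addr = ipaddress.ip_address(local)
        except ValueError:
            addr = None  # the keyword "any" does not parse as an address
        if addr is None or addr.is_unspecified:  # 0.0.0.0 is "unspecified"
            raise CommitError(
                f'Invalid local-address "{local}", an ip address must be specified for VTIs.'
            )
    return True


def commit_result(peer):
    """Return 'commit ok' or the commit error message, without raising."""
    try:
        validate_peer(peer)
        return "commit ok"
    except CommitError as err:
        return str(err)


def thread_candidates(dhcp_iface="eth0", reserved_ip="203.0.113.10"):
    """Every configuration tried in the thread, plus the DHCP-reservation
    approach, mapped to its commit outcome (constructed values)."""
    vti = {"vti-bind": "vti0"}
    return {
        "dhcp-interface + local-address": commit_result(
            {**vti, "dhcp-interface": dhcp_iface, "local-address": reserved_ip}
        ),
        "dhcp-interface only": commit_result({**vti, "dhcp-interface": dhcp_iface}),
        "local-address any": commit_result({**vti, "local-address": "any"}),
        "local-address 0.0.0.0": commit_result({**vti, "local-address": "0.0.0.0"}),
        "reserved DHCP address as local-address": commit_result(
            {**vti, "local-address": reserved_ip}
        ),
    }


if __name__ == "__main__":
    for name, outcome in thread_candidates().items():
        print(f"{name:40s} -> {outcome}")
```

The practical reading of the output is that, under these rules, a VTI-bound peer on a DHCP interface can only be committed when the DHCP lease is made stable (a reservation) and that fixed address is written into local-address; a non-VTI peer is not subject to rules 2 and 3 and can use dhcp-interface directly.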

syncer reassigned this task from dmbaturin to Unicron.
syncer added a subscriber: dmbaturin.

Can you try without dhcp-interface and set 0.0.0.0 as local-address?

ekim added a comment. Feb 5 2019, 9:34 PM

No. The configuration options 'dhcp-interface' and 'local-address' are mutually exclusive, so attempting to commit a configuration with both results in a commit error.

[ vpn ipsec site-to-site peer x.x.x.x ]
VPN configuration error: Only one of local-address or dhcp-interface may be defined

@ekim rephrased: remove the DHCP-interface option and only use and configure the local-address to 0.0.0.0.

ekim added a comment. Feb 7 2019, 5:40 PM

Ah, I misread, my apologies. Let me try.

ekim added a comment. Feb 7 2019, 6:33 PM

Received the following commit error:

vyos@hostname-1# delete vpn ipsec site-to-site peer x.x.x.x dhcp-interface
[edit]
vyos@hostname-1# set vpn ipsec site-to-site peer x.x.x.x local-address 0.0.0.0
[edit]
vyos@hostname-1# commit
[ vpn ]
VPN VTI configuration error: Invalid local-address "0.0.0.0", an ip address must be specified for VTIs.

[[vpn]] failed
Commit failed
syncer reassigned this task from Unicron to UnicronNL.
syncer lowered the priority of this task from High to Low.
syncer added a subscriber: Unicron.