
1.2.0 epa2 - IPsec VPN initiation
Open, Low, Public, BUG

Description

I am attempting to establish a routed IKEv2 IPsec VPN with my IPsec interface having a DHCP address.

I am unable to commit my configuration because dhcp-interface and local-address within the vpn component are mutually exclusive. However, I am unable to commit any vpn configuration without the declaration of a specific IP address, as it is required for VTI bound IPsec connections.

Interface config:

interfaces {
    ethernet eth0 {
        address dhcp
        description "Cust: pr140002 [10Mbit] (Internet:AT&T)"
        duplex auto
        hw-id 0c:c4:7a:db:ef:8c
        smp-affinity auto
        speed auto
    }
}

Error when vpn dhcp-interface and vpn local-address are set:

[ vpn ipsec site-to-site peer x.x.x.x ]
VPN configuration error: Only one of local-address or dhcp-interface may be defined
[[vpn]] failed
Commit failed

Error when only vpn dhcp-interface is set:

[ vpn ]
VPN VTI configuration error: local-address not defined.

[[vpn]] failed
Commit failed
[edit]

Error when local-address is set to any:

[ vpn ]
VPN VTI configuration error: Invalid local-address "any", an ip address must be specified for VTIs.

[[vpn]] failed
Commit failed
[edit]

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0-epa2
Why the issue appeared?
Will be filled on close

Event Timeline

ekim created this task. Jan 9 2019, 7:22 PM
pasik added a subscriber: pasik. Jan 11 2019, 12:09 PM
syncer assigned this task to dmbaturin. Jan 12 2019, 6:32 PM
syncer triaged this task as High priority.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-EPA3); removed VyOS 1.2 Crux.
danpro added a subscriber: danpro. Edited Jan 14 2019, 9:31 PM

I don't know whether it can be helpful but I have a similar configuration working in OCI (Oracle Cloud Infrastructure).
eth0 interface is configured as follows:

set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'

while the VPN is defined like this:

set vpn ipsec ipsec-interfaces interface 'eth0'

...

set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> authentication id '<YOUR_PUBLIC_IP_OR_NATIP>'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> authentication pre-shared-secret '<PRESHARED>'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> connection-type 'initiate'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> default-esp-group 'ESP-AWS01'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> ike-group 'IKE-AWS01'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> local-address '<YOUR_CURRENT_DHCP_IP_ADDRESS>'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> vti bind 'vti0'
set vpn ipsec site-to-site peer <PEER-IP-ADDRESS> vti esp-group 'ESP-AWS01'

and the vti interface:

set interfaces vti vti0 address '169.254.10.2/30'
set interfaces vti vti0 mtu '1436'

There is also a DHCP reservation for the VyOS VM that makes things easier, as the DHCP server always gives the same IP to the VM.

syncer reassigned this task from dmbaturin to Unicron. Feb 5 2019, 3:07 PM
syncer added a subscriber: dmbaturin.

Can you try without dhcp-interface and set 0.0.0.0 as local-address?

ekim added a comment. Feb 5 2019, 9:34 PM

No. The configuration options 'dhcp-interface' and 'local-address' are mutually exclusive, so attempting to commit a configuration with both results in a commit error.

[ vpn ipsec site-to-site peer x.x.x.x ]
VPN configuration error: Only one of local-address or dhcp-interface may be defined

@ekim rephrased: remove the DHCP-interface option and only use and configure the local-address to 0.0.0.0.

ekim added a comment. Feb 7 2019, 5:40 PM

Ah, I misread, my apologies. Let me try.

ekim added a comment. Feb 7 2019, 6:33 PM

Received the following commit error:

vyos@hostname-1# delete vpn ipsec site-to-site peer x.x.x.x dhcp-interface
[edit]
vyos@hostname-1# set vpn ipsec site-to-site peer x.x.x.x local-address 0.0.0.0
[edit]
vyos@hostname-1# commit
[ vpn ]
VPN VTI configuration error: Invalid local-address "0.0.0.0", an ip address must be specified for VTIs.

[[vpn]] failed
Commit failed
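To make the contradiction in this task explicit, here is an added model of the three commit checks quoted in the description and in the comment above (example code, not VyOS's own validator). The rules are reconstructed from the error messages only; peer stanzas are represented as plain dicts with the hypothetical keys `dhcp-interface`, `local-address` and `vti-bind`, and the 192.0.2.10 address is a constructed placeholder for a current DHCP lease.

```python
import ipaddress

def is_specific_ip(value: str) -> bool:
    """True only for a concrete address: rejects "any", 0.0.0.0 and :: (the VTI check)."""
    if value == "any":
        return False
    try:
        return not ipaddress.ip_address(value).is_unspecified
    except ValueError:
        return False

def check_peer(peer: dict) -> list:
    """Return the commit errors a site-to-site peer stanza would raise ([] means it commits)."""
    local = peer.get("local-address")
    dhcp_if = peer.get("dhcp-interface")
    if local is not None and dhcp_if is not None:
        # Checked on the peer node first, so the VTI check below is never reached.
        return ["Only one of local-address or dhcp-interface may be defined"]
    if peer.get("vti-bind"):
        # A VTI-bound peer needs a concrete local IP; dhcp-interface cannot supply one.
        if local is None:
            return ["VPN VTI configuration error: local-address not defined."]
        if not is_specific_ip(local):
            return [f'Invalid local-address "{local}", an ip address must be specified for VTIs.']
    return []

# Constructed sample stanzas: the four forms tried in this task plus danpro's workaround
# (no dhcp-interface, local-address pinned to the lease a DHCP reservation guarantees).
SCENARIOS = {
    "dhcp-interface and local-address": {"dhcp-interface": "eth0", "local-address": "192.0.2.10", "vti-bind": "vti0"},
    "dhcp-interface only": {"dhcp-interface": "eth0", "vti-bind": "vti0"},
    "local-address any": {"local-address": "any", "vti-bind": "vti0"},
    "local-address 0.0.0.0": {"local-address": "0.0.0.0", "vti-bind": "vti0"},
    "current DHCP lease as local-address": {"local-address": "192.0.2.10", "vti-bind": "vti0"},
}

def committable(scenarios: dict = SCENARIOS) -> dict:
    """Map each scenario name to whether the modelled commit would succeed."""
    return {name: check_peer(peer) == [] for name, peer in scenarios.items()}

if __name__ == "__main__":
    for name, ok in committable().items():
        outcome = "commits" if ok else "fails: " + check_peer(SCENARIOS[name])[0]
        print(f"{name:38s} -> {outcome}")
```

Running it shows that every VTI-bound form that relies on dhcp-interface or a wildcard address fails, and only the pinned-lease workaround commits, which is why the reservation in danpro's setup matters.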
syncer reassigned this task from Unicron to UnicronNL. Mar 17 2019, 3:45 AM
syncer lowered the priority of this task from High to Low.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux (VyOS 1.2.2).
syncer added a subscriber: Unicron.