IPSec w/ IKEv2 Invalid local-address "any"
Open, Requires assessment | Public | BUG

Description

vyos@vyos# set vpn ipsec site-to-site peer 160.20.145.16 local-address
Possible completions:
   <x.x.x.x>    IPv4 address of a local interface for VPN
   <h:h:h:h:h:h:h:h>
                IPv6 address of a local interface for VPN
   any          Allow any IPv4 address present on the system to be used for VPN
vyos@vyos# show vpn
ipsec {
    esp-group ESP_DEFAULT {
        compression disable
        lifetime 3600
        mode tunnel
        pfs dh-group19
        proposal 10 {
            encryption aes256gcm128
            hash sha256
        }
    }
    ike-group IKEv2_DEFAULT {
        dead-peer-detection {
            action hold
            interval 30
            timeout 120
        }
        ikev2-reauth no
        key-exchange ikev2
        lifetime 10800
        mobike disable
        proposal 10 {
            dh-group 19
            encryption aes256gcm128
            hash sha256
        }
    }
    ipsec-interfaces {
        interface eth2
    }
    site-to-site {
        peer 1.2.4.6 {
            authentication {
                id 193.168.189.149
                mode pre-shared-secret
                pre-shared-secret secretkey
                remote-id 1.2.4.6
            }
            connection-type initiate
            ike-group IKEv2_DEFAULT
            ikev2-reauth inherit
            local-address any
            vti {
                bind vti10
                esp-group ESP_DEFAULT
            }
        }
    }
}
vyos@vyos# commit
[ vpn ]
VPN VTI configuration error: Invalid local-address "any", an ip address must be specified for VTIs.

Details

Difficulty level: Unknown (require assessment)
Version: 1.2.2
Why the issue appeared?: Will be filled on close

Event Timeline

c-po created this task. Jul 18 2019, 8:30 PM
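
A pre-commit check for the condition named in the commit error above, as an added example that is not part of the original report and not VyOS's own validation code: it parses "show vpn"-style output and lists every peer that binds a VTI without a literal IP as local-address. The sample config is constructed, and the function names parse and vti_local_address_errors are hypothetical.

```python
import ipaddress

# Constructed sample in the brace layout of "show vpn" (not the reporter's full config).
SAMPLE = """\
site-to-site {
    peer 1.2.4.6 {
        local-address any
        vti {
            bind vti10
        }
    }
    peer 192.0.2.20 {
        local-address 192.0.2.1
        vti {
            bind vti11
        }
    }
    peer 192.0.2.30 {
        local-address any
    }
}
"""

def parse(text):
    """Parse brace-style config: 'name {' opens a nested dict, other lines are key/value leaves."""
    root = {}
    stack = [root]
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return root

def vti_local_address_errors(node):
    """Return (peer, local-address) for each peer with a vti block but no literal IP local-address."""
    errors = []
    for key, val in node.items():
        if not isinstance(val, dict):
            continue
        if key.startswith("peer ") and "vti" in val:
            addr = val.get("local-address", "")
            try:
                ipaddress.ip_address(addr)
            except ValueError:  # "any", empty, or anything that is not an IPv4/IPv6 literal
                errors.append((key.split()[1], addr))
        errors += vti_local_address_errors(val)
    return errors
```

Only peers with a vti block are checked, so the third sample peer keeps "any" without being reported.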