
No support for the IPv6 VTI
Closed, Resolved · Public · BUG

Description

# set interfaces vti vti0 address 2001:db8:2::249/64

  "2001:db8:2::249/64" is not a valid value of type "ipv4net"
  Value validation failed
  Set failed

Details

Difficulty level
Easy (less than an hour)
Version
VyOS 1.3-rolling-202005130117
Why the issue appeared?
Other
Is it a breaking change?
Perfectly compatible
Issue type
Improvement (missing useful functionality)

Related Objects

Status     Subtype   Assigned   Task
Open       BUG       None
Resolved   BUG       c-po

Event Timeline

VTI is secretly IPIP, so it doesn't support IPv6. The real issue is that we don't support the IPv6 variant of VTI yet.

dmbaturin renamed this task from "Impossible to assign ipv6 address on VTI interface" to "No support for the IPv6 VTI". Jun 25 2020, 6:02 AM
erkin set Issue type to Bug (incorrect behavior). Aug 30 2021, 6:14 AM
erkin removed a subscriber: Active contributors.

What development effort needs to happen to enable IPv6 as the tunnel inner address? I'm keen to help sort it out for the use case of AWS IPv6 VPNs: https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html#vpn-create-vpn-connection

c-po changed the task status from Open to In progress. (Edited) Jul 1 2022, 8:51 AM
c-po claimed this task.
c-po triaged this task as Normal priority.
c-po edited projects, added VyOS 1.4 Sagitta; removed VyOS 1.3 Equuleus (1.3.0).
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po changed Why the issue appeared? from Will be filled on close to Other.
c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
c-po changed Issue type from Bug (incorrect behavior) to Improvement (missing useful functionality).

With recent versions of strongSwan and XFRM interface in VyOS 1.4 this is now possible.

Router 1

set interfaces vti vti1 address '100.64.0.0/31'
set interfaces vti vti1 address '2001:db8::1/64'

set vpn ipsec esp-group FOO-VPN compression 'disable'
set vpn ipsec esp-group FOO-VPN lifetime '3600'
set vpn ipsec esp-group FOO-VPN mode 'tunnel'
set vpn ipsec esp-group FOO-VPN pfs 'dh-group2'
set vpn ipsec esp-group FOO-VPN proposal 1 encryption 'aes256'
set vpn ipsec esp-group FOO-VPN proposal 1 hash 'sha1'
set vpn ipsec ike-group FOO-VPN dead-peer-detection action 'restart'
set vpn ipsec ike-group FOO-VPN dead-peer-detection interval '15'
set vpn ipsec ike-group FOO-VPN dead-peer-detection timeout '30'
set vpn ipsec ike-group FOO-VPN ikev2-reauth 'yes'
set vpn ipsec ike-group FOO-VPN key-exchange 'ikev2'
set vpn ipsec ike-group FOO-VPN lifetime '28800'
set vpn ipsec ike-group FOO-VPN proposal 1 dh-group '2'
set vpn ipsec ike-group FOO-VPN proposal 1 encryption 'aes256'
set vpn ipsec ike-group FOO-VPN proposal 1 hash 'sha1'

set vpn ipsec interface 'eth0.201'

set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 's3cr3t'
set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'respond'
set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'FOO-VPN'
set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.18.202.10 local-address '172.18.201.10'
set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti1'
set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'FOO-VPN'

VyOS Router 2

set interfaces vti vti1 address '100.64.0.1/31'
set interfaces vti vti1 address '2001:db8::2/64'

set vpn ipsec esp-group FOO-VPN compression 'disable'
set vpn ipsec esp-group FOO-VPN lifetime '3600'
set vpn ipsec esp-group FOO-VPN mode 'tunnel'
set vpn ipsec esp-group FOO-VPN pfs 'dh-group2'
set vpn ipsec esp-group FOO-VPN proposal 1 encryption 'aes256'
set vpn ipsec esp-group FOO-VPN proposal 1 hash 'sha1'
set vpn ipsec ike-group FOO-VPN dead-peer-detection action 'restart'
set vpn ipsec ike-group FOO-VPN dead-peer-detection interval '15'
set vpn ipsec ike-group FOO-VPN dead-peer-detection timeout '30'
set vpn ipsec ike-group FOO-VPN ikev2-reauth 'yes'
set vpn ipsec ike-group FOO-VPN key-exchange 'ikev2'
set vpn ipsec ike-group FOO-VPN lifetime '28800'
set vpn ipsec ike-group FOO-VPN proposal 1 dh-group '2'
set vpn ipsec ike-group FOO-VPN proposal 1 encryption 'aes256'
set vpn ipsec ike-group FOO-VPN proposal 1 hash 'sha1'

set vpn ipsec interface 'eth0.202'

set vpn ipsec site-to-site peer 172.18.201.10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 172.18.201.10 authentication pre-shared-secret 's3cr3t'
set vpn ipsec site-to-site peer 172.18.201.10 connection-type 'respond'
set vpn ipsec site-to-site peer 172.18.201.10 ike-group 'FOO-VPN'
set vpn ipsec site-to-site peer 172.18.201.10 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10'
set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti1'
set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'FOO-VPN'

Test

[email protected]# run ping 100.64.0.0 count 2
PING 100.64.0.0 (100.64.0.0) 56(84) bytes of data.
64 bytes from 100.64.0.0: icmp_seq=1 ttl=64 time=1.57 ms
64 bytes from 100.64.0.0: icmp_seq=2 ttl=64 time=1.51 ms

--- 100.64.0.0 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.512/1.542/1.573/0.030 ms
[email protected]# run ping 2001:db8::1 count 2
PING 2001:db8::1(2001:db8::1) 56 data bytes
64 bytes from 2001:db8::1: icmp_seq=1 ttl=64 time=1.02 ms
64 bytes from 2001:db8::1: icmp_seq=2 ttl=64 time=1.61 ms

--- 2001:db8::1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.024/1.318/1.612/0.294 ms
[email protected]#  sudo tcpdump -ni vti1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vti1, link-type RAW (Raw IP), snapshot length 262144 bytes
10:54:58.837513 IP 100.64.0.1 > 100.64.0.0: ICMP echo request, id 48568, seq 1, length 64
10:54:58.837589 IP 100.64.0.0 > 100.64.0.1: ICMP echo reply, id 48568, seq 1, length 64
10:54:59.839581 IP 100.64.0.1 > 100.64.0.0: ICMP echo request, id 48568, seq 2, length 64
10:54:59.839630 IP 100.64.0.0 > 100.64.0.1: ICMP echo reply, id 48568, seq 2, length 64
10:55:07.113736 IP6 2001:db8::2 > 2001:db8::1: ICMP6, echo request, id 18741, seq 1, length 64
10:55:07.113811 IP6 2001:db8::1 > 2001:db8::2: ICMP6, echo reply, id 18741, seq 1, length 64
10:55:08.115561 IP6 2001:db8::2 > 2001:db8::1: ICMP6, echo request, id 18741, seq 2, length 64
10:55:08.115631 IP6 2001:db8::1 > 2001:db8::2: ICMP6, echo reply, id 18741, seq 2, length 64
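As an added example (not VyOS code and not the commenter's), a cross-check of the two-router configuration above: it parses the `set` lines, accepts a VTI address as ipv4net or ipv6net (the validation this task is about), verifies that each address family is present on both ends and shares one prefix, that the pre-shared secrets match, and flags the sha1 / dh-group2 style proposal values. ROUTER1 and ROUTER2 are a constructed subset of the configs posted above; the WEAK table is an assumption about which values to flag.

```python
import ipaddress
import shlex

# Constructed subset of the Router 1 config posted in this task; Router 2 is its mirror image.
ROUTER1 = """
set interfaces vti vti1 address '100.64.0.0/31'
set interfaces vti vti1 address '2001:db8::1/64'
set vpn ipsec esp-group FOO-VPN proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 's3cr3t'
set vpn ipsec site-to-site peer 172.18.202.10 local-address '172.18.201.10'
"""
ROUTER2 = (ROUTER1.replace("100.64.0.0/31", "100.64.0.1/31").replace("2001:db8::1/", "2001:db8::2/")
           .replace("peer 172.18.202.10", "peer 172.18.201.10").replace("'172.18.201.10'", "'172.18.202.10'"))
WEAK = {"hash": {"md5", "sha1"}, "dh-group": {"1", "2", "5"}}  # assumption: proposal values to flag as weak

def parse_set(text):
    """Turn VyOS 'set ...' lines into token lists with the quoting removed."""
    return [shlex.split(line)[1:] for line in text.splitlines() if line.startswith("set ")]

def vti_address_type(addr):
    """The fix this task asks for: a VTI address may be ipv4net or ipv6net, not only ipv4net."""
    iface = ipaddress.ip_interface(addr)  # raises ValueError for anything that is not address/prefix
    return "ipv4net" if iface.version == 4 else "ipv6net"

def peer(cfg):
    """Flatten the site-to-site peer block into {key: value}; 'peer' holds the peer address."""
    d = {}
    for t in cfg:
        if t[:4] == ["vpn", "ipsec", "site-to-site", "peer"]:
            d["peer"], d[t[-2]] = t[4], t[-1]
    return d

def check_pair(a, b):
    """Cross-check both tunnel ends; returns a list of findings (empty means consistent)."""
    findings = []
    # 'interfaces vti <name> address <prefix>' lines on each side
    vti = [[ipaddress.ip_interface(t[4]) for t in c if t[1:4:2] == ["vti", "address"]] for c in (a, b)]
    for fam in (4, 6):  # each address family must be configured on both ends and share one prefix
        ends = [[i for i in side if i.version == fam] for side in vti]
        if not (ends[0] and ends[1]):
            findings.append(f"IPv{fam}: VTI address missing on one end")
        elif ends[0][0].network != ends[1][0].network:
            findings.append(f"IPv{fam}: VTI prefixes differ: {ends[0][0]} vs {ends[1][0]}")
    if peer(a).get("pre-shared-secret") != peer(b).get("pre-shared-secret"):
        findings.append("pre-shared secrets differ")
    for name, c in (("A", a), ("B", b)):  # weak proposal parameters on either end
        for t in c:
            if t[:2] == ["vpn", "ipsec"] and t[-2] in WEAK and t[-1] in WEAK[t[-2]]:
                findings.append(f"{name}: weak {t[-2]} {t[-1]} in {t[2]} {t[3]}")
    return findings
```

Run `check_pair(parse_set(ROUTER1), parse_set(ROUTER2))` to get the findings for the pair; with the configs as posted the only findings are the sha1 proposal hashes.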

Also add IPv6 link-local address support, to auto-generate a link-local address as on any other type of interface.

[email protected]# run ping fe80::f8b4:e2ff:fe5f:cb6 interface vti1
/bin/ping6: Warning: source address might be selected on device other than: vti1
PING fe80::f8b4:e2ff:fe5f:cb6(fe80::f8b4:e2ff:fe5f:cb6) from :: vti1: 56 data bytes
64 bytes from fe80::f8b4:e2ff:fe5f:cb6%vti1: icmp_seq=1 ttl=64 time=1.66 ms
64 bytes from fe80::f8b4:e2ff:fe5f:cb6%vti1: icmp_seq=2 ttl=64 time=1.63 ms