No support for the IPv6 VTI
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	Viacheslav
	May 13 2020, 11:24 AM

Description

# set interfaces vti vti0 address 2001:db8:2::249/64

  "2001:db8:2::249/64" is not a valid value of type "ipv4net"
  Value validation failed
  Set failed

Details

Difficulty level: Easy (less than an hour)
Version: VyOS 1.3-rolling-202005130117
Why the issue appeared?: Other
Is it a breaking change?: Perfectly compatible
Issue type: Improvement (missing useful functionality)

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved	BUG	Viacheslav	T2353 Interface [conf_mode] errors parent task
		Resolved	BUG	c-po	T2455 No support for the IPv6 VTI

Event Timeline

Viacheslav created this task.May 13 2020, 11:24 AM

Viacheslav added a parent task: T2353: Interface [conf_mode] errors parent task.May 13 2020, 12:12 PM

pasik added a subscriber: pasik.May 13 2020, 4:25 PM

VTI is secretly IPIP, so it doesn't support IPv6. The real issue is that we don't support the IPv6 variant of VTI yet.

dmbaturin renamed this task from Impossible to assign ipv6 address on VTI interface to No support for the IPv6 VTI.Jun 25 2020, 6:02 AM

erkin set Issue type to Bug (incorrect behavior).Aug 30 2021, 6:14 AM

erkin removed a subscriber: Active contributors.

syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Nov 6 2021, 11:24 AM

jmbwell added a subscriber: jmbwell.Jan 11 2022, 3:25 AM

paulgear added a subscriber: paulgear.Jun 30 2022, 6:45 AM

In T2455#68732, @dmbaturin wrote:

VTI is secretly IPIP, so it doesn't support IPv6. The real issue is that we don't support the IPv6 variant of VTI yet.

What development effort needs to happen to enable IPv6 as the tunnel inner address? I'm keen to help sort it out for the use case of AWS IPv6 VPNs: https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html#vpn-create-vpn-connection

https://docs.strongswan.org/docs/5.9/config/IPv6.html
https://docs.strongswan.org/docs/5.9/features/routeBasedVpn.html

With recent versions of strongSwan and XFRM interface in VyOS 1.4 this is now possible.

Router 1

set interfaces vti vti1 address '100.64.0.0/31'
set interfaces vti vti1 address '2001:db8::1/64'

set vpn ipsec esp-group FOO-VPN compression 'disable'
set vpn ipsec esp-group FOO-VPN lifetime '3600'
set vpn ipsec esp-group FOO-VPN mode 'tunnel'
set vpn ipsec esp-group FOO-VPN pfs 'dh-group2'
set vpn ipsec esp-group FOO-VPN proposal 1 encryption 'aes256'
set vpn ipsec esp-group FOO-VPN proposal 1 hash 'sha1'
set vpn ipsec ike-group FOO-VPN dead-peer-detection action 'restart'
set vpn ipsec ike-group FOO-VPN dead-peer-detection interval '15'
set vpn ipsec ike-group FOO-VPN dead-peer-detection timeout '30'
set vpn ipsec ike-group FOO-VPN ikev2-reauth 'yes'
set vpn ipsec ike-group FOO-VPN key-exchange 'ikev2'
set vpn ipsec ike-group FOO-VPN lifetime '28800'
set vpn ipsec ike-group FOO-VPN proposal 1 dh-group '2'
set vpn ipsec ike-group FOO-VPN proposal 1 encryption 'aes256'
set vpn ipsec ike-group FOO-VPN proposal 1 hash 'sha1'

set vpn ipsec interface 'eth0.201'

set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 's3cr3t'
set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'respond'
set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'FOO-VPN'
set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.18.202.10 local-address '172.18.201.10'
set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti1'
set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'FOO-VPN'

VyOS Router 2

set interfaces vti vti1 address '100.64.0.1/31'
set interfaces vti vti1 address '2001:db8::2/64'

set vpn ipsec esp-group FOO-VPN compression 'disable'
set vpn ipsec esp-group FOO-VPN lifetime '3600'
set vpn ipsec esp-group FOO-VPN mode 'tunnel'
set vpn ipsec esp-group FOO-VPN pfs 'dh-group2'
set vpn ipsec esp-group FOO-VPN proposal 1 encryption 'aes256'
set vpn ipsec esp-group FOO-VPN proposal 1 hash 'sha1'
set vpn ipsec ike-group FOO-VPN dead-peer-detection action 'restart'
set vpn ipsec ike-group FOO-VPN dead-peer-detection interval '15'
set vpn ipsec ike-group FOO-VPN dead-peer-detection timeout '30'
set vpn ipsec ike-group FOO-VPN ikev2-reauth 'yes'
set vpn ipsec ike-group FOO-VPN key-exchange 'ikev2'
set vpn ipsec ike-group FOO-VPN lifetime '28800'
set vpn ipsec ike-group FOO-VPN proposal 1 dh-group '2'
set vpn ipsec ike-group FOO-VPN proposal 1 encryption 'aes256'
set vpn ipsec ike-group FOO-VPN proposal 1 hash 'sha1'

set vpn ipsec interface 'eth0.202'

set vpn ipsec site-to-site peer 172.18.201.10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 172.18.201.10 authentication pre-shared-secret 's3cr3t'
set vpn ipsec site-to-site peer 172.18.201.10 connection-type 'respond'
set vpn ipsec site-to-site peer 172.18.201.10 ike-group 'FOO-VPN'
set vpn ipsec site-to-site peer 172.18.201.10 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10'
set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti1'
set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'FOO-VPN'

Test

cpo@R2# run ping 100.64.0.0 count 2
PING 100.64.0.0 (100.64.0.0) 56(84) bytes of data.
64 bytes from 100.64.0.0: icmp_seq=1 ttl=64 time=1.57 ms
64 bytes from 100.64.0.0: icmp_seq=2 ttl=64 time=1.51 ms

--- 100.64.0.0 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.512/1.542/1.573/0.030 ms

cpo@R2# run ping 2001:db8::1 count 2
PING 2001:db8::1(2001:db8::1) 56 data bytes
64 bytes from 2001:db8::1: icmp_seq=1 ttl=64 time=1.02 ms
64 bytes from 2001:db8::1: icmp_seq=2 ttl=64 time=1.61 ms

--- 2001:db8::1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.024/1.318/1.612/0.294 ms

cpo@R1#  sudo tcpdump -ni vti1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vti1, link-type RAW (Raw IP), snapshot length 262144 bytes
10:54:58.837513 IP 100.64.0.1 > 100.64.0.0: ICMP echo request, id 48568, seq 1, length 64
10:54:58.837589 IP 100.64.0.0 > 100.64.0.1: ICMP echo reply, id 48568, seq 1, length 64
10:54:59.839581 IP 100.64.0.1 > 100.64.0.0: ICMP echo request, id 48568, seq 2, length 64
10:54:59.839630 IP 100.64.0.0 > 100.64.0.1: ICMP echo reply, id 48568, seq 2, length 64
10:55:07.113736 IP6 2001:db8::2 > 2001:db8::1: ICMP6, echo request, id 18741, seq 1, length 64
10:55:07.113811 IP6 2001:db8::1 > 2001:db8::2: ICMP6, echo reply, id 18741, seq 1, length 64
10:55:08.115561 IP6 2001:db8::2 > 2001:db8::1: ICMP6, echo request, id 18741, seq 2, length 64
10:55:08.115631 IP6 2001:db8::1 > 2001:db8::2: ICMP6, echo reply, id 18741, seq 2, length 64

Also add IPv6 link local address support to auto generate a link-local address as on any other type of interface.

cpo@R1# run ping fe80::f8b4:e2ff:fe5f:cb6 interface vti1
/bin/ping6: Warning: source address might be selected on device other than: vti1
PING fe80::f8b4:e2ff:fe5f:cb6(fe80::f8b4:e2ff:fe5f:cb6) from :: vti1: 56 data bytes
64 bytes from fe80::f8b4:e2ff:fe5f:cb6%vti1: icmp_seq=1 ttl=64 time=1.66 ms
64 bytes from fe80::f8b4:e2ff:fe5f:cb6%vti1: icmp_seq=2 ttl=64 time=1.63 ms

c-po closed this task as Resolved.Jul 1 2022, 9:12 AM

No support for the IPv6 VTIClosed, ResolvedPublicBUGActions