# set interfaces vti vti0 address 2001:db8:2::249/64 "2001:db8:2::249/64" is not a valid value of type "ipv4net" Value validation failed Set failed
Description
Description
Details
Details
- Difficulty level
- Easy (less than an hour)
- Version
- VyOS 1.3-rolling-202005130117
- Why the issue appeared?
- Other
- Is it a breaking change?
- Perfectly compatible
- Issue type
- Improvement (missing useful functionality)
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Open | BUG | None | T2353 Interface [conf_mode] errors parent task | ||
| Resolved | BUG | c-po | T2455 No support for the IPv6 VTI |
Event Timeline
Comment Actions
VTI is secretly IPIP, so it doesn't support IPv6. The real issue is that we don't support the IPv6 variant of VTI yet.
Comment Actions
What development effort needs to happen to enable IPv6 as the tunnel inner address? I'm keen to help sort it out for the use case of AWS IPv6 VPNs: https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html#vpn-create-vpn-connection
Comment Actions
With recent versions of strongSwan and XFRM interface in VyOS 1.4 this is now possible.
Router 1
set interfaces vti vti1 address '100.64.0.0/31' set interfaces vti vti1 address '2001:db8::1/64' set vpn ipsec esp-group FOO-VPN compression 'disable' set vpn ipsec esp-group FOO-VPN lifetime '3600' set vpn ipsec esp-group FOO-VPN mode 'tunnel' set vpn ipsec esp-group FOO-VPN pfs 'dh-group2' set vpn ipsec esp-group FOO-VPN proposal 1 encryption 'aes256' set vpn ipsec esp-group FOO-VPN proposal 1 hash 'sha1' set vpn ipsec ike-group FOO-VPN dead-peer-detection action 'restart' set vpn ipsec ike-group FOO-VPN dead-peer-detection interval '15' set vpn ipsec ike-group FOO-VPN dead-peer-detection timeout '30' set vpn ipsec ike-group FOO-VPN ikev2-reauth 'yes' set vpn ipsec ike-group FOO-VPN key-exchange 'ikev2' set vpn ipsec ike-group FOO-VPN lifetime '28800' set vpn ipsec ike-group FOO-VPN proposal 1 dh-group '2' set vpn ipsec ike-group FOO-VPN proposal 1 encryption 'aes256' set vpn ipsec ike-group FOO-VPN proposal 1 hash 'sha1' set vpn ipsec interface 'eth0.201' set vpn ipsec site-to-site peer 172.18.202.10 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 172.18.202.10 authentication pre-shared-secret 's3cr3t' set vpn ipsec site-to-site peer 172.18.202.10 connection-type 'respond' set vpn ipsec site-to-site peer 172.18.202.10 ike-group 'FOO-VPN' set vpn ipsec site-to-site peer 172.18.202.10 ikev2-reauth 'inherit' set vpn ipsec site-to-site peer 172.18.202.10 local-address '172.18.201.10' set vpn ipsec site-to-site peer 172.18.202.10 vti bind 'vti1' set vpn ipsec site-to-site peer 172.18.202.10 vti esp-group 'FOO-VPN'
VyOS Router 2
set interfaces vti vti1 address '100.64.0.1/31' set interfaces vti vti1 address '2001:db8::2/64' set vpn ipsec esp-group FOO-VPN compression 'disable' set vpn ipsec esp-group FOO-VPN lifetime '3600' set vpn ipsec esp-group FOO-VPN mode 'tunnel' set vpn ipsec esp-group FOO-VPN pfs 'dh-group2' set vpn ipsec esp-group FOO-VPN proposal 1 encryption 'aes256' set vpn ipsec esp-group FOO-VPN proposal 1 hash 'sha1' set vpn ipsec ike-group FOO-VPN dead-peer-detection action 'restart' set vpn ipsec ike-group FOO-VPN dead-peer-detection interval '15' set vpn ipsec ike-group FOO-VPN dead-peer-detection timeout '30' set vpn ipsec ike-group FOO-VPN ikev2-reauth 'yes' set vpn ipsec ike-group FOO-VPN key-exchange 'ikev2' set vpn ipsec ike-group FOO-VPN lifetime '28800' set vpn ipsec ike-group FOO-VPN proposal 1 dh-group '2' set vpn ipsec ike-group FOO-VPN proposal 1 encryption 'aes256' set vpn ipsec ike-group FOO-VPN proposal 1 hash 'sha1' set vpn ipsec interface 'eth0.202' set vpn ipsec site-to-site peer 172.18.201.10 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 172.18.201.10 authentication pre-shared-secret 's3cr3t' set vpn ipsec site-to-site peer 172.18.201.10 connection-type 'respond' set vpn ipsec site-to-site peer 172.18.201.10 ike-group 'FOO-VPN' set vpn ipsec site-to-site peer 172.18.201.10 ikev2-reauth 'inherit' set vpn ipsec site-to-site peer 172.18.201.10 local-address '172.18.202.10' set vpn ipsec site-to-site peer 172.18.201.10 vti bind 'vti1' set vpn ipsec site-to-site peer 172.18.201.10 vti esp-group 'FOO-VPN'
Test
[email protected]# run ping 100.64.0.0 count 2 PING 100.64.0.0 (100.64.0.0) 56(84) bytes of data. 64 bytes from 100.64.0.0: icmp_seq=1 ttl=64 time=1.57 ms 64 bytes from 100.64.0.0: icmp_seq=2 ttl=64 time=1.51 ms --- 100.64.0.0 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1002ms rtt min/avg/max/mdev = 1.512/1.542/1.573/0.030 ms
[email protected]# run ping 2001:db8::1 count 2 PING 2001:db8::1(2001:db8::1) 56 data bytes 64 bytes from 2001:db8::1: icmp_seq=1 ttl=64 time=1.02 ms 64 bytes from 2001:db8::1: icmp_seq=2 ttl=64 time=1.61 ms --- 2001:db8::1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 1.024/1.318/1.612/0.294 ms
[email protected]# sudo tcpdump -ni vti1 tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on vti1, link-type RAW (Raw IP), snapshot length 262144 bytes 10:54:58.837513 IP 100.64.0.1 > 100.64.0.0: ICMP echo request, id 48568, seq 1, length 64 10:54:58.837589 IP 100.64.0.0 > 100.64.0.1: ICMP echo reply, id 48568, seq 1, length 64 10:54:59.839581 IP 100.64.0.1 > 100.64.0.0: ICMP echo request, id 48568, seq 2, length 64 10:54:59.839630 IP 100.64.0.0 > 100.64.0.1: ICMP echo reply, id 48568, seq 2, length 64 10:55:07.113736 IP6 2001:db8::2 > 2001:db8::1: ICMP6, echo request, id 18741, seq 1, length 64 10:55:07.113811 IP6 2001:db8::1 > 2001:db8::2: ICMP6, echo reply, id 18741, seq 1, length 64 10:55:08.115561 IP6 2001:db8::2 > 2001:db8::1: ICMP6, echo request, id 18741, seq 2, length 64 10:55:08.115631 IP6 2001:db8::1 > 2001:db8::2: ICMP6, echo reply, id 18741, seq 2, length 64
Comment Actions
Also add IPv6 link local address support to auto generate a link-local address as on any other type of interface.
[email protected]# run ping fe80::f8b4:e2ff:fe5f:cb6 interface vti1 /bin/ping6: Warning: source address might be selected on device other than: vti1 PING fe80::f8b4:e2ff:fe5f:cb6(fe80::f8b4:e2ff:fe5f:cb6) from :: vti1: 56 data bytes 64 bytes from fe80::f8b4:e2ff:fe5f:cb6%vti1: icmp_seq=1 ttl=64 time=1.66 ms 64 bytes from fe80::f8b4:e2ff:fe5f:cb6%vti1: icmp_seq=2 ttl=64 time=1.63 ms