
Protocol option ignored for IPSec peers in transport mode
Needs testing, Requires assessmentPublicBUG

Description

It is possible to set a protocol for an IPSec tunnel, but if the IPSec peer is configured to use a transport-mode ESP group, the protocol is not carried into the generated configuration. For example:

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group ESP1 compression 'disable'
set vpn ipsec esp-group ESP1 lifetime '3600'
set vpn ipsec esp-group ESP1 mode 'transport'
set vpn ipsec esp-group ESP1 pfs 'dh-group2'
set vpn ipsec esp-group ESP1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP1 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE1 dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE1 dead-peer-detection interval '15'
set vpn ipsec ike-group IKE1 dead-peer-detection timeout '30'
set vpn ipsec ike-group IKE1 ikev2-reauth 'no'
set vpn ipsec ike-group IKE1 key-exchange 'ikev1'
set vpn ipsec ike-group IKE1 lifetime '28800'
set vpn ipsec ike-group IKE1 proposal 1 dh-group '2'
set vpn ipsec ike-group IKE1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE1 proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 192.0.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.2 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.0.2.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.2.2 default-esp-group 'ESP1'
set vpn ipsec site-to-site peer 192.0.2.2 ike-group 'IKE1'
set vpn ipsec site-to-site peer 192.0.2.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.2.2 local-address '192.0.2.1'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 protocol 'ipencap'

will generate the following ipsec.conf:

# generated by /opt/vyatta/sbin/vpn-config.pl

config setup
	

conn %default
	keyexchange=ikev1


conn peer-192.0.2.2-tunnel-1
	left=192.0.2.1
	right=192.0.2.2
	ike=aes128-sha1-modp1024!
	keyexchange=ikev1
	ikelifetime=28800s
	dpddelay=15s
	dpdtimeout=30s
	dpdaction=restart
	closeaction=none
	esp=aes128-sha1-modp1024!
	keylife=3600s
	rekeymargin=540s
	type=transport
	compress=no
	authby=secret
	auto=start
	keyingtries=%forever
#conn peer-192.0.2.2-tunnel-1

So the protocol 'ipencap' was completely ignored: with no leftsubnet/rightsubnet selectors, the conn covers all traffic between the two hosts rather than only ipencap. A correct version should look like this:

# generated by /opt/vyatta/sbin/vpn-config.pl

config setup
	

conn %default
	keyexchange=ikev1


conn peer-192.0.2.2-tunnel-1
	left=192.0.2.1
	right=192.0.2.2
        leftsubnet=192.0.2.1[ipencap]
        rightsubnet=192.0.2.2[ipencap]
	ike=aes128-sha1-modp1024!
	keyexchange=ikev1
	ikelifetime=28800s
	dpddelay=15s
	dpdtimeout=30s
	dpdaction=restart
	closeaction=none
	esp=aes128-sha1-modp1024!
	keylife=3600s
	rekeymargin=540s
	type=transport
	compress=no
	authby=secret
	auto=start
	keyingtries=%forever
#conn peer-192.0.2.2-tunnel-1

We need to add proper processing of such configurations.

Details

Difficulty level
Normal (likely a few hours)
Version
1.3-rolling-202007240117
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Perfectly compatible

Event Timeline

zsdc created this task.Fri, Jul 24, 3:42 PM
pasik added a subscriber: pasik.Fri, Jul 24, 4:52 PM
zsdc changed the task status from Open to In progress.Fri, Jul 24, 9:05 PM
zsdc claimed this task.
dmbaturin changed the task status from In progress to Needs testing.Thu, Jul 30, 5:08 PM
dmbaturin changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
dmbaturin changed Why the issue appeared? from Will be filled on close to Implementation mistake.