
Protocol option ignored for IPSec peers in transport mode
Closed, ResolvedPublicBUG

Description

It is possible to set a protocol for an IPsec tunnel, but if the IPsec peer is configured to use an ESP group in transport mode, the protocol is not carried into the generated strongSwan configuration. For example (note: the pre-shared secret, IKEv1, SHA-1 and DH group 2 in this listing are placeholder values chosen to reproduce the bug, not a recommended configuration):

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group ESP1 compression 'disable'
set vpn ipsec esp-group ESP1 lifetime '3600'
set vpn ipsec esp-group ESP1 mode 'transport'
set vpn ipsec esp-group ESP1 pfs 'dh-group2'
set vpn ipsec esp-group ESP1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP1 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE1 dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE1 dead-peer-detection interval '15'
set vpn ipsec ike-group IKE1 dead-peer-detection timeout '30'
set vpn ipsec ike-group IKE1 ikev2-reauth 'no'
set vpn ipsec ike-group IKE1 key-exchange 'ikev1'
set vpn ipsec ike-group IKE1 lifetime '28800'
set vpn ipsec ike-group IKE1 proposal 1 dh-group '2'
set vpn ipsec ike-group IKE1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE1 proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 192.0.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.2 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.0.2.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.0.2.2 default-esp-group 'ESP1'
set vpn ipsec site-to-site peer 192.0.2.2 ike-group 'IKE1'
set vpn ipsec site-to-site peer 192.0.2.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.2.2 local-address '192.0.2.1'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 protocol 'ipencap'

will generate the following ipsec.conf:

# generated by /opt/vyatta/sbin/vpn-config.pl

config setup
	

conn %default
	keyexchange=ikev1


conn peer-192.0.2.2-tunnel-1
	left=192.0.2.1
	right=192.0.2.2
	ike=aes128-sha1-modp1024!
	keyexchange=ikev1
	ikelifetime=28800s
	dpddelay=15s
	dpdtimeout=30s
	dpdaction=restart
	closeaction=none
	esp=aes128-sha1-modp1024!
	keylife=3600s
	rekeymargin=540s
	type=transport
	compress=no
	authby=secret
	auto=start
	keyingtries=%forever
#conn peer-192.0.2.2-tunnel-1

So the protocol 'ipencap' is completely ignored: no leftsubnet/rightsubnet selector is emitted, so the connection's traffic selectors are not restricted to the IP-in-IP protocol as configured, and the resulting policy may not match (or negotiate with) a peer that restricts its selector to that protocol. A correct version should look like this:

# generated by /opt/vyatta/sbin/vpn-config.pl

config setup
	

conn %default
	keyexchange=ikev1


conn peer-192.0.2.2-tunnel-1
	left=192.0.2.1
	right=192.0.2.2
        leftsubnet=192.0.2.1[ipencap]
        rightsubnet=192.0.2.2[ipencap]
	ike=aes128-sha1-modp1024!
	keyexchange=ikev1
	ikelifetime=28800s
	dpddelay=15s
	dpdtimeout=30s
	dpdaction=restart
	closeaction=none
	esp=aes128-sha1-modp1024!
	keylife=3600s
	rekeymargin=540s
	type=transport
	compress=no
	authby=secret
	auto=start
	keyingtries=%forever
#conn peer-192.0.2.2-tunnel-1

The configuration generator needs to handle the tunnel 'protocol' option for transport-mode ESP groups and emit the corresponding leftsubnet/rightsubnet '[protocol]' selectors shown above.

Details

Difficulty level
Normal (likely a few hours)
Version
1.3-rolling-202007240117
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Perfectly compatible

Event Timeline

zsdc created this task.Jul 24 2020, 3:42 PM
pasik added a subscriber: pasik.Jul 24 2020, 4:52 PM
zsdc changed the task status from Open to In progress.Jul 24 2020, 9:05 PM
zsdc claimed this task.
dmbaturin changed the task status from In progress to Needs testing.Jul 30 2020, 5:08 PM
dmbaturin changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
dmbaturin changed Why the issue appeared? from Will be filled on close to Implementation mistake.
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Sep 9 2020, 1:22 PM
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.6) board.
syncer closed this task as Resolved.Sep 9 2020, 1:45 PM