
Rewrite IPsec scripts with the new XML/Python approach
Status: Needs testing, Priority: Normal, Visibility: Public

Description

IPsec is one of the oldest, most complicated, and most bug-ridden components. We need to rewrite it and also improve its CLI as we go.

  • CLI design
  • Implementation design
  • Rewrite of ipsec.pl
  • Rewrite of DMVPN
  • Rewrite of L2TP/IPsec

Details

Difficulty level: Unknown (requires assessment)
Version: -
Why did the issue appear? Will be filled in on close
Is it a breaking change? Config syntax change (migratable)


Event Timeline

acrane1 added a subtask: Restricted Maniphest Task. Jun 11 2021, 7:47 PM

Tested with basic ipsec configuration and it does not seem to work when 3des encryption is configured. It works with default (aes128) and aes192.
Version

Version:          VyOS 1.4-rolling-202106151212
Release Train:    sagitta

Built by:         autobuild@vyos.net
Built on:         Tue 15 Jun 2021 11:57 UTC
Build UUID:       aca2a1be-7e7c-49c5-81f8-35df11d65aeb
Build Commit ID:  e5a2250f2d0145

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:
Hardware UUID:    54e778d8-8701-4a6a-95a0-ca658269c598

Copyright:        VyOS maintainers and contributors

Config:

set vpn ipsec esp-group espN compression 'disable'
set vpn ipsec esp-group espN lifetime '3600'
set vpn ipsec esp-group espN proposal 1 encryption '3des'
set vpn ipsec esp-group espN proposal 1 hash 'sha1'
set vpn ipsec ike-group ikeN proposal 1 dh-group '2'
set vpn ipsec ike-group ikeN proposal 1 encryption '3des'
set vpn ipsec ike-group ikeN proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.0.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.0.0.2 authentication pre-shared-secret 'Vyos@123'
set vpn ipsec site-to-site peer 10.0.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.0.0.2 ike-group 'ikeN'
set vpn ipsec site-to-site peer 10.0.0.2 local-address '10.0.0.1'
set vpn ipsec site-to-site peer 10.0.0.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.0.0.2 vti esp-group 'espN'

Error:

vyos@vyos#  run sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.0.0.2 10.0.0.2                       10.0.0.1 10.0.0.1
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 68, in <module>
    ike_sa(args.peer, args.nat)
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 52, in ike_sa
    encryption = f'{s(sa["encr-alg"])}_{s(sa["encr-keysize"])}' if 'encr-alg' in sa else 'n/a'
KeyError: 'encr-keysize'

Works in version 1.2.7.

c-po changed the status of subtask Restricted Maniphest Task from Confirmed to Needs testing. Jun 19 2021, 11:26 AM

In a fresh/new setup, the command "show vpn ike sa" throws an exception:

vyos@vyos:~$ sh vpn ike sa
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 70, in <module>
    ike_sa(args.peer, args.nat)
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 34, in ike_sa
    session = vici.Session()
  File "/usr/lib/python3/dist-packages/vici/session.py", line 12, in __init__
    sock.connect("/var/run/charon.vici")
FileNotFoundError: [Errno 2] No such file or directory
vyos@vyos:~$ sh vpn ipsec sa
IPSec process not running

In older version:

vyos@vyos:~$ sh vpn ike sa
vyos@vyos:~$ sh vpn ipsec sa
IPSec Process NOT Running
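Both tracebacks in this thread come from the op-mode script trusting its inputs: the first assumes every IKE SA reported over VICI carries an `encr-keysize` (strongSwan only emits it for ciphers with a variable key length, so a 3DES SA lacks it), the second assumes the charon VICI socket always exists. The following is an added example, not the VyOS `vpn_ike_sa.py` code, showing a formatter that tolerates both conditions; the SA dictionaries are constructed to mirror the shape of `list-sas` replies (values are `bytes`), and `open_session` is a hypothetical helper name.

```python
import socket

# Constructed samples shaped like one entry of a vici `list-sas` reply.
# Real replies carry bytes values; 3DES has a fixed key length, so
# strongSwan omits `encr-keysize` for it (the cause of the KeyError above).
SAMPLE_3DES_SA = {'local-host': b'10.0.0.1', 'remote-host': b'10.0.0.2',
                  'encr-alg': b'3DES_CBC', 'integ-alg': b'HMAC_SHA1_96'}
SAMPLE_AES_SA = {'local-host': b'10.0.0.1', 'remote-host': b'10.0.0.2',
                 'encr-alg': b'AES_CBC', 'encr-keysize': b'128',
                 'integ-alg': b'HMAC_SHA1_96'}


def s(value):
    """Decode a VICI value (bytes) to str; pass through None and str."""
    if value is None:
        return None
    return value.decode() if isinstance(value, bytes) else str(value)


def format_encryption(sa):
    """Return 'ALG_KEYSIZE', just 'ALG' when no keysize is reported, or 'n/a'.

    Uses .get() instead of indexing so a fixed-key cipher such as 3DES
    no longer raises KeyError: 'encr-keysize'.
    """
    alg = s(sa.get('encr-alg'))
    if alg is None:
        return 'n/a'
    keysize = s(sa.get('encr-keysize'))
    return f'{alg}_{keysize}' if keysize else alg


def ike_sa_rows(sas):
    """Flatten a `list-sas` reply (a list of {name: sa} dicts) into
    (peer, local, encryption) tuples for tabular display."""
    rows = []
    for conn in sas:
        for _name, sa in conn.items():
            rows.append((s(sa.get('remote-host')), s(sa.get('local-host')),
                         format_encryption(sa)))
    return rows


def open_session(path='/var/run/charon.vici'):
    """Return a vici.Session, or None when charon is not running
    (socket missing or refusing connections) instead of a traceback."""
    import vici  # imported here so the formatter works without strongSwan
    sock = socket.socket(socket.AF_UNIX)
    try:
        sock.connect(path)
    except (FileNotFoundError, ConnectionRefusedError):
        return None
    return vici.Session(sock)
```

A caller that gets `None` from `open_session` can print "IPSec process not running" and exit cleanly, matching the behaviour the `sh vpn ipsec sa` command already shows.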