Page MenuHomeVyOS Platform
Create Task
Maniphest T2816

Rewrite IPsec scripts with the new XML/Python approach
Needs testing, NormalPublic
Actions

Description

IPsec is one of the oldest, most complicated, and most bug-ridden components. We need to rewrite it and also improve its CLI as we go.

  • CLI design
  • Implementation design
  • Rewrite of ipsec.pl
  • Rewrite of DMVPN
  • Rewrite of L2TP/IPsec

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)

Related Objects
Search...

StatusSubtypeAssignedTask
 Needs testingsdevT2816 Rewrite IPsec scripts with the new XML/Python approach
 ResolvedBUGzsdcT2728 Protocol option ignored for IPSec peers in transport mode
 ResolvedBUGNoneT1534 IPSec w/ IKEv2 Invalid local-address "any"
 OpenFEATURE REQUESTNoneT1549 ipsec ikev2 multi usergroup roadwarrior configuration
 OpenFEATURE REQUESTNoneT1856 Support configuring IPSec SA bytes
 OpenBUGNoneT1925 DMVPN is always listed as down in "show vpn ipsec sa"
 OpenBUGNoneT2606 ikev2 mobike commit failed
OpenENHANCEMENTdmbaturinT57 Make it possible to disable the entire IPsec peer
 OpenENHANCEMENTNoneT66 IPSec v6 over v6 support
 OpenFEATURE REQUESTdmbaturinT71 Add charon settings to 1.2.x configuration CLI
 ResolvedBUGdmbaturinT628 StrongSwan requires configuration change for proper routing over VTI.
 OpenFEATURE REQUESTDmitryT440 VTI/IPSec with dynamic peer
 ResolvedBUGzsdcT406 VPN configuration error: IPv6 over IPv4 IPsec is not supported when using IPv6 ONLY tunnel.
 ResolvedBUGerkinT627 IPSec configuration directive deletion fails, causes bad IPSec state on reboot.
OpenFEATURE REQUESTDmitryT645 Allow multiple prefixes in ipsec tunnel
 Needs testingNoneT1070 SWANCTL: DMVPN: ALL peers are deleted in swan when opennhrp tries to delete ONE peer
 OpenBUGUnicronNLT1101 Spoke site dynamic IP over NAT connect to Hub site
 OpenFEATURE REQUESTNoneT1210 About IKEv2 IPSec VPN remote access
 Needs testingBUGzsdcT1233 ipsec vpn sa showing down
 OpenBUGUnicronNLT1501 VPN Commit Errors
 ResolvedFEATURE REQUESTzsdcT2049 Update strongSwan cipher suites list for IPSec settings
 ResolvedBUGjestabroT2164 Package libstrongswan-standard-plugins missing from image
 ResolvedFEATURE REQUESTViacheslavT2620 Add ipsec peer-name to log to simplifies grepping and troubleshooting
 ResolvedFEATURE REQUESTViacheslavT2639 sort output of show vpn ipsec sa
ResolvedFEATURE REQUESTsdevT2641 Rewrite vpn ipsec OP commands in new style XML syntax
 ResolvedBUGViacheslavT3333 "show vpn ipsec sa" reports ESP tunnels to be up when they are not.
 ResolvedViacheslavT2806 ipsec generates false warning on commit when local prefix is sourced from loopback
 OpenFEATURE REQUESTNoneT1251 IKEv2 Agile VPN Support
 ResolvedBUGjack9603301T3055 op-mode incorrect naming fo ipsec policy-based tunnels
ResolvedViacheslavT3093 Add xml for vpn ipsec
 ResolvedFEATURE REQUESTc-poT2173 Add the ability to use VRF on VTI interfaces
 Resolvedc-poT1513 Move OSPF and RIP interface configuration under protocols
 Resolvedc-poT3588 IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan
 ResolvedFEATURE REQUESTc-poT842 Adopt VyOS CLI to latest StrongSwan options and deprecated Keywords
 ResolvedBUGsdevT3594 Disable by default service strongswan-starter
 Resolvedc-poT3595 Cannot create new VTI interface
 OpenFEATURE REQUESTNoneT3613 Selectors for route-based IPsec tunnel (vti)
Restricted Maniphest Task

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
dmbaturin added a subtask: T2728: Protocol option ignored for IPSec peers in transport mode.Aug 20 2020, 3:38 PM
dmbaturin added a subtask: T1534: IPSec w/ IKEv2 Invalid local-address "any".
dmbaturin added a subtask: T1549: ipsec ikev2 multi usergroup roadwarrior configuration.
dmbaturin added a subtask: T1856: Support configuring IPSec SA bytes.
dmbaturin added a subtask: T1925: DMVPN is always listed as down in "show vpn ipsec sa".
dmbaturin added a subtask: T2606: ikev2 mobike commit failed .
dmbaturin added a subtask: T57: Make it possible to disable the entire IPsec peer.Aug 20 2020, 3:44 PM
dmbaturin added a subtask: T66: IPSec v6 over v6 support.
dmbaturin added a subtask: T71: Add charon settings to 1.2.x configuration CLI.
dmbaturin added a subtask: T440: VTI/IPSec with dynamic peer.
dmbaturin added a subtask: T406: VPN configuration error: IPv6 over IPv4 IPsec is not supported when using IPv6 ONLY tunnel..
dmbaturin added a subtask: T627: IPSec configuration directive deletion fails, causes bad IPSec state on reboot. .Aug 20 2020, 3:46 PM
dmbaturin added a subtask: T645: Allow multiple prefixes in ipsec tunnel.
dmbaturin added a subtask: T842: Adopt VyOS CLI to latest StrongSwan options and deprecated Keywords.
dmbaturin added a subtask: T1070: SWANCTL: DMVPN: ALL peers are deleted in swan when opennhrp tries to delete ONE peer.
dmbaturin added a subtask: T1101: Spoke site dynamic IP over NAT connect to Hub site.
dmbaturin added a subtask: T1210: About IKEv2 IPSec VPN remote access.Aug 20 2020, 3:49 PM
dmbaturin added a subtask: T1233: ipsec vpn sa showing down.
cmsitv added a subscriber: cmsitv.Aug 20 2020, 3:53 PM
dmbaturin added a subtask: T1501: VPN Commit Errors.Aug 20 2020, 3:55 PM
dmbaturin added a subtask: T2049: Update strongSwan cipher suites list for IPSec settings.
dmbaturin added a subtask: T2620: Add ipsec peer-name to log to simplifies grepping and troubleshooting.
dmbaturin added a subtask: T2639: sort output of show vpn ipsec sa .
dmbaturin added a subtask: T2641: Rewrite vpn ipsec OP commands in new style XML syntax.
dmbaturin added a subtask: T2647: ipsec disableuniqreqids generate a wrong ipsec.conf.Aug 20 2020, 3:57 PM
cmsitv removed a subscriber: cmsitv.Aug 20 2020, 3:57 PM
dmbaturin removed a subtask: T2647: ipsec disableuniqreqids generate a wrong ipsec.conf.Aug 20 2020, 3:58 PM
dmbaturin added a subtask: T2806: ipsec generates false warning on commit when local prefix is sourced from loopback.
hammerstud added a subscriber: hammerstud.Aug 20 2020, 6:06 PM
pasik added a subscriber: pasik.Aug 21 2020, 7:36 AM
mpueschel added a subscriber: mpueschel.Aug 30 2020, 9:58 PM
syncer closed subtask T2728: Protocol option ignored for IPSec peers in transport mode as Resolved.Sep 9 2020, 1:45 PM
Dmitry added a subtask: T1251: IKEv2 Agile VPN Support.Sep 18 2020, 10:40 AM
Dmitry added a subscriber: Dmitry.
Viacheslav changed the status of subtask T3093: Add xml for vpn ipsec from Open to Needs testing.Dec 1 2020, 5:26 PM
Viacheslav changed the status of subtask T2639: sort output of show vpn ipsec sa from Open to Needs testing.Jan 5 2021, 3:33 PM
erkin closed subtask T627: IPSec configuration directive deletion fails, causes bad IPSec state on reboot. as Resolved.Feb 3 2021, 11:58 AM
Viacheslav closed subtask T2639: sort output of show vpn ipsec sa as Resolved.Mar 25 2021, 9:26 PM
Viacheslav changed the status of subtask T3055: op-mode incorrect naming fo ipsec policy-based tunnels from Open to Needs testing.Mar 29 2021, 7:31 PM
Viacheslav closed subtask T3055: op-mode incorrect naming fo ipsec policy-based tunnels as Resolved.Apr 14 2021, 1:04 PM
Viacheslav closed subtask T2806: ipsec generates false warning on commit when local prefix is sourced from loopback as Resolved.May 15 2021, 11:43 AM
Viacheslav closed subtask T2049: Update strongSwan cipher suites list for IPSec settings as Resolved.May 15 2021, 12:03 PM
sdev added a subscriber: sdev.Wed, May 19, 5:38 PM
sdev added a comment.Thu, May 27, 5:09 PM

IPSec / DMVPN PR: https://github.com/vyos/vyos-1x/pull/856

c-po changed the task status from Open to In progress.Thu, May 27, 6:12 PM
c-po assigned this task to sdev.
c-po triaged this task as Normal priority.
c-po added a subtask: T2173: Add the ability to use VRF on VTI interfaces.Fri, May 28, 7:46 PM
c-po closed subtask T2173: Add the ability to use VRF on VTI interfaces as Resolved.
c-po reopened subtask T2173: Add the ability to use VRF on VTI interfaces as Open.Sat, May 29, 9:29 AM
c-po changed the task status from In progress to Needs testing.Sat, May 29, 9:00 PM
c-po edited projects, added VyOS 1.4 Sagitta; removed VyOS 1.3 Equuleus.
c-po closed subtask T3093: Add xml for vpn ipsec as Resolved.Sun, May 30, 12:21 PM
c-po closed subtask T2641: Rewrite vpn ipsec OP commands in new style XML syntax as Resolved.
Viacheslav closed subtask T406: VPN configuration error: IPv6 over IPv4 IPsec is not supported when using IPv6 ONLY tunnel. as Resolved.Tue, Jun 1, 8:51 AM
sdev changed the status of subtask T3594: Disable by default service strongswan-starter from Open to In progress.Tue, Jun 1, 1:28 PM
c-po closed subtask T3594: Disable by default service strongswan-starter as Resolved.Tue, Jun 1, 7:09 PM
Viacheslav added a subtask: T3595: Cannot create new VTI interface.Wed, Jun 2, 7:52 PM
c-po changed the status of subtask T3595: Cannot create new VTI interface from Open to Confirmed.Thu, Jun 3, 7:40 AM
c-po closed subtask T3595: Cannot create new VTI interface as Resolved.Fri, Jun 4, 5:34 PM
c-po closed subtask T842: Adopt VyOS CLI to latest StrongSwan options and deprecated Keywords as Resolved.Sun, Jun 6, 5:35 PM
c-po closed subtask T3588: IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan as Resolved.Mon, Jun 7, 5:10 PM
Viacheslav changed the status of subtask T2620: Add ipsec peer-name to log to simplifies grepping and troubleshooting from Open to Needs testing.Tue, Jun 8, 9:14 AM
c-po updated the task description. (Show Details)Tue, Jun 8, 5:53 PM
Viacheslav closed subtask T2620: Add ipsec peer-name to log to simplifies grepping and troubleshooting as Resolved.Thu, Jun 10, 8:16 PM
Viacheslav added a subtask: T3613: Selectors for route-based IPsec tunnel (vti).Thu, Jun 10, 8:36 PM
acrane1 added a subtask: Restricted Maniphest Task.Fri, Jun 11, 7:47 PM
c-po closed subtask T1534: IPSec w/ IKEv2 Invalid local-address "any" as Resolved.Sat, Jun 12, 9:13 PM
c-po closed subtask T2173: Add the ability to use VRF on VTI interfaces as Resolved.Sun, Jun 13, 9:27 AM
sdev added a comment.Tue, Jun 15, 8:43 AM

Swanctl migration PR: https://github.com/vyos/vyos-1x/pull/881