Page MenuHomeVyOS Platform
Create Task
Maniphest T2816

Rewrite IPsec scripts with the new XML/Python approach
Open, Requires assessmentPublic
Actions

Description

IPsec is one of the oldest, most complicated, and most bug-ridden components. We need to rewrite it and also improve its CLI as we go.

  • CLI design
  • Implementation design
  • Rewrite of ipsec.pl
  • Rewrite of DMVPN
  • Rewrite of L2TP/IPsec

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT2816 Rewrite IPsec scripts with the new XML/Python approach
 ResolvedBUGzsdcT2728 Protocol option ignored for IPSec peers in transport mode
 OpenBUGNoneT1534 IPSec w/ IKEv2 Invalid local-address "any"
 OpenFEATURE REQUESTNoneT1549 ipsec ikev2 multi usergroup roadwarrior configuration
 OpenFEATURE REQUESTNoneT1856 Support configuring IPSec SA bytes
 OpenBUGNoneT1925 DMVPN is always listed as down in "show vpn ipsec sa"
 OpenBUGNoneT2606 ikev2 mobike commit failed
OpenENHANCEMENTdmbaturinT57 Make it possible to disable the entire IPsec peer
 OpenENHANCEMENTNoneT66 IPSec v6 over v6 support
 OpenFEATURE REQUESTdmbaturinT71 Add charon settings to 1.2.x configuration CLI
 ResolvedBUGdmbaturinT628 StrongSwan requires configuration change for proper routing over VTI.
 OpenFEATURE REQUESTDmitryT440 VTI/IPSec with dynamic peer
 OpenBUGzsdcT406 VPN configuration error: IPv6 over IPv4 IPsec is not supported when using IPv6 ONLY tunnel.
 Needs testingBUGNoneT627 IPSec configuration directive deletion fails, causes bad IPSec state on reboot.
OpenFEATURE REQUESTDmitryT645 Allow multiple prefixes in ipsec tunnel
 OpenFEATURE REQUESTNoneT842 Adopt VyOS CLI to latest StrongSwan options and deprecated Keywords
 Needs testingNoneT1070 SWANCTL: DMVPN: ALL peers are deleted in swan when opennhrp tries to delete ONE peer
 OpenBUGUnicronNLT1101 Spoke site dynamic IP over NAT connect to Hub site
 OpenFEATURE REQUESTNoneT1210 About IKEv2 IPSec VPN remote access
 Needs testingBUGzsdcT1233 ipsec vpn sa showing down
 OpenBUGUnicronNLT1501 VPN Commit Errors
 In progressFEATURE REQUESTNoneT2049 Update strongSwan cipher suites list for IPSec settings
 ResolvedBUGjestabroT2164 Package libstrongswan-standard-plugins missing from image
 OpenFEATURE REQUESTNoneT2620 Add ipsec peer-name to log to simplifies grepping and troubleshooting
 OpenFEATURE REQUESTNoneT2639 sort output of show vpn ipsec sa
OpenFEATURE REQUESTDmitryT2641 Rewrite vpn ipsec OP commands in new style XML syntax
 OpenNoneT2806 ipsec generates false warning on commit when local prefix is sourced from loopback
 OpenFEATURE REQUESTNoneT1251 IKEv2 Agile VPN Support

Event Timeline

dmbaturin created this task.Aug 20 2020, 3:37 PM
dmbaturin added a subtask: T2728: Protocol option ignored for IPSec peers in transport mode.
dmbaturin added a subtask: T1534: IPSec w/ IKEv2 Invalid local-address "any".
dmbaturin added a subtask: T1549: ipsec ikev2 multi usergroup roadwarrior configuration.
dmbaturin added a subtask: T1856: Support configuring IPSec SA bytes.
dmbaturin added a subtask: T1925: DMVPN is always listed as down in "show vpn ipsec sa".
dmbaturin added a subtask: T2606: ikev2 mobike commit failed .Aug 20 2020, 3:40 PM
dmbaturin added a subtask: T57: Make it possible to disable the entire IPsec peer.Aug 20 2020, 3:44 PM
dmbaturin added a subtask: T66: IPSec v6 over v6 support.
dmbaturin added a subtask: T71: Add charon settings to 1.2.x configuration CLI.
dmbaturin added a subtask: T440: VTI/IPSec with dynamic peer.
dmbaturin added a subtask: T406: VPN configuration error: IPv6 over IPv4 IPsec is not supported when using IPv6 ONLY tunnel..
dmbaturin added a subtask: T627: IPSec configuration directive deletion fails, causes bad IPSec state on reboot. .Aug 20 2020, 3:46 PM
dmbaturin added a subtask: T645: Allow multiple prefixes in ipsec tunnel.
dmbaturin added a subtask: T842: Adopt VyOS CLI to latest StrongSwan options and deprecated Keywords.
dmbaturin added a subtask: T1070: SWANCTL: DMVPN: ALL peers are deleted in swan when opennhrp tries to delete ONE peer.
dmbaturin added a subtask: T1101: Spoke site dynamic IP over NAT connect to Hub site.
dmbaturin added a subtask: T1210: About IKEv2 IPSec VPN remote access.Aug 20 2020, 3:49 PM
dmbaturin added a subtask: T1233: ipsec vpn sa showing down.
cmsitv added a subscriber: cmsitv.Aug 20 2020, 3:53 PM
dmbaturin added a subtask: T1501: VPN Commit Errors.Aug 20 2020, 3:55 PM
dmbaturin added a subtask: T2049: Update strongSwan cipher suites list for IPSec settings.
dmbaturin added a subtask: T2620: Add ipsec peer-name to log to simplifies grepping and troubleshooting.
dmbaturin added a subtask: T2639: sort output of show vpn ipsec sa .
dmbaturin added a subtask: T2641: Rewrite vpn ipsec OP commands in new style XML syntax.
dmbaturin added a subtask: T2647: ipsec disableuniqreqids generate a wrong ipsec.conf.Aug 20 2020, 3:57 PM
cmsitv removed a subscriber: cmsitv.Aug 20 2020, 3:57 PM
dmbaturin removed a subtask: T2647: ipsec disableuniqreqids generate a wrong ipsec.conf.Aug 20 2020, 3:58 PM
dmbaturin added a subtask: T2806: ipsec generates false warning on commit when local prefix is sourced from loopback.
hammerstud added a subscriber: hammerstud.Aug 20 2020, 6:06 PM
pasik added a subscriber: pasik.Aug 21 2020, 7:36 AM
mpueschel added a subscriber: mpueschel.Aug 30 2020, 9:58 PM
syncer closed subtask T2728: Protocol option ignored for IPSec peers in transport mode as Resolved.Sep 9 2020, 1:45 PM
Dmitry added a subtask: T1251: IKEv2 Agile VPN Support.Sep 18 2020, 10:40 AM
Dmitry added a subscriber: Dmitry.