Page MenuHomeVyOS Platform
Create Task
Maniphest T2816

Rewrite IPsec scripts with the new XML/Python approach
Needs testing, NormalPublic
Actions

Description

IPsec is one of the oldest, most complicated, and most bug-ridden components. We need to rewrite it and also improve its CLI as we go.

  • CLI design
  • Implementation design
  • Rewrite of ipsec.pl
  • Rewrite of DMVPN
  • Rewrite of L2TP/IPsec

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)

Related Objects
Search...

StatusSubtypeAssignedTask
 Needs testingsdevT2816 Rewrite IPsec scripts with the new XML/Python approach
 ResolvedBUGzsdcT2728 Protocol option ignored for IPSec peers in transport mode
 ResolvedBUGNoneT1534 IPSec w/ IKEv2 Invalid local-address "any"
 OpenFEATURE REQUESTNoneT1549 ipsec ikev2 multi usergroup roadwarrior configuration
 OpenFEATURE REQUESTNoneT1856 Support configuring IPSec SA bytes
 OpenBUGNoneT1925 DMVPN is always listed as down in "show vpn ipsec sa"
 InvalidBUGNoneT2606 ikev2 mobike commit failed
ResolvedENHANCEMENTsdevT57 Make it possible to disable the entire IPsec peer
 ResolvedENHANCEMENTdmbaturinT66 IPSec v6 over v6 support
 OpenFEATURE REQUESTdmbaturinT71 Add charon settings to 1.2.x configuration CLI
 ResolvedBUGdmbaturinT628 StrongSwan requires configuration change for proper routing over VTI.
 OpenFEATURE REQUESTDmitryT440 VTI/IPSec with dynamic peer
 ResolvedBUGzsdcT406 VPN configuration error: IPv6 over IPv4 IPsec is not supported when using IPv6 ONLY tunnel.
 ResolvedBUGerkinT627 IPSec configuration directive deletion fails, causes bad IPSec state on reboot.
OpenFEATURE REQUESTDmitryT645 Allow multiple prefixes in ipsec tunnel
 Needs testingNoneT1070 SWANCTL: DMVPN: ALL peers are deleted in swan when opennhrp tries to delete ONE peer
 OpenBUGUnicronNLT1101 Spoke site dynamic IP over NAT connect to Hub site
 ResolvedFEATURE REQUESTc-poT1210 About IKEv2 IPSec VPN remote access
 Needs testingBUGzsdcT1233 ipsec vpn sa showing down
 ResolvedBUGUnicronNLT1501 VPN Commit Errors
 ResolvedFEATURE REQUESTzsdcT2049 Update strongSwan cipher suites list for IPSec settings
 ResolvedBUGjestabroT2164 Package libstrongswan-standard-plugins missing from image
 ResolvedFEATURE REQUESTViacheslavT2620 Add ipsec peer-name to log to simplifies grepping and troubleshooting
 ResolvedFEATURE REQUESTViacheslavT2639 sort output of show vpn ipsec sa
ResolvedFEATURE REQUESTsdevT2641 Rewrite vpn ipsec OP commands in new style XML syntax
 ResolvedBUGViacheslavT3333 "show vpn ipsec sa" reports ESP tunnels to be up when they are not.
 ResolvedViacheslavT2806 ipsec generates false warning on commit when local prefix is sourced from loopback
 DuplicateFEATURE REQUESTNoneT1251 IKEv2 Agile VPN Support
 ResolvedBUGjack9603301T3055 op-mode incorrect naming for ipsec policy-based tunnels
ResolvedViacheslavT3093 Add xml for vpn ipsec
 ResolvedFEATURE REQUESTc-poT2173 Add the ability to use VRF on VTI interfaces
 Resolvedc-poT1513 Move OSPF and RIP interface configuration under protocols
 Resolvedc-poT3588 IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan
 ResolvedFEATURE REQUESTc-poT842 Adopt VyOS CLI to latest StrongSwan options and deprecated Keywords
 ResolvedBUGsdevT3594 Disable by default service strongswan-starter
 Resolvedc-poT3595 Cannot create new VTI interface
 OpenFEATURE REQUESTNoneT3613 Selectors for route-based IPsec tunnel (vti)
Restricted Maniphest Task
 OpenBUGsdevT3643 show vpn ipsec sa doesn't show tunnels in "down" state
 OpenBUGNoneT3678 VyOS 1.4: Invalid error message while deleting ipsec vpn configuration
 ResolvedBUGc-poT3718 VPN IPsec IKE group by default not use DH-group 2
 ResolvedBUGc-poT3719 Restart vpn shows some missed files
 ResolvedBUGc-poT3720 IPSec set vti secondary address cause interface disable
 OpenBUGNoneT3722 op-mode IPSec show vpn ike sa always shows L-TIME 0
 OpenBUGNoneT3723 op-mode IPSec show vpn ipsec sa output with underscores
 ResolvedBUGsdevT3727 VPN IPsec ESP proposal and ESP presented in config missmatch
 ResolvedFEATURE REQUESTc-poT3745 op-mode IPSec show vpn ipse sa sorting
 ResolvedBUGc-poT3764 Unconfigurable IKE and ESP lifetime

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
c-po closed subtask T3093: Add xml for vpn ipsec as Resolved.May 30 2021, 12:21 PM
c-po closed subtask T2641: Rewrite vpn ipsec OP commands in new style XML syntax as Resolved.
Viacheslav closed subtask T406: VPN configuration error: IPv6 over IPv4 IPsec is not supported when using IPv6 ONLY tunnel. as Resolved.Jun 1 2021, 8:51 AM
sdev changed the status of subtask T3594: Disable by default service strongswan-starter from Open to In progress.Jun 1 2021, 1:28 PM
c-po closed subtask T3594: Disable by default service strongswan-starter as Resolved.Jun 1 2021, 7:09 PM
Viacheslav added a subtask: T3595: Cannot create new VTI interface.Jun 2 2021, 7:52 PM
c-po changed the status of subtask T3595: Cannot create new VTI interface from Open to Confirmed.Jun 3 2021, 7:40 AM
c-po closed subtask T3595: Cannot create new VTI interface as Resolved.Jun 4 2021, 5:34 PM
c-po closed subtask T842: Adopt VyOS CLI to latest StrongSwan options and deprecated Keywords as Resolved.Jun 6 2021, 5:35 PM
c-po closed subtask T3588: IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan as Resolved.Jun 7 2021, 5:10 PM
Viacheslav changed the status of subtask T2620: Add ipsec peer-name to log to simplifies grepping and troubleshooting from Open to Needs testing.Jun 8 2021, 9:14 AM
c-po updated the task description. (Show Details)Jun 8 2021, 5:53 PM
Viacheslav closed subtask T2620: Add ipsec peer-name to log to simplifies grepping and troubleshooting as Resolved.Jun 10 2021, 8:16 PM
Viacheslav added a subtask: T3613: Selectors for route-based IPsec tunnel (vti).Jun 10 2021, 8:36 PM
acrane1 added a subtask: Restricted Maniphest Task.Jun 11 2021, 7:47 PM
c-po closed subtask T1534: IPSec w/ IKEv2 Invalid local-address "any" as Resolved.Jun 12 2021, 9:13 PM
c-po closed subtask T2173: Add the ability to use VRF on VTI interfaces as Resolved.Jun 13 2021, 9:27 AM
sdev added a comment.Jun 15 2021, 8:43 AM

Swanctl migration PR: https://github.com/vyos/vyos-1x/pull/881

SrividyaA added a subscriber: SrividyaA.Jun 17 2021, 6:18 PM

Tested with basic ipsec configuration and it does not seem to work when 3des encryption is configured. It works with default (aes128) and aes192.
Version

Version:          VyOS 1.4-rolling-202106151212
Release Train:    sagitta

Built by:         autobuild@vyos.net
Built on:         Tue 15 Jun 2021 11:57 UTC
Build UUID:       aca2a1be-7e7c-49c5-81f8-35df11d65aeb
Build Commit ID:  e5a2250f2d0145

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:
Hardware UUID:    54e778d8-8701-4a6a-95a0-ca658269c598

Copyright:        VyOS maintainers and contributors

Config:

set vpn ipsec esp-group espN compression 'disable'
set vpn ipsec esp-group espN lifetime '3600'
set vpn ipsec esp-group espN proposal 1 encryption '3des'
set vpn ipsec esp-group espN proposal 1 hash 'sha1'
set vpn ipsec ike-group ikeN proposal 1 dh-group '2'
set vpn ipsec ike-group ikeN proposal 1 encryption '3des'
set vpn ipsec ike-group ikeN proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.0.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.0.0.2 authentication pre-shared-secret 'Vyos@123'
set vpn ipsec site-to-site peer 10.0.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.0.0.2 ike-group 'ikeN'
set vpn ipsec site-to-site peer 10.0.0.2 local-address '10.0.0.1'
set vpn ipsec site-to-site peer 10.0.0.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.0.0.2 vti esp-group 'espN'

Error:

vyos@vyos#  run sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.0.0.2 10.0.0.2                       10.0.0.1 10.0.0.1
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 68, in <module>
    ike_sa(args.peer, args.nat)
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 52, in ike_sa
    encryption = f'{s(sa["encr-alg"])}_{s(sa["encr-keysize"])}' if 'encr-alg' in sa else 'n/a'
KeyError: 'encr-keysize'

Works in 1.2.7 version.

sdev added a comment.Jun 17 2021, 7:58 PM

@SrividyaA Fixed in PR: https://github.com/vyos/vyos-1x/pull/884

c-po changed the status of subtask Restricted Maniphest Task from Confirmed to Needs testing.Jun 19 2021, 11:26 AM
SrividyaA added a comment.Jun 21 2021, 7:01 PM

In fresh/new setup, the output of the command "show vpn ike sa" is throwing an exception error:

vyos@vyos:~$ sh vpn ike sa
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 70, in <module>
    ike_sa(args.peer, args.nat)
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 34, in ike_sa
    session = vici.Session()
  File "/usr/lib/python3/dist-packages/vici/session.py", line 12, in __init__
    sock.connect("/var/run/charon.vici")
FileNotFoundError: [Errno 2] No such file or directory
vyos@vyos:~$ sh vpn ipsec sa
IPSec process not running

In older version:

vyos@vyos:~$ sh vpn ike sa
vyos@vyos:~$ sh vpn ipsec sa
IPSec Process NOT Running
Viacheslav added a subtask: T3643: show vpn ipsec sa doesn't show tunnels in "down" state.Jun 21 2021, 8:57 PM
sdev added a comment.Jun 22 2021, 7:45 AM

@SrividyaA Fixed in PR https://github.com/vyos/vyos-1x/pull/894

SrividyaA mentioned this in T3656: IPSec 1.4 : "show vpn ike sa" does not show the correct default ike version.Jun 28 2021, 4:37 PM
c-po closed subtask T57: Make it possible to disable the entire IPsec peer as Resolved.Jul 3 2021, 5:22 PM
c-po changed the status of subtask T1210: About IKEv2 IPSec VPN remote access from Open to Needs testing.Jul 11 2021, 1:12 PM
SrividyaA mentioned this in T3678: VyOS 1.4: Invalid error message while deleting ipsec vpn configuration.Jul 13 2021, 3:29 PM
Viacheslav added a subtask: T3678: VyOS 1.4: Invalid error message while deleting ipsec vpn configuration.Jul 13 2021, 3:54 PM
c-po closed subtask T1210: About IKEv2 IPSec VPN remote access as Resolved.Jul 30 2021, 6:12 PM
Viacheslav added a subtask: T3718: VPN IPsec IKE group by default not use DH-group 2.Aug 3 2021, 3:14 PM
Viacheslav added a subtask: T3719: Restart vpn shows some missed files.Aug 3 2021, 3:19 PM
Viacheslav added a subtask: T3720: IPSec set vti secondary address cause interface disable.Aug 3 2021, 3:29 PM
c-po changed the status of subtask T3718: VPN IPsec IKE group by default not use DH-group 2 from Open to Confirmed.Aug 3 2021, 7:25 PM
c-po closed subtask T3718: VPN IPsec IKE group by default not use DH-group 2 as Resolved.Aug 4 2021, 6:50 PM
Viacheslav added a subtask: T3722: op-mode IPSec show vpn ike sa always shows L-TIME 0.Aug 5 2021, 8:14 AM
Viacheslav added a subtask: T3723: op-mode IPSec show vpn ipsec sa output with underscores.Aug 5 2021, 8:20 AM
c-po closed subtask T3719: Restart vpn shows some missed files as Resolved.Aug 5 2021, 2:55 PM
dmbaturin closed subtask T66: IPSec v6 over v6 support as Resolved.Aug 7 2021, 7:52 AM
Viacheslav added a subtask: T3727: VPN IPsec ESP proposal and ESP presented in config missmatch.Aug 9 2021, 7:41 AM
Viacheslav closed subtask T2606: ikev2 mobike commit failed as Invalid.Aug 9 2021, 8:42 AM
UnicronNL closed subtask T1501: VPN Commit Errors as Resolved.Aug 9 2021, 2:09 PM
c-po closed subtask T3720: IPSec set vti secondary address cause interface disable as Resolved.Aug 9 2021, 7:06 PM
Viacheslav added a subtask: T3745: op-mode IPSec show vpn ipse sa sorting.Aug 12 2021, 9:54 AM
Viacheslav closed subtask T3727: VPN IPsec ESP proposal and ESP presented in config missmatch as Resolved.Aug 13 2021, 11:53 AM
c-po changed the status of subtask T3745: op-mode IPSec show vpn ipse sa sorting from Open to Needs testing.Aug 14 2021, 5:02 PM
c-po closed subtask T3745: op-mode IPSec show vpn ipse sa sorting as Resolved.Aug 14 2021, 6:17 PM
Viacheslav added a subtask: T3764: Unconfigurable IKE and ESP lifetime.Aug 18 2021, 1:24 PM
c-po closed subtask T3764: Unconfigurable IKE and ESP lifetime as Resolved.Aug 19 2021, 10:03 AM