
IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan
Closed, Resolved, Public

Description


Options which are no longer available in strongSwan and should be removed from the CLI are:

https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection#Old-options-before-500

Before strongSwan 5.0.0, NAT discovery and traversal for IKEv1 had to be enabled by setting nat_traversal=yes in the config setup section of ipsec.conf. Otherwise, strongSwan 4.x's IKEv1 pluto daemon would not accept incoming IKE packets with a UDP source port different from 500. Since 5.0.0 IKEv1 traffic is handled by the charon daemon, which supports NAT traversal according to RFC 3947 (and some of its early drafts) without having to enable it explicitly (it can't be disabled either, though).

NOTE: This is also applicable to VyOS 1.3

VyOS 1.3 reports:

Jun  6 11:10:34 AC1 ipsec_starter[17766]: # deprecated keyword 'nat_traversal' in config setup
Jun  6 11:10:34 AC1 ipsec_starter[17766]: # deprecated keyword 'virtual_private' in config setup

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

c-po triaged this task as Normal priority.
c-po created this task.
c-po created this object in space S1 VyOS Public.
c-po updated the task description. (Show Details)
c-po updated the task description. (Show Details)
c-po updated the task description. (Show Details)
c-po added a project: VyOS 1.3 Equuleus.

Also vpn ipsec site-to-site peer x tunnel x allow-nat-networks and vpn ipsec site-to-site peer x tunnel x allow-public-networks

Viacheslav renamed this task from IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in stringSwan to IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan. Jun 1 2021, 7:08 AM
Viacheslav updated the task description. (Show Details)

Clarifying as requested by c-po:

allow-public-networks - Sets a value in ipsec.conf that was only ever valid in Openswan on kernel 2.6
allow-nat-networks - Also sets a value only valid in Openswan
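
Added example (not part of this task, and not VyOS or strongSwan code): a small migration check that finds and strips the two "config setup" keywords ipsec_starter flags as deprecated in the log lines quoted in the description (nat_traversal, which strongSwan 5.x makes unconditional for IKEv1 as described above, and virtual_private, the Openswan-era value referred to in the comment). The sample ipsec.conf is constructed for the example and is not a real VyOS render; the keyword list is taken only from the quoted warnings and can be extended.

```python
"""Detect and remove 'config setup' keywords that strongSwan >= 5.0.0 no longer
understands. Added example for this task; not VyOS or strongSwan code."""
import re

# Keywords ipsec_starter reports as "deprecated keyword '...' in config setup".
# Taken from the warnings quoted in the task description (assumption: this is
# the only list that matters for this migration; extend as needed).
DEPRECATED_SETUP_KEYWORDS = {"nat_traversal", "virtual_private"}

# Constructed sample in the pre-5.0.0 style (not a real VyOS-generated file).
SAMPLE_IPSEC_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16
    charondebug="ike 1"

conn peer-192.0.2.1-tunnel-1
    left=203.0.113.5
    right=192.0.2.1
    keyexchange=ikev1
"""


def strip_deprecated_setup_keywords(conf: str):
    """Return (cleaned_conf, removed).

    removed is a list of (keyword, value) pairs dropped from the
    'config setup' section. Keywords inside 'conn' sections are a different
    namespace and are left untouched.
    """
    out = []
    removed = []
    in_setup = False
    for line in conf.splitlines():
        stripped = line.strip()
        # Section headers ('config setup', 'conn <name>') start in column 0.
        if stripped and not line[0].isspace():
            in_setup = re.fullmatch(r"config\s+setup", stripped) is not None
            out.append(line)
            continue
        if in_setup:
            m = re.match(r"\s*([A-Za-z_]+)\s*=\s*(.*)$", line)
            if m and m.group(1) in DEPRECATED_SETUP_KEYWORDS:
                removed.append((m.group(1), m.group(2)))
                continue  # drop the deprecated line
        out.append(line)
    return "\n".join(out) + "\n", removed


def report(conf: str) -> list:
    """Dry run: reproduce the ipsec_starter-style warning for each hit."""
    _, removed = strip_deprecated_setup_keywords(conf)
    return [f"# deprecated keyword '{k}' in config setup" for k, _ in removed]


if __name__ == "__main__":
    for warning in report(SAMPLE_IPSEC_CONF):
        print(warning)
    cleaned, _ = strip_deprecated_setup_keywords(SAMPLE_IPSEC_CONF)
    print(cleaned)
```

Run it against a rendered /etc/ipsec.conf before and after the CLI migration: the dry-run output should match the two "deprecated keyword" lines from the VyOS 1.3 log, and the cleaned file should produce none.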

c-po updated the task description. (Show Details)
c-po removed a project: VyOS 1.3 Equuleus.