
IPsec site-to-site peer with `dhcp-interface` generates invalid configuration files (local address written as a list literal into ipsec.conf / ipsec.secrets)
Closed, DuplicatePublic

Description

Here is the configuration of three routers (one gateway and two IPsec endpoints, R1 and R2). Note that the IKE/ESP proposals below use IKEv1 with SHA-1 and DH group 2 (MODP-1024); this is a lab setup to reproduce the bug, not a recommended production cipher suite.
Gateway

set system host-name Gateway
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 description 'LAN1'
set interfaces ethernet eth2 address '192.168.1.1/24'
set interfaces ethernet eth2 description 'LAN2'
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 dns-server '192.168.0.1'
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 domain-name 'vyos.net'
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 lease '86400'
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 range 0 start 192.168.0.9
set service dhcp-server shared-network-name LAN1 subnet 192.168.0.0/24 range 0 stop '192.168.0.254'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.0.0/23'
set nat source rule 100 translation address masquerade

R1

set system host-name R1
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'gateway'
set interfaces ethernet eth1 address '172.16.0.1/24'
set interfaces ethernet eth1 description 'LAN'
set vpn ipsec esp-group london-berlin-esp compression 'disable'
set vpn ipsec esp-group london-berlin-esp lifetime '1800'
set vpn ipsec esp-group london-berlin-esp mode 'tunnel'
set vpn ipsec esp-group london-berlin-esp pfs 'enable'
set vpn ipsec esp-group london-berlin-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group london-berlin-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group london-berlin-ike ikev2-reauth 'no'
set vpn ipsec ike-group london-berlin-ike key-exchange 'ikev1'
set vpn ipsec ike-group london-berlin-ike lifetime '3600'
set vpn ipsec ike-group london-berlin-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group london-berlin-ike proposal 1 hash 'sha1'
set vpn ipsec ike-group london-berlin-ike proposal 1 dh-group 2
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 192.168.1.2 authentication id @R1
set vpn ipsec site-to-site peer 192.168.1.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.1.2 authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer 192.168.1.2 ike-group 'london-berlin-ike'
set vpn ipsec site-to-site peer 192.168.1.2 connection-type initiate
set vpn ipsec site-to-site peer 192.168.1.2 dhcp-interface 'eth0'
set vpn ipsec site-to-site peer 192.168.1.2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.168.1.2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.168.1.2 tunnel 0 esp-group 'london-berlin-esp'
set vpn ipsec site-to-site peer 192.168.1.2 tunnel 0 local prefix '172.16.0.0/24'
set vpn ipsec site-to-site peer 192.168.1.2 tunnel 0 remote prefix '10.10.10.0/24'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '172.16.0.0/24'
set nat source rule 100 translation address masquerade
set protocols static route 0.0.0.0/0 next-hop 192.168.0.1

R2

set system host-name R2
set interfaces ethernet eth0 address '192.168.1.2/24'
set interfaces ethernet eth0 description 'gateway'
set interfaces ethernet eth1 address '10.10.10.1/24'
set interfaces ethernet eth1 description 'LAN'
set vpn ipsec esp-group london-berlin-esp compression 'disable'
set vpn ipsec esp-group london-berlin-esp lifetime '1800'
set vpn ipsec esp-group london-berlin-esp mode 'tunnel'
set vpn ipsec esp-group london-berlin-esp pfs 'enable'
set vpn ipsec esp-group london-berlin-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group london-berlin-esp proposal 1 hash 'sha1'
set vpn ipsec ike-group london-berlin-ike ikev2-reauth 'no'
set vpn ipsec ike-group london-berlin-ike key-exchange 'ikev1'
set vpn ipsec ike-group london-berlin-ike lifetime '3600'
set vpn ipsec ike-group london-berlin-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group london-berlin-ike proposal 1 hash 'sha1'
set vpn ipsec ike-group london-berlin-ike proposal 1 dh-group 2
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer @R1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer @R1 authentication pre-shared-secret 'SomePreSharedKey'
set vpn ipsec site-to-site peer @R1 ike-group 'london-berlin-ike'
set vpn ipsec site-to-site peer @R1 connection-type respond
set vpn ipsec site-to-site peer @R1 authentication remote-id @R1
set vpn ipsec site-to-site peer @R1 local-address '192.168.1.2'
set vpn ipsec site-to-site peer @R1 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer @R1 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer @R1 tunnel 0 esp-group 'london-berlin-esp'
set vpn ipsec site-to-site peer @R1 tunnel 0 local prefix '10.10.10.0/24'
set vpn ipsec site-to-site peer @R1 tunnel 0 remote prefix '172.16.0.0/24'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.10.10.0/24'
set nat source rule 100 translation address masquerade
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1

The tunnel is reported as up:

vyos@R1:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.168.1.2 192.168.1.2                 192.168.0.9 R1

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Te
    -----  ------  -------      ----          ---------      -----  ------  ----
    up     IKEv1   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     30      0

vyos@R1:~$ show vpn ipsec sa
Connection                 State    Uptime    Bytes In/Out    Packets In/Out   l
-------------------------  -------  --------  --------------  ---------------- -
peer-192.168.1.2-tunnel-0  up       37s       0B/0B           0/0              4

Here is the output of `sudo swanctl -L`. Note that the `local:` entries are the string form of a list (including the eth0 IPv6 link-local address) rather than a single local address:

peer-192.168.1.2-tunnel-0: , no reauthentication, no rekeying
  local:  ['192.168.0.9/24'
  local:  fe80::5210:ff:fe02:0/64
  local:  ]
  remote: 192.168.1.2
  local pre-shared key authentication:
    id: R1
  remote pre-shared key authentication:
    id: 192.168.1.2
  peer-192.168.1.2-tunnel-0: TUNNEL, rekeying every 1260s
    local:  172.16.0.0/24
    remote: 10.10.10.0/24

And the output of `sudo ip -6 a`, which shows where the link-local address that ends up in the generated configuration comes from (eth0, `fe80::5210:ff:fe02:0/64`):

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 fe80::200:ff:fe00:0/64 scope link
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5210:ff:fe02:0/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5210:ff:fe02:1/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5210:ff:fe02:2/64 scope link
       valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5210:ff:fe02:3/64 scope link
       valid_lft forever preferred_lft forever

The generated files show the problem: the address of the `dhcp-interface` is written as a Python list literal (`['192.168.0.9/24', 'fe80::5210:ff:fe02:0/64']`) instead of a single address, both in the `left =` line of the `conn` and in the secrets file.
/etc/ipsec.conf

# Created by VyOS - manual changes will be overwritten


config setup
    charondebug = ""
    uniqueids = yes

conn peer-192.168.1.2
    authby = secret
    left = ['192.168.0.9/24', 'fe80::5210:ff:fe02:0/64'] # dhcp:eth0
    leftid = "@R1"
    right = 192.168.1.2
    keylife = 3600s
    rekeymargin = 540s
    keyexchange = ikev1
    ike = aes256-sha1-modp1024!
    ikelifetime = 3600s
    reauth = no
    closeaction = none

conn peer-192.168.1.2-tunnel-0
    also = peer-192.168.1.2
    leftsubnet = 172.16.0.0/24[%any/%any]
    rightsubnet = 10.10.10.0/24[%any/%any]
    esp = aes256-sha1-modp1024!
    keylife = 1800s
    compress = no
    type = tunnel

    auto = start
    keyingtries = %forever
conn peer-192.168.1.2-tunnel-0-passthough
    left = ['192.168.0.9/24', 'fe80::5210:ff:fe02:0/64']
    right = 192.168.1.2
    leftsubnet = 172.16.0.0/24
    rightsubnet = 172.16.0.0/24
    type = passthrough
    authby = never
    auto = route

and /etc/ipsec.secrets (the same list literal is used as the first selector of the PSK line):

# Created by VyOS - manual changes will be overwritten

['192.168.0.9/24', 'fe80::5210:ff:fe02:0/64'] 192.168.1.2 @R1 : PSK "SomePreSharedKey" # dhcp:eth0

Details

Difficulty level
Unknown (require assessment)
Version
1.4-rolling-202106102016
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
