Feature Request: IPsec Multiple local/remote prefix for the tunnel
Closed, Resolved (Public)

Description

Tested in VyOS 1.3.0-epa3
There is no way to configure multiple 'local prefix' (or 'remote prefix') for an IPsec tunnel:

[email protected]# set vpn ipsec site-to-site peer PEER tunnel 0 local prefix 10.1.0.0/24
[email protected]# set vpn ipsec site-to-site peer PEER tunnel 0 local prefix 10.2.0.0/24
[email protected]# set vpn ipsec site-to-site peer PEER tunnel 0 local prefix 10.3.0.0/24
[email protected]# compare
+vpn {
+    ipsec {
+        site-to-site {
+            peer PEER {
+                connection-type initiate
+                ikev2-reauth inherit
+                tunnel 0 {
+                    allow-nat-networks disable
+                    allow-public-networks disable
+                    local {
+                        prefix 10.3.0.0/24
+                    }
+                }
+            }
+        }
+    }
+}

In VyOS 1.4-rolling-202110310317 it works:

[email protected]# set vpn ipsec site-to-site peer 1.1.1.2 tunnel 10 local prefix '10.0.0.0/24'
[email protected]# set vpn ipsec site-to-site peer 1.1.1.2 tunnel 10 local prefix '10.1.0.0/24'
[email protected]# set vpn ipsec site-to-site peer 1.1.1.2 tunnel 10 local prefix '10.2.0.0/24'
[email protected]# compare
[edit vpn ipsec site-to-site peer 1.1.1.2 tunnel 10 local]
+prefix 10.0.0.0/24
+prefix 10.1.0.0/24
+prefix 10.2.0.0/24

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.3.0-epa3
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Improvement (missing useful functionality)

Event Timeline

NikolayP renamed this task from "Feature Request: IPsec Multiple local prefix for the tunnel" to "Feature Request: IPsec Multiple local/remote prefix for the tunnel". (Nov 13 2021, 6:33 AM)
NikolayP updated the task description.

For 1.4 it was implemented in T645.
IPSec was completely rewritten in 1.4.

Viacheslav claimed this task.