
Feature Request: IPsec transport mode. VyOS can not use local-subnet or remote-subnet when using transport mode
Status: Needs testing | Priority: Normal | Visibility: Public | Type: Feature Request

Description

Tested in VyOS 1.3.0-epa3

Configure IPsec ("transport mode") using local-subnet and remote-subnet. An error occurs:

# commit
[ vpn ipsec site-to-site peer TST2 tunnel 0 ]
VPN configuration error: Can not use local-subnet or remote-subnet when using transport mode

To reproduce:

set interfaces ethernet eth0 address '192.168.2.2/24'
set interfaces ethernet eth1 address '10.2.2.2/24'
set protocols static route 0.0.0.0/0 next-hop 192.168.2.100

set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '1800'
set vpn ipsec esp-group ESP mode 'transport'
set vpn ipsec esp-group ESP pfs 'enable'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP proposal 1 hash 'sha1'

set vpn ipsec ike-group IKEv2gr close-action 'none'
set vpn ipsec ike-group IKEv2gr ikev2-reauth 'no'
set vpn ipsec ike-group IKEv2gr key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2gr lifetime '86400'
set vpn ipsec ike-group IKEv2gr mobike 'disable'
set vpn ipsec ike-group IKEv2gr proposal 2 dh-group '2'
set vpn ipsec ike-group IKEv2gr proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKEv2gr proposal 2 hash 'sha1'

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer TST2 authentication id '192.168.2.2'
set vpn ipsec site-to-site peer TST2 authentication remote-id '192.168.1.1'
set vpn ipsec site-to-site peer TST2 connection-type 'initiate'
set vpn ipsec site-to-site peer TST2 force-encapsulation 'enable'
set vpn ipsec site-to-site peer TST2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer TST2 authentication pre-shared-secret 'VyOS'
set vpn ipsec site-to-site peer TST2 local-address '192.168.2.2'
set vpn ipsec site-to-site peer TST2 ike-group 'IKEv2gr'
set vpn ipsec site-to-site peer TST2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer TST2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer TST2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer TST2 tunnel 0 esp-group 'ESP'
set vpn ipsec site-to-site peer TST2 tunnel 0 local prefix '10.2.2.0/24'
set vpn ipsec site-to-site peer TST2 tunnel 0 remote prefix '10.1.1.0/24'
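The commit check that produces the error above, reconstructed as a stand-alone validator. This is an added example and not VyOS's own code: it parses VyOS-style `set` lines into a nested dict and reports any tunnel whose esp-group is in transport mode while the tunnel still carries a `local prefix` or `remote prefix`, printing the same message the task shows. The rule is the one the error text states; the reason given in the comment (transport mode keeps the original IP header, so the SA can only protect traffic between the two endpoints themselves) is general IPsec behaviour, not taken from the VyOS source, and `REPRO_CONFIG` is the subset of the reproduction lines that the check actually looks at.

```python
"""Stand-alone reconstruction of the commit-time check shown in this task.

Added example; it is not VyOS code. It parses VyOS-style `set` lines into a
nested dict and reports the same error VyOS prints when a tunnel's esp-group
is in transport mode but the tunnel still carries a local/remote prefix.
"""
import shlex


def parse_set_lines(lines):
    """Build a nested dict from `set a b c 'value'` lines (value = last token)."""
    tree = {}
    for raw in lines:
        line = raw.strip()
        if not line.startswith("set "):
            continue                      # blank lines and non-set lines are skipped
        tokens = shlex.split(line)[1:]    # drop the leading "set"
        if len(tokens) < 2:
            raise ValueError(f"malformed line: {line}")
        node = tree
        for key in tokens[:-2]:
            node = node.setdefault(key, {})
            if not isinstance(node, dict):
                raise ValueError(f"{key!r} is both a leaf and a node: {line}")
        node[tokens[-2]] = tokens[-1]
    return tree


# Same wording as the VyOS error in the task description.
TRANSPORT_SUBNET_ERROR = (
    "VPN configuration error: Can not use local-subnet or remote-subnet "
    "when using transport mode"
)


def check_transport_mode(tree):
    """Return one error string per tunnel that pairs transport mode with a prefix.

    Transport mode keeps the original IP header, so the SA can only protect
    traffic between the two IKE endpoints themselves; a subnet selector cannot
    be honoured without tunnel mode (or a GRE/VTI tunnel carried in transport mode).
    """
    errors = []
    ipsec = tree.get("vpn", {}).get("ipsec", {})
    esp_groups = ipsec.get("esp-group", {})
    peers = ipsec.get("site-to-site", {}).get("peer", {})
    for peer_name, peer in peers.items():
        for tun_id, tun in peer.get("tunnel", {}).items():
            group = esp_groups.get(tun.get("esp-group"), {})
            if group.get("mode", "tunnel") != "transport":
                continue                  # only transport mode is restricted
            has_prefix = any("prefix" in tun.get(side, {}) for side in ("local", "remote"))
            if has_prefix:
                errors.append(
                    f"[ vpn ipsec site-to-site peer {peer_name} tunnel {tun_id} ]\n"
                    f"{TRANSPORT_SUBNET_ERROR}"
                )
    return errors


def validate(config_text):
    """Parse a block of `set` lines and return the list of error strings."""
    return check_transport_mode(parse_set_lines(config_text.splitlines()))


# The lines from the reproduction in this task that the check depends on.
REPRO_CONFIG = """
set vpn ipsec esp-group ESP mode 'transport'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes128'
set vpn ipsec site-to-site peer TST2 local-address '192.168.2.2'
set vpn ipsec site-to-site peer TST2 ike-group 'IKEv2gr'
set vpn ipsec site-to-site peer TST2 tunnel 0 esp-group 'ESP'
set vpn ipsec site-to-site peer TST2 tunnel 0 local prefix '10.2.2.0/24'
set vpn ipsec site-to-site peer TST2 tunnel 0 remote prefix '10.1.1.0/24'
"""

if __name__ == "__main__":
    for err in validate(REPRO_CONFIG):
        print(err)
```

Running the block on the reproduction config prints the same two-line error the task shows; switching the esp-group to `mode 'tunnel'`, or dropping the two `prefix` lines, yields no error, which is the distinction the check draws.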

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.3.0-epa3
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

Unknown Object (User) created this task. Nov 17 2021, 11:39 AM
Unknown Object (User) created this object in space S1 VyOS Public.
Viacheslav changed the subtype of this task from "Task" to "Feature Request". Feb 20 2022, 3:18 PM
Viacheslav changed the task status from Open to Needs testing. Jan 20 2024, 10:31 AM
Viacheslav assigned this task to a.hajiyev.
Viacheslav triaged this task as Normal priority.
Viacheslav added a subscriber: Viacheslav.

Still relevant for 1.3.5

vyos@r1# commit
[ vpn ipsec site-to-site peer TST2 tunnel 0 ]
VPN configuration error: Can not use local-subnet or remote-subnet when using transport mode

[[vpn]] failed
Commit failed
[edit]
vyos@r1#

Needs to be re-checked for 1.4/1.5