IPsec IKE-group proposals limit of 10 pieces
Closed, ResolvedPublicFEATURE REQUEST
Actions

Assigned To

Unknown Object (User)

Authored By

	Unknown Object (User)
	Dec 20 2021, 2:51 AM

Description

Tested in:
VyOS 1.2.8
VyOS 1.3-beta-202112120443

There is a limit of 10 proposals per IKE group:

VPN configuration error: A total of 13 proposals have been configured for IKE group "IKEv1gr". The maximum proposals allowed for an IKE group is 10

To reproduce:

set vpn ipsec ike-group IKEv1gr ikev2-reauth 'no'
set vpn ipsec ike-group IKEv1gr key-exchange 'ikev1'
set vpn ipsec ike-group IKEv1gr lifetime '86400'
set vpn ipsec ike-group IKEv1gr proposal 100 encryption 'aes256'
set vpn ipsec ike-group IKEv1gr proposal 100 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 100 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 1000 encryption '3des'
set vpn ipsec ike-group IKEv1gr proposal 1000 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 1000 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 1100 encryption '3des'
set vpn ipsec ike-group IKEv1gr proposal 1100 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 1100 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 1200 encryption '3des'
set vpn ipsec ike-group IKEv1gr proposal 1200 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 1200 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 200 encryption 'aes256'
set vpn ipsec ike-group IKEv1gr proposal 200 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 200 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 300 encryption 'aes256'
set vpn ipsec ike-group IKEv1gr proposal 300 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 300 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 400 encryption 'aes192'
set vpn ipsec ike-group IKEv1gr proposal 400 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 400 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 500 encryption 'aes192'
set vpn ipsec ike-group IKEv1gr proposal 500 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 500 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 600 encryption 'aes192'
set vpn ipsec ike-group IKEv1gr proposal 600 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 600 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 700 encryption 'aes128'
set vpn ipsec ike-group IKEv1gr proposal 700 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 700 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 800 encryption 'aes128'
set vpn ipsec ike-group IKEv1gr proposal 800 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 800 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 900 encryption 'aes128'
set vpn ipsec ike-group IKEv1gr proposal 900 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 900 dh-group '2'

commit

Details

Difficulty level: Unknown (require assessment)
Version: 1.3-beta-202112120443, 1.2.8
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Related Objects

Mentioned In: 1.2.9
1.3.3
1.3.1

Event Timeline

Unknown Object (User) created this task.Dec 20 2021, 2:51 AM

Unknown Object (User) created this object in space S1 VyOS Public.

@Viacheslav found the source of the restriction:

sudo nano -c +34 /opt/vyatta/sbin/vpn-config.pl

pasik added a subscriber: pasik.Dec 20 2021, 8:12 AM

There is a reason https://github.com/vyos/vyatta-cfg-vpn/blob/de19cb9b03b78c4e3da93e014764bb2400ffe8a6/scripts/vpn-config.pl#L34

Viacheslav changed the subtype of this task from "Task" to "Feature Request".Dec 20 2021, 1:17 PM

Viacheslav removed a project: VyOS 1.2 Crux.Dec 21 2021, 8:07 PM

Viacheslav assigned this task to Unknown Object (User).Dec 27 2021, 5:32 PM

PR for 1.3:
https://github.com/vyos/vyatta-cfg-vpn/pull/54

PR for 1.2:
https://github.com/vyos/vyatta-cfg-vpn/pull/55

Could you also create a pr for 1.4?
Or 1.4 doesn’t have such limits?

Viacheslav changed the task status from Open to Needs testing.Jan 9 2022, 7:45 AM

VyOS 1.4-rolling-202201041316 - works well.

Viacheslav closed this task as Resolved.Feb 7 2022, 10:27 AM

Viacheslav edited projects, added VyOS 1.2 Crux (VyOS 1.2.9), VyOS 1.3 Equuleus ( 1.3.1); removed VyOS 1.4 Sagitta, VyOS 1.3 Equuleus.

Viacheslav moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.

Viacheslav moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.9) board.

dmbaturin mentioned this in 1.3.1.Jun 11 2022, 8:40 AM

dmbaturin mentioned this in 1.3.3.Sep 22 2022, 10:56 AM

dmbaturin mentioned this in 1.2.9.Feb 23 2023, 5:20 PM

IPsec IKE-group proposals limit of 10 pieces Closed, ResolvedPublicFEATURE REQUESTActions

Description

Details

Related Objects

Event Timeline

IPsec IKE-group proposals limit of 10 pieces
Closed, ResolvedPublicFEATURE REQUEST
Actions