Page MenuHomeVyOS Platform

IPsec IKE-group proposals limit of 10 pieces
Closed, ResolvedPublicFEATURE REQUEST

Description

Tested in:
VyOS 1.2.8
VyOS 1.3-beta-202112120443

There is a limit of 10 proposals per IKE group:

VPN configuration error: A total of 13 proposals have been configured for IKE group "IKEv1gr". The maximum proposals allowed for an IKE group is 10

To reproduce:

set vpn ipsec ike-group IKEv1gr ikev2-reauth 'no'
set vpn ipsec ike-group IKEv1gr key-exchange 'ikev1'
set vpn ipsec ike-group IKEv1gr lifetime '86400'
set vpn ipsec ike-group IKEv1gr proposal 100 encryption 'aes256'
set vpn ipsec ike-group IKEv1gr proposal 100 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 100 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 1000 encryption '3des'
set vpn ipsec ike-group IKEv1gr proposal 1000 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 1000 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 1100 encryption '3des'
set vpn ipsec ike-group IKEv1gr proposal 1100 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 1100 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 1200 encryption '3des'
set vpn ipsec ike-group IKEv1gr proposal 1200 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 1200 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 200 encryption 'aes256'
set vpn ipsec ike-group IKEv1gr proposal 200 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 200 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 300 encryption 'aes256'
set vpn ipsec ike-group IKEv1gr proposal 300 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 300 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 400 encryption 'aes192'
set vpn ipsec ike-group IKEv1gr proposal 400 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 400 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 500 encryption 'aes192'
set vpn ipsec ike-group IKEv1gr proposal 500 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 500 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 600 encryption 'aes192'
set vpn ipsec ike-group IKEv1gr proposal 600 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 600 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 700 encryption 'aes128'
set vpn ipsec ike-group IKEv1gr proposal 700 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 700 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 800 encryption 'aes128'
set vpn ipsec ike-group IKEv1gr proposal 800 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 800 dh-group '2'
set vpn ipsec ike-group IKEv1gr proposal 900 encryption 'aes128'
set vpn ipsec ike-group IKEv1gr proposal 900 hash 'sha1'
set vpn ipsec ike-group IKEv1gr proposal 900 dh-group '2'

commit

Details

Difficulty level
Unknown (require assessment)
Version
1.3-beta-202112120443, 1.2.8
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Mentioned In
1.3.1

Event Timeline

@Viacheslav found the source of the restriction:

sudo nano -c +34 /opt/vyatta/sbin/vpn-config.pl
Viacheslav changed the subtype of this task from "Task" to "Feature Request".Dec 20 2021, 1:17 PM

Could you also create a pr for 1.4?
Or 1.4 doesn’t have such limits?

Viacheslav changed the task status from Open to Needs testing.Jan 9 2022, 7:45 AM

VyOS 1.4-rolling-202201041316 - works well.