Page MenuHomeVyOS Platform

IPsec syntax overhaul
Closed, ResolvedPublic

Description

Since we are rewriting IPsec scripts, we may also take a chance to refactor the CLI syntax.

Some issues I noticed:

Boolean nodes

First, there are lots of nodes whose possible values are "<enable|disable>". Just like all similar boolean nodes, the value doesn't add any new information, and that structure makes

Current: set vpn ipsec esp-group Foo compression enable

vs
Proposed: set vpn ipsec esp-group Foo enable-compression

The second option makes it immediately obvious what the default it, and it's also faster to enter.

Peer IDs

Right now, local peer ID is specified under authentication id. The remote peer ID, however, is specified by prepending a @ character to the peer, e.g. set vpn ipsec site-to-site peer @mypeer.

That's a batshit insane scheme that clearly arose when someone in the old days of Vyatta first designed that syntax with an assumption that peer ID is always its address, and then added a band-aid fix after realizing that it's not the case.

It's incredibly counter-intuitive and deeply problematic if the remote ID is dictated by the peer and you can't convince them to add a @ to it.

It would be better to make the peer node name purely informational and put the actual remote address and peer IDs inside it.

We already have an authentication remote-id option that, as I remember, overrides the peer @id given in the node name, which only adds more confusion.

set vpn ipsec site-to-site peer MyCoolPeer remote-address 192.0.2.1

set vpn ipsec site-to-site peer MyCoolPeer authentication local-id OurSideID

set vpn ipsec site-to-site peer MyCoolPeer authentication remote-id TheirSideID

Second,

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)
Issue type
Improvement (missing useful functionality)

Event Timeline

PR https://github.com/vyos/vyos-1x/pull/1463
PR https://github.com/vyos/vyatta-cfg-system/pull/184

Migration and Change boolean nodes "enable/disable" to
disable-xxxx, enable-xxxx and just xxx for VPN IPsec
configurations

  - IKE changes:
      - replace 'ipsec ike-group <tag> mobike disable'
             => 'ipsec ike-group <tag> disable-mobike'
      - replace 'ipsec ike-group <tag> ikev2-reauth yes|no'
             => 'ipsec ike-group <tag> ikev2-reauth'
  - ESP changes:
      - replace 'ipsec esp-group <tag> compression enable'
             => 'ipsec esp-group <tag> compression'
  - PEER changes:
      - replace: 'peer <tag> id xxx'
              => 'peer <tag> local-id xxx'
      - replace: 'peer <tag> force-encapsulation enable'
              => 'peer <tag> force-udp-encapsulation'
      - add option: 'peer <tag> remote-address x.x.x.x'

If peer name is IPv4 or IPv6 address add remote-address via
migration script
Viacheslav changed the task status from Open to In progress.Sep 16 2022, 12:24 PM
Viacheslav changed the task status from In progress to Needs testing.Sep 16 2022, 6:04 PM

Hello sir,

Plz check out this issue https://phabricator.vyos.net/T4823

I am not sure that it is a bug or I miss something about this breaking change.

Thanks

Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.