
Ability to set priority to site to site IPSec vpn tunnels
Closed, Resolved | Public | FEATURE REQUEST

Description

This is useful in cases where the same local/remote prefixes are assigned to different peers:

                203.0.113.1
              /
203.0.113.254 
              \
                203.0.113.2

For example, we have 2 VPN peers and both peers send the same prefixes with policy-based VPN.

set vpn ipsec site-to-site peer 203.0.113.1 tunnel 0 local prefix '172.16.0.0/24'
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 0 remote prefix '10.0.0.0/24'

set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 local prefix '172.16.0.0/24'
set vpn ipsec site-to-site peer 203.0.113.2 tunnel 0 remote prefix '10.0.0.0/24'

Strongswan supports connections.<conn>.children.<child>.priority https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf

Suggested syntax:

set vpn ipsec site-to-site peer 203.0.113.1 tunnel 0 cost X

or

set vpn ipsec site-to-site peer 203.0.113.1 tunnel 0 priority X

The routes with the lowest value are preferred.

Optional fixed priority for IPsec policies. This could be useful to install high-priority drop policies. The default of 0 uses dynamically calculated priorities based on the size of the traffic selectors.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

PR https://github.com/vyos/vyos-1x/pull/1129

set vpn ipsec site-to-site peer 192.0.2.14 tunnel 0 local prefix '172.16.0.0/24'
set vpn ipsec site-to-site peer 192.0.2.14 tunnel 0 priority '100'
set vpn ipsec site-to-site peer 192.0.2.14 tunnel 0 remote prefix '10.0.0.0/24'

set vpn ipsec site-to-site peer 203.0.113.14 tunnel 0 local prefix '172.16.0.0/24'
set vpn ipsec site-to-site peer 203.0.113.14 tunnel 0 priority '1'
set vpn ipsec site-to-site peer 203.0.113.14 tunnel 0 remote prefix '10.0.0.0/24'

Expected route from the peer with the lowest priority, i.e. 203.0.113.14

vyos@r11-roll# run show ip route table 220
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF default table 220:
K>* 10.0.0.0/24 [0/0] via 203.0.113.14, eth1, src 172.16.0.1, 00:23:30
[edit]
vyos@r11-roll#
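Added example, not part of the task or of the vyos-1x PR: the `show ip route table 220` output above only shows the route charon installed, while the thing that actually decides which peer carries 172.16.0.0/24 <-> 10.0.0.0/24 is the kernel XFRM policy (SPD) entry with the lowest priority value for that selector. The script below parses `ip xfrm policy` output, groups entries by (src, dst, direction), names the peer whose template wins, and compares that against the peer you intended. The sample output is constructed; the values 1 and 100 assume the priority given to swanctl.conf reaches the kernel policy unchanged, and the second selector pair has the values deliberately swapped so the mismatch report has something to show. The file name `xfrm_winner.py` is hypothetical.

```python
"""Check which IPsec peer actually owns a policy-based selector pair.

Parses the text output of `ip xfrm policy` (Linux XFRM SPD) and, for every
(src, dst, direction) selector that more than one peer has installed, picks
the entry with the numerically lowest priority, which is the one the kernel
matches first. Live use (hypothetical file name):

    ip xfrm policy | python3 xfrm_winner.py -
"""
import re
import sys
from collections import defaultdict

# Constructed sample in the format `ip xfrm policy` prints. Two peers
# (203.0.113.14 and 192.0.2.14) both carry 172.16.0.0/24 <-> 10.0.0.0/24;
# priorities 1 and 100 are assumed to be the swanctl child priorities set via
# `tunnel 0 priority`, passed to the kernel unchanged (assumption). For
# 172.16.1.0/24 <-> 10.0.1.0/24 the two values are swapped by mistake.
SAMPLE = """\
src 172.16.0.0/24 dst 10.0.0.0/24
\tdir out priority 1 ptype main
\ttmpl src 203.0.113.254 dst 203.0.113.14
\t\tproto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 172.16.0.0/24
\tdir in priority 1 ptype main
\ttmpl src 203.0.113.14 dst 203.0.113.254
\t\tproto esp reqid 1 mode tunnel
src 10.0.0.0/24 dst 172.16.0.0/24
\tdir fwd priority 1 ptype main
\ttmpl src 203.0.113.14 dst 203.0.113.254
\t\tproto esp reqid 1 mode tunnel
src 172.16.0.0/24 dst 10.0.0.0/24
\tdir out priority 100 ptype main
\ttmpl src 203.0.113.254 dst 192.0.2.14
\t\tproto esp reqid 2 mode tunnel
src 10.0.0.0/24 dst 172.16.0.0/24
\tdir in priority 100 ptype main
\ttmpl src 192.0.2.14 dst 203.0.113.254
\t\tproto esp reqid 2 mode tunnel
src 172.16.1.0/24 dst 10.0.1.0/24
\tdir out priority 1 ptype main
\ttmpl src 203.0.113.254 dst 192.0.2.14
\t\tproto esp reqid 4 mode tunnel
src 172.16.1.0/24 dst 10.0.1.0/24
\tdir out priority 100 ptype main
\ttmpl src 203.0.113.254 dst 203.0.113.14
\t\tproto esp reqid 3 mode tunnel
src 10.0.1.0/24 dst 172.16.1.0/24
\tdir in priority 1 ptype main
\ttmpl src 192.0.2.14 dst 203.0.113.254
\t\tproto esp reqid 4 mode tunnel
src 10.0.1.0/24 dst 172.16.1.0/24
\tdir in priority 100 ptype main
\ttmpl src 203.0.113.14 dst 203.0.113.254
\t\tproto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket out priority 0 ptype main
"""

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s+dir (in|out|fwd) priority (\d+)")
TMPL_RE = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")
REQID_RE = re.compile(r"^\s+proto \S+ reqid (\d+)")


def parse_xfrm_policy(text):
    """One dict per SPD entry. Socket policies (no `dir` line) and entries
    without a template keep None in those fields so callers can skip them."""
    entries, cur = [], None
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            cur = {"src": m[1], "dst": m[2], "dir": None,
                   "priority": None, "tmpl": None, "reqid": None}
            entries.append(cur)
        elif cur is None:
            continue
        elif m := DIR_RE.match(line):
            cur["dir"], cur["priority"] = m[1], int(m[2])
        elif m := TMPL_RE.match(line):
            cur["tmpl"] = (m[1], m[2])
        elif m := REQID_RE.match(line):
            cur["reqid"] = int(m[1])
    return entries


def remote_peer(entry):
    """Outbound templates carry the remote gateway in `dst`; inbound and
    forward templates carry it in `src`."""
    tmpl_src, tmpl_dst = entry["tmpl"]
    return tmpl_dst if entry["dir"] == "out" else tmpl_src


def resolve(entries):
    """Group tunnel policies by (src, dst, dir); per group report the peer
    with the lowest priority value and every candidate that was installed."""
    groups = defaultdict(list)
    for e in entries:
        if e["dir"] is None or e["tmpl"] is None:
            continue  # socket policies or bare entries: not a tunnel
        groups[(e["src"], e["dst"], e["dir"])].append(e)
    resolved = {}
    for key, pols in groups.items():
        pols.sort(key=lambda e: e["priority"])
        best = pols[0]
        resolved[key] = {
            "winner": remote_peer(best),
            "priority": best["priority"],
            "candidates": [(remote_peer(p), p["priority"]) for p in pols],
        }
    return resolved


def check_expected(resolved, expected):
    """For each intended (local, remote) -> peer mapping, check both the
    `out` policy (local->remote) and the `in` policy (remote->local).
    Returns (selector key, expected peer, actual peer or None) per mismatch."""
    mismatches = []
    for (local, remote), peer in expected.items():
        for key in ((local, remote, "out"), (remote, local, "in")):
            got = resolved.get(key)
            if got is None:
                mismatches.append((key, peer, None))
            elif got["winner"] != peer:
                mismatches.append((key, peer, got["winner"]))
    return mismatches


# Intended owner of each selector pair, as the operator configured it.
EXPECTED = {
    ("172.16.0.0/24", "10.0.0.0/24"): "203.0.113.14",
    ("172.16.1.0/24", "10.0.1.0/24"): "203.0.113.14",
}

if __name__ == "__main__":
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    resolved = resolve(parse_xfrm_policy(text))
    for key, info in sorted(resolved.items()):
        print(f"{key[0]} -> {key[1]} ({key[2]}): via {info['winner']} "
              f"prio {info['priority']}, candidates {info['candidates']}")
    for key, want, got in check_expected(resolved, EXPECTED):
        print(f"MISMATCH {key}: expected {want}, kernel prefers {got}")
```

Run without arguments it works on the embedded sample and reports the swapped second pair as a mismatch; piped from a real `ip xfrm policy` on the gateway it tells you which peer the kernel will actually use for each prefix pair. When no priority is configured, strongswan derives the value from the selector size (the text quoted in the description), so two tunnels with identical /24 selectors end up with the same number and the SPD alone does not express a preference; distinct explicit values are what make the winner unambiguous and this check meaningful.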
Viacheslav changed the task status from Open to Needs testing. Dec 31 2021, 3:44 PM

It can't be implemented in 1.3, as it doesn't use swanctl.conf for peer configuration.
I didn't find this option for ipsec.conf

Viacheslav renamed this task from "Ability to set priority to site to site IPSec tunnels" to "Ability to set priority to site to site IPSec vpn tunnels". Dec 31 2021, 3:45 PM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.