At the moment VTI/IPsec is not possible in VyOS (1.1.7 and 1.2) with dynamic VPN peers (peers with FQDN). Only peers with fix IP address are possible. There are other commercial IPSec implementations where VTI and dyn.peers are possible.
- Difficulty level
- Hard (possibly days)
- Why the issue appeared?
- Will be filled on close
- Is it a breaking change?
- Unspecified (possibly destroys the router)
- Issue type
- Improvement (missing useful functionality)
|Needs testing||sdev||T2816 Rewrite IPsec scripts with the new XML/Python approach|
|Open||FEATURE REQUEST||Dmitry||T440 VTI/IPSec with dynamic peer|
I believe StrongSwan does support some version of the functionality. strongSwan ipsec.conf
It looks like fqdn is resolved everytime the conf file is checked. See Below
left|right = <ip address> | <fqdn> | %any | range | subnet
The IP address of the participant's public-network interface or one of several magic values.
The value %any for the local endpoint signifies an address to be filled in
(by automatic keying) during negotiation. If the local peer initiates the connection setup the routing table
will be queried to determine the correct local IP address. In case the local peer is responding to a connection
setup then any IP address that is assigned to a local interface will be accepted.
Prior to 5.0.0 specifying %any for the local endpoint was not supported for IKEv1 connections, instead
the keyword %defaultroute could be used, causing the value to be filled in automatically with the local
address of the default-route interface (as determined at IPsec startup time and during configuration
update). Either left or right may be %defaultroute, but not both.
The prefix % in front of a fully-qualified domain name or an IP address will implicitly set left|rightallowany=yes.
If %any is used for the remote endpoint it literally means any IP address.
If an FQDN is assigned it is resolved every time a configuration lookup is done. If DNS resolution times out,
the lookup is delayed for that time.
Thanks Brandon for your findings. IPSec with dynamic peer is no problem in VyOS. We use some of that with x.509 auth. Only VTI with dynamic peer is not allowed by VyOS. Do you know more about VTI and dynamic peer with strongswan on other linux installations (not VyOS)? Is it possible there?
I can confirm that this seems to only affect VTI's. Regular IPSec will take dynamic peer just fine. Any update on what the limitation is with VTI's?
Version: VyOS 1.2.0-rc11
VPN VTI configuration error: The peer "fqdn.goes.here" is invalid, an ip address must be specified for VTIs.