
VTI/IPSec with dynamic peer
Closed, Wontfix · Public · FEATURE REQUEST

Description

At the moment VTI/IPsec is not possible in VyOS (1.1.7 and 1.2) with dynamic VPN peers (peers with an FQDN). Only peers with a fixed IP address are possible. There are other commercial IPsec implementations where VTI and dynamic peers are possible.

Details

Difficulty level: Hard (possibly days)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Improvement (missing useful functionality)

Event Timeline

Do we know why it's not possible? Is it due to a missing configuration option in VyOS, or is it due to non-availability in the underlying Linux components, e.g. Strongswan?

VyOS doesn't allow this configuration variant. You get an appropriate message if you try. In EdgeOS it's the same. I don't know if it's possible in Strongswan V5.3.5.

I believe strongSwan does support some version of the functionality. strongSwan ipsec.conf
It looks like the FQDN is resolved every time the conf file is checked. See below:

left|right = <ip address> | <fqdn> | %any | range | subnet

The IP address of the participant's public-network interface or one of several magic values.
The value %any for the local endpoint signifies an address to be filled in
(by automatic keying) during negotiation. If the local peer initiates the connection setup the routing table
will be queried to determine the correct local IP address. In case the local peer is responding to a connection
setup then any IP address that is assigned to a local interface will be accepted.

Prior to 5.0.0 specifying %any for the local endpoint was not supported for IKEv1 connections, instead
the keyword %defaultroute could be used, causing the value to be filled in automatically with the local
address of the default-route interface (as determined at IPsec startup time and during configuration
update). Either left or right may be %defaultroute, but not both.

The prefix % in front of a fully-qualified domain name or an IP address will implicitly set left|rightallowany=yes.

If %any is used for the remote endpoint it literally means any IP address.

If an FQDN is assigned it is resolved every time a configuration lookup is done. If DNS resolution times out,
the lookup is delayed for that time.

Thanks, Brandon, for your findings. IPsec with a dynamic peer is no problem in VyOS. We use some of that with X.509 auth. Only VTI with a dynamic peer is not allowed by VyOS. Do you know more about VTI and dynamic peers with strongSwan on other Linux installations (not VyOS)? Is it possible there?

syncer triaged this task as Normal priority.Dec 21 2017, 9:22 PM

Are there any new possibilities with the new kernel 4.14 and strongSwan 5.6.2 in V1.2.0-rolling for this case here?

I can confirm that this seems to only affect VTIs. Regular IPsec will take a dynamic peer just fine. Any update on what the limitation is with VTIs?

Version: VyOS 1.2.0-rc11

VPN VTI configuration error: The peer "fqdn.goes.here" is invalid, an ip address must be specified for VTIs.

syncer reassigned this task from dmbaturin to Unknown Object (User).Mar 10 2020, 12:53 AM
syncer added a subscriber: dmbaturin.
dmbaturin changed Difficulty level from Unknown (require assessment) to Hard (possibly days).Jan 27 2021, 6:43 PM
dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).
dmbaturin set Issue type to Improvement (missing useful functionality).Sep 3 2021, 7:25 AM
syncer reassigned this task from Unknown Object (User) to Viacheslav.Jul 16 2023, 9:30 PM
syncer added a subscriber: Unknown Object (User).

Implemented in 1.4
Wontfix for 1.3 due to old backend.