
VTI/IPSec with dynamic peer
Open, Normal | Public | FEATURE REQUEST

Description

At the moment VTI/IPsec is not possible in VyOS (1.1.7 and 1.2) with dynamic VPN peers (peers with FQDN). Only peers with a fixed IP address are possible. There are other commercial IPsec implementations where VTI and dynamic peers are possible.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

Line2 created this task. Oct 30 2017, 2:54 PM
c-po added a subscriber: c-po. Oct 30 2017, 3:57 PM

Do we know why it's not possible? Is it due to a missing configuration option in VyOS or is it due to non-availability in the underlying Linux components, e.g. strongSwan?

Line2 added a comment. Oct 30 2017, 4:17 PM

VyOS doesn't allow this configuration variant. You get an appropriate message if you try. In EdgeOS it's the same. I don't know if it's possible in strongSwan 5.3.5.

bcrowe added a subscriber: bcrowe. Nov 3 2017, 11:17 PM

I believe strongSwan does support some version of the functionality (see the strongSwan ipsec.conf documentation).
It looks like the FQDN is resolved every time the conf file is checked. See below:

left|right = <ip address> | <fqdn> | %any | range | subnet

The IP address of the participant's public-network interface or one of several magic values.
The value %any for the local endpoint signifies an address to be filled in
(by automatic keying) during negotiation. If the local peer initiates the connection setup the routing table
will be queried to determine the correct local IP address. In case the local peer is responding to a connection
setup then any IP address that is assigned to a local interface will be accepted.

Prior to 5.0.0 specifying %any for the local endpoint was not supported for IKEv1 connections, instead
the keyword %defaultroute could be used, causing the value to be filled in automatically with the local
address of the default-route interface (as determined at IPsec startup time and during configuration
update). Either left or right may be %defaultroute, but not both.

The prefix % in front of a fully-qualified domain name or an IP address will implicitly set left|rightallowany=yes.

If %any is used for the remote endpoint it literally means any IP address.

If an FQDN is assigned it is resolved every time a configuration lookup is done. If DNS resolution times out,
the lookup is delayed for that time.

Line2 added a comment. Nov 19 2017, 3:39 PM

Thanks Brandon for your findings. IPSec with dynamic peer is no problem in VyOS. We use some of that with x.509 auth. Only VTI with dynamic peer is not allowed by VyOS. Do you know more about VTI and dynamic peer with strongswan on other linux installations (not VyOS)? Is it possible there?

syncer triaged this task as Normal priority. Dec 21 2017, 9:22 PM

Are there any new possibilities with the new kernel 4.14 and strongSwan 5.6.2 in 1.2.0-rolling for this case here?

pasik added a subscriber: pasik. Oct 1 2018, 9:52 AM
syncer assigned this task to dmbaturin. Oct 13 2018, 7:17 PM

I can confirm that this seems to only affect VTIs. Regular IPsec will take a dynamic peer just fine. Any update on what the limitation is with VTIs?

Version: VyOS 1.2.0-rc11

VPN VTI configuration error: The peer "fqdn.goes.here" is invalid, an ip address must be specified for VTIs.
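The following is an added illustration for this task, not strongSwan or VyOS code. It encodes the left|right value forms listed in the ipsec.conf excerpt quoted above (%any, %defaultroute, the % prefix implying allowany, IP literal, FQDN, range, subnet) and emulates the VyOS rule reported in this thread, namely that a plain site-to-site peer may be an FQDN while a peer bound to a VTI must be an IP literal (the error text is the one reported against 1.2.0-rc11). The hostname syntax check, the range/subnet handling and the resolve-at-configuration-time helper are assumptions of this example, not documented VyOS or strongSwan behaviour.

```python
"""Classify strongSwan left|right values and emulate the VyOS VTI peer check.

Added illustration for the VTI/IPsec dynamic-peer task; this is not
strongSwan or VyOS code.  Value forms follow the ipsec.conf(5) excerpt
quoted in the thread; the VTI rule follows the reported error message.
Everything else (hostname regex, range/subnet parsing, resolver helper)
is an assumption made for the example.
"""
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Callable, Optional

# Hostname label per RFC 1123 (assumption: adequate for a config-time check).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass
class Endpoint:
    kind: str           # "any", "defaultroute", "ip", "fqdn", "range", "subnet"
    value: str          # value with any leading "%" removed
    allowany: bool      # "%" prefix on an FQDN/IP implies left|rightallowany=yes
    needs_lookup: bool  # FQDN: strongSwan resolves it at every config lookup


def _ip(s: str) -> Optional[ipaddress._BaseAddress]:
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def is_fqdn(s: str) -> bool:
    labels = s.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)


def parse_endpoint(raw: str) -> Endpoint:
    """Interpret a left= / right= value as described in ipsec.conf(5)."""
    v = raw.strip()
    if v == "%any":
        return Endpoint("any", v, False, False)
    if v == "%defaultroute":
        return Endpoint("defaultroute", v, False, False)
    # Ranges and subnets take no "%" prefix (assumption: the man page only
    # documents the prefix for an FQDN or an IP address).
    if "-" in v:
        lo, hi = v.split("-", 1)
        if _ip(lo) and _ip(hi):
            return Endpoint("range", v, False, False)
    if "/" in v:
        ipaddress.ip_network(v, strict=False)
        return Endpoint("subnet", v, False, False)
    allowany = v.startswith("%")
    if allowany:
        v = v[1:]
    if _ip(v):
        return Endpoint("ip", v, allowany, False)
    if is_fqdn(v):
        return Endpoint("fqdn", v, allowany, True)
    raise ValueError(f"unrecognised left|right value: {raw!r}")


def vyos_vti_peer_check(peer: str) -> Optional[str]:
    """Return the rejection a VTI-bound peer gets in VyOS, or None if accepted.

    Emulates the rule reported in the thread: only an IP literal is allowed
    as the peer of a VTI; an FQDN (fine for plain site-to-site) is rejected.
    """
    if parse_endpoint(peer).kind == "ip":
        return None
    return (f'VPN VTI configuration error: The peer "{peer}" is invalid, '
            "an ip address must be specified for VTIs.")


def vti_peer_address(peer: str,
                     resolve: Callable[[str], str] = socket.gethostbyname) -> str:
    """Address to put in the VTI peer: an IP literal as-is, an FQDN resolved now.

    Assumption: a script-side workaround that resolves the name at
    configuration time and re-applies the literal when it changes, since
    VyOS itself will not re-resolve for a VTI peer.
    """
    ep = parse_endpoint(peer)
    if ep.kind == "ip":
        return ep.value
    if ep.kind == "fqdn":
        return resolve(ep.value)
    raise ValueError(f"{peer!r} cannot be used as a VTI peer")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for sample in ("203.0.113.10", "fqdn.goes.here", "%vpn.example.com", "%any"):
        ep = parse_endpoint(sample)
        print(f"{sample:20} kind={ep.kind:12} allowany={ep.allowany} "
              f"vti={'ok' if vyos_vti_peer_check(sample) is None else 'rejected'}")
```

The resolver is injected so the check runs offline; in a real hook you would call `vti_peer_address("fqdn.goes.here")` from a cron or DHCP/DDNS event and re-apply the site-to-site peer only when the returned literal differs from the one currently configured.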

syncer reassigned this task from dmbaturin to Dmitry. Mar 10 2020, 12:53 AM
syncer added a subscriber: dmbaturin.