
Rewrite IPsec authentication
Closed, Resolved | Public | FEATURE REQUEST

Description

We should rewrite the strongSwan authentication configuration to reflect the structure of swanctl.conf.
The most important change is that more than one local/remote ID should be allowed in the same authentication entry, so that a single pre-shared secret can be matched against several identities.

One of the use cases is the requirement to interoperate with Cisco FlexVPN.

Current syntax:

set vpn ipsec site-to-site peer OFFICE-B authentication local-id 192.0.2.1
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication pre-shared-secret 'SSSeeccRetT'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id 192.0.2.2

Proposed syntax:

set vpn ipsec site-to-site peer OFFICE-B authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '192.0.2.2'
set vpn ipsec authentication psk OFFICE-B id '192.0.2.1'
set vpn ipsec authentication psk OFFICE-B id '192.0.2.2'
set vpn ipsec authentication psk OFFICE-B secret 'SSSeeccRetT'

Several PSKs:

set vpn ipsec site-to-site peer OFFICE-B authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '192.0.2.2'
set vpn ipsec authentication psk OFFICE-B1 id '192.0.2.1'
set vpn ipsec authentication psk OFFICE-B1 id '192.0.2.3'
set vpn ipsec authentication psk OFFICE-B1 id '192.0.2.4'
set vpn ipsec authentication psk OFFICE-B1 secret 'SSSeeccRetT1'
set vpn ipsec authentication psk OFFICE-B2 id '192.0.2.2'
set vpn ipsec authentication psk OFFICE-B2 id '192.0.2.5'
set vpn ipsec authentication psk OFFICE-B2 id '192.0.2.6'
set vpn ipsec authentication psk OFFICE-B2 secret 'SSSeeccRetT2'
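
As an added example (not VyOS project code), the proposed tree rendered into the swanctl.conf secrets section it is meant to mirror: each psk entry becomes one 'ike-<name>' section carrying its ids as 'id-1', 'id-2', ... plus one secret, which is what lets one secret serve several identities. The 'ike-<name>'/'id-<n>' naming follows the swanctl.conf secrets format; the duplicate-id rejection is this example's own validation, not something the task specifies.

```python
# Added example, not VyOS code: map the proposed 'vpn ipsec authentication
# psk' tree onto a swanctl.conf secrets block. 'ike-<name>'/'id-<n>' follow
# the swanctl.conf secrets format; the duplicate-id check is this example's.
SAMPLE_COMMANDS = [  # the "Several PSKs" lines from the task description
    "set vpn ipsec authentication psk OFFICE-B1 id '192.0.2.1'",
    "set vpn ipsec authentication psk OFFICE-B1 id '192.0.2.3'",
    "set vpn ipsec authentication psk OFFICE-B1 id '192.0.2.4'",
    "set vpn ipsec authentication psk OFFICE-B1 secret 'SSSeeccRetT1'",
    "set vpn ipsec authentication psk OFFICE-B2 id '192.0.2.2'",
    "set vpn ipsec authentication psk OFFICE-B2 id '192.0.2.5'",
    "set vpn ipsec authentication psk OFFICE-B2 id '192.0.2.6'",
    "set vpn ipsec authentication psk OFFICE-B2 secret 'SSSeeccRetT2'",
]
PREFIX = ["set", "vpn", "ipsec", "authentication", "psk"]

def parse_psk_commands(lines):
    """Collect {name: {"id": [...], "secret": str}}; lines outside the psk
    subtree (e.g. the site-to-site peer entries) are ignored."""
    psk = {}
    for line in lines:
        parts = line.split()
        if parts[:5] != PREFIX or len(parts) != 8:
            continue
        name, key, value = parts[5], parts[6], parts[7].strip("'\"")
        entry = psk.setdefault(name, {"id": [], "secret": None})
        if key == "id":
            entry["id"].append(value)
        elif key == "secret":
            entry["secret"] = value
    return psk

def render_swanctl_secrets(psk):
    """One ike-<name> section per PSK with every id listed as id-1, id-2, ...
    (so strongSwan picks the secret by any of them); a shared id is rejected."""
    owner = {}
    for name, entry in psk.items():
        if not entry["id"] or entry["secret"] is None:
            raise ValueError(f"psk {name}: needs at least one id and a secret")
        for ident in entry["id"]:
            if ident in owner:
                raise ValueError(f"id {ident} used by {owner[ident]} and {name}")
            owner[ident] = name
    out = ["secrets {"]
    for name, entry in psk.items():
        out.append(f"    ike-{name} {{")
        out.extend(f"        id-{n} = {i}" for n, i in enumerate(entry["id"], 1))
        out.append(f'        secret = "{entry["secret"]}"')
        out.append("    }")
    out.append("}")
    return "\n".join(out)
```

Running render_swanctl_secrets(parse_psk_commands(SAMPLE_COMMANDS)) yields two sections, ike-OFFICE-B1 with id-1..id-3 and ike-OFFICE-B2 with id-1..id-3, each with its own secret line.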

Details

Difficulty level: Unknown (requires assessment)
Version: -
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Feature (new functionality)