Page MenuHomeVyOS Platform
Create Task
Maniphest T777

Misleading Help Text for IPSEC Connection Type
Closed, ResolvedPublicBUG
Actions

Description

Command completion text is misleading compared to the underlying config generated for IPSec:

set vpn ipsec site-to-site peer x.x.x.x connection-type [tab]
Possible completions:
initiate This endpoint can initiate or respond to a connection
respond This endpoint will only respond to a connection

initiate results in auto=start in /etc/ipsec.conf
respond results in auto=route in /etc/ipsec.conf

The wiki page for this in strongswan states:

auto = ignore | add | route | start
what operation, if any, should be done automatically at IPsec startup. add loads a connection without
starting it. route loads a connection and installs kernel traps. If traffic is detected between
leftsubnet and rightsubnet, a connection is established. start loads a connection and brings
it up immediately. ignore ignores the connection. This is equal to deleting a connection from the config
file. Relevant only locally, other end need not agree on it.

At a minimum, the completion help text needs to be updated to reflect actual behavior.

From a config perspetive, it seems that the /etc/ipsec.conf file should end up with auto=add for "respond".

Adding a new 3rd connection-type of on-demand (or similar) that sets auto=route would then complete the available options in /etc/ipsec.conf

The EdgeOS forums have a thread (https://community.ubnt.com/t5/EdgeRouter-Beta/IPSec-connection-type-initiate-not-working/td-p/1399870) that's reporting the same background info with the same suggestions. I'm copying/documenting it here as I think the config commands should match actual function.

Details

Difficulty level
Easy (less than an hour)
Version
1.1.8 confirmed, others likely
Why the issue appeared?
Implementation mistake

Event Timeline

mpoublon created this task.Aug 15 2018, 3:13 AM
mpoublon updated the task description. (Show Details)
mpoublon updated the task description. (Show Details)Aug 15 2018, 3:15 AM
syncer triaged this task as Normal priority.Sep 1 2018, 2:53 PM
syncer edited projects, added VyOS 1.2 Crux; removed VyOS 1.1.x (1.1.8).
syncer added a subscriber: syncer.

@mpoublon please confirm is same in 1.2
not likely that we going to fix it in 1.1.x

dmbaturin claimed this task.Sep 2 2018, 9:44 PM
dmbaturin edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc1); removed VyOS 1.2 Crux.
dmbaturin changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
dmbaturin moved this task from Needs Triage to In Progress on the VyOS 1.2 Crux (VyOS 1.2.0-rc1) board.Oct 2 2018, 4:09 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc2); removed VyOS 1.2 Crux (VyOS 1.2.0-rc1).Oct 9 2018, 6:43 AM
syncer moved this task from Needs Triage to In Progress on the VyOS 1.2 Crux (VyOS 1.2.0-rc2) board.
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc3); removed VyOS 1.2 Crux (VyOS 1.2.0-rc2).Oct 13 2018, 9:27 AM
syncer moved this task from Needs Triage to In Progress on the VyOS 1.2 Crux (VyOS 1.2.0-rc3) board.
pasik added a subscriber: pasik.Oct 15 2018, 9:52 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc4); removed VyOS 1.2 Crux (VyOS 1.2.0-rc3).Oct 15 2018, 10:15 PM
syncer moved this task from Needs Triage to In Progress on the VyOS 1.2 Crux (VyOS 1.2.0-rc4) board.
dmbaturin edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc5); removed VyOS 1.2 Crux (VyOS 1.2.0-rc4).Oct 21 2018, 4:50 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc6); removed VyOS 1.2 Crux (VyOS 1.2.0-rc5).Oct 29 2018, 6:16 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc7); removed VyOS 1.2 Crux (VyOS 1.2.0-rc6).Nov 6 2018, 12:57 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc8); removed VyOS 1.2 Crux (VyOS 1.2.0-rc7).Nov 13 2018, 3:48 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc9); removed VyOS 1.2 Crux (VyOS 1.2.0-rc8).Nov 20 2018, 12:44 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc10); removed VyOS 1.2 Crux (VyOS 1.2.0-rc9).Nov 27 2018, 12:03 AM
syncer edited projects, added VyOS 1.2 Crux ( VyOS 1.2.0-rc11); removed VyOS 1.2 Crux (VyOS 1.2.0-rc10).Dec 5 2018, 11:58 PM
mpoublon added a comment.Dec 18 2018, 9:38 PM

I've confirmed that the same is true for 1.2 RC11 as for 1.1.8

#set vpn ipsec site-to-site peer [PEERIP] connection-type
Possible completions:
 initiate     This endpoint can initiate or respond to a connection
 respond      This endpoint will only respond to a connection

connection-type initiate results in auto=start, while respond results in auto=route

syncer edited projects, added VyOS 1.2 Crux ( VyOS 1.2.0-EPA); removed VyOS 1.2 Crux ( VyOS 1.2.0-rc11).Dec 21 2018, 10:07 AM
dmbaturin closed this task as Resolved.Dec 31 2018, 12:20 PM
dmbaturin edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-EPA2); removed VyOS 1.2 Crux ( VyOS 1.2.0-EPA).
dmbaturin changed Why the issue appeared? from Will be filled on close to Implementation mistake.
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-EPA2) board.Jan 3 2019, 1:54 PM
syncer added a project: VyOS-1.2.0-GA.Jan 25 2019, 2:38 PM