Hi,
Could you add support for specifying selectors for route-based IPsec tunnels that use VTI interfaces? At the moment it is not possible and VyOS always uses 0.0.0.0/0 <-> 0.0.0.0/0.
https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-traffic-selectors-in-route-based-vpns.html
We have multiple connections, including VPN tunnels to many 3rd parties. Most of them require the selectors to be something other than 0.0.0.0/0. Because we use zone-based policies to make traffic management easier, we have to use VTI for IPsec so that the tunnel can be added to a zone.
This should be easy to do, as strongSwan/Libreswan already support it. I've edited the ipsec.conf file manually and it works:
conn peer-x.x.x.x-tunnel-vti-1
    left=y.y.y.y
    right=x.x.x.x
    rightsubnet=192.168.100.0/24
    leftsubnet=10.0.252.112/29
    ike=aes256-sha256-modp1024!
    keyexchange=ikev1
    aggressive=no
    ikelifetime=86400s
    closeaction=none
    esp=aes256-sha256!
    keylife=3600s
    rekeymargin=540s
    type=tunnel
    compress=no
    authby=secret
    mark=9437185
    leftupdown="/usr/lib/ipsec/vti-up-down vti1"
    auto=start
    keyingtries=%forever
#conn peer-x.x.x.x-tunnel-vti-1

conn peer-x.x.x.x-tunnel-vti-2
    left=y.y.y.y
    right=x.x.x.x
    rightsubnet=192.168.100.0/24
    leftsubnet=10.0.252.112/29
    ike=aes256-sha256-modp1024!
    keyexchange=ikev1
    aggressive=no
    ikelifetime=86400s
    closeaction=none
    esp=aes256-sha256!
    keylife=3600s
    rekeymargin=540s
    type=tunnel
    compress=no
    authby=secret
    mark=9437185
    leftupdown="/usr/lib/ipsec/vti-up-down vti1"
    auto=start
    keyingtries=%forever
#conn peer-x.x.x.x-tunnel-vti-2
$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
x.x.x.x                                 y.y.y.y

    State  IKEVer  Encrypt  Hash        D-H Group     NAT-T  A-Time  L-Time
    -----  ------  -------  ----        ---------     -----  ------  ------
    up     IKEv1   aes256   sha256_128  2(MODP_1024)  no     18000   86400

$ show vpn ipsec sa
Connection                 State  Uptime    Bytes In/Out  Packets In/Out  Remote address  Remote ID  Proposal
-------------------------  -----  --------  ------------  --------------  --------------  ---------  -----------------------------
peer-x.x.x.x-tunnel-vti-1  up     4h33m35s  40K/336B      496/4           x.x.x.x         N/A        AES_CBC_256/HMAC_SHA2_256_128
peer-x.x.x.x-tunnel-vti-2  up     4h33m35s  252B/252B     3/3             x.x.x.x         N/A        AES_CBC_256/HMAC_SHA2_256_128
Thanks,
Damian
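As an added example, not code from the request above, from VyOS or from strongSwan: a small audit script that parses the conn sections of a generated ipsec.conf and reports which VTI connections still negotiate the wildcard 0.0.0.0/0 <-> 0.0.0.0/0 selectors the request complains about, alongside the narrow selectors of the hand-edited conns. It also groups conns by their XFRM mark, since the two conns posted above share mark 9437185 and the same vti1 up/down script, and a reviewer would want to see that at a glance. The sample ipsec.conf is constructed for this example (RFC 5737 documentation addresses stand in for x.x.x.x and y.y.y.y; a third conn with wildcard selectors is added to show the check firing), and the parser is deliberately simple: it assumes one `key=value` per line and ignores `include`, `also=` and `conn %default` inheritance.

```python
"""Audit traffic selectors and marks in strongSwan ipsec.conf conn sections.

Added example, not VyOS or strongSwan code. The config below is constructed
for this example, modelled on the conns posted in the request.
"""
from ipaddress import ip_network

# Constructed sample: 203.0.113.1 is the local endpoint, 198.51.100.1 the
# peer. vti-0 carries the selectors VyOS currently generates; vti-1/vti-2
# mirror the hand-edited conns (note both use mark 9437185 and vti1).
SAMPLE_IPSEC_CONF = """\
conn peer-198.51.100.1-tunnel-vti-0
    left=203.0.113.1
    right=198.51.100.1
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=9437184
    leftupdown="/usr/lib/ipsec/vti-up-down vti0"
#conn peer-198.51.100.1-tunnel-vti-0
conn peer-198.51.100.1-tunnel-vti-1
    left=203.0.113.1
    right=198.51.100.1
    rightsubnet=192.168.100.0/24
    leftsubnet=10.0.252.112/29
    mark=9437185
    leftupdown="/usr/lib/ipsec/vti-up-down vti1"
#conn peer-198.51.100.1-tunnel-vti-1
conn peer-198.51.100.1-tunnel-vti-2
    left=203.0.113.1
    right=198.51.100.1
    rightsubnet=192.168.200.0/24
    leftsubnet=10.0.252.112/29
    mark=9437185
    leftupdown="/usr/lib/ipsec/vti-up-down vti1"
#conn peer-198.51.100.1-tunnel-vti-2
"""

# Selectors that match everything, for IPv4 and IPv6.
WILDCARDS = {ip_network("0.0.0.0/0"), ip_network("::/0")}


def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn section in the text.

    Simplified parser: one key=value per line, '#' starts a comment, quotes
    around values are stripped. No include/also/%default handling.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns


def selectors(conn):
    """Return (local, remote) selector networks for a conn.

    Only the first subnet of a comma-separated list is considered; a missing
    leftsubnet/rightsubnet yields None (strongSwan then falls back to the
    endpoint address rather than a wildcard).
    """
    nets = []
    for key in ("leftsubnet", "rightsubnet"):
        value = conn.get(key)
        nets.append(ip_network(value.split(",")[0], strict=False) if value else None)
    return tuple(nets)


def wildcard_conns(conns):
    """Names of conns whose selectors are 0.0.0.0/0 <-> 0.0.0.0/0 (or ::/0)."""
    return [name for name, conn in conns.items()
            if all(net in WILDCARDS for net in selectors(conn))]


def conns_by_mark(conns):
    """Group conn names by XFRM mark value (ignoring an optional /mask)."""
    groups = {}
    for name, conn in conns.items():
        if "mark" in conn:
            groups.setdefault(conn["mark"].split("/")[0], []).append(name)
    return groups


if __name__ == "__main__":
    parsed = parse_conns(SAMPLE_IPSEC_CONF)
    for name, conn in parsed.items():
        local, remote = selectors(conn)
        print(f"{name}: {local} <-> {remote} mark={conn.get('mark')}")
    print("wildcard selectors:", wildcard_conns(parsed))
    for mark, names in conns_by_mark(parsed).items():
        if len(names) > 1:
            print(f"mark {mark} shared by: {', '.join(names)}")
```

Run against the ipsec.conf that VyOS writes (on the system in the request that is the file the author edited by hand) to confirm which conns carry narrow selectors after a commit, and to see which conns are steered to the same VTI via a shared mark.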