Change Details

Hi, Could you add support for specifying selectors for route-based IPsec tunnels that use VTI interfaces? At the moment it is not possible and VyOS always uses 0.0.0.0/0 <-> 0.0.0.0/0. https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-traffic-selectors-in-route-based-vpns.html We have multiple connections including VPN tunnels to many 3rd parties. Most of them require the selectors to be non 0.0.0.0/0. As we use zone-based policies to make traffic management easier therefore we have to use VTI for IPsec to be able to add it to a zone. This should be easy to do as strongswan/libreswan already supports it. I've edited the ipsec.conf file manually and it works. conn peer-x.x.x.x-tunnel-vti-1 left=y.y.y.y right=x.x.x.x rightsubnet=192.168.100.0/24 leftsubnet=10.0.252.112/29 ike=aes256-sha256-modp1024! keyexchange=ikev1 aggressive=no ikelifetime=86400s closeaction=none esp=aes256-sha256! keylife=3600s rekeymargin=540s type=tunnel compress=no authby=secret mark=9437185 leftupdown="/usr/lib/ipsec/vti-up-down vti1" auto=start keyingtries=%forever #conn peer-x.x.x.x-tunnel-vti-1 conn peer-x.x.x.x-tunnel-vti-2 left=y.y.y.y right=x.x.x.x rightsubnet=192.168.100.0/24 leftsubnet=10.0.252.112/29 ike=aes256-sha256-modp1024! keyexchange=ikev1 aggressive=no ikelifetime=86400s closeaction=none esp=aes256-sha256! keylife=3600s rekeymargin=540s type=tunnel compress=no authby=secret mark=9437185 leftupdown="/usr/lib/ipsec/vti-up-down vti1" auto=start keyingtries=%forever #conn peer-x.x.x.x-tunnel-vti-2 $ show vpn ike sa Peer ID / IP Local ID / IP ------------ ------------- x.x.x.x y.y.y.y State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time ----- ------ ------- ---- --------- ----- ------ ------ up IKEv1 aes256 sha256_128 2(MODP_1024) no 18000 86400 $ show vpn ipsec sa Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal ------------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------- peer-x.x.x.x-tunnel-vti-1 up 4h33m35s 40K/336B 496/4 x.x.x.x N/A AES_CBC_256/HMAC_SHA2_256_128 peer-x.x.x.x-tunnel-vti-2 up 4h33m35s 252B/252B 3/3 x.x.x.x N/A AES_CBC_256/HMAC_SHA2_256_128 Thanks, Damian

Hi, Could you add support for specifying selectors for route-based IPsec tunnels that use VTI interfaces? At the moment it is not possible and VyOS always uses 0.0.0.0/0 <-> 0.0.0.0/0. https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-traffic-selectors-in-route-based-vpns.html We have multiple connections including VPN tunnels to many 3rd parties. Most of them require the selectors to be non 0.0.0.0/0. As we use zone-based policies to make traffic management easier therefore we have to use VTI for IPsec to be able to add it to a zone. This should be easy to do as strongswan/libreswan already supports it. I've edited the ipsec.conf file manually and it works. ``` conn peer-x.x.x.x-tunnel-vti-1 left=y.y.y.y right=x.x.x.x rightsubnet=192.168.100.0/24 leftsubnet=10.0.252.112/29 ike=aes256-sha256-modp1024! keyexchange=ikev1 aggressive=no ikelifetime=86400s closeaction=none esp=aes256-sha256! keylife=3600s rekeymargin=540s type=tunnel compress=no authby=secret mark=9437185 leftupdown="/usr/lib/ipsec/vti-up-down vti1" auto=start keyingtries=%forever #conn peer-x.x.x.x-tunnel-vti-1 conn peer-x.x.x.x-tunnel-vti-2 left=y.y.y.y right=x.x.x.x rightsubnet=192.168.100.0/24 leftsubnet=10.0.252.112/29 ike=aes256-sha256-modp1024! keyexchange=ikev1 aggressive=no ikelifetime=86400s closeaction=none esp=aes256-sha256! keylife=3600s rekeymargin=540s type=tunnel compress=no authby=secret mark=9437185 leftupdown="/usr/lib/ipsec/vti-up-down vti1" auto=start keyingtries=%forever #conn peer-x.x.x.x-tunnel-vti-2 ``` ``` $ show vpn ike sa Peer ID / IP Local ID / IP ------------ ------------- x.x.x.x y.y.y.y State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time ----- ------ ------- ---- --------- ----- ------ ------ up IKEv1 aes256 sha256_128 2(MODP_1024) no 18000 86400 $ show vpn ipsec sa Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal ------------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------- peer-x.x.x.x-tunnel-vti-1 up 4h33m35s 40K/336B 496/4 x.x.x.x N/A AES_CBC_256/HMAC_SHA2_256_128 peer-x.x.x.x-tunnel-vti-2 up 4h33m35s 252B/252B 3/3 x.x.x.x N/A AES_CBC_256/HMAC_SHA2_256_128 ``` Thanks, Damian

Hi, Could you add support for specifying selectors for route-based IPsec tunnels that use VTI interfaces? At the moment it is not possible and VyOS always uses 0.0.0.0/0 <-> 0.0.0.0/0. https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-traffic-selectors-in-route-based-vpns.html We have multiple connections including VPN tunnels to many 3rd parties. Most of them require the selectors to be non 0.0.0.0/0. As we use zone-based policies to make traffic management easier therefore we have to use VTI for IPsec to be able to add it to a zone. This should be easy to do as strongswan/libreswan already supports it. I've edited the ipsec.conf file manually and it works. ``` conn peer-x.x.x.x-tunnel-vti-1 left=y.y.y.y right=x.x.x.x rightsubnet=192.168.100.0/24 leftsubnet=10.0.252.112/29 ike=aes256-sha256-modp1024! keyexchange=ikev1 aggressive=no ikelifetime=86400s closeaction=none esp=aes256-sha256! keylife=3600s rekeymargin=540s type=tunnel compress=no authby=secret mark=9437185 leftupdown="/usr/lib/ipsec/vti-up-down vti1" auto=start keyingtries=%forever #conn peer-x.x.x.x-tunnel-vti-1 conn peer-x.x.x.x-tunnel-vti-2 left=y.y.y.y right=x.x.x.x rightsubnet=192.168.100.0/24 leftsubnet=10.0.252.112/29 ike=aes256-sha256-modp1024! keyexchange=ikev1 aggressive=no ikelifetime=86400s closeaction=none esp=aes256-sha256! keylife=3600s rekeymargin=540s type=tunnel compress=no authby=secret mark=9437185 leftupdown="/usr/lib/ipsec/vti-up-down vti1" auto=start keyingtries=%forever #conn peer-x.x.x.x-tunnel-vti-2 ``` ``` $ show vpn ike sa Peer ID / IP Local ID / IP ------------ ------------- x.x.x.x y.y.y.y State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time ----- ------ ------- ---- --------- ----- ------ ------ up IKEv1 aes256 sha256_128 2(MODP_1024) no 18000 86400 $ show vpn ipsec sa Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal ------------------------------- ------- -------- -------------- ---------------- ---------------- ----------- ----------------------------- peer-x.x.x.x-tunnel-vti-1 up 4h33m35s 40K/336B 496/4 x.x.x.x N/A AES_CBC_256/HMAC_SHA2_256_128 peer-x.x.x.x-tunnel-vti-2 up 4h33m35s 252B/252B 3/3 x.x.x.x N/A AES_CBC_256/HMAC_SHA2_256_128 ``` Thanks, Damian