Change Details

IPSec site-to-site generates unexpected passthrough option, after [[ https://github.com/vyos/vyos-1x/commit/e8a637eec0cc398f78a877ece6b9c7cdca418970 | commit ]] As result tunnel not working ``` set interfaces dummy dum0 address '10.10.0.2/32' set interfaces ethernet eth2 address '192.0.2.2/30' set interfaces tunnel tun0 address '10.0.0.2/30' set interfaces tunnel tun0 encapsulation 'gre' set interfaces tunnel tun0 multicast 'disable' set interfaces tunnel tun0 remote '10.10.0.1' set interfaces tunnel tun0 source-address '10.10.0.2' set vpn ipsec esp-group ESP-GRP compression 'disable' set vpn ipsec esp-group ESP-GRP lifetime '3600' set vpn ipsec esp-group ESP-GRP mode 'tunnel' set vpn ipsec esp-group ESP-GRP pfs 'dh-group14' set vpn ipsec esp-group ESP-GRP proposal 1 encryption 'aes256' set vpn ipsec esp-group ESP-GRP proposal 1 hash 'sha256' set vpn ipsec ike-group IKE-GRP close-action 'none' set vpn ipsec ike-group IKE-GRP dead-peer-detection action 'restart' set vpn ipsec ike-group IKE-GRP dead-peer-detection interval '30' set vpn ipsec ike-group IKE-GRP dead-peer-detection timeout '120' set vpn ipsec ike-group IKE-GRP ikev2-reauth 'no' set vpn ipsec ike-group IKE-GRP key-exchange 'ikev2' set vpn ipsec ike-group IKE-GRP lifetime '28800' set vpn ipsec ike-group IKE-GRP proposal 1 dh-group '14' set vpn ipsec ike-group IKE-GRP proposal 1 encryption 'aes256' set vpn ipsec ike-group IKE-GRP proposal 1 hash 'sha256' set vpn ipsec interface 'eth2' set vpn ipsec site-to-site peer 192.0.2.1 authentication id '192.0.2.2' set vpn ipsec site-to-site peer 192.0.2.1 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret 'SuperPA$$swd' set vpn ipsec site-to-site peer 192.0.2.1 connection-type 'initiate' set vpn ipsec site-to-site peer 192.0.2.1 ike-group 'IKE-GRP' set vpn ipsec site-to-site peer 192.0.2.1 ikev2-reauth 'inherit' set vpn ipsec site-to-site peer 192.0.2.1 local-address '192.0.2.2' set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group 'ESP-GRP' set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix '10.10.0.2/32' set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix '10.10.0.1/32' ``` Generated configuration: ``` vyos@tstrtr2# sudo cat /etc/swanctl/swanctl.conf | grep children -A 20 children { peer_192-0-2-1_tunnel_1 { esp_proposals = aes256-sha256-modp2048 life_time = 3600s local_ts = 10.10.0.2/32 remote_ts = 10.10.0.1/32 ipcomp = no mode = tunnel start_action = start dpd_action = restart close_action = none } peer_192-0-2-1_tunnel_1_passthough { local_ts = remote_ts = start_action = trap mode = pass } } } ``` As result we don't see outbound packets: ``` peer_192-0-2-1: #1, ESTABLISHED, IKEv2, be2a04e3a6e22022_i* 6b07c0ef01f6c28e_r local '192.0.2.2' @ 192.0.2.2[4500] remote '192.0.2.1' @ 192.0.2.1[4500] AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 established 304s ago, rekeying in 26719s peer_192-0-2-1_tunnel_1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128 installed 304s ago, rekeying in 3296s, expires in 3296s in c35c85cf, 546 bytes, 4 packets out ce0b767f, 0 bytes, 0 packets local 10.10.0.2/32 remote 10.10.0.1/32 ```

IPSec site-to-site generates unexpected passthrough option, after [[ https://github.com/vyos/vyos-1x/commit/e8a637eec0cc398f78a877ece6b9c7cdca418970 | commit ]] As result tunnel not working ``` set interfaces dummy dum0 address '10.10.0.2/32' set interfaces ethernet eth2 address '192.0.2.2/30' set interfaces tunnel tun0 address '10.0.0.2/30' set interfaces tunnel tun0 encapsulation 'gre' set interfaces tunnel tun0 multicast 'disable' set interfaces tunnel tun0 remote '10.10.0.1' set interfaces tunnel tun0 source-address '10.10.0.2' set vpn ipsec esp-group ESP-GRP compression 'disable' set vpn ipsec esp-group ESP-GRP lifetime '3600' set vpn ipsec esp-group ESP-GRP mode 'tunnel' set vpn ipsec esp-group ESP-GRP pfs 'dh-group14' set vpn ipsec esp-group ESP-GRP proposal 1 encryption 'aes256' set vpn ipsec esp-group ESP-GRP proposal 1 hash 'sha256' set vpn ipsec ike-group IKE-GRP close-action 'none' set vpn ipsec ike-group IKE-GRP dead-peer-detection action 'restart' set vpn ipsec ike-group IKE-GRP dead-peer-detection interval '30' set vpn ipsec ike-group IKE-GRP dead-peer-detection timeout '120' set vpn ipsec ike-group IKE-GRP ikev2-reauth 'no' set vpn ipsec ike-group IKE-GRP key-exchange 'ikev2' set vpn ipsec ike-group IKE-GRP lifetime '28800' set vpn ipsec ike-group IKE-GRP proposal 1 dh-group '14' set vpn ipsec ike-group IKE-GRP proposal 1 encryption 'aes256' set vpn ipsec ike-group IKE-GRP proposal 1 hash 'sha256' set vpn ipsec interface 'eth2' set vpn ipsec site-to-site peer 192.0.2.1 authentication id '192.0.2.2' set vpn ipsec site-to-site peer 192.0.2.1 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret 'SuperPA$$swd' set vpn ipsec site-to-site peer 192.0.2.1 connection-type 'initiate' set vpn ipsec site-to-site peer 192.0.2.1 ike-group 'IKE-GRP' set vpn ipsec site-to-site peer 192.0.2.1 ikev2-reauth 'inherit' set vpn ipsec site-to-site peer 192.0.2.1 local-address '192.0.2.2' set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group 'ESP-GRP' set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix '10.10.0.2/32' set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix '10.10.0.1/32' ``` Generated configuration (unexpected option `peer_192-0-2-1_tunnel_1_passthough`): ``` vyos@tstrtr2# sudo cat /etc/swanctl/swanctl.conf | grep children -A 20 children { peer_192-0-2-1_tunnel_1 { esp_proposals = aes256-sha256-modp2048 life_time = 3600s local_ts = 10.10.0.2/32 remote_ts = 10.10.0.1/32 ipcomp = no mode = tunnel start_action = start dpd_action = restart close_action = none } peer_192-0-2-1_tunnel_1_passthough { local_ts = remote_ts = start_action = trap mode = pass } } } ``` As result we don't see outbound packets: ``` peer_192-0-2-1: #1, ESTABLISHED, IKEv2, be2a04e3a6e22022_i* 6b07c0ef01f6c28e_r local '192.0.2.2' @ 192.0.2.2[4500] remote '192.0.2.1' @ 192.0.2.1[4500] AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 established 304s ago, rekeying in 26719s peer_192-0-2-1_tunnel_1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128 installed 304s ago, rekeying in 3296s, expires in 3296s in c35c85cf, 546 bytes, 4 packets out ce0b767f, 0 bytes, 0 packets local 10.10.0.2/32 remote 10.10.0.1/32 ```

IPSec site-to-site generates unexpected passthrough option, after [[ https://github.com/vyos/vyos-1x/commit/e8a637eec0cc398f78a877ece6b9c7cdca418970 | commit ]] As result tunnel not working ``` set interfaces dummy dum0 address '10.10.0.2/32' set interfaces ethernet eth2 address '192.0.2.2/30' set interfaces tunnel tun0 address '10.0.0.2/30' set interfaces tunnel tun0 encapsulation 'gre' set interfaces tunnel tun0 multicast 'disable' set interfaces tunnel tun0 remote '10.10.0.1' set interfaces tunnel tun0 source-address '10.10.0.2' set vpn ipsec esp-group ESP-GRP compression 'disable' set vpn ipsec esp-group ESP-GRP lifetime '3600' set vpn ipsec esp-group ESP-GRP mode 'tunnel' set vpn ipsec esp-group ESP-GRP pfs 'dh-group14' set vpn ipsec esp-group ESP-GRP proposal 1 encryption 'aes256' set vpn ipsec esp-group ESP-GRP proposal 1 hash 'sha256' set vpn ipsec ike-group IKE-GRP close-action 'none' set vpn ipsec ike-group IKE-GRP dead-peer-detection action 'restart' set vpn ipsec ike-group IKE-GRP dead-peer-detection interval '30' set vpn ipsec ike-group IKE-GRP dead-peer-detection timeout '120' set vpn ipsec ike-group IKE-GRP ikev2-reauth 'no' set vpn ipsec ike-group IKE-GRP key-exchange 'ikev2' set vpn ipsec ike-group IKE-GRP lifetime '28800' set vpn ipsec ike-group IKE-GRP proposal 1 dh-group '14' set vpn ipsec ike-group IKE-GRP proposal 1 encryption 'aes256' set vpn ipsec ike-group IKE-GRP proposal 1 hash 'sha256' set vpn ipsec interface 'eth2' set vpn ipsec site-to-site peer 192.0.2.1 authentication id '192.0.2.2' set vpn ipsec site-to-site peer 192.0.2.1 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret 'SuperPA$$swd' set vpn ipsec site-to-site peer 192.0.2.1 connection-type 'initiate' set vpn ipsec site-to-site peer 192.0.2.1 ike-group 'IKE-GRP' set vpn ipsec site-to-site peer 192.0.2.1 ikev2-reauth 'inherit' set vpn ipsec site-to-site peer 192.0.2.1 local-address '192.0.2.2' set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group 'ESP-GRP' set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix '10.10.0.2/32' set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix '10.10.0.1/32' ``` Generated configuration (unexpected option `peer_192-0-2-1_tunnel_1_passthough`): ``` vyos@tstrtr2# sudo cat /etc/swanctl/swanctl.conf | grep children -A 20 children { peer_192-0-2-1_tunnel_1 { esp_proposals = aes256-sha256-modp2048 life_time = 3600s local_ts = 10.10.0.2/32 remote_ts = 10.10.0.1/32 ipcomp = no mode = tunnel start_action = start dpd_action = restart close_action = none } peer_192-0-2-1_tunnel_1_passthough { local_ts = remote_ts = start_action = trap mode = pass } } } ``` As result we don't see outbound packets: ``` peer_192-0-2-1: #1, ESTABLISHED, IKEv2, be2a04e3a6e22022_i* 6b07c0ef01f6c28e_r local '192.0.2.2' @ 192.0.2.2[4500] remote '192.0.2.1' @ 192.0.2.1[4500] AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 established 304s ago, rekeying in 26719s peer_192-0-2-1_tunnel_1: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128 installed 304s ago, rekeying in 3296s, expires in 3296s in c35c85cf, 546 bytes, 4 packets out ce0b767f, 0 bytes, 0 packets local 10.10.0.2/32 remote 10.10.0.1/32 ```