
[IPSec] Protocol all does not work in IPSec Tunnel
Closed, Resolved / Public / BUG

Description

The following simple configuration does not work anymore:

vpn {
    ipsec {
        esp-group TEST-ESP {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group TEST-IKE {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28000
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer 10.131.0.101 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret abc
                }
                connection-type initiate
                ike-group TEST-IKE
                local-address 10.131.0.102
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group TEST-ESP
                    local {
                        prefix 192.168.20.0/24
                    }
                    protocol all
                    remote {
                        prefix 192.168.10.0/24
                    }
                }
            }
        }
    }
}

The following error occurred on the log file:

Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: # bad protocol: leftprotoport=all
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]:   bad argument value in conn 'peer-10.131.0.101-tunnel-1'
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: # bad protocol: rightprotoport=all
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]:   bad argument value in conn 'peer-10.131.0.101-tunnel-1'
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: # ignored conn 'peer-10.131.0.101-tunnel-1' due to 2 parsing errors
Nov 26 10:18:31 tst-vpn-ipsec1 ipsec_starter[5877]: ### 2 parsing errors (0 fatal) ###

When you change the protocol from all to ip, it works.

set vpn ipsec site-to-site peer 10.131.0.101 tunnel 1 protocol ip

Looks like it's not working anymore when changed from Strongswan 4.x to 5.x.

Regards
Markus

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.2.0-rc8
Why the issue appeared?
Will be filled on close

Event Timeline

syncer triaged this task as Normal priority.
hagbard changed the task status from Open to In progress. Nov 29 2018, 10:53 PM

left|rightprotoport has been removed from strongswan since version 5.1. %.6 is running on the latest rolling. Protocols can now be defined via left|rightsubnet (leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53]).

Hi @adestis,

you can test it in the rolling release of Dec 7th, or manually install http://dev.packages.vyos.net/repositories/current/vyos/pool/main/v/vyatta-cfg-vpn/vyatta-cfg-vpn_0.12.105+vyos2+current4_all.deb. Please let me know if it works like expected.

hagbard changed the task status from In progress to Needs testing. Dec 6 2018, 7:14 PM

The new syntax is being applied to the config file.
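The selector syntax hagbard describes in the timeline, as an added example that is not part of this task or of VyOS's vyatta-cfg-vpn code: a small Python translator from a tunnel's local/remote prefix plus protocol and port into strongSwan 5.x leftsubnet/rightsubnet entries, with a pre-flight check for the left|rightprotoport keyword that the log above shows strongSwan rejecting. Treating VyOS's "protocol all" (and "ip") as "no selector suffix" is an assumption of this example, and selector, conn_stanza and removed_keywords are hypothetical names.

```python
import ipaddress
import re

# Assumption for this example: VyOS's "protocol all" (and "ip") means no
# protocol restriction. strongSwan 5.x expresses that by omitting the
# [proto/port] suffix, or by %any inside it when only a port is restricted.
ANY_PROTOCOL = {"all", "ip"}


def _normalize(prefix):
    """Validate a host or subnet string before it reaches ipsec.conf."""
    if "/" in prefix:
        return str(ipaddress.ip_network(prefix, strict=False))
    return str(ipaddress.ip_address(prefix))


def selector(prefix, protocol="all", port=None):
    """One strongSwan 5.x left/rightsubnet entry, e.g. 10.0.0.0/16[%any/53]."""
    net = _normalize(prefix)
    if protocol in ANY_PROTOCOL and port is None:
        return net  # no suffix: any protocol, any port
    proto = "%any" if protocol in ANY_PROTOCOL else protocol
    port_part = port if port is not None else "%any"
    return f"{net}[{proto}/{port_part}]"


def conn_stanza(name, local, remote, protocol="all", port=None):
    """Build the conn section for one VyOS tunnel using only subnet selectors."""
    return "\n".join([
        f"conn {name}",
        f"    leftsubnet={selector(local, protocol, port)}",
        f"    rightsubnet={selector(remote, protocol, port)}",
    ])


# Matches the keyword the task's log shows ipsec_starter rejecting.
REMOVED = re.compile(r"^\s*(left|right)protoport\s*=", re.IGNORECASE)


def removed_keywords(conf_text):
    """Pre-flight check: return every line still using left|rightprotoport."""
    return [ln.strip() for ln in conf_text.splitlines() if REMOVED.match(ln)]


if __name__ == "__main__":
    # Constructed sample matching the tunnel in the bug report.
    print(conn_stanza("peer-10.131.0.101-tunnel-1",
                      "192.168.20.0/24", "192.168.10.0/24"))
```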