
Rewrite IPsec scripts with the new XML/Python approach
Closed, Resolved (Public)

Description

IPsec is one of the oldest, most complicated, and most bug-ridden components. We need to rewrite it and also improve its CLI as we go.

  • CLI design
  • Implementation design
  • Rewrite of ipsec.pl
  • Rewrite of DMVPN
  • Rewrite of L2TP/IPsec

Details

Version: -
Is it a breaking change? Config syntax change (migratable)
Issue type: Unspecified (please specify)

Related Objects

Status            Subtype          Assigned
----------------  ---------------  ----------------------
Resolved          -                sarthurdev
Resolved          BUG              zsdc
Resolved          BUG              None
Not Applicable    FEATURE REQUEST  None
Resolved          FEATURE REQUEST  Viacheslav
Resolved          BUG              Viacheslav
Invalid           BUG              None
Resolved          ENHANCEMENT      sarthurdev
Resolved          ENHANCEMENT      dmbaturin
Resolved          FEATURE REQUEST  dmbaturin
Resolved          BUG              dmbaturin
Wontfix           FEATURE REQUEST  Viacheslav
Resolved          BUG              zsdc
Resolved          BUG              erkin
Resolved          FEATURE REQUEST  Unknown Object (User)
Needs testing     -                None
Not Applicable    BUG              None
Resolved          FEATURE REQUEST  c-po
Resolved          BUG              zsdc
Resolved          BUG              UnicronNL
Resolved          FEATURE REQUEST  zsdc
Resolved          BUG              jestabro
Resolved          FEATURE REQUEST  Viacheslav
Resolved          FEATURE REQUEST  Viacheslav
Resolved          FEATURE REQUEST  sarthurdev
Resolved          BUG              Viacheslav
Resolved          -                Viacheslav
Duplicate         FEATURE REQUEST  None
Resolved          BUG              jack9603301
Resolved          -                Viacheslav
Resolved          FEATURE REQUEST  c-po
Resolved          -                c-po
Resolved          -                c-po
Resolved          FEATURE REQUEST  c-po
Resolved          BUG              sarthurdev
Resolved          -                c-po
Resolved          FEATURE REQUEST  sarthurdev
Resolved          BUG              sarthurdev
Resolved          BUG              SrividyaA
Resolved          BUG              c-po
Resolved          BUG              c-po
Resolved          BUG              c-po
Resolved          BUG              a.apostoliuk
Resolved          BUG              Viacheslav
Resolved          BUG              sarthurdev
Resolved          FEATURE REQUEST  c-po
Resolved          BUG              c-po

Event Timeline


Tested with basic ipsec configuration and it does not seem to work when 3des encryption is configured. It works with default (aes128) and aes192.
Version

Version:          VyOS 1.4-rolling-202106151212
Release Train:    sagitta

Built by:         autobuild@vyos.net
Built on:         Tue 15 Jun 2021 11:57 UTC
Build UUID:       aca2a1be-7e7c-49c5-81f8-35df11d65aeb
Build Commit ID:  e5a2250f2d0145

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:
Hardware UUID:    54e778d8-8701-4a6a-95a0-ca658269c598

Copyright:        VyOS maintainers and contributors

Config:

set vpn ipsec esp-group espN compression 'disable'
set vpn ipsec esp-group espN lifetime '3600'
set vpn ipsec esp-group espN proposal 1 encryption '3des'
set vpn ipsec esp-group espN proposal 1 hash 'sha1'
set vpn ipsec ike-group ikeN proposal 1 dh-group '2'
set vpn ipsec ike-group ikeN proposal 1 encryption '3des'
set vpn ipsec ike-group ikeN proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.0.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.0.0.2 authentication pre-shared-secret 'Vyos@123'
set vpn ipsec site-to-site peer 10.0.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.0.0.2 ike-group 'ikeN'
set vpn ipsec site-to-site peer 10.0.0.2 local-address '10.0.0.1'
set vpn ipsec site-to-site peer 10.0.0.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.0.0.2 vti esp-group 'espN'

Error:

vyos@vyos#  run sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.0.0.2 10.0.0.2                       10.0.0.1 10.0.0.1
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 68, in <module>
    ike_sa(args.peer, args.nat)
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 52, in ike_sa
    encryption = f'{s(sa["encr-alg"])}_{s(sa["encr-keysize"])}' if 'encr-alg' in sa else 'n/a'
KeyError: 'encr-keysize'

Works in version 1.2.7.

c-po changed the status of subtask Restricted Maniphest Task from Confirmed to Needs testing. Jun 19 2021, 11:26 AM

In a fresh/new setup, the output of the command "show vpn ike sa" throws an exception:

vyos@vyos:~$ sh vpn ike sa
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 70, in <module>
    ike_sa(args.peer, args.nat)
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 34, in ike_sa
    session = vici.Session()
  File "/usr/lib/python3/dist-packages/vici/session.py", line 12, in __init__
    sock.connect("/var/run/charon.vici")
FileNotFoundError: [Errno 2] No such file or directory
vyos@vyos:~$ sh vpn ipsec sa
IPSec process not running

In older version:

vyos@vyos:~$ sh vpn ike sa
vyos@vyos:~$ sh vpn ipsec sa
IPSec Process NOT Running
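A defensive version of the two spots that fail in the tracebacks above (the missing `encr-keysize` for 3DES and the missing VICI socket when charon is not running), written here as an added example and not VyOS's own op-mode code. It assumes the VICI field names strongSwan documents for `list-sas` (`encr-alg`, `encr-keysize`, `integ-alg`, `dh-group`, `nat-any`; the `nat-any` handling is an assumption) and constructs its sample SA entries inline.

```python
import socket

# Added example, not VyOS's op-mode code. strongSwan's VICI "list-sas" reply
# uses str keys and bytes values, and ciphers with a fixed key length (3DES)
# carry no "encr-keysize" entry, which is the KeyError in the first traceback.
# The second traceback is the VICI socket missing because charon is not running.

VICI_SOCKET = '/var/run/charon.vici'   # path from the traceback above

def s(value, default='n/a'):
    """Decode a VICI bytes value, or return the default when it is absent."""
    if value is None:
        return default
    return value.decode() if isinstance(value, bytes) else str(value)

def encryption_label(sa):
    """'ALG_KEYSIZE' when a key size is reported, just 'ALG' when it is not."""
    if 'encr-alg' not in sa:
        return 'n/a'
    keysize = sa.get('encr-keysize')     # present for AES, absent for 3DES
    alg = s(sa['encr-alg'])
    return f'{alg}_{s(keysize)}' if keysize else alg

def summarize_ike_sa(sa):
    """Collect the columns 'show vpn ike sa' prints for one IKE SA entry."""
    return {
        'state': s(sa.get('state')),
        'version': f"IKEv{s(sa['version'])}" if 'version' in sa else 'n/a',
        'encryption': encryption_label(sa),
        'hash': s(sa.get('integ-alg')),
        'dh_group': s(sa.get('dh-group')),
        # assumption: VICI sets "nat-any" to yes only when a NAT was detected
        'nat_t': 'yes' if sa.get('nat-any') == b'yes' else 'no',
    }

def charon_running(path=VICI_SOCKET):
    """True if the VICI socket accepts a connection; False instead of a traceback."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.connect(path)
        return True
    except OSError:                      # FileNotFoundError, ConnectionRefusedError, ...
        return False
    finally:
        sock.close()

# Constructed sample entries shaped like VICI list-sas output (not captured data).
SA_3DES = {'version': b'2', 'state': b'ESTABLISHED', 'encr-alg': b'3DES_CBC',
           'integ-alg': b'HMAC_SHA1_96', 'dh-group': b'MODP_1024'}
SA_AES = dict(SA_3DES, **{'encr-alg': b'AES_CBC', 'encr-keysize': b'256'})
```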
sarthurdev closed subtask Restricted Maniphest Task as Resolved. Feb 20 2022, 7:21 PM

Tested in VyOS 1.4-rolling-202311100309 (3DES)


Configurations:
LEFT-R:

set interfaces dummy dum0 address '10.0.11.1/24'
set interfaces ethernet eth0 address '192.0.2.11/24'

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.11
set interfaces tunnel tun0 remote 192.0.2.12
set interfaces tunnel tun0 address 10.10.10.1/30
set vpn ipsec interface eth0
set vpn ipsec authentication psk vyos id 192.0.2.11
set vpn ipsec authentication psk vyos id 192.0.2.12
set vpn ipsec authentication psk vyos secret MYSECRETKEY
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption '3des'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption '3des'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer right authentication mode pre-shared-secret
set vpn ipsec site-to-site peer right authentication remote-id 192.0.2.12
set vpn ipsec site-to-site peer right ike-group MyIKEGroup
set vpn ipsec site-to-site peer right default-esp-group MyESPGroup
set vpn ipsec site-to-site peer right local-address 192.0.2.11
set vpn ipsec site-to-site peer right remote-address 192.0.2.12
set vpn ipsec site-to-site peer right tunnel 1 protocol gre

set protocols static route 10.0.12.0/24 interface tun0

RIGHT-R:

set interfaces dummy dum0 address '10.0.12.1/24'
set interfaces ethernet eth0 address '192.0.2.12/24'

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.12
set interfaces tunnel tun0 remote 192.0.2.11
set interfaces tunnel tun0 address 10.10.10.2/30
set vpn ipsec interface eth0
set vpn ipsec authentication psk vyos id 192.0.2.12
set vpn ipsec authentication psk vyos id 192.0.2.11
set vpn ipsec authentication psk vyos secret MYSECRETKEY
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption '3des'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption '3des'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer left authentication mode pre-shared-secret
set vpn ipsec site-to-site peer left authentication remote-id 192.0.2.11
set vpn ipsec site-to-site peer left ike-group MyIKEGroup
set vpn ipsec site-to-site peer left default-esp-group MyESPGroup
set vpn ipsec site-to-site peer left local-address 192.0.2.12
set vpn ipsec site-to-site peer left remote-address 192.0.2.11
set vpn ipsec site-to-site peer left tunnel 1 protocol gre

set protocols static route 10.0.11.0/24 interface tun0

Checking:

$ show vpn ipsec sa
Connection      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------  -------  --------  --------------  ----------------  ----------------  -----------  ---------------------
right-tunnel-1  up       15m36s    7K/7K           74/74             192.0.2.12        192.0.2.12   3DES_CBC/HMAC_SHA1_96
$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.0.2.12 192.0.2.12                   192.0.2.11 192.0.2.11

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv2   3DES_CBC     HMAC_SHA1_96  MODP_1024      no     963     0

Works well.

Tested in VyOS 1.4-rolling-202311100309 (AES)

Configurations:
LEFT-R:

set interfaces dummy dum0 address '10.0.11.1/24'
set interfaces ethernet eth0 address '192.0.2.11/24'

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.11
set interfaces tunnel tun0 remote 192.0.2.12
set interfaces tunnel tun0 address 10.10.10.1/30
set vpn ipsec interface eth0
set vpn ipsec authentication psk vyos id 192.0.2.11
set vpn ipsec authentication psk vyos id 192.0.2.12
set vpn ipsec authentication psk vyos secret MYSECRETKEY
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer right authentication mode pre-shared-secret
set vpn ipsec site-to-site peer right authentication remote-id 192.0.2.12
set vpn ipsec site-to-site peer right ike-group MyIKEGroup
set vpn ipsec site-to-site peer right default-esp-group MyESPGroup
set vpn ipsec site-to-site peer right local-address 192.0.2.11
set vpn ipsec site-to-site peer right remote-address 192.0.2.12
set vpn ipsec site-to-site peer right tunnel 1 protocol gre

set protocols static route 10.0.12.0/24 interface tun0

RIGHT-R:

set interfaces dummy dum0 address '10.0.12.1/24'
set interfaces ethernet eth0 address '192.0.2.12/24'

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.12
set interfaces tunnel tun0 remote 192.0.2.11
set interfaces tunnel tun0 address 10.10.10.2/30
set vpn ipsec interface eth0
set vpn ipsec authentication psk vyos id 192.0.2.12
set vpn ipsec authentication psk vyos id 192.0.2.11
set vpn ipsec authentication psk vyos secret MYSECRETKEY
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer left authentication mode pre-shared-secret
set vpn ipsec site-to-site peer left authentication remote-id 192.0.2.11
set vpn ipsec site-to-site peer left ike-group MyIKEGroup
set vpn ipsec site-to-site peer left default-esp-group MyESPGroup
set vpn ipsec site-to-site peer left local-address 192.0.2.12
set vpn ipsec site-to-site peer left remote-address 192.0.2.11
set vpn ipsec site-to-site peer left tunnel 1 protocol gre

set protocols static route 10.0.11.0/24 interface tun0

Checking:

$ sh vpn ipsec sa
Connection      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------  -------  --------  --------------  ----------------  ----------------  -----------  ------------------------
right-tunnel-1  up       59s       0B/0B           0/0               192.0.2.12        192.0.2.12   AES_CBC_256/HMAC_SHA1_96
$ sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.0.2.12 192.0.2.12                   192.0.2.11 192.0.2.11

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     66      0

Works well.

a.hajiyev changed the task status from Needs testing to In progress. Nov 16 2023, 1:23 PM
a.hajiyev set Issue type to Unspecified (please specify).

Tested on VyOS 1.4-rolling-202311100309 and VyOS 1.5-rolling-202311160736: L-Time shows 0, but it is supposed to show 3600 according to the configuration.

show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.0.2.11 192.0.2.11                   192.0.2.12 192.0.2.12

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     588     0

The configurations:
LEFT

set vpn ipsec authentication psk vyos id '192.0.2.11'
set vpn ipsec authentication psk vyos id '192.0.2.12'
set vpn ipsec authentication psk vyos secret 'MYSECRETKEY'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec ike-group MyIKEGroup lifetime '3600'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer right authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer right authentication remote-id '192.0.2.12'
set vpn ipsec site-to-site peer right default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer right ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer right local-address '192.0.2.11'
set vpn ipsec site-to-site peer right remote-address '192.0.2.12'
set vpn ipsec site-to-site peer right tunnel 1 protocol 'gre'

RIGHT

set vpn ipsec authentication psk vyos id '192.0.2.12'
set vpn ipsec authentication psk vyos id '192.0.2.11'
set vpn ipsec authentication psk vyos secret 'MYSECRETKEY'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec ike-group MyIKEGroup lifetime '3600'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer left authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer left authentication remote-id '192.0.2.11'
set vpn ipsec site-to-site peer left default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer left ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer left local-address '192.0.2.12'
set vpn ipsec site-to-site peer left remote-address '192.0.2.11'
set vpn ipsec site-to-site peer left tunnel 1 protocol 'gre'
a.hajiyev changed the task status from In progress to Open. Nov 20 2023, 5:04 AM