Page MenuHomeVyOS Platform
Create Task
Maniphest T2816

Rewrite IPsec scripts with the new XML/Python approach
Closed, ResolvedPublic
Actions

Description

IPsec is one of the oldest, most complicated, and most bug-ridden components. We need to rewrite it and also improve its CLI as we go.

  • CLI design
  • Implementation design
  • Rewrite of ipsec.pl
  • Rewrite of DMVPN
  • Rewrite of L2TP/IPsec

Details

Version
-
Is it a breaking change?
Config syntax change (migratable)
Issue type
Unspecified (please specify)

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedsarthurdevT2816 Rewrite IPsec scripts with the new XML/Python approach
 ResolvedBUGzsdcT2728 Protocol option ignored for IPSec peers in transport mode
 ResolvedBUGNoneT1534 IPSec w/ IKEv2 Invalid local-address "any"
 Not ApplicableFEATURE REQUESTNoneT1549 ipsec ikev2 multi usergroup roadwarrior configuration
 ResolvedFEATURE REQUESTViacheslavT1856 Support configuring IPSec SA bytes
 ResolvedBUGViacheslavT1925 DMVPN is always listed as down in "show vpn ipsec sa"
 InvalidBUGNoneT2606 ikev2 mobike commit failed
ResolvedENHANCEMENTsarthurdevT57 Make it possible to disable the entire IPsec peer
 ResolvedENHANCEMENTdmbaturinT66 IPSec v6 over v6 support
 ResolvedFEATURE REQUESTdmbaturinT71 Add virtual IP and route installation policy options for IPsec
 ResolvedBUGdmbaturinT628 StrongSwan requires configuration change for proper routing over VTI.
 WontfixFEATURE REQUESTViacheslavT440 VTI/IPSec with dynamic peer
 ResolvedBUGzsdcT406 VPN configuration error: IPv6 over IPv4 IPsec is not supported when using IPv6 ONLY tunnel.
 ResolvedBUGerkinT627 IPSec configuration directive deletion fails, causes bad IPSec state on reboot.
ResolvedFEATURE REQUESTUnknown Object (User)T645 Allow multiple prefixes in ipsec tunnel
 Needs testingNoneT1070 SWANCTL: DMVPN: ALL peers are deleted in swan when opennhrp tries to delete ONE peer
 Not ApplicableBUGNoneT1101 Spoke site dynamic IP over NAT connect to Hub site
 ResolvedFEATURE REQUESTc-poT1210 About IKEv2 IPSec VPN remote access
 ResolvedBUGzsdcT1233 ipsec vpn sa showing down
 ResolvedBUGUnicronNLT1501 VPN Commit Errors
 ResolvedFEATURE REQUESTzsdcT2049 Update strongSwan cipher suites list for IPSec settings
 ResolvedBUGjestabroT2164 Package libstrongswan-standard-plugins missing from image
 ResolvedFEATURE REQUESTViacheslavT2620 Add ipsec peer-name to log to simplifies grepping and troubleshooting
 ResolvedFEATURE REQUESTViacheslavT2639 sort output of show vpn ipsec sa
ResolvedFEATURE REQUESTsarthurdevT2641 Rewrite vpn ipsec OP commands in new style XML syntax
 ResolvedBUGViacheslavT3333 "show vpn ipsec sa" reports ESP tunnels to be up when they are not.
 ResolvedViacheslavT2806 ipsec generates false warning on commit when local prefix is sourced from loopback
 DuplicateFEATURE REQUESTNoneT1251 IKEv2 Agile VPN Support
 ResolvedBUGjack9603301T3055 op-mode incorrect naming for ipsec policy-based tunnels
ResolvedViacheslavT3093 Add xml for vpn ipsec
 ResolvedFEATURE REQUESTc-poT2173 Add the ability to use VRF on VTI interfaces
 Resolvedc-poT1513 Move OSPF and RIP interface configuration under protocols
 Resolvedc-poT3588 IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan
 ResolvedFEATURE REQUESTc-poT842 Adopt VyOS CLI to latest StrongSwan options and deprecated Keywords
 ResolvedBUGsarthurdevT3594 Disable by default service strongswan-starter
 Resolvedc-poT3595 Cannot create new VTI interface
 ResolvedFEATURE REQUESTsarthurdevT3613 Selectors for route-based IPsec tunnel (vti)
Restricted Maniphest Task
 ResolvedBUGsarthurdevT3643 show vpn ipsec sa doesn't show tunnels in "down" state
 ResolvedBUGSrividyaAT3678 VyOS 1.4: Invalid error message while deleting ipsec vpn configuration
 ResolvedBUGc-poT3718 VPN IPsec IKE group by default not use DH-group 2
 ResolvedBUGc-poT3719 Restart vpn shows some missed files
 ResolvedBUGc-poT3720 IPSec set vti secondary address cause interface disable
 ResolvedBUGa.apostoliukT3722 op-mode IPSec show vpn ike sa always shows L-TIME 0
 ResolvedBUGViacheslavT3723 op-mode IPSec show vpn ipsec sa output with underscores
 ResolvedBUGsarthurdevT3727 VPN IPsec ESP proposal and ESP presented in config missmatch
 ResolvedFEATURE REQUESTc-poT3745 op-mode IPSec show vpn ipse sa sorting
 ResolvedBUGc-poT3764 Unconfigurable IKE and ESP lifetime

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
SrividyaA added a comment.Jun 17 2021, 6:18 PM

Tested with basic ipsec configuration and it does not seem to work when 3des encryption is configured. It works with default (aes128) and aes192.
Version

Version:          VyOS 1.4-rolling-202106151212
Release Train:    sagitta

Built by:         [email protected]
Built on:         Tue 15 Jun 2021 11:57 UTC
Build UUID:       aca2a1be-7e7c-49c5-81f8-35df11d65aeb
Build Commit ID:  e5a2250f2d0145

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:
Hardware UUID:    54e778d8-8701-4a6a-95a0-ca658269c598

Copyright:        VyOS maintainers and contributors

Config:

set vpn ipsec esp-group espN compression 'disable'
set vpn ipsec esp-group espN lifetime '3600'
set vpn ipsec esp-group espN proposal 1 encryption '3des'
set vpn ipsec esp-group espN proposal 1 hash 'sha1'
set vpn ipsec ike-group ikeN proposal 1 dh-group '2'
set vpn ipsec ike-group ikeN proposal 1 encryption '3des'
set vpn ipsec ike-group ikeN proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.0.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.0.0.2 authentication pre-shared-secret 'Vyos@123'
set vpn ipsec site-to-site peer 10.0.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.0.0.2 ike-group 'ikeN'
set vpn ipsec site-to-site peer 10.0.0.2 local-address '10.0.0.1'
set vpn ipsec site-to-site peer 10.0.0.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.0.0.2 vti esp-group 'espN'

Error:

vyos@vyos#  run sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.0.0.2 10.0.0.2                       10.0.0.1 10.0.0.1
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 68, in <module>
    ike_sa(args.peer, args.nat)
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 52, in ike_sa
    encryption = f'{s(sa["encr-alg"])}_{s(sa["encr-keysize"])}' if 'encr-alg' in sa else 'n/a'
KeyError: 'encr-keysize'

Works in 1.2.7 version.

sarthurdev added a comment.Jun 17 2021, 7:58 PM

@SrividyaA Fixed in PR: https://github.com/vyos/vyos-1x/pull/884

Restricted Repository Identity mentioned this in rVYOSONEX5f4ed4033195: Merge pull request #884 from sarthurdev/opmode_ike_sa.Jun 18 2021, 4:04 AM
Restricted Repository Identity mentioned this in rVYOSONEX43d3c3b3d510: ipsec: T2816: Fix 'show vpn ike sa' when key-size is not set.Jun 18 2021, 4:05 AM
c-po changed the status of subtask Restricted Maniphest Task from Confirmed to Needs testing.Jun 19 2021, 11:26 AM
SrividyaA added a comment.Jun 21 2021, 7:01 PM

In fresh/new setup, the output of the command "show vpn ike sa" is throwing an exception error:

vyos@vyos:~$ sh vpn ike sa
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 70, in <module>
    ike_sa(args.peer, args.nat)
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 34, in ike_sa
    session = vici.Session()
  File "/usr/lib/python3/dist-packages/vici/session.py", line 12, in __init__
    sock.connect("/var/run/charon.vici")
FileNotFoundError: [Errno 2] No such file or directory
vyos@vyos:~$ sh vpn ipsec sa
IPSec process not running

In older version:

vyos@vyos:~$ sh vpn ike sa
vyos@vyos:~$ sh vpn ipsec sa
IPSec Process NOT Running
Viacheslav added a subtask: T3643: show vpn ipsec sa doesn't show tunnels in "down" state.Jun 21 2021, 8:57 PM
sarthurdev added a comment.Jun 22 2021, 7:45 AM

@SrividyaA Fixed in PR https://github.com/vyos/vyos-1x/pull/894

Restricted Repository Identity mentioned this in rVYOSONEX395595f832ac: Merge pull request #894 from sarthurdev/T3643.Jun 22 2021, 7:59 AM
Restricted Repository Identity mentioned this in rVYOSONEXa1aaf4fb9c0e: ipsec: T3643: T2816: Update IPSec VPN op-mode commands.Jun 22 2021, 7:59 AM
SrividyaA mentioned this in T3656: IPSec 1.4 : "show vpn ike sa" does not show the correct default ike version.Jun 28 2021, 4:37 PM
c-po mentioned this in rVYOSONEXff004bee54df: ipsec: T2816: adjust Jinja2 template to coding style.Jul 3 2021, 1:43 PM
c-po mentioned this in rVYOSONEX2d79a5000c8a: ipsec: T2816: add Jinja2 converter for ESP/IKE groups to string.
c-po mentioned this in rVYOSONEXa1abb118c9eb: ipsec: T2816: rework IKE and ESP key assignment.
c-po mentioned this in rVYOSONEX1e74c0df2179: ipsec: T2816: remove default values from Jinja2 template and place them in XML.
c-po mentioned this in rVYOSONEXdcfeb0de0a51: Merge branch 'ipsec-ikev2-remote-access' of github.com:c-po/vyos-1x into current.
c-po mentioned this in rVYOSONEX469cd1de9f90: ipsec: T2816: rework log options for debugging.Jul 3 2021, 3:49 PM
c-po closed subtask T57: Make it possible to disable the entire IPsec peer as Resolved.Jul 3 2021, 5:22 PM
c-po mentioned this in rVYOSONEX32fab6c7c5a7: ipsec: T2816: provide esp and ike-group XML building block.Jul 3 2021, 5:58 PM
c-po mentioned this in rVYOSONEX2aec3e61c913: ipsec: T2816: provide x509 certificate base auth building blocks.
c-po mentioned this in rVYOSONEXfb1802111155: ipsec: T2816: drop duplicate dict key "data" from generate().
c-po mentioned this in rVYOSONEXe30668287ad0: Revert "ipsec: T2816: drop duplicate dict key "data" from generate()".Jul 3 2021, 7:54 PM
Restricted Repository Identity mentioned this in rVYOSONEX82d881a28bf4: Merge pull request #907 from sarthurdev/ipsec_cleanup.Jul 3 2021, 8:23 PM
Restricted Repository Identity mentioned this in rVYOSONEX4db7364a08ba: ipsec: T2816: Remove legacy vyatta code that references Openswan.Jul 3 2021, 8:23 PM
c-po mentioned this in rVYOSONEXce3847239493: ipsec: T2816: remove erroneously added config snipped for road-warriors.Jul 3 2021, 8:32 PM
c-po mentioned this in rVYOSONEX40c6a0402511: ipsec: T2816: add completion helper for tunnel interfaces.Jul 4 2021, 7:19 PM
c-po mentioned this in rVYOSONEXb16827699604: ipsec: T2816: add completion helper for VTI interfaces.
c-po mentioned this in rVYOSONEX3851818b7a26: ipsec: T2816: add include definition for ipsec local-address.
c-po mentioned this in rVYOSONEXa89554bae49d: ipsec: T2816: use common building block/include for port definition.
Restricted Repository Identity mentioned this in rVYOSONEX511253635a9b: Merge pull request #911 from sarthurdev/pki_san.Jul 6 2021, 10:22 AM
Restricted Repository Identity mentioned this in rVYOSONEXa5cd877a0a4a: ipsec: T2816: Migrate ipsec-settings.xml.in and charon.conf to vpn_ipsec.py.Jul 6 2021, 10:22 AM
c-po changed the status of subtask T1210: About IKEv2 IPSec VPN remote access from Open to Needs testing.Jul 11 2021, 1:12 PM
c-po mentioned this in rVYOSONEXbffd2687fa55: ipsec: T2816: fix NameError.Jul 11 2021, 6:08 PM
c-po mentioned this in rVYOSONEX562f4c276215: ipsec: T2816: use common "if key in dict:" pattern.
SrividyaA mentioned this in T3678: VyOS 1.4: Invalid error message while deleting ipsec vpn configuration.Jul 13 2021, 3:29 PM
Viacheslav added a subtask: T3678: VyOS 1.4: Invalid error message while deleting ipsec vpn configuration.Jul 13 2021, 3:54 PM
Restricted Repository Identity mentioned this in rVYOSONEXb04c4e21a071: Merge pull request #924 from sarthurdev/ipsec_l2tp_pki.Jul 17 2021, 5:25 AM
Restricted Repository Identity mentioned this in rVYOSONEX3af38a4d673c: pki: ipsec: l2tp: T2816: T3642: Move IPSec/L2TP code into vpn_ipsec.py and….Jul 17 2021, 5:25 AM
c-po mentioned this in rVYOSONEX227391443df0: ipsec: T2816: migrate "ipsec interfaces" to "interface".Jul 17 2021, 7:13 AM
c-po mentioned this in rVYOSONEX94531412e730: ipsec: T2816: restore erroneous deleted file.Jul 17 2021, 6:14 PM
c-po mentioned this in rVYOSONEXc8639be885e1: ipsec: T2816: add missing +x permission on Python helper.Jul 17 2021, 8:34 PM
c-po mentioned this in rVYOSONEXe202bff78246: ipsec: l2tp: T2816: use common if 'key' in dict pattern.Jul 18 2021, 6:37 PM
c-po mentioned this in rVYOSONEX0a9ff39b4880: ipsec: T2816: limit remote-access nameservers to two IPv4 and two for IPv6.
c-po mentioned this in rVYOSONEX4e4dacee2810: ipsec: T2816: remove "auto-update" CLI option.Jul 22 2021, 6:01 PM
c-po closed subtask T1210: About IKEv2 IPSec VPN remote access as Resolved.Jul 30 2021, 6:12 PM
Viacheslav added a subtask: T3718: VPN IPsec IKE group by default not use DH-group 2.Aug 3 2021, 3:14 PM
Viacheslav added a subtask: T3719: Restart vpn shows some missed files.Aug 3 2021, 3:19 PM
Viacheslav added a subtask: T3720: IPSec set vti secondary address cause interface disable.Aug 3 2021, 3:29 PM
c-po changed the status of subtask T3718: VPN IPsec IKE group by default not use DH-group 2 from Open to Confirmed.Aug 3 2021, 7:25 PM
c-po closed subtask T3718: VPN IPsec IKE group by default not use DH-group 2 as Resolved.Aug 4 2021, 6:50 PM
Viacheslav added a subtask: T3722: op-mode IPSec show vpn ike sa always shows L-TIME 0.Aug 5 2021, 8:14 AM
Viacheslav added a subtask: T3723: op-mode IPSec show vpn ipsec sa output with underscores.Aug 5 2021, 8:20 AM
c-po closed subtask T3719: Restart vpn shows some missed files as Resolved.Aug 5 2021, 2:55 PM
dmbaturin closed subtask T66: IPSec v6 over v6 support as Resolved.Aug 7 2021, 7:52 AM
c-po mentioned this in rVYOSONEX9cde21563cd2: ipsec: l2tp: T2816: remove duplicate 3des-sha1-modp1024 proposal.Aug 8 2021, 8:24 PM
Viacheslav added a subtask: T3727: VPN IPsec ESP proposal and ESP presented in config missmatch.Aug 9 2021, 7:41 AM
Viacheslav closed subtask T2606: ikev2 mobike commit failed as Invalid.Aug 9 2021, 8:42 AM
UnicronNL closed subtask T1501: VPN Commit Errors as Resolved.Aug 9 2021, 2:09 PM
c-po closed subtask T3720: IPSec set vti secondary address cause interface disable as Resolved.Aug 9 2021, 7:06 PM
Viacheslav added a subtask: T3745: op-mode IPSec show vpn ipse sa sorting.Aug 12 2021, 9:54 AM
Viacheslav closed subtask T3727: VPN IPsec ESP proposal and ESP presented in config missmatch as Resolved.Aug 13 2021, 11:53 AM
c-po changed the status of subtask T3745: op-mode IPSec show vpn ipse sa sorting from Open to Needs testing.Aug 14 2021, 5:02 PM
c-po closed subtask T3745: op-mode IPSec show vpn ipse sa sorting as Resolved.Aug 14 2021, 6:17 PM
Viacheslav added a subtask: T3764: Unconfigurable IKE and ESP lifetime.Aug 18 2021, 1:24 PM
c-po closed subtask T3764: Unconfigurable IKE and ESP lifetime as Resolved.Aug 19 2021, 10:03 AM
c-po mentioned this in rVYOSONEX10a1e7b68c54: ipsec: T2816: l2tp ipsec VPN must be started after strongSwan.Aug 22 2021, 5:29 PM
c-po mentioned this in rVYOSONEXda45720bf5d5: ipsec: T2816: ipsec-dhclient-hook should use vyos.util.read_file() / write_file….Sep 25 2021, 8:12 AM
c-po mentioned this in rVYOSONEXd3b951f24175: ipsec: T2816: ipsec-dhclient-hook should use exit(0).
c-po mentioned this in rVYOSONEXbcf7a9bb38c5: ipsec: T2816: ipsec-dhclient-hook should only run if swanctl.conf exists.
Viacheslav closed subtask T3613: Selectors for route-based IPsec tunnel (vti) as Resolved.Oct 15 2021, 8:59 PM
syncer changed the status of subtask T3643: show vpn ipsec sa doesn't show tunnels in "down" state from Open to In progress.Oct 17 2021, 3:00 PM
Viacheslav closed subtask T645: Allow multiple prefixes in ipsec tunnel as Resolved.Nov 15 2021, 8:22 AM
SrividyaA closed subtask T3678: VyOS 1.4: Invalid error message while deleting ipsec vpn configuration as Resolved.Dec 22 2021, 1:40 PM
Viacheslav closed subtask T3643: show vpn ipsec sa doesn't show tunnels in "down" state as Resolved.Feb 3 2022, 5:35 PM
Viacheslav changed the status of subtask T1856: Support configuring IPSec SA bytes from Open to In progress.Feb 20 2022, 4:47 PM
sarthurdev closed subtask Restricted Maniphest Task as Resolved.Feb 20 2022, 7:21 PM
c-po mentioned this in rVYOSONEX55b075df8260: ipsec: T2816: add completion help for IP addresses to local-address node.May 19 2022, 7:43 PM
c-po closed subtask T1856: Support configuring IPSec SA bytes as Resolved.Jun 20 2022, 7:39 PM
Viacheslav closed subtask T1233: ipsec vpn sa showing down as Resolved.Jul 25 2022, 9:42 AM
Viacheslav closed subtask T3723: op-mode IPSec show vpn ipsec sa output with underscores as Resolved.Oct 23 2022, 7:08 PM
c-po mentioned this in rVYOSONEX843ebb323c99: ipsec: T2816: do not explicitly call intepreter for python script.Dec 23 2022, 4:36 PM
sarthurdev mentioned this in rVYOSONEX62875954a667: ipsec: T2816: Cleanup dhcp hook file if not required.Mar 23 2023, 2:19 PM
a.hajiyev subscribed.EditedNov 16 2023, 11:30 AM

Tested in VyOS 1.4-rolling-202311100309 (3DES)

image.png (195×665 px, 6 KB)

Configurations:
LEFT-R:

set interfaces dummy dum0 address '10.0.11.1/24'
set interfaces ethernet eth0 address '192.0.2.11/24'

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.11
set interfaces tunnel tun0 remote 192.0.2.12
set interfaces tunnel tun0 address 10.10.10.1/30
set vpn ipsec interface eth0
set vpn ipsec authentication psk vyos id 192.0.2.11
set vpn ipsec authentication psk vyos id 192.0.2.12
set vpn ipsec authentication psk vyos secret MYSECRETKEY
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption '3des'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption '3des'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer right authentication mode pre-shared-secret
set vpn ipsec site-to-site peer right authentication remote-id 192.0.2.12
set vpn ipsec site-to-site peer right ike-group MyIKEGroup
set vpn ipsec site-to-site peer right default-esp-group MyESPGroup
set vpn ipsec site-to-site peer right local-address 192.0.2.11
set vpn ipsec site-to-site peer right remote-address 192.0.2.12
set vpn ipsec site-to-site peer right tunnel 1 protocol gre

set protocols static route 10.0.12.0/24 interface tun0

RIGHT-R

set interfaces dummy dum0 address '10.0.12.1/24'
set interfaces ethernet eth0 address '192.0.2.12/24'

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.12
set interfaces tunnel tun0 remote 192.0.2.11
set interfaces tunnel tun0 address 10.10.10.2/30
set vpn ipsec interface eth0
set vpn ipsec authentication psk vyos id 192.0.2.12
set vpn ipsec authentication psk vyos id 192.0.2.11
set vpn ipsec authentication psk vyos secret MYSECRETKEY
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption '3des'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption '3des'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer left authentication mode pre-shared-secret
set vpn ipsec site-to-site peer left authentication remote-id 192.0.2.11
set vpn ipsec site-to-site peer left ike-group MyIKEGroup
set vpn ipsec site-to-site peer left default-esp-group MyESPGroup
set vpn ipsec site-to-site peer left local-address 192.0.2.12
set vpn ipsec site-to-site peer left remote-address 192.0.2.11
set vpn ipsec site-to-site peer left tunnel 1 protocol gre

set protocols static route 10.0.11.0/24 interface tun0

Checking:

$ show vpn ipsec sa
Connection      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------  -------  --------  --------------  ----------------  ----------------  -----------  ---------------------
right-tunnel-1  up       15m36s    7K/7K           74/74             192.0.2.12        192.0.2.12   3DES_CBC/HMAC_SHA1_96
$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.0.2.12 192.0.2.12                   192.0.2.11 192.0.2.11

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv2   3DES_CBC     HMAC_SHA1_96  MODP_1024      no     963     0

Works good

a.hajiyev added a comment.Nov 16 2023, 11:59 AM

Tested in VyOS 1.4-rolling-202311100309 (AES)

Configurations:
LEFT-R:

set interfaces dummy dum0 address '10.0.11.1/24'
set interfaces ethernet eth0 address '192.0.2.11/24'

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.11
set interfaces tunnel tun0 remote 192.0.2.12
set interfaces tunnel tun0 address 10.10.10.1/30
set vpn ipsec interface eth0
set vpn ipsec authentication psk vyos id 192.0.2.11
set vpn ipsec authentication psk vyos id 192.0.2.12
set vpn ipsec authentication psk vyos secret MYSECRETKEY
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer right authentication mode pre-shared-secret
set vpn ipsec site-to-site peer right authentication remote-id 192.0.2.12
set vpn ipsec site-to-site peer right ike-group MyIKEGroup
set vpn ipsec site-to-site peer right default-esp-group MyESPGroup
set vpn ipsec site-to-site peer right local-address 192.0.2.11
set vpn ipsec site-to-site peer right remote-address 192.0.2.12
set vpn ipsec site-to-site peer right tunnel 1 protocol gre

set protocols static route 10.0.12.0/24 interface tun0

RIGHT-R

set interfaces dummy dum0 address '10.0.12.1/24'
set interfaces ethernet eth0 address '192.0.2.12/24'

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.12
set interfaces tunnel tun0 remote 192.0.2.11
set interfaces tunnel tun0 address 10.10.10.2/30
set vpn ipsec interface eth0
set vpn ipsec authentication psk vyos id 192.0.2.12
set vpn ipsec authentication psk vyos id 192.0.2.11
set vpn ipsec authentication psk vyos secret MYSECRETKEY
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer left authentication mode pre-shared-secret
set vpn ipsec site-to-site peer left authentication remote-id 192.0.2.11
set vpn ipsec site-to-site peer left ike-group MyIKEGroup
set vpn ipsec site-to-site peer left default-esp-group MyESPGroup
set vpn ipsec site-to-site peer left local-address 192.0.2.12
set vpn ipsec site-to-site peer left remote-address 192.0.2.11
set vpn ipsec site-to-site peer left tunnel 1 protocol gre

set protocols static route 10.0.11.0/24 interface tun0

Checking:

$ sh vpn ipsec sa
Connection      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------  -------  --------  --------------  ----------------  ----------------  -----------  ------------------------
right-tunnel-1  up       59s       0B/0B           0/0               192.0.2.12        192.0.2.12   AES_CBC_256/HMAC_SHA1_96
$ sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.0.2.12 192.0.2.12                   192.0.2.11 192.0.2.11

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     66      0

Works good

a.hajiyev changed the task status from Needs testing to In progress.Nov 16 2023, 1:23 PM
a.hajiyev set Issue type to Unspecified (please specify).
a.hajiyev added a comment.Nov 20 2023, 4:59 AM

Tested on VyOS 1.4-rolling-202311100309 and VyOS 1.5-rolling-202311160736 - L-Time shows 0. But supposed to show 3600 according to the configuration.

show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.0.2.11 192.0.2.11                   192.0.2.12 192.0.2.12

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     588     0

The configurations:
LEFT

set vpn ipsec authentication psk vyos id '192.0.2.11'
set vpn ipsec authentication psk vyos id '192.0.2.12'
set vpn ipsec authentication psk vyos secret 'MYSECRETKEY'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec ike-group MyIKEGroup lifetime '3600'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer right authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer right authentication remote-id '192.0.2.12'
set vpn ipsec site-to-site peer right default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer right ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer right local-address '192.0.2.11'
set vpn ipsec site-to-site peer right remote-address '192.0.2.12'
set vpn ipsec site-to-site peer right tunnel 1 protocol 'gre'

RIGHT

set vpn ipsec authentication psk vyos id '192.0.2.12'
set vpn ipsec authentication psk vyos id '192.0.2.11'
set vpn ipsec authentication psk vyos secret 'MYSECRETKEY'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec ike-group MyIKEGroup lifetime '3600'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer left authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer left authentication remote-id '192.0.2.11'
set vpn ipsec site-to-site peer left default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer left ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer left local-address '192.0.2.12'
set vpn ipsec site-to-site peer left remote-address '192.0.2.11'
set vpn ipsec site-to-site peer left tunnel 1 protocol 'gre'
a.hajiyev changed the task status from In progress to Open.Nov 20 2023, 5:04 AM
Viacheslav closed this task as Resolved.Nov 20 2023, 7:38 AM
Viacheslav closed subtask T440: VTI/IPSec with dynamic peer as Wontfix.Dec 18 2023, 8:37 AM
dmbaturin closed subtask T1549: ipsec ikev2 multi usergroup roadwarrior configuration as Not Applicable.Jan 9 2024, 3:44 PM
dmbaturin closed subtask T1925: DMVPN is always listed as down in "show vpn ipsec sa" as Resolved.Jan 9 2024, 4:04 PM
dmbaturin closed subtask T71: Add virtual IP and route installation policy options for IPsec as Resolved.Feb 15 2024, 11:07 AM
a.apostoliuk changed the status of subtask T3722: op-mode IPSec show vpn ike sa always shows L-TIME 0 from Open to Needs testing.Feb 19 2024, 8:25 AM
a.apostoliuk closed subtask T3722: op-mode IPSec show vpn ike sa always shows L-TIME 0 as Resolved.
syncer closed subtask T1101: Spoke site dynamic IP over NAT connect to Hub site as Not Applicable.Oct 28 2024, 5:15 AM