IPsec is one of the oldest, most complicated, and most bug-ridden components. We need to rewrite it and also improve its CLI as we go.
- CLI design
- Implementation design
- Rewrite of ipsec.pl
- Rewrite of DMVPN
- Rewrite of L2TP/IPsec
dmbaturin, Aug 20 2020, 3:37 PM
Nov 16 2023, 11:30 AM
Tested with a basic IPsec configuration; it does not seem to work when 3DES encryption is configured. It works with the default (aes128) and with aes192.
Version:
Version:          VyOS 1.4-rolling-202106151212
Release Train:    sagitta
Built by:         autobuild@vyos.net
Built on:         Tue 15 Jun 2021 11:57 UTC
Build UUID:       aca2a1be-7e7c-49c5-81f8-35df11d65aeb
Build Commit ID:  e5a2250f2d0145
Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest
Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:
Hardware UUID:    54e778d8-8701-4a6a-95a0-ca658269c598
Copyright:        VyOS maintainers and contributors
Config:
set vpn ipsec esp-group espN compression 'disable'
set vpn ipsec esp-group espN lifetime '3600'
set vpn ipsec esp-group espN proposal 1 encryption '3des'
set vpn ipsec esp-group espN proposal 1 hash 'sha1'
set vpn ipsec ike-group ikeN proposal 1 dh-group '2'
set vpn ipsec ike-group ikeN proposal 1 encryption '3des'
set vpn ipsec ike-group ikeN proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.0.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.0.0.2 authentication pre-shared-secret 'Vyos@123'
set vpn ipsec site-to-site peer 10.0.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.0.0.2 ike-group 'ikeN'
set vpn ipsec site-to-site peer 10.0.0.2 local-address '10.0.0.1'
set vpn ipsec site-to-site peer 10.0.0.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.0.0.2 vti esp-group 'espN'
Error:
vyos@vyos# run sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.0.0.2 10.0.0.2                       10.0.0.1 10.0.0.1
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 68, in <module>
    ike_sa(args.peer, args.nat)
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 52, in ike_sa
    encryption = f'{s(sa["encr-alg"])}_{s(sa["encr-keysize"])}' if 'encr-alg' in sa else 'n/a'
KeyError: 'encr-keysize'
Works in version 1.2.7.
In a fresh/new setup, the command "show vpn ike sa" throws an exception:
vyos@vyos:~$ sh vpn ike sa
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 70, in <module>
    ike_sa(args.peer, args.nat)
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 34, in ike_sa
    session = vici.Session()
  File "/usr/lib/python3/dist-packages/vici/session.py", line 12, in __init__
    sock.connect("/var/run/charon.vici")
FileNotFoundError: [Errno 2] No such file or directory
vyos@vyos:~$ sh vpn ipsec sa
IPSec process not running
In the older version:
vyos@vyos:~$ sh vpn ike sa
vyos@vyos:~$ sh vpn ipsec sa
IPSec Process NOT Running
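Both tracebacks above come from `show vpn ike sa` assuming the happy path: the 3DES report shows the script assuming every vici SA entry carries `encr-keysize` (strongSwan only reports a key size for variable-key ciphers, which is why the working output later in this task prints a bare `3DES_CBC`), and the fresh-install report shows it assuming the charon vici socket exists. The block below is an added example, not VyOS's op-mode script, that does both lookups defensively. It assumes the python `vici` module's convention of str keys and bytes values; the SA dicts are constructed to mimic that shape and are not captured output.

```python
"""
Added example (not VyOS code): defensive handling of the two failure paths
seen in the `show vpn ike sa` tracebacks.

  1. Building the Encrypt column from a strongSwan vici `list-sas` entry must
     not assume `encr-keysize` exists; fixed-key ciphers such as 3DES_CBC
     report only `encr-alg`.
  2. Connecting to the vici socket must not leak a FileNotFoundError when
     charon is not running.
"""
import socket

VICI_SOCKET = '/var/run/charon.vici'  # path from the traceback


def s(value):
    """Decode a vici bytes value to str (same role as s() in the traceback)."""
    return value.decode() if isinstance(value, bytes) else value


def format_encryption_buggy(sa):
    """The pattern that fails: every encr-alg is assumed to carry a keysize."""
    return f'{s(sa["encr-alg"])}_{s(sa["encr-keysize"])}' if 'encr-alg' in sa else 'n/a'


def format_encryption(sa):
    """Append the key size only when vici reports one."""
    alg = sa.get('encr-alg')
    if alg is None:
        return 'n/a'
    keysize = sa.get('encr-keysize')
    return f'{s(alg)}_{s(keysize)}' if keysize else s(alg)


def open_vici_socket(path=VICI_SOCKET):
    """Return a connected AF_UNIX socket, or None if charon is not listening.

    FileNotFoundError covers a missing socket file; ConnectionRefusedError
    covers a stale socket file left behind by a dead daemon.
    """
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.connect(path)
    except (FileNotFoundError, ConnectionRefusedError):
        sock.close()
        return None
    return sock


# Constructed samples shaped like vici IKE_SA entries (str keys, bytes values).
SA_3DES = {'encr-alg': b'3DES_CBC', 'integ-alg': b'HMAC_SHA1_96', 'dh-group': b'MODP_1024'}
SA_AES = {'encr-alg': b'AES_CBC', 'encr-keysize': b'256', 'integ-alg': b'HMAC_SHA1_96', 'dh-group': b'MODP_1024'}
SA_NONE = {'dh-group': b'MODP_1024'}


def compare():
    """Return {name: (buggy result or error text, fixed result)} per sample."""
    out = {}
    for name, sa in (('3des', SA_3DES), ('aes256', SA_AES), ('no-alg', SA_NONE)):
        try:
            buggy = format_encryption_buggy(sa)
        except KeyError as e:
            buggy = f'KeyError: {e}'
        out[name] = (buggy, format_encryption(sa))
    return out


def ike_sa_status(path=VICI_SOCKET):
    """What the op-mode command should report instead of a traceback."""
    sock = open_vici_socket(path)
    if sock is None:
        return 'IPSec process not running'
    sock.close()
    return 'connected'


if __name__ == '__main__':
    for name, (buggy, fixed) in compare().items():
        print(f'{name:7s} buggy={buggy!r:25s} fixed={fixed!r}')
    print(ike_sa_status())
```

Run on a box without charon, the script reports the KeyError only for the 3DES sample under the buggy formatter, `3DES_CBC` / `AES_CBC_256` / `n/a` under the fixed one, and "IPSec process not running" instead of a stack trace.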
Tested in VyOS 1.4-rolling-202311100309 (3DES)
Configurations:
LEFT-R:
set interfaces dummy dum0 address '10.0.11.1/24'
set interfaces ethernet eth0 address '192.0.2.11/24'
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.11
set interfaces tunnel tun0 remote 192.0.2.12
set interfaces tunnel tun0 address 10.10.10.1/30
set vpn ipsec interface eth0
set vpn ipsec authentication psk vyos id 192.0.2.11
set vpn ipsec authentication psk vyos id 192.0.2.12
set vpn ipsec authentication psk vyos secret MYSECRETKEY
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption '3des'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption '3des'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer right authentication mode pre-shared-secret
set vpn ipsec site-to-site peer right authentication remote-id 192.0.2.12
set vpn ipsec site-to-site peer right ike-group MyIKEGroup
set vpn ipsec site-to-site peer right default-esp-group MyESPGroup
set vpn ipsec site-to-site peer right local-address 192.0.2.11
set vpn ipsec site-to-site peer right remote-address 192.0.2.12
set vpn ipsec site-to-site peer right tunnel 1 protocol gre
set protocols static route 10.0.12.0/24 interface tun0
RIGHT-R:
set interfaces dummy dum0 address '10.0.12.1/24'
set interfaces ethernet eth0 address '192.0.2.12/24'
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.12
set interfaces tunnel tun0 remote 192.0.2.11
set interfaces tunnel tun0 address 10.10.10.2/30
set vpn ipsec interface eth0
set vpn ipsec authentication psk vyos id 192.0.2.12
set vpn ipsec authentication psk vyos id 192.0.2.11
set vpn ipsec authentication psk vyos secret MYSECRETKEY
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption '3des'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption '3des'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer left authentication mode pre-shared-secret
set vpn ipsec site-to-site peer left authentication remote-id 192.0.2.11
set vpn ipsec site-to-site peer left ike-group MyIKEGroup
set vpn ipsec site-to-site peer left default-esp-group MyESPGroup
set vpn ipsec site-to-site peer left local-address 192.0.2.12
set vpn ipsec site-to-site peer left remote-address 192.0.2.11
set vpn ipsec site-to-site peer left tunnel 1 protocol gre
set protocols static route 10.0.11.0/24 interface tun0
Checking:
$ show vpn ipsec sa
Connection      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------  -------  --------  --------------  ----------------  ----------------  -----------  ---------------------
right-tunnel-1  up       15m36s    7K/7K           74/74             192.0.2.12        192.0.2.12   3DES_CBC/HMAC_SHA1_96
$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.0.2.12 192.0.2.12                   192.0.2.11 192.0.2.11

    State  IKEVer  Encrypt   Hash          D-H Group  NAT-T  A-Time  L-Time
    -----  ------  -------   ----          ---------  -----  ------  ------
    up     IKEv2   3DES_CBC  HMAC_SHA1_96  MODP_1024  no     963     0
Works well.
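The 3DES / SHA1 / DH group 2 proposal in the report above is the right thing to reproduce the bug with, but it is not a proposal to deploy: 3DES and 1024-bit MODP are deprecated for IKE, and HMAC-SHA1-96 gains nothing over SHA-256 on this hardware. As an added example that is not part of the tester's report, here is the LEFT-R side of the same topology with current proposals. The values are the VyOS 1.4 CLI keywords; only the IKE/ESP proposal, lifetime, PFS and key-exchange lines differ from the tested config, and RIGHT-R mirrors it with the addresses and IDs swapped exactly as in the tested pair. Lines beginning with `#` are annotations.

```vyos
set interfaces dummy dum0 address '10.0.11.1/24'
set interfaces ethernet eth0 address '192.0.2.11/24'
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.11
set interfaces tunnel tun0 remote 192.0.2.12
set interfaces tunnel tun0 address 10.10.10.1/30
set vpn ipsec interface eth0
set vpn ipsec authentication psk vyos id 192.0.2.11
set vpn ipsec authentication psk vyos id 192.0.2.12
set vpn ipsec authentication psk vyos secret MYSECRETKEY
# IKE: IKEv2 only, AES-256, SHA-256 for PRF/integrity, 2048-bit MODP (group 14), 8h IKE SA lifetime
set vpn ipsec ike-group MyIKEGroup key-exchange 'ikev2'
set vpn ipsec ike-group MyIKEGroup lifetime '28800'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '14'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha256'
# ESP: AES-256-GCM (AEAD), PFS with group 14, 1h child SA lifetime
set vpn ipsec esp-group MyESPGroup lifetime '3600'
set vpn ipsec esp-group MyESPGroup pfs 'dh-group14'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha256'
set vpn ipsec site-to-site peer right authentication mode pre-shared-secret
set vpn ipsec site-to-site peer right authentication remote-id 192.0.2.12
set vpn ipsec site-to-site peer right ike-group MyIKEGroup
set vpn ipsec site-to-site peer right default-esp-group MyESPGroup
set vpn ipsec site-to-site peer right local-address 192.0.2.11
set vpn ipsec site-to-site peer right remote-address 192.0.2.12
set vpn ipsec site-to-site peer right tunnel 1 protocol gre
set protocols static route 10.0.12.0/24 interface tun0
```

With this config the Proposal column of `show vpn ipsec sa` and the Encrypt / D-H Group columns of `show vpn ike sa` should read AES-GCM and MODP_2048 instead of 3DES_CBC and MODP_1024; the `encr-keysize` code path is exercised either way, so it remains a valid check for the KeyError reported earlier in this task.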
Tested in VyOS 1.4-rolling-202311100309 (AES)
Configurations:
LEFT-R:
set interfaces dummy dum0 address '10.0.11.1/24'
set interfaces ethernet eth0 address '192.0.2.11/24'
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.11
set interfaces tunnel tun0 remote 192.0.2.12
set interfaces tunnel tun0 address 10.10.10.1/30
set vpn ipsec interface eth0
set vpn ipsec authentication psk vyos id 192.0.2.11
set vpn ipsec authentication psk vyos id 192.0.2.12
set vpn ipsec authentication psk vyos secret MYSECRETKEY
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer right authentication mode pre-shared-secret
set vpn ipsec site-to-site peer right authentication remote-id 192.0.2.12
set vpn ipsec site-to-site peer right ike-group MyIKEGroup
set vpn ipsec site-to-site peer right default-esp-group MyESPGroup
set vpn ipsec site-to-site peer right local-address 192.0.2.11
set vpn ipsec site-to-site peer right remote-address 192.0.2.12
set vpn ipsec site-to-site peer right tunnel 1 protocol gre
set protocols static route 10.0.12.0/24 interface tun0
RIGHT-R:
set interfaces dummy dum0 address '10.0.12.1/24'
set interfaces ethernet eth0 address '192.0.2.12/24'
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.12
set interfaces tunnel tun0 remote 192.0.2.11
set interfaces tunnel tun0 address 10.10.10.2/30
set vpn ipsec interface eth0
set vpn ipsec authentication psk vyos id 192.0.2.12
set vpn ipsec authentication psk vyos id 192.0.2.11
set vpn ipsec authentication psk vyos secret MYSECRETKEY
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer left authentication mode pre-shared-secret
set vpn ipsec site-to-site peer left authentication remote-id 192.0.2.11
set vpn ipsec site-to-site peer left ike-group MyIKEGroup
set vpn ipsec site-to-site peer left default-esp-group MyESPGroup
set vpn ipsec site-to-site peer left local-address 192.0.2.12
set vpn ipsec site-to-site peer left remote-address 192.0.2.11
set vpn ipsec site-to-site peer left tunnel 1 protocol gre
set protocols static route 10.0.11.0/24 interface tun0
Checking:
$ sh vpn ipsec sa
Connection      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------  -------  --------  --------------  ----------------  ----------------  -----------  ------------------------
right-tunnel-1  up       59s       0B/0B           0/0               192.0.2.12        192.0.2.12   AES_CBC_256/HMAC_SHA1_96
$ sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.0.2.12 192.0.2.12                   192.0.2.11 192.0.2.11

    State  IKEVer  Encrypt      Hash          D-H Group  NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------  -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA1_96  MODP_1024  no     66      0
Works well.
Tested on VyOS 1.4-rolling-202311100309 and VyOS 1.5-rolling-202311160736: L-Time shows 0, but it is supposed to show 3600 according to the configuration.
show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.0.2.11 192.0.2.11                   192.0.2.12 192.0.2.12

    State  IKEVer  Encrypt      Hash          D-H Group  NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------  -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA1_96  MODP_1024  no     588     0
The configurations:
LEFT
set vpn ipsec authentication psk vyos id '192.0.2.11'
set vpn ipsec authentication psk vyos id '192.0.2.12'
set vpn ipsec authentication psk vyos secret 'MYSECRETKEY'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec ike-group MyIKEGroup lifetime '3600'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer right authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer right authentication remote-id '192.0.2.12'
set vpn ipsec site-to-site peer right default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer right ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer right local-address '192.0.2.11'
set vpn ipsec site-to-site peer right remote-address '192.0.2.12'
set vpn ipsec site-to-site peer right tunnel 1 protocol 'gre'
RIGHT
set vpn ipsec authentication psk vyos id '192.0.2.12'
set vpn ipsec authentication psk vyos id '192.0.2.11'
set vpn ipsec authentication psk vyos secret 'MYSECRETKEY'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec ike-group MyIKEGroup lifetime '3600'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer left authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer left authentication remote-id '192.0.2.11'
set vpn ipsec site-to-site peer left default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer left ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer left local-address '192.0.2.12'
set vpn ipsec site-to-site peer left remote-address '192.0.2.11'
set vpn ipsec site-to-site peer left tunnel 1 protocol 'gre'