Page MenuHomeVyOS Platform
Create Task
Maniphest T2816

Rewrite IPsec scripts with the new XML/Python approach
Closed, ResolvedPublic
Actions

Description

IPsec is one of the oldest, most complicated, and most bug-ridden components. We need to rewrite it and also improve its CLI as we go.

  • CLI design
  • Implementation design
  • Rewrite of ipsec.pl
  • Rewrite of DMVPN
  • Rewrite of L2TP/IPsec

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)
Issue type
Unspecified (please specify)

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedsarthurdevT2816 Rewrite IPsec scripts with the new XML/Python approach
 ResolvedBUGzsdcT2728 Protocol option ignored for IPSec peers in transport mode
 ResolvedBUGNoneT1534 IPSec w/ IKEv2 Invalid local-address "any"
 Resolved N/AFEATURE REQUESTNoneT1549 ipsec ikev2 multi usergroup roadwarrior configuration
 ResolvedFEATURE REQUESTViacheslavT1856 Support configuring IPSec SA bytes
 ResolvedBUGViacheslavT1925 DMVPN is always listed as down in "show vpn ipsec sa"
 InvalidBUGNoneT2606 ikev2 mobike commit failed
ResolvedENHANCEMENTsarthurdevT57 Make it possible to disable the entire IPsec peer
 ResolvedENHANCEMENTdmbaturinT66 IPSec v6 over v6 support
 ResolvedFEATURE REQUESTdmbaturinT71 Add virtual IP and route installation policy options for IPsec
 ResolvedBUGdmbaturinT628 StrongSwan requires configuration change for proper routing over VTI.
 WontfixFEATURE REQUESTViacheslavT440 VTI/IPSec with dynamic peer
 ResolvedBUGzsdcT406 VPN configuration error: IPv6 over IPv4 IPsec is not supported when using IPv6 ONLY tunnel.
 ResolvedBUGerkinT627 IPSec configuration directive deletion fails, causes bad IPSec state on reboot.
ResolvedFEATURE REQUESTUnknown Object (User)T645 Allow multiple prefixes in ipsec tunnel
 Needs testingNoneT1070 SWANCTL: DMVPN: ALL peers are deleted in swan when opennhrp tries to delete ONE peer
 OpenBUGNoneT1101 Spoke site dynamic IP over NAT connect to Hub site
 ResolvedFEATURE REQUESTc-poT1210 About IKEv2 IPSec VPN remote access
 ResolvedBUGzsdcT1233 ipsec vpn sa showing down
 ResolvedBUGUnicronNLT1501 VPN Commit Errors
 ResolvedFEATURE REQUESTzsdcT2049 Update strongSwan cipher suites list for IPSec settings
 ResolvedBUGjestabroT2164 Package libstrongswan-standard-plugins missing from image
 ResolvedFEATURE REQUESTViacheslavT2620 Add ipsec peer-name to log to simplifies grepping and troubleshooting
 ResolvedFEATURE REQUESTViacheslavT2639 sort output of show vpn ipsec sa
ResolvedFEATURE REQUESTsarthurdevT2641 Rewrite vpn ipsec OP commands in new style XML syntax
 ResolvedBUGViacheslavT3333 "show vpn ipsec sa" reports ESP tunnels to be up when they are not.
 ResolvedViacheslavT2806 ipsec generates false warning on commit when local prefix is sourced from loopback
 DuplicateFEATURE REQUESTNoneT1251 IKEv2 Agile VPN Support
 ResolvedBUGjack9603301T3055 op-mode incorrect naming for ipsec policy-based tunnels
ResolvedViacheslavT3093 Add xml for vpn ipsec
 ResolvedFEATURE REQUESTc-poT2173 Add the ability to use VRF on VTI interfaces
 Resolvedc-poT1513 Move OSPF and RIP interface configuration under protocols
 Resolvedc-poT3588 IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan
 ResolvedFEATURE REQUESTc-poT842 Adopt VyOS CLI to latest StrongSwan options and deprecated Keywords
 ResolvedBUGsarthurdevT3594 Disable by default service strongswan-starter
 Resolvedc-poT3595 Cannot create new VTI interface
 ResolvedFEATURE REQUESTsarthurdevT3613 Selectors for route-based IPsec tunnel (vti)
Restricted Maniphest Task
 ResolvedBUGsarthurdevT3643 show vpn ipsec sa doesn't show tunnels in "down" state
 ResolvedBUGSrividyaAT3678 VyOS 1.4: Invalid error message while deleting ipsec vpn configuration
 ResolvedBUGc-poT3718 VPN IPsec IKE group by default not use DH-group 2
 ResolvedBUGc-poT3719 Restart vpn shows some missed files
 ResolvedBUGc-poT3720 IPSec set vti secondary address cause interface disable
 ResolvedBUGa.apostoliukT3722 op-mode IPSec show vpn ike sa always shows L-TIME 0
 ResolvedBUGViacheslavT3723 op-mode IPSec show vpn ipsec sa output with underscores
 ResolvedBUGsarthurdevT3727 VPN IPsec ESP proposal and ESP presented in config missmatch
 ResolvedFEATURE REQUESTc-poT3745 op-mode IPSec show vpn ipse sa sorting
 ResolvedBUGc-poT3764 Unconfigurable IKE and ESP lifetime

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
SrividyaA added a subscriber: SrividyaA.Jun 17 2021, 6:18 PM

Tested with basic ipsec configuration and it does not seem to work when 3des encryption is configured. It works with default (aes128) and aes192.
Version

Version:          VyOS 1.4-rolling-202106151212
Release Train:    sagitta

Built by:         [email protected]
Built on:         Tue 15 Jun 2021 11:57 UTC
Build UUID:       aca2a1be-7e7c-49c5-81f8-35df11d65aeb
Build Commit ID:  e5a2250f2d0145

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:
Hardware UUID:    54e778d8-8701-4a6a-95a0-ca658269c598

Copyright:        VyOS maintainers and contributors

Config:

set vpn ipsec esp-group espN compression 'disable'
set vpn ipsec esp-group espN lifetime '3600'
set vpn ipsec esp-group espN proposal 1 encryption '3des'
set vpn ipsec esp-group espN proposal 1 hash 'sha1'
set vpn ipsec ike-group ikeN proposal 1 dh-group '2'
set vpn ipsec ike-group ikeN proposal 1 encryption '3des'
set vpn ipsec ike-group ikeN proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.0.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.0.0.2 authentication pre-shared-secret 'Vyos@123'
set vpn ipsec site-to-site peer 10.0.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.0.0.2 ike-group 'ikeN'
set vpn ipsec site-to-site peer 10.0.0.2 local-address '10.0.0.1'
set vpn ipsec site-to-site peer 10.0.0.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.0.0.2 vti esp-group 'espN'

Error:

vyos@vyos#  run sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.0.0.2 10.0.0.2                       10.0.0.1 10.0.0.1
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 68, in <module>
    ike_sa(args.peer, args.nat)
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 52, in ike_sa
    encryption = f'{s(sa["encr-alg"])}_{s(sa["encr-keysize"])}' if 'encr-alg' in sa else 'n/a'
KeyError: 'encr-keysize'

Works in 1.2.7 version.

sarthurdev added a comment.Jun 17 2021, 7:58 PM

@SrividyaA Fixed in PR: https://github.com/vyos/vyos-1x/pull/884

c-po changed the status of subtask Restricted Maniphest Task from Confirmed to Needs testing.Jun 19 2021, 11:26 AM
SrividyaA added a comment.Jun 21 2021, 7:01 PM

In fresh/new setup, the output of the command "show vpn ike sa" is throwing an exception error:

vyos@vyos:~$ sh vpn ike sa
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 70, in <module>
    ike_sa(args.peer, args.nat)
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 34, in ike_sa
    session = vici.Session()
  File "/usr/lib/python3/dist-packages/vici/session.py", line 12, in __init__
    sock.connect("/var/run/charon.vici")
FileNotFoundError: [Errno 2] No such file or directory
vyos@vyos:~$ sh vpn ipsec sa
IPSec process not running

In older version:

vyos@vyos:~$ sh vpn ike sa
vyos@vyos:~$ sh vpn ipsec sa
IPSec Process NOT Running
Viacheslav added a subtask: T3643: show vpn ipsec sa doesn't show tunnels in "down" state.Jun 21 2021, 8:57 PM
sarthurdev added a comment.Jun 22 2021, 7:45 AM

@SrividyaA Fixed in PR https://github.com/vyos/vyos-1x/pull/894

SrividyaA mentioned this in T3656: IPSec 1.4 : "show vpn ike sa" does not show the correct default ike version.Jun 28 2021, 4:37 PM
c-po closed subtask T57: Make it possible to disable the entire IPsec peer as Resolved.Jul 3 2021, 5:22 PM
c-po changed the status of subtask T1210: About IKEv2 IPSec VPN remote access from Open to Needs testing.Jul 11 2021, 1:12 PM
SrividyaA mentioned this in T3678: VyOS 1.4: Invalid error message while deleting ipsec vpn configuration.Jul 13 2021, 3:29 PM
Viacheslav added a subtask: T3678: VyOS 1.4: Invalid error message while deleting ipsec vpn configuration.Jul 13 2021, 3:54 PM
c-po closed subtask T1210: About IKEv2 IPSec VPN remote access as Resolved.Jul 30 2021, 6:12 PM
Viacheslav added a subtask: T3718: VPN IPsec IKE group by default not use DH-group 2.Aug 3 2021, 3:14 PM
Viacheslav added a subtask: T3719: Restart vpn shows some missed files.Aug 3 2021, 3:19 PM
Viacheslav added a subtask: T3720: IPSec set vti secondary address cause interface disable.Aug 3 2021, 3:29 PM
c-po changed the status of subtask T3718: VPN IPsec IKE group by default not use DH-group 2 from Open to Confirmed.Aug 3 2021, 7:25 PM
c-po closed subtask T3718: VPN IPsec IKE group by default not use DH-group 2 as Resolved.Aug 4 2021, 6:50 PM
Viacheslav added a subtask: T3722: op-mode IPSec show vpn ike sa always shows L-TIME 0.Aug 5 2021, 8:14 AM
Viacheslav added a subtask: T3723: op-mode IPSec show vpn ipsec sa output with underscores.Aug 5 2021, 8:20 AM
c-po closed subtask T3719: Restart vpn shows some missed files as Resolved.Aug 5 2021, 2:55 PM
dmbaturin closed subtask T66: IPSec v6 over v6 support as Resolved.Aug 7 2021, 7:52 AM
Viacheslav added a subtask: T3727: VPN IPsec ESP proposal and ESP presented in config missmatch.Aug 9 2021, 7:41 AM
Viacheslav closed subtask T2606: ikev2 mobike commit failed as Invalid.Aug 9 2021, 8:42 AM
UnicronNL closed subtask T1501: VPN Commit Errors as Resolved.Aug 9 2021, 2:09 PM
c-po closed subtask T3720: IPSec set vti secondary address cause interface disable as Resolved.Aug 9 2021, 7:06 PM
Viacheslav added a subtask: T3745: op-mode IPSec show vpn ipse sa sorting.Aug 12 2021, 9:54 AM
Viacheslav closed subtask T3727: VPN IPsec ESP proposal and ESP presented in config missmatch as Resolved.Aug 13 2021, 11:53 AM
c-po changed the status of subtask T3745: op-mode IPSec show vpn ipse sa sorting from Open to Needs testing.Aug 14 2021, 5:02 PM
c-po closed subtask T3745: op-mode IPSec show vpn ipse sa sorting as Resolved.Aug 14 2021, 6:17 PM
Viacheslav added a subtask: T3764: Unconfigurable IKE and ESP lifetime.Aug 18 2021, 1:24 PM
c-po closed subtask T3764: Unconfigurable IKE and ESP lifetime as Resolved.Aug 19 2021, 10:03 AM
Viacheslav closed subtask T3613: Selectors for route-based IPsec tunnel (vti) as Resolved.Oct 15 2021, 8:59 PM
syncer changed the status of subtask T3643: show vpn ipsec sa doesn't show tunnels in "down" state from Open to In progress.Oct 17 2021, 3:00 PM
Viacheslav closed subtask T645: Allow multiple prefixes in ipsec tunnel as Resolved.Nov 15 2021, 8:22 AM
SrividyaA closed subtask T3678: VyOS 1.4: Invalid error message while deleting ipsec vpn configuration as Resolved.Dec 22 2021, 1:40 PM
Viacheslav closed subtask T3643: show vpn ipsec sa doesn't show tunnels in "down" state as Resolved.Feb 3 2022, 5:35 PM
Viacheslav changed the status of subtask T1856: Support configuring IPSec SA bytes from Open to In progress.Feb 20 2022, 4:47 PM
sarthurdev closed subtask Restricted Maniphest Task as Resolved.Feb 20 2022, 7:21 PM
c-po closed subtask T1856: Support configuring IPSec SA bytes as Resolved.Jun 20 2022, 7:39 PM
Viacheslav closed subtask T1233: ipsec vpn sa showing down as Resolved.Jul 25 2022, 9:42 AM
Viacheslav closed subtask T3723: op-mode IPSec show vpn ipsec sa output with underscores as Resolved.Oct 23 2022, 7:08 PM
a.hajiyev added a subscriber: a.hajiyev.EditedNov 16 2023, 11:30 AM

Tested in VyOS 1.4-rolling-202311100309 (3DES)

image.png (195×665 px, 6 KB)

Configurations:
LEFT-R:

set interfaces dummy dum0 address '10.0.11.1/24'
set interfaces ethernet eth0 address '192.0.2.11/24'

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.11
set interfaces tunnel tun0 remote 192.0.2.12
set interfaces tunnel tun0 address 10.10.10.1/30
set vpn ipsec interface eth0
set vpn ipsec authentication psk vyos id 192.0.2.11
set vpn ipsec authentication psk vyos id 192.0.2.12
set vpn ipsec authentication psk vyos secret MYSECRETKEY
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption '3des'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption '3des'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer right authentication mode pre-shared-secret
set vpn ipsec site-to-site peer right authentication remote-id 192.0.2.12
set vpn ipsec site-to-site peer right ike-group MyIKEGroup
set vpn ipsec site-to-site peer right default-esp-group MyESPGroup
set vpn ipsec site-to-site peer right local-address 192.0.2.11
set vpn ipsec site-to-site peer right remote-address 192.0.2.12
set vpn ipsec site-to-site peer right tunnel 1 protocol gre

set protocols static route 10.0.12.0/24 interface tun0

RIGHT-R

set interfaces dummy dum0 address '10.0.12.1/24'
set interfaces ethernet eth0 address '192.0.2.12/24'

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.12
set interfaces tunnel tun0 remote 192.0.2.11
set interfaces tunnel tun0 address 10.10.10.2/30
set vpn ipsec interface eth0
set vpn ipsec authentication psk vyos id 192.0.2.12
set vpn ipsec authentication psk vyos id 192.0.2.11
set vpn ipsec authentication psk vyos secret MYSECRETKEY
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption '3des'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption '3des'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer left authentication mode pre-shared-secret
set vpn ipsec site-to-site peer left authentication remote-id 192.0.2.11
set vpn ipsec site-to-site peer left ike-group MyIKEGroup
set vpn ipsec site-to-site peer left default-esp-group MyESPGroup
set vpn ipsec site-to-site peer left local-address 192.0.2.12
set vpn ipsec site-to-site peer left remote-address 192.0.2.11
set vpn ipsec site-to-site peer left tunnel 1 protocol gre

set protocols static route 10.0.11.0/24 interface tun0

Checking:

$ show vpn ipsec sa
Connection      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------  -------  --------  --------------  ----------------  ----------------  -----------  ---------------------
right-tunnel-1  up       15m36s    7K/7K           74/74             192.0.2.12        192.0.2.12   3DES_CBC/HMAC_SHA1_96
$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.0.2.12 192.0.2.12                   192.0.2.11 192.0.2.11

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv2   3DES_CBC     HMAC_SHA1_96  MODP_1024      no     963     0

Works good

a.hajiyev added a comment.Nov 16 2023, 11:59 AM

Tested in VyOS 1.4-rolling-202311100309 (AES)

Configurations:
LEFT-R:

set interfaces dummy dum0 address '10.0.11.1/24'
set interfaces ethernet eth0 address '192.0.2.11/24'

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.11
set interfaces tunnel tun0 remote 192.0.2.12
set interfaces tunnel tun0 address 10.10.10.1/30
set vpn ipsec interface eth0
set vpn ipsec authentication psk vyos id 192.0.2.11
set vpn ipsec authentication psk vyos id 192.0.2.12
set vpn ipsec authentication psk vyos secret MYSECRETKEY
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer right authentication mode pre-shared-secret
set vpn ipsec site-to-site peer right authentication remote-id 192.0.2.12
set vpn ipsec site-to-site peer right ike-group MyIKEGroup
set vpn ipsec site-to-site peer right default-esp-group MyESPGroup
set vpn ipsec site-to-site peer right local-address 192.0.2.11
set vpn ipsec site-to-site peer right remote-address 192.0.2.12
set vpn ipsec site-to-site peer right tunnel 1 protocol gre

set protocols static route 10.0.12.0/24 interface tun0

RIGHT-R

set interfaces dummy dum0 address '10.0.12.1/24'
set interfaces ethernet eth0 address '192.0.2.12/24'

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 192.0.2.12
set interfaces tunnel tun0 remote 192.0.2.11
set interfaces tunnel tun0 address 10.10.10.2/30
set vpn ipsec interface eth0
set vpn ipsec authentication psk vyos id 192.0.2.12
set vpn ipsec authentication psk vyos id 192.0.2.11
set vpn ipsec authentication psk vyos secret MYSECRETKEY
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer left authentication mode pre-shared-secret
set vpn ipsec site-to-site peer left authentication remote-id 192.0.2.11
set vpn ipsec site-to-site peer left ike-group MyIKEGroup
set vpn ipsec site-to-site peer left default-esp-group MyESPGroup
set vpn ipsec site-to-site peer left local-address 192.0.2.12
set vpn ipsec site-to-site peer left remote-address 192.0.2.11
set vpn ipsec site-to-site peer left tunnel 1 protocol gre

set protocols static route 10.0.11.0/24 interface tun0

Checking:

$ sh vpn ipsec sa
Connection      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------  -------  --------  --------------  ----------------  ----------------  -----------  ------------------------
right-tunnel-1  up       59s       0B/0B           0/0               192.0.2.12        192.0.2.12   AES_CBC_256/HMAC_SHA1_96
$ sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.0.2.12 192.0.2.12                   192.0.2.11 192.0.2.11

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     66      0

Works good

a.hajiyev changed the task status from Needs testing to In progress.Nov 16 2023, 1:23 PM
a.hajiyev set Issue type to Unspecified (please specify).
a.hajiyev added a comment.Nov 20 2023, 4:59 AM

Tested on VyOS 1.4-rolling-202311100309 and VyOS 1.5-rolling-202311160736 - L-Time shows 0. But supposed to show 3600 according to the configuration.

show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
192.0.2.11 192.0.2.11                   192.0.2.12 192.0.2.12

    State  IKEVer  Encrypt      Hash          D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------      ----          ---------      -----  ------  ------
    up     IKEv2   AES_CBC_256  HMAC_SHA1_96  MODP_1024      no     588     0

The configurations:
LEFT

set vpn ipsec authentication psk vyos id '192.0.2.11'
set vpn ipsec authentication psk vyos id '192.0.2.12'
set vpn ipsec authentication psk vyos secret 'MYSECRETKEY'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec ike-group MyIKEGroup lifetime '3600'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer right authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer right authentication remote-id '192.0.2.12'
set vpn ipsec site-to-site peer right default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer right ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer right local-address '192.0.2.11'
set vpn ipsec site-to-site peer right remote-address '192.0.2.12'
set vpn ipsec site-to-site peer right tunnel 1 protocol 'gre'

RIGHT

set vpn ipsec authentication psk vyos id '192.0.2.12'
set vpn ipsec authentication psk vyos id '192.0.2.11'
set vpn ipsec authentication psk vyos secret 'MYSECRETKEY'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec ike-group MyIKEGroup lifetime '3600'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer left authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer left authentication remote-id '192.0.2.11'
set vpn ipsec site-to-site peer left default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer left ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer left local-address '192.0.2.12'
set vpn ipsec site-to-site peer left remote-address '192.0.2.11'
set vpn ipsec site-to-site peer left tunnel 1 protocol 'gre'
a.hajiyev changed the task status from In progress to Open.Nov 20 2023, 5:04 AM
Viacheslav closed this task as Resolved.Nov 20 2023, 7:38 AM
Viacheslav closed subtask T440: VTI/IPSec with dynamic peer as Wontfix.Dec 18 2023, 8:37 AM
dmbaturin closed subtask T1549: ipsec ikev2 multi usergroup roadwarrior configuration as Resolved N/A.Jan 9 2024, 3:44 PM
dmbaturin closed subtask T1925: DMVPN is always listed as down in "show vpn ipsec sa" as Resolved.Jan 9 2024, 4:04 PM
dmbaturin closed subtask T71: Add virtual IP and route installation policy options for IPsec as Resolved.Feb 15 2024, 11:07 AM
a.apostoliuk changed the status of subtask T3722: op-mode IPSec show vpn ike sa always shows L-TIME 0 from Open to Needs testing.Feb 19 2024, 8:25 AM
a.apostoliuk closed subtask T3722: op-mode IPSec show vpn ike sa always shows L-TIME 0 as Resolved.