
Rewrite IPsec scripts with the new XML/Python approach
Needs testing, Normal, Public

Description

IPsec is one of the oldest, most complicated, and most bug-ridden components. We need to rewrite it and also improve its CLI as we go.

  • CLI design
  • Implementation design
  • Rewrite of ipsec.pl
  • Rewrite of DMVPN
  • Rewrite of L2TP/IPsec

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)

Related Objects

Status          Subtype           Assigned      Task
Needs testing   -                 sdev
Resolved        BUG               zsdc
Resolved        BUG               None
Open            FEATURE REQUEST   None
Resolved        FEATURE REQUEST   Viacheslav
Open            BUG               Viacheslav
Invalid         BUG               None
Resolved        ENHANCEMENT       sdev
Resolved        ENHANCEMENT       dmbaturin
Open            FEATURE REQUEST   dmbaturin
Resolved        BUG               dmbaturin
Open            FEATURE REQUEST   Dmitry
Resolved        BUG               zsdc
Resolved        BUG               erkin
Resolved        FEATURE REQUEST   Dmitry
Needs testing   -                 None
Open            BUG               UnicronNL
Resolved        FEATURE REQUEST   c-po
Resolved        BUG               zsdc
Resolved        BUG               UnicronNL
Resolved        FEATURE REQUEST   zsdc
Resolved        BUG               jestabro
Resolved        FEATURE REQUEST   Viacheslav
Resolved        FEATURE REQUEST   Viacheslav
Resolved        FEATURE REQUEST   sdev
Resolved        BUG               Viacheslav
Resolved        -                 Viacheslav
Duplicate       FEATURE REQUEST   None
Resolved        BUG               jack9603301
Resolved        -                 Viacheslav
Resolved        FEATURE REQUEST   c-po
Resolved        -                 c-po
Resolved        -                 c-po
Resolved        FEATURE REQUEST   c-po
Resolved        BUG               sdev
Resolved        -                 c-po
Resolved        FEATURE REQUEST   sdev
Resolved        BUG               sdev
Resolved        BUG               SrividyaA
Resolved        BUG               c-po
Resolved        BUG               c-po
Resolved        BUG               c-po
Open            BUG               None
Resolved        BUG               Viacheslav
Resolved        BUG               sdev
Resolved        FEATURE REQUEST   c-po
Resolved        BUG               c-po

Event Timeline

acrane1 added a subtask: Restricted Maniphest Task. Jun 11 2021, 7:47 PM

Tested with basic ipsec configuration and it does not seem to work when 3des encryption is configured. It works with default (aes128) and aes192.
Version

Version:          VyOS 1.4-rolling-202106151212
Release Train:    sagitta

Built by:         [email protected]
Built on:         Tue 15 Jun 2021 11:57 UTC
Build UUID:       aca2a1be-7e7c-49c5-81f8-35df11d65aeb
Build Commit ID:  e5a2250f2d0145

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:
Hardware UUID:    54e778d8-8701-4a6a-95a0-ca658269c598

Copyright:        VyOS maintainers and contributors

Config:

set vpn ipsec esp-group espN compression 'disable'
set vpn ipsec esp-group espN lifetime '3600'
set vpn ipsec esp-group espN proposal 1 encryption '3des'
set vpn ipsec esp-group espN proposal 1 hash 'sha1'
set vpn ipsec ike-group ikeN proposal 1 dh-group '2'
set vpn ipsec ike-group ikeN proposal 1 encryption '3des'
set vpn ipsec ike-group ikeN proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.0.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.0.0.2 authentication pre-shared-secret '[email protected]'
set vpn ipsec site-to-site peer 10.0.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.0.0.2 ike-group 'ikeN'
set vpn ipsec site-to-site peer 10.0.0.2 local-address '10.0.0.1'
set vpn ipsec site-to-site peer 10.0.0.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.0.0.2 vti esp-group 'espN'

Error:

[email protected]#  run sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.0.0.2 10.0.0.2                       10.0.0.1 10.0.0.1
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 68, in <module>
    ike_sa(args.peer, args.nat)
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 52, in ike_sa
    encryption = f'{s(sa["encr-alg"])}_{s(sa["encr-keysize"])}' if 'encr-alg' in sa else 'n/a'
KeyError: 'encr-keysize'

Works in 1.2.7 version.
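
The traceback above comes from indexing sa["encr-keysize"] unconditionally: in strongSwan's VICI list-sas output that key is only reported for ciphers with a variable key length (AES_CBC, AES_GCM, ...), so a fixed-length cipher such as 3DES_CBC has no key size and the lookup raises KeyError. The following is an added example, not VyOS or strongSwan code, showing a tolerant version of the column logic; it assumes the python-vici dict shape (str keys, bytes values) and the list-sas key names visible in the traceback and in strongSwan's VICI documentation, and it generalizes slightly by also handling AEAD ciphers, which report no separate integrity algorithm. The SA entries are constructed to resemble VICI output and are not real captures.

```python
# Added example (not VyOS project code): build "show vpn ike sa" style rows
# from VICI "list-sas" entries without assuming optional keys are present.
# "encr-keysize" is absent for fixed-length ciphers such as 3DES_CBC (the
# KeyError in the traceback above); "integ-alg" is absent for AEAD ciphers.
# Assumption: python-vici returns str keys and bytes values.

from typing import Dict, Mapping, Union

Value = Union[bytes, str]


def s(value: Value) -> str:
    """Decode a VICI byte string; a plain str passes through unchanged."""
    return value.decode() if isinstance(value, bytes) else value


def describe_alg(sa: Mapping[str, Value], alg_key: str, size_key: str) -> str:
    """'ALG_KEYSIZE' when a key size is reported, 'ALG' when it is not,
    'n/a' when the algorithm itself is missing from the entry."""
    if alg_key not in sa:
        return "n/a"
    alg = s(sa[alg_key])
    size = sa.get(size_key)          # None for 3DES_CBC and other fixed-size ciphers
    return f"{alg}_{s(size)}" if size else alg


def ike_sa_row(sa: Mapping[str, Value]) -> Dict[str, str]:
    """Flatten one IKE SA entry into the columns the table prints."""
    return {
        "state": s(sa.get("state", b"n/a")),
        "encryption": describe_alg(sa, "encr-alg", "encr-keysize"),
        "integrity": describe_alg(sa, "integ-alg", "integ-keysize"),
        "prf": s(sa.get("prf-alg", b"n/a")),
        "dh-group": s(sa.get("dh-group", b"n/a")),
    }


def format_table(sas: Mapping[str, Mapping[str, Value]]) -> str:
    """Render all IKE SAs as an aligned text table: header, separator, rows."""
    cols = ("state", "encryption", "integrity", "prf", "dh-group")
    rows = [ike_sa_row(sa) for sa in sas.values()]
    widths = {c: max([len(c)] + [len(r[c]) for r in rows]) for c in cols}

    def line(r: Mapping[str, str]) -> str:
        return "  ".join(r[c].ljust(widths[c]) for c in cols).rstrip()

    header = line({c: c for c in cols})
    sep = "  ".join("-" * widths[c] for c in cols)
    return "\n".join([header, sep] + [line(r) for r in rows])


# Constructed samples (not captured from a real system): the aes128/sha1
# default, the 3des/sha1 proposal from the config above with no key size,
# and an AEAD entry with no separate integrity algorithm.
SAMPLE_AES128 = {"state": b"ESTABLISHED", "encr-alg": b"AES_CBC", "encr-keysize": b"128",
                 "integ-alg": b"HMAC_SHA1_96", "prf-alg": b"PRF_HMAC_SHA1",
                 "dh-group": b"MODP_1024"}
SAMPLE_3DES = {"state": b"ESTABLISHED", "encr-alg": b"3DES_CBC",
               "integ-alg": b"HMAC_SHA1_96", "prf-alg": b"PRF_HMAC_SHA1",
               "dh-group": b"MODP_1024"}
SAMPLE_GCM = {"state": b"ESTABLISHED", "encr-alg": b"AES_GCM_16", "encr-keysize": b"256",
              "prf-alg": b"PRF_HMAC_SHA2_256", "dh-group": b"ECP_256"}

if __name__ == "__main__":
    print(format_table({"peer-aes": SAMPLE_AES128, "peer-3des": SAMPLE_3DES,
                        "peer-gcm": SAMPLE_GCM}))
```

The point of `describe_alg` is that the presence of a key, not the cipher name, decides the output: any future cipher that VICI reports without a key size or without an integrity algorithm falls through to the same code path instead of a new KeyError.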

c-po changed the status of subtask Restricted Maniphest Task from Confirmed to Needs testing. Jun 19 2021, 11:26 AM

In a fresh/new setup, the command "show vpn ike sa" throws an exception:

[email protected]:~$ sh vpn ike sa
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 70, in <module>
    ike_sa(args.peer, args.nat)
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 34, in ike_sa
    session = vici.Session()
  File "/usr/lib/python3/dist-packages/vici/session.py", line 12, in __init__
    sock.connect("/var/run/charon.vici")
FileNotFoundError: [Errno 2] No such file or directory
[email protected]:~$ sh vpn ipsec sa
IPSec process not running

In the older version:

[email protected]:~$ sh vpn ike sa
[email protected]:~$ sh vpn ipsec sa
IPSec Process NOT Running
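
The second traceback above is the VICI client connecting to /var/run/charon.vici unconditionally, so on a box where charon has never been started the FileNotFoundError surfaces as a Python traceback instead of the "IPsec process not running" message that "show vpn ipsec sa" prints. The following is an added example, not VyOS or strongSwan code, that connects only when the daemon is actually reachable and otherwise returns the message; it assumes that vici.Session accepts a pre-opened socket (the session.py line in the traceback shows the constructor only creating its own socket when none is given). The demo_* helpers use throw-away socket paths under a temporary directory so the code runs without charon installed; those paths are constructed for the example.

```python
# Added example (not VyOS project code): reach the strongSwan VICI control
# socket only if it is there, and report "not running" otherwise, instead of
# letting socket.connect() raise FileNotFoundError through the op-mode script.
# Assumption: vici.Session(sock) accepts an already-connected AF_UNIX socket.

import os
import socket
import tempfile
from typing import Optional

CHARON_VICI = "/var/run/charon.vici"   # strongSwan's default control socket


def connect_vici(path: str = CHARON_VICI, timeout: float = 2.0) -> Optional[socket.socket]:
    """Return a connected AF_UNIX socket, or None when charon is not reachable.

    The caller can hand the socket to vici.Session(sock) and decide how to
    fail; nothing here raises for the "daemon not running" cases.
    """
    if not os.path.exists(path):
        return None                       # never started, or strongSwan not installed
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(path)
    except OSError:
        # ConnectionRefusedError: stale socket file, charon crashed or was killed.
        # PermissionError: caller lacks access to the socket (not root / not in the group).
        sock.close()
        return None
    return sock


def ike_sa_status(path: str = CHARON_VICI) -> str:
    """Message the op-mode command prints instead of a traceback."""
    sock = connect_vici(path)
    if sock is None:
        return "IPsec process not running"
    sock.close()
    return "IPsec process running"


def demo_missing_socket() -> str:
    """Fresh setup: charon has never created its socket."""
    with tempfile.TemporaryDirectory() as d:
        return ike_sa_status(os.path.join(d, "charon.vici"))   # constructed path


def demo_stale_socket() -> str:
    """Socket file left behind, nothing listening (charon died)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "charon.vici")                  # constructed path
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        srv.close()               # bind() leaves the file on disk; no listener remains
        return ike_sa_status(path)


def demo_listening_socket() -> str:
    """A listener stands in for charon; the connect must succeed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "charon.vici")                  # constructed path
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        srv.listen(1)
        try:
            return ike_sa_status(path)
        finally:
            srv.close()


if __name__ == "__main__":
    print("missing:  ", demo_missing_socket())
    print("stale:    ", demo_stale_socket())
    print("listening:", demo_listening_socket())
```

Checking `os.path.exists` first covers the fresh-install case in the report; catching OSError on connect additionally covers a stale socket file and a permissions problem, both of which would otherwise produce the same kind of traceback with a different errno.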

sdev closed subtask Restricted Maniphest Task as Resolved. Feb 20 2022, 7:21 PM