IPsec is one of the oldest, most complicated, and most bug-ridden components. We need to rewrite it and also improve its CLI as we go.
- CLI design
- Implementation design
- Rewrite of ipsec.pl
- Rewrite of DMVPN
- Rewrite of L2TP/IPsec
Tested with basic ipsec configuration and it does not seem to work when 3des encryption is configured. It works with default (aes128) and aes192.
Version
Version: VyOS 1.4-rolling-202106151212
Release Train: sagitta
Built by: [email protected]
Built on: Tue 15 Jun 2021 11:57 UTC
Build UUID: aca2a1be-7e7c-49c5-81f8-35df11d65aeb
Build Commit ID: e5a2250f2d0145
Architecture: x86_64
Boot via: installed image
System type: KVM guest
Hardware vendor: QEMU
Hardware model: Standard PC (Q35 + ICH9, 2009)
Hardware S/N:
Hardware UUID: 54e778d8-8701-4a6a-95a0-ca658269c598
Copyright: VyOS maintainers and contributors
Config:
set vpn ipsec esp-group espN compression 'disable'
set vpn ipsec esp-group espN lifetime '3600'
set vpn ipsec esp-group espN proposal 1 encryption '3des'
set vpn ipsec esp-group espN proposal 1 hash 'sha1'
set vpn ipsec ike-group ikeN proposal 1 dh-group '2'
set vpn ipsec ike-group ikeN proposal 1 encryption '3des'
set vpn ipsec ike-group ikeN proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.0.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.0.0.2 authentication pre-shared-secret '[email protected]'
set vpn ipsec site-to-site peer 10.0.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.0.0.2 ike-group 'ikeN'
set vpn ipsec site-to-site peer 10.0.0.2 local-address '10.0.0.1'
set vpn ipsec site-to-site peer 10.0.0.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.0.0.2 vti esp-group 'espN'
Error:
[email protected]# run sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
10.0.0.2  10.0.0.2                      10.0.0.1  10.0.0.1

Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 68, in <module>
    ike_sa(args.peer, args.nat)
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 52, in ike_sa
    encryption = f'{s(sa["encr-alg"])}_{s(sa["encr-keysize"])}' if 'encr-alg' in sa else 'n/a'
KeyError: 'encr-keysize'

Works in version 1.2.7.
In a fresh/new setup, the command "show vpn ike sa" throws an exception:

[email protected]:~$ sh vpn ike sa
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 70, in <module>
    ike_sa(args.peer, args.nat)
  File "/usr/libexec/vyos/op_mode/vpn_ike_sa.py", line 34, in ike_sa
    session = vici.Session()
  File "/usr/lib/python3/dist-packages/vici/session.py", line 12, in __init__
    sock.connect("/var/run/charon.vici")
FileNotFoundError: [Errno 2] No such file or directory

[email protected]:~$ sh vpn ipsec sa
IPSec process not running
In older version:
[email protected]:~$ sh vpn ike sa
[email protected]:~$ sh vpn ipsec sa
IPSec Process NOT Running
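Both reports above are the same class of defect in an op-mode script: trusting data that is not guaranteed to be present (the VICI socket of a charon that is not running, and an encr-keysize field that strongSwan only emits for variable-key-length ciphers such as AES, not for 3DES). The following is an added example of the defensive handling the two tracebacks call for; it is not VyOS's own vpn_ike_sa.py. The s() helper, the vici_available() check and the sample SA dictionaries are assumptions constructed for this example; the socket path and the 10.0.0.2 peer come from the reports.

```python
"""Defensive rendering of IKE SA data (added example, not VyOS code)."""
import os
import socket

# Control socket of strongSwan's charon daemon, as seen in the traceback above.
VICI_SOCKET = "/var/run/charon.vici"


def vici_available(path=VICI_SOCKET):
    """Return True only if a Unix socket exists at `path` and accepts a connection.

    Calling vici.Session() without this check raises FileNotFoundError when
    charon is not running (the second report above); an op-mode script should
    instead report "IPSec process not running" and exit cleanly.
    """
    if not os.path.exists(path):
        return False
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        try:
            sock.connect(path)
        except OSError:
            return False
    return True


def s(value):
    """Decode the bytes values VICI hands back into str (assumed helper)."""
    return value.decode() if isinstance(value, bytes) else str(value)


def describe_encryption(sa):
    """Render 'ALG_KEYSIZE' for one IKE SA, tolerating a missing key size.

    encr-keysize is only present for ciphers with a selectable key length;
    a fixed-length cipher such as 3DES carries encr-alg alone, which is what
    turned into KeyError: 'encr-keysize' in the first report above.
    """
    if "encr-alg" not in sa:
        return "n/a"
    alg = s(sa["encr-alg"])
    if "encr-keysize" in sa:
        return f"{alg}_{s(sa['encr-keysize'])}"
    return alg


def summarise(sas):
    """Map each SA name to its rendered encryption string."""
    return {name: describe_encryption(sa) for name, sa in sas.items()}


# Constructed sample in the shape of VICI list-sas output (values are bytes).
# The 3DES entry deliberately lacks encr-keysize, mirroring the failing case.
SAMPLE_SAS = {
    "peer-3des": {"encr-alg": b"3DES_CBC", "integ-alg": b"HMAC_SHA1_96",
                  "remote-host": b"10.0.0.2"},
    "peer-aes": {"encr-alg": b"AES_CBC", "encr-keysize": b"128",
                 "integ-alg": b"HMAC_SHA1_96", "remote-host": b"10.0.0.3"},
    "peer-unknown": {"remote-host": b"10.0.0.4"},
}

if __name__ == "__main__":
    if not vici_available():
        print("IPSec process not running")
    for name, enc in summarise(SAMPLE_SAS).items():
        print(f"{name:<14} {enc}")
```

Run stand-alone, the script prints the "not running" line on any host without charon and then the three sample rows (3DES_CBC, AES_CBC_128, n/a), demonstrating that neither a missing socket nor a missing key size reaches the user as a Python traceback.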