
VPN IPsec IKE group by default not use DH-group 2
Closed, Resolved | Public | BUG

Description

1.2/1.3 versions use IKE DH-group '2' by default if no other proposal configuration is set.

1.4 doesn't use any IKE DH-group by default.

To reproduce
1.3 configuration:

set interfaces vti vti2 address '10.0.0.1/30'
set vpn ipsec esp-group ESP-GRP-VTI compression 'disable'
set vpn ipsec esp-group ESP-GRP-VTI lifetime '1800'
set vpn ipsec esp-group ESP-GRP-VTI mode 'tunnel'
set vpn ipsec esp-group ESP-GRP-VTI pfs 'enable'
set vpn ipsec esp-group ESP-GRP-VTI proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GRP-VTI proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-GRP-VTI ikev2-reauth 'no'
set vpn ipsec ike-group IKE-GRP-VTI key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GRP-VTI lifetime '3600'
set vpn ipsec ike-group IKE-GRP-VTI proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP-VTI proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 192.0.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.2 authentication pre-shared-secret 'SeCrEt'
set vpn ipsec site-to-site peer 192.0.2.2 ike-group 'IKE-GRP-VTI'
set vpn ipsec site-to-site peer 192.0.2.2 local-address '192.0.2.1'
set vpn ipsec site-to-site peer 192.0.2.2 vti bind 'vti2'
set vpn ipsec site-to-site peer 192.0.2.2 vti esp-group 'ESP-GRP-VTI'

1.4 configuration:

set interfaces vti vti2 address '10.0.0.2/30'
set vpn ipsec esp-group ESP-GRP-VTI compression 'disable'
set vpn ipsec esp-group ESP-GRP-VTI lifetime '1800'
set vpn ipsec esp-group ESP-GRP-VTI mode 'tunnel'
set vpn ipsec esp-group ESP-GRP-VTI pfs 'enable'
set vpn ipsec esp-group ESP-GRP-VTI proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GRP-VTI proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-GRP-VTI ikev2-reauth 'no'
set vpn ipsec ike-group IKE-GRP-VTI key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GRP-VTI lifetime '3600'
set vpn ipsec ike-group IKE-GRP-VTI proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP-VTI proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret 'SeCrEt'
set vpn ipsec site-to-site peer 192.0.2.1 ike-group 'IKE-GRP-VTI'
set vpn ipsec site-to-site peer 192.0.2.1 local-address '192.0.2.2'
set vpn ipsec site-to-site peer 192.0.2.1 vti bind 'vti2'
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group 'ESP-GRP-VTI'

1.4 Logs:

Aug  3 17:33:08 r1-roll ipsec_starter[3344]: charon (3346) started after 60 ms
Aug  3 17:33:08 r1-roll charon: 07[CFG] loaded IKE shared key with id 'ike_192-0-2-1' for: '192.0.2.2', '192.0.2.1'
Aug  3 17:33:08 r1-roll charon: 12[CFG] a DH group is mandatory in IKE proposals

To get it working, dh-group 2 needs to be set for 1.4:

set vpn ipsec ike-group IKE-GRP-VTI proposal 1 dh-group 2
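The report shows a config that was valid on 1.3 (implicit DH group 2) being rejected by charon on 1.4 with "a DH group is mandatory in IKE proposals". The following script is an added example, not part of this task or of VyOS itself: it lints the `set vpn ipsec ike-group ... proposal ...` lines of a saved config for proposals that have no explicit `dh-group` (the migration break described here) and, since the fix above simply pins the old 1024-bit MODP group 2, also flags group 1/2/5 and md5/sha1 as weak. The embedded sample config is constructed from the 1.4 config in the report plus a second, hypothetical group named IKE-GRP-STRONG that sets an explicit DH group; the suggested replacement group 14 (2048-bit MODP) is this example's choice, and both IKE peers must be changed together because IKE proposals have to match on both ends.

```python
#!/usr/bin/env python3
"""Lint VyOS 'set vpn ipsec ike-group <g> proposal <n> ...' lines.

Flags IKE proposals that rely on an implicit DH group (accepted on VyOS
1.2/1.3, rejected by charon on 1.4) and proposals that use weak DH groups
or hashes. Usage: ike_proposal_lint.py [config.txt]; without an argument
the constructed SAMPLE_CONFIG below is checked.
"""
import re
import sys

# Constructed sample: the IKE group from the report (no dh-group, sha1) and a
# hypothetical IKE-GRP-STRONG that pins an explicit, modern DH group.
SAMPLE_CONFIG = """
set vpn ipsec ike-group IKE-GRP-VTI ikev2-reauth 'no'
set vpn ipsec ike-group IKE-GRP-VTI key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GRP-VTI lifetime '3600'
set vpn ipsec ike-group IKE-GRP-VTI proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP-VTI proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-GRP-STRONG key-exchange 'ikev2'
set vpn ipsec ike-group IKE-GRP-STRONG proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP-STRONG proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-GRP-STRONG proposal 1 dh-group '14'
"""

# Matches one proposal attribute; the value may or may not be quoted,
# as in the report's "dh-group 2" versus "hash 'sha1'".
PROPOSAL_RE = re.compile(
    r"^set vpn ipsec ike-group (?P<group>\S+) proposal (?P<num>\d+) "
    r"(?P<key>\S+) '?(?P<value>[^']*)'?$"
)

# MODP groups 1/2/5 are 768/1024/1536-bit: below current minimum guidance.
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_HASHES = {"md5", "sha1"}
# 2048-bit MODP; VyOS also accepts ECP groups such as 19/20 if the peer does.
DEFAULT_FIX_DH_GROUP = "14"


def parse_ike_proposals(config_text):
    """Return {"GROUP/N": {attribute: value}} for every IKE proposal."""
    proposals = {}
    for line in config_text.splitlines():
        m = PROPOSAL_RE.match(line.strip())
        if not m:
            continue
        name = f"{m['group']}/{m['num']}"
        proposals.setdefault(name, {})[m["key"]] = m["value"]
    return proposals


def audit_ike_proposals(config_text):
    """Return {"GROUP/N": [issue codes]}; an empty list means no findings."""
    findings = {}
    for name, params in parse_ike_proposals(config_text).items():
        issues = []
        dh = params.get("dh-group")
        if dh is None:
            # 1.3 silently used group 2 here; 1.4 charon refuses to load it.
            issues.append("missing-dh-group")
        elif dh in WEAK_DH_GROUPS:
            issues.append("weak-dh-group")
        if params.get("hash") in WEAK_HASHES:
            issues.append("weak-hash")
        findings[name] = issues
    return findings


def fix_command(group, num, dh_group=DEFAULT_FIX_DH_GROUP):
    """The 'set' command that pins an explicit DH group for one proposal."""
    return f"set vpn ipsec ike-group {group} proposal {num} dh-group '{dh_group}'"


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONFIG
    exit_code = 0
    for name, issues in audit_ike_proposals(text).items():
        group, num = name.split("/")
        for issue in issues:
            print(f"{name}: {issue}")
            if issue == "missing-dh-group":
                print(f"  fix: {fix_command(group, num)}")
                exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a `show configuration commands` dump before upgrading to 1.4 and add an explicit `dh-group` to every proposal it reports; if the remote peer is still a 1.2/1.3 box using the implicit default, pin `dh-group 2` on the 1.4 side first and move both ends to a stronger group together.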

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.4-rolling-202107280117
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

c-po changed the task status from Open to Confirmed.Aug 3 2021, 7:25 PM
c-po claimed this task.
c-po triaged this task as Normal priority.