Page MenuHomeVyOS Platform
Create Task
Maniphest T3988

Feature Request: IPsec Multiple local/remote prefix for the tunnel
Closed, ResolvedPublic
Actions

Description

Tested in VyOS 1.3.0-epa3
There is no way to configure multiple 'local prefix' (or 'remote prefix') for an IPsec tunnel:

vyos@vyos# set vpn ipsec site-to-site peer PEER tunnel 0 local prefix 10.1.0.0/24
vyos@vyos# set vpn ipsec site-to-site peer PEER tunnel 0 local prefix 10.2.0.0/24
vyos@vyos# set vpn ipsec site-to-site peer PEER tunnel 0 local prefix 10.3.0.0/24
vyos@vyos# compare
+vpn {
+    ipsec {
+        site-to-site {
+            peer PEER {
+                connection-type initiate
+                ikev2-reauth inherit
+                tunnel 0 {
+                    allow-nat-networks disable
+                    allow-public-networks disable
+                    local {
+                        prefix 10.3.0.0/24
+                    }
+                }
+            }
+        }
+    }
+}

in VyOS VyOS 1.4-rolling-202110310317 it works:

vyos@R1# set vpn ipsec site-to-site peer 1.1.1.2 tunnel 10 local prefix '10.0.0.0/24'
vyos@R1# set vpn ipsec site-to-site peer 1.1.1.2 tunnel 10 local prefix '10.1.0.0/24'
vyos@R1# set vpn ipsec site-to-site peer 1.1.1.2 tunnel 10 local prefix '10.2.0.0/24'
vyos@R1# compare
[edit vpn ipsec site-to-site peer 1.1.1.2 tunnel 10 local]
+prefix 10.0.0.0/24
+prefix 10.1.0.0/24
+prefix 10.2.0.0/24

Details

Version
VyOS 1.3.0-epa3
Is it a breaking change?
Unspecified (possibly destroys the router)

Related Objects

Event Timeline

Unknown Object (User) created this task.Nov 13 2021, 6:27 AM
Unknown Object (User) created this object in space S1 VyOS Public.
Unknown Object (User) renamed this task from Feature Request: IPsec Multiple local prefix for the tunnel to Feature Request: IPsec Multiple local/remote prefix for the tunnel.Nov 13 2021, 6:33 AM
Unknown Object (User) updated the task description. (Show Details)
pasik subscribed.Nov 13 2021, 10:53 AM
Viacheslav subscribed.Nov 15 2021, 8:23 AM

For 1.4 it was implemented in T645
IPSec was completely rewritten in 1.4

syncer edited projects, added VyOS 1.3 Equuleus (1.3.2); removed VyOS 1.3 Equuleus (1.3.0-epa3).Aug 14 2022, 1:06 PM
dmbaturin edited projects, added VyOS 1.4 Sagitta; removed VyOS 1.3 Equuleus (1.3.2).Aug 14 2022, 6:40 PM
Viacheslav closed this task as Resolved.Aug 15 2022, 11:33 AM
Viacheslav claimed this task.