
Cannot use local-subnet or remote-subnet when using transport mode
Needs testing, Normal, Public, Feature Request

Description

Tested in VyOS 1.3.0-epa3

Configure IPsec ("transport mode") using local-subnet and remote-subnet. An error occurs:

# commit
[ vpn ipsec site-to-site peer TST2 tunnel 0 ]
VPN configuration error: Can not use local-subnet or remote-subnet when using transport mode

To reproduce:

set interfaces ethernet eth0 address '192.168.2.2/24'
set interfaces ethernet eth1 address '10.2.2.2/24'
set protocols static route 0.0.0.0/0 next-hop 192.168.2.100

set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '1800'
set vpn ipsec esp-group ESP mode 'transport'
set vpn ipsec esp-group ESP pfs 'enable'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP proposal 1 hash 'sha1'

set vpn ipsec ike-group IKEv2gr close-action 'none'
set vpn ipsec ike-group IKEv2gr ikev2-reauth 'no'
set vpn ipsec ike-group IKEv2gr key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2gr lifetime '86400'
set vpn ipsec ike-group IKEv2gr mobike 'disable'
set vpn ipsec ike-group IKEv2gr proposal 2 dh-group '2'
set vpn ipsec ike-group IKEv2gr proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKEv2gr proposal 2 hash 'sha1'

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer TST2 authentication id '192.168.2.2'
set vpn ipsec site-to-site peer TST2 authentication remote-id '192.168.1.1'
set vpn ipsec site-to-site peer TST2 connection-type 'initiate'
set vpn ipsec site-to-site peer TST2 force-encapsulation 'enable'
set vpn ipsec site-to-site peer TST2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer TST2 authentication pre-shared-secret 'VyOS'
set vpn ipsec site-to-site peer TST2 local-address '192.168.2.2'
set vpn ipsec site-to-site peer TST2 ike-group 'IKEv2gr'
set vpn ipsec site-to-site peer TST2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer TST2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer TST2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer TST2 tunnel 0 esp-group 'ESP'
set vpn ipsec site-to-site peer TST2 tunnel 0 local prefix '10.2.2.0/24'
set vpn ipsec site-to-site peer TST2 tunnel 0 remote prefix '10.1.1.0/24'

Details

Version
VyOS 1.3.0-epa3
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

Unknown Object (User) created this task. Nov 17 2021, 11:39 AM
Unknown Object (User) created this object in space S1 VyOS Public.
Viacheslav changed the subtype of this task from "Task" to "Feature Request". Feb 20 2022, 3:18 PM
Viacheslav changed the task status from Open to Needs testing. Jan 20 2024, 10:31 AM
Viacheslav assigned this task to a.hajiyev.
Viacheslav triaged this task as Normal priority.
Viacheslav subscribed.

Still relevant for 1.3.5

vyos@r1# commit
[ vpn ipsec site-to-site peer TST2 tunnel 0 ]
VPN configuration error: Can not use local-subnet or remote-subnet when using transport mode
[[vpn]] failed
Commit failed
[edit]
vyos@r1#

Needs to re-check for 1.4/1.5

dmbaturin renamed this task from "Feature Request: IPsec transport mode. VyOS can not use local-subnet or remote-subnet when using transport mode" to "Cannot use local-subnet or remote-subnet when using transport mode". Oct 14 2024, 9:29 AM
dmbaturin edited projects, added VyOS Rolling, VyOS 1.4 Sagitta (1.4.0); removed Restricted Project, VyOS 1.3 Equuleus (1.3.9).
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).
Viacheslav added a subscriber: a.hajiyev.

Needs to re-check for 1.4/1.5

This is also relevant to 1.4/1.5:

set interfaces ethernet eth0 address '192.168.2.2/24'
set interfaces ethernet eth1 address '10.2.2.2/24'
set protocols static route 0.0.0.0/0 next-hop '192.168.2.100'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP lifetime '1800'
set vpn ipsec esp-group ESP pfs 'enable'
set vpn ipsec esp-group ESP mode 'transport'
set vpn ipsec esp-group ESP compression
set vpn ipsec ike-group IKEv2gr key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2gr lifetime '86400'
set vpn ipsec ike-group IKEv2gr proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKEv2gr proposal 1 hash 'sha1'
set vpn ipsec ike-group IKEv2gr proposal 1 dh-group '2'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer TST2 authentication local-id '192.168.2.2'
set vpn ipsec site-to-site peer TST2 authentication remote-id '192.168.1.1'
set vpn ipsec site-to-site peer TST2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer TST2 ike-group 'IKEv2gr'
set vpn ipsec site-to-site peer TST2 local-address '192.168.2.2'
set vpn ipsec site-to-site peer TST2 remote-address '192.168.1.1'
set vpn ipsec site-to-site peer TST2 connection-type 'initiate'
set vpn ipsec site-to-site peer TST2 tunnel 0 esp-group 'ESP'
set vpn ipsec site-to-site peer TST2 tunnel 0 local prefix '10.2.2.0/24'
set vpn ipsec site-to-site peer TST2 tunnel 0 remote prefix '10.1.1.0/24'
commit
vyos@vyos# commit
[ vpn ipsec ]
Local/remote prefix cannot be used with ESP transport mode on tunnel 0
for site-to-site peer TST2
[[vpn ipsec]] failed
Commit failed

But I think the main problem is in the next lines:

set vpn ipsec esp-group ESP mode 'transport'
set vpn ipsec site-to-site peer TST2 tunnel 0 local prefix '10.2.2.0/24'
set vpn ipsec site-to-site peer TST2 tunnel 0 remote prefix '10.1.1.0/24'

The VPN couldn't start because "transport mode" is for encrypting traffic just between the two VPN endpoints, not whole networks behind them.
Since this config includes local/remote subnet settings (10.x.x.x/24), we need 'tunnel ESP mode', which supports routing traffic for subnets.

In the VyOS template data/templates/ipsec/swanctl/peer.j2 we have this block, which forces host-based traffic selectors when the ESP mode is transport. If the config also defines local-subnet or remote-subnet, VyOS cannot generate compatible selectors for strongSwan and throws a validation error.

I guess it is necessary to use mode tunnel for LAN-to-LAN VPNs, or to remove the subnet parameters for host-to-host connections.
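To make the validation described in this comment concrete, here is an added Python example (not VyOS's own code) that parses the `set` lines of the 1.4/1.5 reproducer and reports the same commit error when a tunnel references a transport-mode ESP group while also carrying local/remote prefixes. The parser, checker and fix helper are assumptions; the sample config is constructed from the lines above.

```python
import re

# Constructed sample: the 1.4/1.5 reproducer from this task, reduced to the
# lines the check needs. Parser and checker are an added illustration only.
TRANSPORT_WITH_PREFIXES = """
set vpn ipsec esp-group ESP mode 'transport'
set vpn ipsec esp-group ESP compression
set vpn ipsec site-to-site peer TST2 tunnel 0 esp-group 'ESP'
set vpn ipsec site-to-site peer TST2 tunnel 0 local prefix '10.2.2.0/24'
set vpn ipsec site-to-site peer TST2 tunnel 0 remote prefix '10.1.1.0/24'
"""

def parse_set_lines(text):
    """Map each 'set ...' line to {path_tuple: value}; a trailing unquoted
    word (e.g. 'compression') is stored as a valueless flag node."""
    cfg = {}
    for line in text.strip().splitlines():
        tokens = re.findall(r"'[^']*'|\S+", line)
        if len(tokens) < 2 or tokens[0] != "set":
            continue
        if tokens[-1].startswith("'"):
            cfg[tuple(tokens[1:-1])] = tokens[-1].strip("'")
        else:
            cfg[tuple(tokens[1:])] = None
    return cfg

def check_transport_mode(cfg):
    """Return one error per tunnel that references a transport-mode ESP group
    while also carrying a local or remote prefix (mirrors the commit error)."""
    errors = []
    esp_mode = {k[3]: v for k, v in cfg.items()
                if k[:3] == ("vpn", "ipsec", "esp-group") and k[4:] == ("mode",)}
    for key, group in cfg.items():
        if len(key) != 8 or key[:4] != ("vpn", "ipsec", "site-to-site", "peer"):
            continue
        if key[5] != "tunnel" or key[7] != "esp-group":
            continue
        peer, tunnel = key[4], key[6]
        if esp_mode.get(group, "tunnel") != "transport":  # tunnel is the default
            continue
        base = key[:7]
        if base + ("local", "prefix") in cfg or base + ("remote", "prefix") in cfg:
            errors.append(f"Local/remote prefix cannot be used with ESP transport "
                          f"mode on tunnel {tunnel} for site-to-site peer {peer}")
    return errors

def fix_to_tunnel_mode(text):
    """The LAN-to-LAN fix suggested above: switch the ESP group to tunnel mode."""
    return text.replace("mode 'transport'", "mode 'tunnel'")
```

Dropping the two `prefix` lines instead (the host-to-host variant) also clears the error, since transport mode then only protects traffic between the two endpoint addresses.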