VPN configuration error: IPv6 over IPv4 IPsec is not supported when using IPv6 ONLY tunnel.
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	masterit
	Oct 1 2017, 5:13 AM

Description

a similar problem is shown in the below link from ubnt edgeos . it seems this bug has carried over from the vyatta code.

problem shows up in both 1.1.x and 1.2.0 versions of vyos.
unable to use ipsec over ipv6

Derived from above link, when an ipv6 ipsec site to site vpn is created with a IPv6 VPN endpoint.

vpn {
     ipsec {
         auto-firewall-nat-exclude disable
         esp-group ESP1 {
             compression disable
             lifetime 3600
             mode transport
             pfs enable
             proposal 1 {
                 encryption aes128
                 hash sha1
             }
         }
         ike-group IKE1 {
             dead-peer-detection {
                 action restart
                 interval 15
                 timeout 90
             }
             ikev2-reauth no
             key-exchange ikev1
             lifetime 28800
             proposal 1 {
                 dh-group 2
                 encryption aes128
                 hash sha1
             }
         }
         ipsec-interfaces {
             interface eth0
         }
         site-to-site {
            peer yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret PassWord
                }
                default-esp-group ESP1
                ike-group IKE1
                local-address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
                tunnel 1 {
                }
            }
         }
     }
 }

the following error appears:

commit
[ vpn ]
[ vpn ipsec site-to-site peer yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy tunnel 1 ]
VPN configuration error: IPv4 over IPv6 IPsec is not supported

Details

Version: 1.2.0
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		sarthurdev	T2816 Rewrite IPsec scripts with the new XML/Python approach
		Resolved	BUG	zsdc	T406 VPN configuration error: IPv6 over IPv4 IPsec is not supported when using IPv6 ONLY tunnel.

Event Timeline

masterit created this task.Oct 1 2017, 5:13 AM

masterit renamed this task from VPN configuration error: IPv6 over IPv4 IPsec is not supported even when using ipv6 only tunnel. to VPN configuration error: IPv6 over IPv4 IPsec is not supported when using IPv6 ONLY tunnel..Oct 3 2017, 2:05 AM

masterit updated the task description. (Show Details)

masterit edited a custom field.

syncer triaged this task as Low priority.Dec 21 2017, 9:47 PM

syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 2.0.x.

pasik subscribed.Oct 1 2018, 9:53 AM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc4); removed VyOS 1.2 Crux.Oct 13 2018, 10:09 AM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc5); removed VyOS 1.2 Crux (VyOS 1.2.0-rc4).Oct 24 2018, 4:40 PM

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc6); removed VyOS 1.2 Crux (VyOS 1.2.0-rc5).Oct 29 2018, 6:16 PM

dmbaturin removed a project: VyOS 1.2 Crux (VyOS 1.2.0-rc6).Nov 5 2018, 12:32 AM

syncer assigned this task to zsdc.Nov 17 2019, 1:16 PM

dmbaturin added a parent task: T2816: Rewrite IPsec scripts with the new XML/Python approach.Aug 20 2020, 3:45 PM

jbrown subscribed.Mar 10 2021, 7:47 PM

Fixed

set vpn ipsec esp-group ESP-GRP compression 'disable'
set vpn ipsec esp-group ESP-GRP lifetime '1800'
set vpn ipsec esp-group ESP-GRP mode 'tunnel'
set vpn ipsec esp-group ESP-GRP pfs 'enable'
set vpn ipsec esp-group ESP-GRP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GRP proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-GRP ikev2-reauth 'no'
set vpn ipsec ike-group IKE-GRP key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GRP lifetime '3600'
set vpn ipsec ike-group IKE-GRP proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 authentication pre-shared-secret 'SeCrEt'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 connection-type 'respond'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 ike-group 'IKE-GRP'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 local-address 'c01d:c01a:cafe::2'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 0 esp-group 'ESP-GRP'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 0 local prefix '2001:db7::/64'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 0 remote prefix '2001:db8::/64'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 1 esp-group 'ESP-GRP'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 1 local prefix '10.2.3.0/24'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 1 remote prefix '10.1.0.0/24'

Show VPN state and routes

vyos@r2-lts:~$ show vpn ipsec sa
Connection                       State    Up         Bytes In/Out    Remote address     Remote ID    Proposal
-------------------------------  -------  ---------  --------------  -----------------  -----------  ------------------------------------------------
peer-c01d:c01a:cafe::1-tunnel-0  up       3 minutes  312B/312B       c01d:c01a:cafe::1  N/A          AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-c01d:c01a:cafe::1-tunnel-1  up       3 minutes  588B/588B       c01d:c01a:cafe::1  N/A          AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
vyos@r2-lts:~$ 
vyos@r2-lts:~$ show ip route table 220
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued route, r - rejected route

VRF default table 220:
K>* 10.1.0.0/24 [0/0] is directly connected, eth1, 00:03:09
vyos@r2-lts:~$ 
vyos@r2-lts:~$ show ipv6  route table 220
Codes: K - kernel route, C - connected, S - static, R - RIPng,
       O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
       v - VNC, V - VNC-Direct, A - Babel, D - SHARP, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued route, r - rejected route

VRF default table 220:
K>* 2001:db8::/64 [0/1024] via c01d:c01a:cafe::1, eth1, src 2001:db7::1, 00:03:13
vyos@r2-lts:~$

Tested on VyOS 1.2.7, VyOS 1.4-rolling-202105310839

dmbaturin set Is it a breaking change? to Perfectly compatible.Sep 3 2021, 7:23 AM

dmbaturin set Issue type to Bug (incorrect behavior).

dmbaturin edited projects, added VyOS 1.3 Equuleus (1.3.0-epa1); removed VyOS 1.3 Equuleus.Sep 10 2021, 6:04 AM

VPN configuration error: IPv6 over IPv4 IPsec is not supported when using IPv6 ONLY tunnel.Closed, ResolvedPublicBUGActions

Description

Details

Related ObjectsSearch...

Event Timeline

VPN configuration error: IPv6 over IPv4 IPsec is not supported when using IPv6 ONLY tunnel.
Closed, ResolvedPublicBUG
Actions

Related Objects
Search...