
VPN configuration error: IPv6 over IPv4 IPsec is not supported when using IPv6 ONLY tunnel.
Closed, Resolved | Public | BUG

Description

A similar problem is shown in the below link from ubnt EdgeOS. It seems this bug has carried over from the Vyatta code.

Problem shows up in both 1.1.x and 1.2.0 versions of VyOS.
Unable to use IPsec over IPv6.

Derived from above link, when an IPv6 IPsec site-to-site VPN is created with an IPv6 VPN endpoint.

vpn {
     ipsec {
         auto-firewall-nat-exclude disable
         esp-group ESP1 {
             compression disable
             lifetime 3600
             mode transport
             pfs enable
             proposal 1 {
                 encryption aes128
                 hash sha1
             }
         }
         ike-group IKE1 {
             dead-peer-detection {
                 action restart
                 interval 15
                 timeout 90
             }
             ikev2-reauth no
             key-exchange ikev1
             lifetime 28800
             proposal 1 {
                 dh-group 2
                 encryption aes128
                 hash sha1
             }
         }
         ipsec-interfaces {
             interface eth0
         }
         site-to-site {
            peer yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret PassWord
                }
                default-esp-group ESP1
                ike-group IKE1
                local-address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
                tunnel 1 {
                }
            }
         }
     }
 }

The following error appears:

commit
[ vpn ]
[ vpn ipsec site-to-site peer yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy:yyyy tunnel 1 ]
VPN configuration error: IPv4 over IPv6 IPsec is not supported

Details

Version
1.2.0
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

masterit renamed this task from "VPN configuration error: IPv6 over IPv4 IPsec is not supported even when using ipv6 only tunnel." to "VPN configuration error: IPv6 over IPv4 IPsec is not supported when using IPv6 ONLY tunnel." (Oct 3 2017, 2:05 AM)
masterit updated the task description.
masterit edited a custom field.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 2.0.x.
Viacheslav subscribed.

Fixed

set vpn ipsec esp-group ESP-GRP compression 'disable'
set vpn ipsec esp-group ESP-GRP lifetime '1800'
set vpn ipsec esp-group ESP-GRP mode 'tunnel'
set vpn ipsec esp-group ESP-GRP pfs 'enable'
set vpn ipsec esp-group ESP-GRP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GRP proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-GRP ikev2-reauth 'no'
set vpn ipsec ike-group IKE-GRP key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GRP lifetime '3600'
set vpn ipsec ike-group IKE-GRP proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 authentication pre-shared-secret 'SeCrEt'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 connection-type 'respond'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 ike-group 'IKE-GRP'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 local-address 'c01d:c01a:cafe::2'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 0 esp-group 'ESP-GRP'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 0 local prefix '2001:db7::/64'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 0 remote prefix '2001:db8::/64'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 1 esp-group 'ESP-GRP'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 1 local prefix '10.2.3.0/24'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 1 remote prefix '10.1.0.0/24'

Show VPN state and routes

vyos@r2-lts:~$ show vpn ipsec sa
Connection                       State    Up         Bytes In/Out    Remote address     Remote ID    Proposal
-------------------------------  -------  ---------  --------------  -----------------  -----------  ------------------------------------------------
peer-c01d:c01a:cafe::1-tunnel-0  up       3 minutes  312B/312B       c01d:c01a:cafe::1  N/A          AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
peer-c01d:c01a:cafe::1-tunnel-1  up       3 minutes  588B/588B       c01d:c01a:cafe::1  N/A          AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
vyos@r2-lts:~$ 
vyos@r2-lts:~$ show ip route table 220
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued route, r - rejected route

VRF default table 220:
K>* 10.1.0.0/24 [0/0] is directly connected, eth1, 00:03:09
vyos@r2-lts:~$ 
vyos@r2-lts:~$ show ipv6  route table 220
Codes: K - kernel route, C - connected, S - static, R - RIPng,
       O - OSPFv3, I - IS-IS, B - BGP, N - NHRP, T - Table,
       v - VNC, V - VNC-Direct, A - Babel, D - SHARP, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued route, r - rejected route

VRF default table 220:
K>* 2001:db8::/64 [0/1024] via c01d:c01a:cafe::1, eth1, src 2001:db7::1, 00:03:13
vyos@r2-lts:~$

Tested on VyOS 1.2.7, VyOS 1.4-rolling-202105310839
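
The address-family check that the commit error refers to, written as an added example (not VyOS's own validation code and not part of the comment above). It reads `set` commands like those above and reports the inner and outer family of each tunnel; it assumes the peer and local-address are literal IP addresses and that a tunnel with no prefixes carries traffic between the endpoints themselves. `classify_tunnels` and `SAMPLE` are names made up here.

```python
import ipaddress
import shlex

# Commands from the comment above, plus a constructed tunnel 2 with no prefixes.
SAMPLE = """\
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 local-address 'c01d:c01a:cafe::2'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 0 local prefix '2001:db7::/64'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 0 remote prefix '2001:db8::/64'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 1 local prefix '10.2.3.0/24'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 1 remote prefix '10.1.0.0/24'
set vpn ipsec site-to-site peer c01d:c01a:cafe::1 tunnel 2 esp-group 'ESP-GRP'
"""


def classify_tunnels(config_text):
    """Map (peer, tunnel) to 'IPvX over IPvY', or to an error string."""
    peers = {}
    for line in config_text.splitlines():
        words = shlex.split(line)
        if words[:5] != "set vpn ipsec site-to-site peer".split() or len(words) < 7:
            continue
        peer = peers.setdefault(words[5], {"local": None, "tunnels": {}})
        rest = words[6:]
        if rest[0] == "local-address" and len(rest) == 2:
            peer["local"] = rest[1]
        elif rest[0] == "tunnel" and len(rest) >= 2:
            tunnel = peer["tunnels"].setdefault(rest[1], {})
            if len(rest) == 5 and rest[3] == "prefix":  # tunnel N local|remote prefix X
                tunnel[rest[2]] = rest[4]
    result = {}
    for addr, peer in peers.items():
        outer = {ipaddress.ip_address(addr).version}
        if peer["local"]:
            outer.add(ipaddress.ip_address(peer["local"]).version)
        for tid, tunnel in sorted(peer["tunnels"].items()):
            inner = {ipaddress.ip_network(p, strict=False).version
                     for p in tunnel.values()}
            if len(outer) > 1:
                verdict = "error: peer and local-address families differ"
            elif len(inner) > 1:
                verdict = "error: local and remote prefix families differ"
            else:
                # Assumption: a tunnel without prefixes protects traffic
                # between the endpoints, so inner family == outer family.
                out_v = next(iter(outer))
                in_v = next(iter(inner)) if inner else out_v
                verdict = f"IPv{in_v} over IPv{out_v}"
            result[(addr, tid)] = verdict
    return result
```

On the sample, tunnel 0 is IPv6 over IPv6, tunnel 1 is IPv4 over IPv6, and the prefix-less tunnel 2 is treated as IPv6 over IPv6.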

dmbaturin set Is it a breaking change? to Perfectly compatible. (Sep 3 2021, 7:23 AM)
dmbaturin set Issue type to Bug (incorrect behavior).