Page MenuHomeVyOS Platform

IPSec generates wrong configuration colons for IPv6 peers
Closed, ResolvedPublicBUG

Description

Swanctl generates peers with the colon which is not expected in the swanctl.conf:
VyOS configuration:

set interfaces ethernet eth1 address 'dead:beef::1/64'
set vpn ipsec esp-group grp-ESP compression 'disable'
set vpn ipsec esp-group grp-ESP lifetime '28800'
set vpn ipsec esp-group grp-ESP mode 'tunnel'
set vpn ipsec esp-group grp-ESP pfs 'dh-group14'
set vpn ipsec esp-group grp-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group grp-ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group grp-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group grp-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group grp-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group grp-IKE ikev2-reauth 'no'
set vpn ipsec ike-group grp-IKE key-exchange 'ikev2'
set vpn ipsec ike-group grp-IKE lifetime '86400'
set vpn ipsec ike-group grp-IKE mobike 'disable'
set vpn ipsec ike-group grp-IKE proposal 10 dh-group '14'
set vpn ipsec ike-group grp-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group grp-IKE proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer dead:beef::2 authentication id 'dead:beef::1'
set vpn ipsec site-to-site peer dead:beef::2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer dead:beef::2 authentication pre-shared-secret 'SSSeeccRetT'
set vpn ipsec site-to-site peer dead:beef::2 authentication remote-id 'dead:beef::2'
set vpn ipsec site-to-site peer dead:beef::2 connection-type 'initiate'
set vpn ipsec site-to-site peer dead:beef::2 ike-group 'grp-IKE'
set vpn ipsec site-to-site peer dead:beef::2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer dead:beef::2 local-address 'dead:beef::1'
set vpn ipsec site-to-site peer dead:beef::2 tunnel 0 esp-group 'grp-ESP'
set vpn ipsec site-to-site peer dead:beef::2 tunnel 0 local prefix '172.16.0.0/24'
set vpn ipsec site-to-site peer dead:beef::2 tunnel 0 remote prefix '10.0.0.0/24'

Load configuration:

vyos@r11-roll:~$ sudo swanctl -q
/etc/swanctl/swanctl.conf:4: syntax error, unexpected :, expecting "," or '{' [:]
invalid config file '/etc/swanctl/swanctl.conf'
no authorities found, 0 unloaded
no pools found, 0 unloaded
no connections found, 0 unloaded
vyos@r11-roll:~$

Swanctl part:

vyos@r11-roll:~$ cat /etc/swanctl/swanctl.conf 
### Autogenerated by vpn_ipsec.py ###

connections {
    peer_dead:beef::2 {
        proposals = aes256gcm128-sha256-modp2048
        version = 2
...

Details

Version
VyOS 1.4-rolling-202112210318
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav renamed this task from IPSec generates wrong configuration for IPv6 peers to IPSec generates wrong configuration colons for IPv6 peers.Dec 27 2021, 7:47 PM
Viacheslav updated the task description. (Show Details)

PR https://github.com/vyos/vyos-1x/pull/1123

vyos@r11-roll:~$ sudo swanctl -q
loaded ike secret 'ike_dead-beef--2'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'peer_dead-beef--2'
successfully loaded 1 connections, 0 unloaded
vyos@r11-roll:~$
vyos@r11-roll:~$ show vpn ipsec sa
Connection                  State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ------------------------
peer_dead-beef--2_tunnel_0  up                 0B/0B           0/0               dead:beef::2      N/A          AES_GCM_16_256/MODP_2048
vyos@r11-roll:~$
Viacheslav changed the task status from Open to In progress.Dec 28 2021, 12:04 PM
Viacheslav changed the task status from In progress to Needs testing.Dec 28 2021, 7:07 PM
Viacheslav moved this task from Open to Finished on the VyOS 1.4 Sagitta board.

Test version:
VyOS 1.4-rolling-202112290317
Result:

vyos@vyos# sudo swanctl -q
loaded ike secret 'ike_dead-beef--2'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'peer_dead-beef--2'
successfully loaded 1 connections, 0 unloaded
[edit]
vyos@vyos#
vyos@vyos# run show vpn ipsec sa
Connection                  State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
--------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ------------------------
peer_dead-beef--2_tunnel_0  up                 0B/0B           0/0               dead:beef::2      N/A          AES_GCM_16_256/MODP_2048
 [edit]
vyos@vyos#