Description
At the moment VTI/IPsec is not possible in VyOS (1.1.7 and 1.2) with dynamic VPN peers (peers with an FQDN). Only peers with a fixed IP address are possible. There are other commercial IPsec implementations where VTI and dynamic peers are possible.
Details
- Version
- -
- Is it a breaking change?
- Unspecified (possibly destroys the router)
- Issue type
- Feature (new functionality)
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | sarthurdev | T2816 Rewrite IPsec scripts with the new XML/Python approach
Wontfix | FEATURE REQUEST | Viacheslav | T440 VTI/IPSec with dynamic peer
Event Timeline
Do we know why it's not possible? Is it due to a missing configuration option in VyOS, or is it due to non-availability in the underlying Linux components, e.g. Strongswan?
VyOS doesn't allow this configuration variant. You get an appropriate message if you try. In EdgeOS it's the same. I don't know if it's possible in Strongswan V5.3.5.
I believe StrongSwan does support some version of the functionality. strongSwan ipsec.conf
It looks like the FQDN is resolved every time the conf file is checked. See below:
left|right = <ip address> | <fqdn> | %any | range | subnet
The IP address of the participant's public-network interface or one of several magic values.
The value %any for the local endpoint signifies an address to be filled in
(by automatic keying) during negotiation. If the local peer initiates the connection setup the routing table
will be queried to determine the correct local IP address. In case the local peer is responding to a connection
setup then any IP address that is assigned to a local interface will be accepted.
Prior to 5.0.0 specifying %any for the local endpoint was not supported for IKEv1 connections, instead
the keyword %defaultroute could be used, causing the value to be filled in automatically with the local
address of the default-route interface (as determined at IPsec startup time and during configuration
update). Either left or right may be %defaultroute, but not both.
The prefix % in front of a fully-qualified domain name or an IP address will implicitly set left|rightallowany=yes.
If %any is used for the remote endpoint it literally means any IP address.
If an FQDN is assigned it is resolved every time a configuration lookup is done. If DNS resolution times out,
the lookup is delayed for that time.
Thanks Brandon for your findings. IPSec with dynamic peer is no problem in VyOS. We use some of that with x.509 auth. Only VTI with dynamic peer is not allowed by VyOS. Do you know more about VTI and dynamic peer with strongswan on other linux installations (not VyOS)? Is it possible there?
Are there any new possibilities with the new kernel 4.14 and strongswan 5.6.2 in V1.2.0-rolling for this case here?
I can confirm that this seems to only affect VTIs. Regular IPSec will take a dynamic peer just fine. Any update on what the limitation is with VTIs?
Version: VyOS 1.2.0-rc11
VPN VTI configuration error: The peer "fqdn.goes.here" is invalid, an ip address must be specified for VTIs.
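As an added example (not code from VyOS or strongSwan), here is a small Python pre-flight check that classifies a left|right value using the ipsec.conf rules quoted in the comment above and then applies the VTI rule behind the error message in the last comment, so a config can be checked before commit. The hostname regex and the assumption that a '%'-prefixed address does not count as a literal IP for VyOS are mine.

```python
import ipaddress
import re

# RFC 1123-style label; assumption: enough to tell an FQDN from the magic values
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def _is_fqdn(text):
    labels = text.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(l) for l in labels)

def classify_endpoint(value):
    """Classify a left|right value as the quoted ipsec.conf text describes it:
    ip | fqdn | any | defaultroute | range | subnet. Only an FQDN is
    resolved on every configuration lookup (stalling if DNS times out)."""
    v = value.strip()
    if v in ("%any", "%defaultroute"):
        return {"kind": v[1:], "allowany": False, "resolved_per_lookup": False}
    allowany = v.startswith("%")  # '%' prefix implies left|rightallowany=yes
    if allowany:
        v = v[1:]
    if "-" in v and all(_is_ip(p) for p in v.split("-", 1)):
        kind = "range"
    elif "/" in v and _is_ip(v.split("/", 1)[0]):
        ipaddress.ip_network(v, strict=False)  # ValueError if the mask is bad
        kind = "subnet"
    elif _is_ip(v):
        kind = "ip"
    elif _is_fqdn(v):
        kind = "fqdn"
    else:
        raise ValueError("not a valid left|right value: %r" % value)
    return {"kind": kind, "allowany": allowany, "resolved_per_lookup": kind == "fqdn"}

def vti_peer_error(peer):
    """Pre-commit check mirroring the rule VyOS enforces for VTI peers (literal
    IP only; assumption: a '%'-prefixed IP does not count). None if acceptable."""
    info = classify_endpoint(peer)
    if info["kind"] == "ip" and not info["allowany"]:
        return None
    return ('VPN VTI configuration error: The peer "%s" is invalid, '
            'an ip address must be specified for VTIs.' % peer)
```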