Page MenuHomeVyOS Platform

swanctl.conf is broken when ipsec site-to-site peer set.
Closed, ResolvedPublicBUG

Description

The ipsec site-to-site peer <name> cannot allow ip address, it only need alphanumeric, hyphen and underscores.

This format will break swanctl.conf remote_ts field.
It makes ipsec cannot work normaly.

vyos@vyos# show
 peer test {
     authentication {
         mode pre-shared-secret
         pre-shared-secret myipseckey
     }
     default-esp-group default
     ike-group default
     local-address <left>
     remote-address <right>
     tunnel 0 {
         protocol gre
     }
 }
[edit vpn ipsec site-to-site]
vyos@vyos# run restart vpn
Stopping strongSwan IPsec...
Starting strongSwan 5.9.1 IPsec [starter]...
loaded ike secret 'ike_test'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loading connection 'test' failed: invalid value for: remote_ts, config discarded
loaded 0 of 1 connections, 1 failed to load, 0 unloaded
[edit vpn ipsec site-to-site]
  • swanctl.conf
vyos@vyos# cat /etc/swanctl/swanctl.conf 
### Autogenerated by vpn_ipsec.py ###

connections {
    test {
        proposals = aes128-sha1-modp2048
        version = 1
        local_addrs = <left> # dhcp:no
        remote_addrs = <right>
        dpd_timeout = 120
        dpd_delay = 30
        rekey_time = 28800s
        mobike = yes
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            id = "<left>"
            auth = psk
        }
        children {
            test-tunnel-0 {
                esp_proposals = aes256-sha1-modp1024
                life_time = 3600s
                local_ts = <left>[gre/]
                remote_ts = test[gre/]
                ipcomp = no
                mode = transport
                start_action = start
                dpd_action = 
                close_action = 
            }
        }
    }

}

pools {
}

secrets {
    ike_test {
        id-local = <left> # dhcp:no
        id-remote_<right> = <right>
        secret = "myipseckey"
    }
}
[edit vpn ipsec site-to-site]

You can notice that remote_ts field is test[gre/] and I restart the vpn service, it will break.
In the past (version: 1.4-rolling-20221005), this field is ip address and ipsec works fine.

Details

Version
vyos-1.4-rolling-202211120317-amd64
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

ipsec site-to-site peer <name> - it is just a connection name and is not related to the IP address
I'll take a look at TS

Viacheslav changed the task status from Open to In progress.Nov 20 2022, 10:21 PM
Viacheslav claimed this task.

@Viacheslav Thank you sir!!!

I will look forward to next rolling version coming !!!

Viacheslav changed the task status from In progress to Needs testing.Nov 22 2022, 8:24 AM

@Viacheslav

Hello sir,

In vyos-1.4-rolling-202211220318-amd64.iso, the broken syntax was fixed, but I notice a wired behavior on connection.<conn>.remote.id.

The default value on swanctl.conf will be <name> when I don't set site-to-site -> peer <name> -> authentication -> remote-id.

It will make the IPsec Phase 2 cannot establish.

If I change this id value to ip addr, it will works good.

  • swanctl.conf
connections {
    test {
        ...
        local_addrs = 1.1.1.1 # dhcp:no
        remote_addrs = 2.2.2.2
        ...
        local {
            auth = psk
        }
        remote {
            id = "test"    << here
            auth = psk
        }
        ...
    }
}

secrets {
    ike_test {
        id-local = 1.1.1.1 # dhcp:no
        id-remote_2-2-2-2 = 2.2.2.2
        secret = "myipseckey"
    }
}

When I set the vyos config : authentication -> id, the ipsec can work and swanctl.conf remote.id will set in correct value.

  • vyos conf
peer test {
    authentication {
        mode pre-shared-secret
        pre-shared-secret myipseckey
        remote-id 2.2.2.2
    }
    default-esp-group default
    ike-group default
    local-address 1.1.1.1
    remote-address 2.2.2.2
    tunnel 0 {
        protocol gre
    }
}
  • swanctl.conf
remote {
    id = "2.2.2.2"
    auth = psk
}

@Viacheslav

Hello sir,

In vyos-1.4-rolling-202211220318-amd64.iso, the broken syntax was fixed, but I notice a wired behavior on connection.<conn>.remote.id.

The default value on swanctl.conf will be <name> when I don't set site-to-site -> peer <name> -> authentication -> remote-id.

It is expected behavior, as remote-id can be not only ip address, so if you don't set it, it gets remote-id from peer-name/connection name
As I remember we discussed it with @dmbaturin

Thanks sir,

I got it.

Finally, Thank you for this bug fixing.
I already checked that all things were be good.

I thought it already have no any problem, then I will change the status to resolved.
Thanks a lot !!!