On an upgrade from 1.3.2 to latest rolling (1.4-rolling-202212140319) the following IPsec config will not be migrated correctly.

# 1.3.2 config
set vpn ipsec esp-group ESP-GROUP compression 'disable'
set vpn ipsec esp-group ESP-GROUP lifetime '3600'
set vpn ipsec esp-group ESP-GROUP mode 'tunnel'
set vpn ipsec esp-group ESP-GROUP pfs 'dh-group14'
set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-GROUP close-action 'none'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE-GROUP ikev2-reauth 'no'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP mode 'main'
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 192.0.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.2 authentication pre-shared-secret 'PSK123'
set vpn ipsec site-to-site peer 192.0.2.2 connection-type 'respond'
set vpn ipsec site-to-site peer 192.0.2.2 default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer 192.0.2.2 description 'Test-VPN'
set vpn ipsec site-to-site peer 192.0.2.2 ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer 192.0.2.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.0.2.2 local-address '192.0.2.1'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 local prefix '10.0.0.0/8'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 remote prefix '10.213.1.0/24'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 2 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 2 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 2 local prefix '192.168.0.0/16'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 2 remote prefix '10.213.1.0/24'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 3 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 3 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 3 local prefix '172.16.0.0/12'
set vpn ipsec site-to-site peer 192.0.2.2 tunnel 3 remote prefix '10.213.1.0/24'
will be migrated to:
set vpn ipsec esp-group ESP-GROUP lifetime '3600'
set vpn ipsec esp-group ESP-GROUP mode 'tunnel'
set vpn ipsec esp-group ESP-GROUP pfs 'dh-group14'
set vpn ipsec esp-group ESP-GROUP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GROUP proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-GROUP close-action 'none'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-GROUP dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE-GROUP key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GROUP lifetime '28800'
set vpn ipsec ike-group IKE-GROUP mode 'main'
set vpn ipsec ike-group IKE-GROUP proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-GROUP proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GROUP proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer peer_192-0-2-2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_192-0-2-2 authentication pre-shared-secret 'PSK123'
set vpn ipsec site-to-site peer peer_192-0-2-2 connection-type 'respond'
set vpn ipsec site-to-site peer peer_192-0-2-2 default-esp-group 'ESP-GROUP'
set vpn ipsec site-to-site peer peer_192-0-2-2 description 'Test-VPN'
set vpn ipsec site-to-site peer peer_192-0-2-2 ike-group 'IKE-GROUP'
set vpn ipsec site-to-site peer peer_192-0-2-2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_192-0-2-2 local-address '192.0.2.1'
set vpn ipsec site-to-site peer peer_192-0-2-2 remote-address '192.0.2.2'
set vpn ipsec site-to-site peer peer_192-0-2-2 tunnel 1 local prefix '10.0.0.0/8'
set vpn ipsec site-to-site peer peer_192-0-2-2 tunnel 1 remote prefix '10.213.1.0/24'
set vpn ipsec site-to-site peer peer_192-0-2-2 tunnel 2 local prefix '192.168.0.0/16'
set vpn ipsec site-to-site peer peer_192-0-2-2 tunnel 2 remote prefix '10.213.1.0/24'
set vpn ipsec site-to-site peer peer_192-0-2-2 tunnel 3 local prefix '172.16.0.0/12'
set vpn ipsec site-to-site peer peer_192-0-2-2 tunnel 3 remote prefix '10.213.1.0/24'
Log from 1.4 as initiator:

Dec 14 15:20:38 server charon[1742]: 08[KNL] creating acquire job for policy 172.16.1.1/32[udp/32862] === 10.213.1.1/32[udp/1025] with reqid {3}
Dec 14 15:20:38 server charon[1742]: 08[IKE] <peer_192-0-2-2|1> initiating Main Mode IKE_SA peer_192-0-2-2[1] to 192.0.2.2
Dec 14 15:20:38 server charon[1742]: 08[ENC] <peer_192-0-2-2|1> generating ID_PROT request 0 [ SA V V V V V ]
Dec 14 15:20:38 server charon[1742]: 08[NET] <peer_192-0-2-2|1> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (180 bytes)
Dec 14 15:20:38 server charon[1742]: 11[NET] <peer_192-0-2-2|1> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (160 bytes)
Dec 14 15:20:38 server charon[1742]: 11[ENC] <peer_192-0-2-2|1> parsed ID_PROT response 0 [ SA V V V V ]
Dec 14 15:20:38 server charon[1742]: 11[IKE] <peer_192-0-2-2|1> received XAuth vendor ID
Dec 14 15:20:38 server charon[1742]: 11[IKE] <peer_192-0-2-2|1> received DPD vendor ID
Dec 14 15:20:38 server charon[1742]: 11[IKE] <peer_192-0-2-2|1> received FRAGMENTATION vendor ID
Dec 14 15:20:38 server charon[1742]: 11[IKE] <peer_192-0-2-2|1> received NAT-T (RFC 3947) vendor ID
Dec 14 15:20:38 server charon[1742]: 11[CFG] <peer_192-0-2-2|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Dec 14 15:20:38 server charon[1742]: 11[ENC] <peer_192-0-2-2|1> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 14 15:20:38 server charon[1742]: 11[NET] <peer_192-0-2-2|1> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (396 bytes)
Dec 14 15:20:38 server charon[1742]: 12[NET] <peer_192-0-2-2|1> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (396 bytes)
Dec 14 15:20:38 server charon[1742]: 12[ENC] <peer_192-0-2-2|1> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Dec 14 15:20:38 server charon[1742]: 12[ENC] <peer_192-0-2-2|1> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Dec 14 15:20:38 server charon[1742]: 12[NET] <peer_192-0-2-2|1> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (108 bytes)
Dec 14 15:20:38 server charon[1742]: 13[NET] <peer_192-0-2-2|1> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (92 bytes)
Dec 14 15:20:38 server charon[1742]: 13[ENC] <peer_192-0-2-2|1> parsed ID_PROT response 0 [ ID HASH ]
Dec 14 15:20:38 server charon[1742]: 13[IKE] <peer_192-0-2-2|1> IDir '192.0.2.2' does not match to 'peer_192-0-2-2'
Dec 14 15:20:38 server charon[1742]: 13[IKE] <peer_192-0-2-2|1> deleting IKE_SA peer_192-0-2-2[1] between 192.0.2.1[192.0.2.1]...192.0.2.2[%any]
Dec 14 15:20:38 server charon[1742]: 13[IKE] <peer_192-0-2-2|1> sending DELETE for IKE_SA peer_192-0-2-2[1]
Dec 14 15:20:38 server charon[1742]: 13[ENC] <peer_192-0-2-2|1> generating INFORMATIONAL_V1 request 913608266 [ HASH D ]
Dec 14 15:20:38 server charon[1742]: 13[NET] <peer_192-0-2-2|1> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (108 bytes)
Log from 1.4 as responder:

Dec 14 15:23:45 server charon[1742]: 07[NET] <2> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (180 bytes)
Dec 14 15:23:45 server charon[1742]: 07[ENC] <2> parsed ID_PROT request 0 [ SA V V V V V ]
Dec 14 15:23:45 server charon[1742]: 07[IKE] <2> received XAuth vendor ID
Dec 14 15:23:45 server charon[1742]: 07[IKE] <2> received DPD vendor ID
Dec 14 15:23:45 server charon[1742]: 07[IKE] <2> received FRAGMENTATION vendor ID
Dec 14 15:23:45 server charon[1742]: 07[IKE] <2> received NAT-T (RFC 3947) vendor ID
Dec 14 15:23:45 server charon[1742]: 07[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 14 15:23:45 server charon[1742]: 07[IKE] <2> 192.0.2.2 is initiating a Main Mode IKE_SA
Dec 14 15:23:45 server charon[1742]: 07[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Dec 14 15:23:45 server charon[1742]: 07[ENC] <2> generating ID_PROT response 0 [ SA V V V V ]
Dec 14 15:23:45 server charon[1742]: 07[NET] <2> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (160 bytes)
Dec 14 15:23:45 server charon[1742]: 10[NET] <2> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (396 bytes)
Dec 14 15:23:45 server charon[1742]: 10[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 14 15:23:45 server charon[1742]: 10[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Dec 14 15:23:45 server charon[1742]: 10[NET] <2> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (396 bytes)
Dec 14 15:23:45 server charon[1742]: 08[NET] <2> received packet: from 192.0.2.2[500] to 192.0.2.1[500] (108 bytes)
Dec 14 15:23:45 server charon[1742]: 08[ENC] <2> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Dec 14 15:23:45 server charon[1742]: 08[CFG] <2> looking for pre-shared key peer configs matching 192.0.2.1...192.0.2.2[192.0.2.2]
Dec 14 15:23:45 server charon[1742]: 08[IKE] <2> no peer config found
Dec 14 15:23:45 server charon[1742]: 08[ENC] <2> generating INFORMATIONAL_V1 request 2097376506 [ HASH N(AUTH_FAILED) ]
Dec 14 15:23:45 server charon[1742]: 08[NET] <2> sending packet: from 192.0.2.1[500] to 192.0.2.2[500] (108 bytes)
When I add

set vpn ipsec site-to-site peer peer_192-0-2-2 authentication remote-id 192.0.2.2

everything worked.
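As an added example (not VyOS's own migration script), the following Python re-implements the peer-renaming step of the 1.3 to 1.4 IPsec migration shown above and also emits the `authentication remote-id` line whose absence causes the IDir mismatch in the logs; the sample input is constructed from the config in this report.

```python
import re
from typing import List

# Hypothetical re-implementation for illustration; VyOS's real migrator differs.
PEER_RE = re.compile(r"^set vpn ipsec site-to-site peer (\S+) (.*)$")
DROPPED_TUNNEL_KEYS = {"allow-nat-networks", "allow-public-networks"}

def peer_name(peer: str) -> str:
    """1.4 names IP-keyed peers 'peer_<address>' with dots/colons turned into dashes."""
    if re.fullmatch(r"[0-9.]+|[0-9A-Fa-f:]+", peer):
        return "peer_" + peer.replace(".", "-").replace(":", "-")
    return peer  # already a symbolic name; keep it unchanged

def migrate(lines: List[str]) -> List[str]:
    out: List[str] = []
    renamed: set = set()
    for line in (l.strip() for l in lines):
        if not line:
            continue
        # esp-group compression and ike-group ikev2-reauth no longer exist in 1.4
        if " esp-group " in line and " compression " in line:
            continue
        if " ike-group " in line and " ikev2-reauth " in line:
            continue
        line = line.replace("set vpn ipsec ipsec-interfaces interface ",
                            "set vpn ipsec interface ")
        m = PEER_RE.match(line)
        if not m:
            out.append(line)
            continue
        peer, rest = m.groups()
        if DROPPED_TUNNEL_KEYS & set(rest.split()):
            continue  # per-tunnel allow-* flags were removed in 1.4
        name = peer_name(peer)
        prefix = f"set vpn ipsec site-to-site peer {name} "
        if name != peer and peer not in renamed:
            renamed.add(peer)
            # The address no longer doubles as the peer name, so both the address to
            # dial and the IKE identity the peer will present must be stated explicitly.
            out.append(prefix + f"remote-address '{peer}'")
            out.append(prefix + f"authentication remote-id '{peer}'")
        out.append(prefix + rest)
    return out

# Constructed sample input, a subset of the 1.3.2 config in the report.
SAMPLE = [
    "set vpn ipsec esp-group ESP-GROUP compression 'disable'",
    "set vpn ipsec ike-group IKE-GROUP ikev2-reauth 'no'",
    "set vpn ipsec ipsec-interfaces interface 'eth0'",
    "set vpn ipsec site-to-site peer 192.0.2.2 authentication mode 'pre-shared-secret'",
    "set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 allow-nat-networks 'disable'",
    "set vpn ipsec site-to-site peer 192.0.2.2 tunnel 1 local prefix '10.0.0.0/8'",
]
```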