
ipsec site-to-site: Support binding multiple tunnels to one VTI, customizing local and remote traffic selectors
Open, Low, Public, Feature Request

Description

Now that we use XFRM under the hood, there is no technical constraint that a single tunnel must map to a single VTI (XFRM) interface. It is perfectly possible to bind multiple tunnels to one interface, either for redundancy or to reduce administrative overhead by running several tunnels, each configured with non-overlapping traffic selectors, over a single interface.

Scope of work:

  1. Allow the local and remote traffic selectors to be configured when VTI is in use. This may have value on its own, e.g. if users want to change the default of all IPv4 and IPv6 traffic.
  2. Modify ipsec hooks that translate tunnel up/down into interface up/down to logically handle multiple tunnels bound to one interface.
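The two scope items above describe a bookkeeping problem: several tunnels share one XFRM interface, their traffic selectors must not clash (unless the overlap is deliberate redundancy), and the interface should go up when the first bound tunnel comes up and down only when the last one goes down. The following model, written as an added example and not code from vyos-1x or the PR, shows that logic in isolation. The class and method names (`VtiBinding`, `bind`, `event`) and the default all-IPv4/all-IPv6 selectors are assumptions chosen for illustration; real hooks would also run the `ip link` commands that this model only reports.

```python
import ipaddress
from collections import defaultdict


class VtiBinding:
    """Track IPsec tunnels bound to VTI (XFRM) interfaces (hypothetical model).

    - bind(): registers a tunnel on an interface and rejects traffic-selector
      overlap with tunnels already on that interface unless redundant=True.
    - event(): translates a tunnel up/down event into an interface up/down
      action, so the interface follows the OR of its tunnels' states.
    """

    DEFAULT_TS = ("0.0.0.0/0", "::/0")  # "all IPv4 and IPv6 traffic" default

    def __init__(self):
        self.tunnels = {}              # tunnel name -> {vti, local, remote, up}
        self.by_vti = defaultdict(set)  # vti name -> set of tunnel names

    @staticmethod
    def _parse(prefixes):
        return [ipaddress.ip_network(p, strict=False) for p in prefixes]

    @staticmethod
    def _overlap(a, b):
        # Compare only same-family prefixes; v4 and v6 never overlap.
        return any(x.version == y.version and x.overlaps(y) for x in a for y in b)

    def bind(self, name, vti, local=DEFAULT_TS, remote=DEFAULT_TS, redundant=False):
        """Bind tunnel `name` to interface `vti` with the given selectors."""
        local_ts, remote_ts = self._parse(local), self._parse(remote)
        if not redundant:
            for other in self.by_vti[vti]:
                o = self.tunnels[other]
                # Two selectors clash only if both the local and the remote side overlap.
                if self._overlap(local_ts, o["local"]) and self._overlap(remote_ts, o["remote"]):
                    raise ValueError(f"traffic selector of {name} overlaps {other} on {vti}")
        self.tunnels[name] = {"vti": vti, "local": local_ts, "remote": remote_ts, "up": False}
        self.by_vti[vti].add(name)

    def interface_state(self, vti):
        """Interface is up if at least one bound tunnel is up."""
        return "up" if any(self.tunnels[t]["up"] for t in self.by_vti[vti]) else "down"

    def event(self, name, state):
        """Handle a tunnel 'up'/'down' event.

        Returns (vti, 'up'|'down') when the interface state must change,
        or None when other tunnels on the same interface keep it as it was.
        """
        t = self.tunnels[name]
        before = self.interface_state(t["vti"])
        t["up"] = state == "up"
        after = self.interface_state(t["vti"])
        return (t["vti"], after) if after != before else None


if __name__ == "__main__":
    b = VtiBinding()
    # Constructed sample: two peers on vti0 with disjoint remote prefixes,
    # matching the CLI shape "peer P1 vti traffic-selector remote prefix 192.0.2.0/24".
    b.bind("P1", "vti0", remote=("192.0.2.0/24",))
    b.bind("P2", "vti0", remote=("198.51.100.0/24",))
    for tunnel, state in [("P1", "up"), ("P2", "up"), ("P1", "down"), ("P2", "down")]:
        print(tunnel, state, "->", b.event(tunnel, state))
```

With two tunnels bound, only the first "up" and the last "down" produce an interface action; the intermediate events return None, which is exactly the behaviour a multi-tunnel aware hook needs so that one tunnel's renegotiation does not flap an interface still carrying another tunnel.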

Details

Version
-
Is it a breaking change?
Perfectly compatible

Event Timeline

lucasec created this object in space S1 VyOS Public.
dmbaturin edited projects, added VyOS Rolling; removed Restricted Project. Oct 14 2024, 10:53 AM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Unspecified (please specify) to improvement.
syncer moved this task from Need Triage to Backlog - Feature Requests on the VyOS Rolling board.
syncer changed the subtype of this task from "Task" to "Feature Request".

Allow the local and remote traffic selectors to be configured when VTI is in use

PR https://github.com/vyos/vyos-1x/pull/4446 for T7343

set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix 0.0.0.0/0
set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix ::/0
set vpn ipsec site-to-site peer P1 vti traffic-selector remote prefix 192.0.2.0/24

Took a look at the PR... nice.

edit: Was going to say we could expand this to cover remote-access, but it looks like the remote-access local traffic selector is already customizable via set vpn ipsec remote-access connection <conn> local prefix <prefix>. There may be some value in refactoring to make the two CLIs consistent though.