Page MenuHomeVyOS Platform
Create Task
Maniphest T7343

VPN IPsec add the ability to exclude IPv6 traffic selectors for VTI interfaces
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

Summary

VPN IPsec add the ability to exclude IPv6 traffic selectors for VTI interfaces.
The traffic selectors are hardcoded 0.0.0.0/0,::/0 for the VTI interfaces https://github.com/vyos/vyos-1x/blob/a8aa9843466511cf165a8ff8db6c8d2124c69364/data/templates/ipsec/swanctl/peer.j2#L71-L72
Allows the exclude IPv6 or the configuration of specific traffic selectors.

It is a blocker for some vendors to establish Phase2 SAs

Apr 9 05:30:33 srx320 kmd[2186]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: XXX-Phase2, Peer Proposed traffic-selector local-ip: ipv4(0.0.0.0-255.255.255.255),ipv6(::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff),  Peer Proposed traffic-selector remote-ip: ipv4(0.0.0.0-255.255.255.255),ipv6(::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)

Apr 9 05:30:33 srx320 kmd[2186]: IPSec negotiation failed with error: Peer proposed traffic-selectors are not in configured range. IKE Version: 2, VPN: XXX-Phase2 Gateway: XXX-Phase1, Local: 192.0.2.234/500, Remote: 203.0.113.35/500, Local IKE-ID: 192.0.2.234, Remote IKE-ID: 203.0.113.35, VR-ID: 0

Use case

Disable IPv6 traffic selectors

Additional info

Needs to think about CLI, something like this:

set vpn ipsec site-to-site peer LEFT vti bind vti1
set vpn ipsec site-to-site peer LEFT vti local prefix 0.0.0.0/0
set vpn ipsec site-to-site peer LEFT vti remote prefix 0.0.0.0/0

or

set vpn ipsec site-to-site peer LEFT vti disable-ipv6

Details

Version
-
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Related Objects

Event Timeline

Viacheslav created this task.Apr 10 2025, 10:23 AM
Viacheslav triaged this task as Normal priority.
pasik subscribed.Apr 10 2025, 11:08 AM
Viacheslav changed the task status from Open to In progress.EditedApr 12 2025, 8:57 AM
Viacheslav claimed this task.

PR https://github.com/vyos/vyos-1x/pull/4446

set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix 0.0.0.0/0
set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix :/0
set vpn ipsec site-to-site peer P1 vti traffic-selector remote prefix 192.0.2.0/24
Viacheslav mentioned this in T5874: ipsec site-to-site: Support binding multiple tunnels to one VTI, customizing local and remote traffic selectors.Apr 17 2025, 11:27 AM
Viacheslav mentioned this in rVYOSONEX41ba7fc5c7ed: T7343: IPsec add traffic-selector handling for VTI interfaces.Apr 17 2025, 2:22 PM
Restricted Repository Identity mentioned this in rVYOSONEX9deb059d3d78: Merge pull request #4446 from sever-sever/T7343.Apr 17 2025, 2:22 PM
Viacheslav added projects: VyOS 1.5 Circinus, VyOS 1.4 Sagitta (1.4.3).Apr 17 2025, 3:38 PM
Viacheslav closed this task as Resolved.May 2 2025, 8:34 AM
Viacheslav moved this task from Need Triage to Completed on the VyOS Rolling board.
Viacheslav moved this task from Open to Finished on the VyOS 1.5 Circinus board.
Viacheslav moved this task from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.3) board.
haakon.nore awarded a token.May 15 2025, 11:38 AM
dmbaturin edited projects, added VyOS 1.5 Circinus (1.5-stream-2025-Q2); removed VyOS 1.5 Circinus.Jul 9 2025, 12:20 PM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin mentioned this in 1.4.3.Jul 17 2025, 8:18 AM