Summary
VPN IPsec: add the ability to exclude IPv6 traffic selectors for VTI interfaces.
The traffic selectors are hard-coded to 0.0.0.0/0,::/0 for VTI interfaces: https://github.com/vyos/vyos-1x/blob/a8aa9843466511cf165a8ff8db6c8d2124c69364/data/templates/ipsec/swanctl/peer.j2#L71-L72
Allow excluding IPv6, or configuring specific traffic selectors.
This is a blocker for establishing Phase 2 SAs with some vendors: a peer that only has IPv4 selectors configured rejects the ::/0 proposal, as in this SRX kmd log:
Apr 9 05:30:33 srx320 kmd[2186]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: XXX-Phase2, Peer Proposed traffic-selector local-ip: ipv4(0.0.0.0-255.255.255.255),ipv6(::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff), Peer Proposed traffic-selector remote-ip: ipv4(0.0.0.0-255.255.255.255),ipv6(::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
Apr 9 05:30:33 srx320 kmd[2186]: IPSec negotiation failed with error: Peer proposed traffic-selectors are not in configured range. IKE Version: 2, VPN: XXX-Phase2 Gateway: XXX-Phase1, Local: 192.0.2.234/500, Remote: 203.0.113.35/500, Local IKE-ID: 192.0.2.234, Remote IKE-ID: 203.0.113.35, VR-ID: 0
Use case
Disable IPv6 traffic selectors
Additional info
The CLI syntax needs some thought; something like this:
set vpn ipsec site-to-site peer LEFT vti bind vti1
set vpn ipsec site-to-site peer LEFT vti local prefix 0.0.0.0/0
set vpn ipsec site-to-site peer LEFT vti remote prefix 0.0.0.0/0
or
set vpn ipsec site-to-site peer LEFT vti disable-ipv6
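To make the problem and the two proposed fixes concrete, here is an added Python model (not VyOS code, and not what peer.j2 renders) of the selector logic: it derives the local_ts/remote_ts values swanctl would receive from the hard-coded default, from the proposed "vti local prefix" / "vti remote prefix" options, or from the proposed "disable-ipv6" flag, and then applies the same acceptance rule the SRX log above reports (every proposed selector must fall inside a configured range). The option names, the swanctl fragment format and the sample log line are assumptions taken from this ticket, and the peer-side check is a simplified model of the vendor's behaviour.

```python
"""Hypothetical model of the VTI traffic-selector logic discussed in this ticket.
Not VyOS project code. CLI option names (local prefix / remote prefix /
disable-ipv6) are the proposals from the ticket, and peer_accepts() mimics the
"not in configured range" rejection seen in the SRX kmd log."""
import ipaddress
import re

# What data/templates/ipsec/swanctl/peer.j2 hard-codes today for VTI peers.
DEFAULT_TS = ["0.0.0.0/0", "::/0"]

# Constructed sample, modelled on the kmd line quoted in the ticket.
SAMPLE_LOG = ("Apr 9 05:30:33 srx320 kmd[2186]: KMD_VPN_TS_MISMATCH: "
              "Traffic-selector mismatch, vpn name: XXX-Phase2, "
              "Peer Proposed traffic-selector local-ip: "
              "ipv4(0.0.0.0-255.255.255.255),ipv6(::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff), "
              "Peer Proposed traffic-selector remote-ip: "
              "ipv4(0.0.0.0-255.255.255.255),ipv6(::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)")


def vti_traffic_selectors(local_prefixes=None, remote_prefixes=None, disable_ipv6=False):
    """Return (local_ts, remote_ts) as comma-separated swanctl values.

    local_prefixes/remote_prefixes: the assumed 'vti local prefix' / 'vti remote
    prefix' options. disable_ipv6: the assumed 'vti disable-ipv6' flag, which
    drops every IPv6 selector from whichever list is in effect. With nothing set
    the current hard-coded 0.0.0.0/0,::/0 pair is returned.
    """
    def pick(explicit):
        ts = list(explicit) if explicit else list(DEFAULT_TS)
        if disable_ipv6:
            ts = [p for p in ts if ipaddress.ip_network(p, strict=False).version == 4]
        return ts
    return ",".join(pick(local_prefixes)), ",".join(pick(remote_prefixes))


def swanctl_child_fragment(local_ts, remote_ts):
    """Render the two child-SA lines in swanctl.conf key = value form (assumed layout)."""
    return f"local_ts = {local_ts}\nremote_ts = {remote_ts}"


def peer_accepts(proposed_ts, configured_ranges):
    """Simplified model of the vendor check from the log: every proposed selector
    must be contained in a configured range of the same address family, so a peer
    configured only for IPv4 rejects any proposal that carries ::/0."""
    cfg = [ipaddress.ip_network(r, strict=False) for r in configured_ranges]
    for p in proposed_ts.split(","):
        net = ipaddress.ip_network(p, strict=False)
        # version check first: subnet_of() raises TypeError across families
        if not any(net.version == c.version and net.subnet_of(c) for c in cfg):
            return False
    return True


def ts_mismatch_families(log_line):
    """From a KMD_VPN_TS_MISMATCH line, return the address families the peer
    proposed for local-ip (sorted), or None if the line is not a mismatch event.
    Useful for spotting this failure mode in collected peer logs."""
    m = re.search(r"KMD_VPN_TS_MISMATCH:.*?local-ip: (\S+)", log_line)
    if not m:
        return None
    return sorted(set(re.findall(r"(ipv[46])\(", m.group(1))))


if __name__ == "__main__":
    peer_cfg = ["0.0.0.0/0"]            # IPv4-only peer, as in the log
    for label, ts in [("default", vti_traffic_selectors()),
                      ("disable-ipv6", vti_traffic_selectors(disable_ipv6=True)),
                      ("explicit", vti_traffic_selectors(["10.0.0.0/8"], ["192.168.0.0/16"]))]:
        local_ts, remote_ts = ts
        print(f"[{label}]\n{swanctl_child_fragment(local_ts, remote_ts)}")
        print("peer accepts:", peer_accepts(local_ts, peer_cfg), "\n")
    print("families in sample log:", ts_mismatch_families(SAMPLE_LOG))
```

Running the block shows the default pair being rejected by the IPv4-only peer while either proposed CLI form is accepted; the same acceptance rule would also flag an explicit IPv6 prefix against such a peer, which is the argument for letting the operator choose the selectors rather than only toggling IPv6 off.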