
IPsec service fails after upgrading from 1.3.8 to 1.4.2 if protocol all is configured
Closed, Resolved - Public - BUG

Description

Description:

The IPsec service fails to restart when `set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 protocol 'all'` exists in the configuration before the upgrade (on 1.3.8) and the system is then upgraded to 1.4.2.

VyOS 1.3.8 (strongSwan 5.7.2) uses ipsec.conf and converted "all" to "%any". The `all` option was also available in the CLI:

vyos@vyos# set vpn ipsec site-to-site peer 192.0.2.1 tunnel 10 protocol
Possible completions:
   <text>       IP protocol name from /etc/protocols (e.g. "gre" or "tcp")
   <0-255>      IP protocol number
   ah
   all

ipsec.conf snippet:

conn peer-192.0.2.1-tunnel-1
left=192.168.255.106
right=192.0.2.1
leftsubnet=10.2.2.0/24
rightsubnet=10.50.0.0/24[%any/%any]
leftsubnet=10.2.2.0/24[%any/%any]
ike=aes256gcm128-sha256-ecp256!
keyexchange=ikev2
reauth=no
ikelifetime=36000s

After the upgrade to 1.4, the command is migrated to `set vpn ipsec site-to-site peer peer_192-0-2-1 tunnel 1 protocol 'all'` without any migration error, but the strongswan service fails to start with the following error message:

Jun 25 12:01:54 swanctl[3833]: loading connection 'peer_192-0-2-1' failed: invalid value for: local_ts, config discarded
Jun 25 12:01:54 systemd[1]: strongswan.service: Failed with result 'exit-code'.
Jun 25 12:01:54 systemd[1]: Failed to start strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.

strongSwan 5.9.11 does not accept the syntax `10.2.2.0/24[all/]`; a specific protocol has to be defined instead, e.g. `set vpn ipsec site-to-site peer peer_192-0-2-1 tunnel 1 protocol tcp`. The generated swanctl configuration contains:

children {
    peer_192-0-2-1-tunnel-1 {
        esp_proposals = aes256gcm128-sha256-ecp256
        life_time = 10800s
        local_ts = 10.2.2.0/24[all/]
        remote_ts = 10.50.0.0/24[all/]
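
As an added example (not VyOS or strongSwan code), the Python below renders a swanctl traffic selector from a tunnel's protocol and port settings, mapping `all` to the bare subnet that strongSwan already treats as "any protocol" instead of the rejected `[all/]` form, and validates selector strings the way the 5.9.11 failure above implies. The embedded protocol-name table and the numeric-port-only check are constructed simplifications of what strongSwan resolves from /etc/protocols.

```python
import ipaddress

# Constructed subset of /etc/protocols so the check runs offline (assumption:
# strongSwan resolves protocol names through the system protocol database,
# which is also where the VyOS CLI completion takes its names from).
PROTOCOL_NAMES = {"ah": 51, "esp": 50, "gre": 47, "icmp": 1, "tcp": 6, "udp": 17}


def render_traffic_selector(subnet: str, protocol: str = "all", port: str = "") -> str:
    """Render a swanctl.conf local_ts/remote_ts value from VyOS tunnel settings.

    VyOS 1.3 mapped protocol 'all' to '%any' in ipsec.conf. A swanctl selector
    without a '[proto/port]' qualifier already means any protocol, so 'all'
    is rendered as the bare subnet rather than as '<subnet>[all/]'.
    """
    ipaddress.ip_network(subnet, strict=False)  # ValueError if not a subnet
    if protocol in ("", "all"):
        if port:  # assumption: a port restriction needs a concrete protocol
            raise ValueError("port restriction requires a specific protocol")
        return subnet
    return f"{subnet}[{protocol}/{port}]"


def validate_traffic_selector(ts: str) -> bool:
    """Return True if `ts` follows the subnet[proto/port] syntax strongSwan accepts.

    Mirrors the 'invalid value for: local_ts' rejection on 5.9.11: the protocol
    must be a number 0-255 or a known protocol name, so '[all/]' is invalid.
    """
    subnet, bracket, rest = ts.partition("[")
    try:
        ipaddress.ip_network(subnet, strict=False)
    except ValueError:
        return False
    if not bracket:
        return True  # no qualifier: any protocol, any port
    if not rest.endswith("]"):
        return False
    proto, _, port = rest[:-1].partition("/")
    if proto.isdigit():
        if not 0 <= int(proto) <= 255:
            return False
    elif proto.lower() not in PROTOCOL_NAMES:
        return False
    # Simplification: only numeric ports are checked here.
    if port and not (port.isdigit() and 0 <= int(port) <= 65535):
        return False
    return True
```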

If the command is entered directly in 1.4.2, the service fails at commit and then recovers within seconds, but the peer configuration does not appear among the loaded connections, as verified with `swanctl -L`:

vyos@vyos# commit
[ vpn ipsec ]
Job for strongswan.service failed.
See "systemctl status strongswan.service" and "journalctl -xeu strongswan.service" for details.

A configuration to reproduce this on 1.4.2 is attached.

Details

Version: 1.4.2
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

SrividyaA triaged this task as Normal priority.
Viacheslav raised the priority of this task from Normal to High. Jun 26 2025, 2:51 PM
Viacheslav changed the task status from Open to In progress. Jul 28 2025, 9:30 AM
Viacheslav assigned this task to o.kuchmystyi.
Viacheslav moved this task from Need Triage to Completed on the VyOS Rolling board.
Viacheslav moved this task from Open to Finished on the VyOS 1.5 Circinus (1.5-stream-2025-Q3) board.
Viacheslav moved this task from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.4) board.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.