Page MenuHomeVyOS Platform
Create Task
Maniphest T7774

Routed IPsec not working dual stack
Closed, InvalidPublicBUG
Actions

Description

hi,

I tried to get a routed ipsec with dual stack working:

VyOSConfig:

set interfaces vti vti0 address '10.51.22.2/30'
set interfaces vti vti0 address '2a00:f88:f020:1004::2/64'
set interfaces vti vti0 description 'Marcant Tunnel'
set interfaces vti vti0 ip adjust-mss 'clamp-mss-to-pmtu'
set nat source rule 1 outbound-interface name 'eth0'
set nat source rule 1 translation address 'masquerade'
set policy route MARCANT_VTI interface 'eth1'
set policy route MARCANT_VTI rule 1 action 'accept'
set policy route MARCANT_VTI rule 1 destination address '0.0.0.0/0'
set policy route MARCANT_VTI rule 1 set table '1'
set policy route MARCANT_VTI rule 1 source address '192.168.14.0/24'
set protocols static route 0.0.0.0/0 next-hop 172.31.84.254
set protocols static table 1 description 'VTI_MARCANT'
set protocols static table 1 route 0.0.0.0/0 next-hop 10.51.22.1
set vpn ipsec authentication psk marcant id 'sophos.test.de'
set vpn ipsec authentication psk marcant secret 'XXXXX'
set vpn ipsec esp-group MARCANT lifetime '3600'
set vpn ipsec esp-group MARCANT mode 'tunnel'
set vpn ipsec esp-group MARCANT pfs 'dh-group31'
set vpn ipsec esp-group MARCANT proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group MARCANT proposal 1 hash 'sha256'
set vpn ipsec ike-group MARCANT close-action 'start'
set vpn ipsec ike-group MARCANT dead-peer-detection action 'restart'
set vpn ipsec ike-group MARCANT key-exchange 'ikev2'
set vpn ipsec ike-group MARCANT lifetime '28800'
set vpn ipsec ike-group MARCANT proposal 1 dh-group '31'
set vpn ipsec ike-group MARCANT proposal 1 encryption 'aes256'
set vpn ipsec ike-group MARCANT proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer marcant authentication local-id 'office.test.de'
set vpn ipsec site-to-site peer marcant authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer marcant authentication remote-id 'sophos.test.de'
set vpn ipsec site-to-site peer marcant connection-type 'initiate'
set vpn ipsec site-to-site peer marcant description 'Marcant Tunnel'
set vpn ipsec site-to-site peer marcant ike-group 'MARCANT'
set vpn ipsec site-to-site peer marcant ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer marcant local-address '172.31.84.253'
set vpn ipsec site-to-site peer marcant remote-address '217.14.171.1XX'
set vpn ipsec site-to-site peer marcant vti bind 'vti0'
set vpn ipsec site-to-site peer marcant vti esp-group 'MARCANT'

IPv4 runs fine but It I try to ping the IPv6 on the other side I get no answer and don't see any UDP packets leaving my system on the outside interface.
After digging aroung I found this:

src 0.0.0.0/0 dst 0.0.0.0/0 
	dir out priority 399999 ptype main 
	tmpl src 172.31.84.253 dst 217.14.171.XX
		proto esp spi 0xccdf0067 reqid 1 mode tunnel
	if_id 0x1
src 0.0.0.0/0 dst 0.0.0.0/0 
	dir fwd priority 399999 ptype main 
	tmpl src 217.14.171.XX dst 172.31.84.253
		proto esp reqid 1 mode tunnel
	if_id 0x1
src 0.0.0.0/0 dst 0.0.0.0/0 
	dir in priority 399999 ptype main 
	tmpl src 217.14.171.XX dst 172.31.84.253
		proto esp reqid 1 mode tunnel
	if_id 0x1
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src ::/0 dst ::/0 
	socket in priority 0 ptype main 
src ::/0 dst ::/0 
	socket out priority 0 ptype main 
src ::/0 dst ::/0 
	socket in priority 0 ptype main 
src ::/0 dst ::/0 
	socket out priority 0 ptype main

After I add:

vbash-4.1# ip xfrm policy
src ::/0 dst ::/0 
	dir in priority 399999 ptype main 
	tmpl src 217.14.171.196 dst 172.31.84.253
		proto esp reqid 1 mode tunnel
	if_id 0x1
src ::/0 dst ::/0 
	dir fwd priority 399999 ptype main 
	tmpl src 217.14.171.196 dst 172.31.84.253
		proto esp reqid 1 mode tunnel
	if_id 0x1
src ::/0 dst ::/0 
	dir out priority 399999 ptype main 
	tmpl src 172.31.84.253 dst 217.14.171.196
		proto esp spi 0xccdf0067 reqid 1 mode tunnel
	if_id 0x1

I see traffic leaving my system and the other side received my traffic.
Seemst that something with xfrm policy creation is wrong.

Details

Version
1.4.2
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

rherold created this task.Sep 2 2025, 2:53 PM
pasik subscribed.Sep 2 2025, 4:31 PM
Unknown Object (User) triaged this task as Normal priority.Sep 5 2025, 8:29 AM
amjadhalim subscribed.Sep 12 2025, 9:47 PM
o.kuchmystyi subscribed.Sep 22 2025, 3:12 PM

@rherold I tried to reproduce this behavior using your configuration for VyOS 1.4.2, 1.4.3 and 1.5, but everything works fine in my lab.

Peer #1:

vyos@4a5477d8b0f8:~$ sudo ip xfrm policy
src ::/0 dst ::/0
        dir out priority 399999 ptype main
        tmpl src 172.18.0.7 dst 172.18.0.6
                proto esp spi 0xc24c6e29 reqid 1 mode tunnel
        if_id 0x1
src ::/0 dst ::/0
        dir fwd priority 399999 ptype main
        tmpl src 172.18.0.6 dst 172.18.0.7
                proto esp reqid 1 mode tunnel
        if_id 0x1
src ::/0 dst ::/0
        dir in priority 399999 ptype main
        tmpl src 172.18.0.6 dst 172.18.0.7
                proto esp reqid 1 mode tunnel
        if_id 0x1
src 0.0.0.0/0 dst 0.0.0.0/0
        dir out priority 399999 ptype main
        tmpl src 172.18.0.7 dst 172.18.0.6
                proto esp spi 0xc24c6e29 reqid 1 mode tunnel
        if_id 0x1
src 0.0.0.0/0 dst 0.0.0.0/0
        dir fwd priority 399999 ptype main
        tmpl src 172.18.0.6 dst 172.18.0.7
                proto esp reqid 1 mode tunnel
        if_id 0x1
src 0.0.0.0/0 dst 0.0.0.0/0
        dir in priority 399999 ptype main
        tmpl src 172.18.0.6 dst 172.18.0.7
                proto esp reqid 1 mode tunnel
        if_id 0x1
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
vyos@4a5477d8b0f8:~$
vyos@4a5477d8b0f8:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address           MAC                VRF        MTU  S/L    Description
-----------  -------------------  -----------------  -------  -----  -----  -------------
eth0         172.18.0.7/16        ba:79:26:91:5d:24  default   1500  u/u
             2001:dc9:1::7/64
lo           127.0.0.1/8          00:00:00:00:00:00  default  65536  u/u
             ::1/128
vti0         10.10.10.1/30        n/a                default   1500  u/u    Peer2 Tunnel
             fd00:10:10:10::1/64
vyos@4a5477d8b0f8:~$ nc -u -l -6 -w1 9999
Test UDP packet
vyos@4a5477d8b0f8:~$ sudo tcpdump -ni vti0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vti0, link-type RAW (Raw IP), snapshot length 262144 bytes
15:05:49.862667 IP6 fd00:10:10:10::2 > fd00:10:10:10::1: ICMP6, echo request, id 102, seq 1, length 64
15:05:49.862693 IP6 fd00:10:10:10::1 > fd00:10:10:10::2: ICMP6, echo reply, id 102, seq 1, length 64
15:05:50.870461 IP6 fd00:10:10:10::2 > fd00:10:10:10::1: ICMP6, echo request, id 102, seq 2, length 64
15:05:50.870488 IP6 fd00:10:10:10::1 > fd00:10:10:10::2: ICMP6, echo reply, id 102, seq 2, length 64
15:05:51.894458 IP6 fd00:10:10:10::2 > fd00:10:10:10::1: ICMP6, echo request, id 102, seq 3, length 64
15:05:51.894486 IP6 fd00:10:10:10::1 > fd00:10:10:10::2: ICMP6, echo reply, id 102, seq 3, length 64
15:05:52.918482 IP6 fd00:10:10:10::2 > fd00:10:10:10::1: ICMP6, echo request, id 102, seq 4, length 64
15:05:52.918510 IP6 fd00:10:10:10::1 > fd00:10:10:10::2: ICMP6, echo reply, id 102, seq 4, length 64
15:05:53.942476 IP6 fd00:10:10:10::2 > fd00:10:10:10::1: ICMP6, echo request, id 102, seq 5, length 64
15:05:53.942505 IP6 fd00:10:10:10::1 > fd00:10:10:10::2: ICMP6, echo reply, id 102, seq 5, length 64
15:05:54.966442 IP6 fd00:10:10:10::2 > fd00:10:10:10::1: ICMP6, echo request, id 102, seq 6, length 64
15:05:54.966467 IP6 fd00:10:10:10::1 > fd00:10:10:10::2: ICMP6, echo reply, id 102, seq 6, length 64
15:05:55.990447 IP6 fd00:10:10:10::2 > fd00:10:10:10::1: ICMP6, echo request, id 102, seq 7, length 64
15:05:55.990473 IP6 fd00:10:10:10::1 > fd00:10:10:10::2: ICMP6, echo reply, id 102, seq 7, length 64
^C
14 packets captured
14 packets received by filter
0 packets dropped by kernel

Peer #2:

vyos@a2efbaf227cd:~$ sudo ip xfrm policy
src ::/0 dst ::/0
        dir out priority 399999 ptype main
        tmpl src 172.18.0.6 dst 172.18.0.7
                proto esp spi 0xcd646a0b reqid 1 mode tunnel
        if_id 0x1
src ::/0 dst ::/0
        dir fwd priority 399999 ptype main
        tmpl src 172.18.0.7 dst 172.18.0.6
                proto esp reqid 1 mode tunnel
        if_id 0x1
src ::/0 dst ::/0
        dir in priority 399999 ptype main
        tmpl src 172.18.0.7 dst 172.18.0.6
                proto esp reqid 1 mode tunnel
        if_id 0x1
src 0.0.0.0/0 dst 0.0.0.0/0
        dir out priority 399999 ptype main
        tmpl src 172.18.0.6 dst 172.18.0.7
                proto esp spi 0xcd646a0b reqid 1 mode tunnel
        if_id 0x1
src 0.0.0.0/0 dst 0.0.0.0/0
        dir fwd priority 399999 ptype main
        tmpl src 172.18.0.7 dst 172.18.0.6
                proto esp reqid 1 mode tunnel
        if_id 0x1
src 0.0.0.0/0 dst 0.0.0.0/0
        dir in priority 399999 ptype main
        tmpl src 172.18.0.7 dst 172.18.0.6
                proto esp reqid 1 mode tunnel
        if_id 0x1
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
vyos@a2efbaf227cd:~$
vyos@a2efbaf227cd:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address           MAC                VRF        MTU  S/L    Description
-----------  -------------------  -----------------  -------  -----  -----  -------------
eth0         172.18.0.6/16        86:b6:66:25:1a:90  default   1500  u/u
             2001:dc9:1::6/64
lo           127.0.0.1/8          00:00:00:00:00:00  default  65536  u/u
             ::1/128
vti0         10.10.10.2/30        n/a                default   1500  u/u    Peer1 Tunnel
             fd00:10:10:10::2/64
vyos@a2efbaf227cd:~$ echo "Test UDP packet" | nc -u -w1 -6 fd00:10:10:10::1 9999
vyos@a2efbaf227cd:~$
vyos@a2efbaf227cd:~$ ping6 fd00:10:10:10::1
PING fd00:10:10:10::1(fd00:10:10:10::1) 56 data bytes
64 bytes from fd00:10:10:10::1: icmp_seq=1 ttl=64 time=0.165 ms
64 bytes from fd00:10:10:10::1: icmp_seq=2 ttl=64 time=0.215 ms
64 bytes from fd00:10:10:10::1: icmp_seq=3 ttl=64 time=0.213 ms
64 bytes from fd00:10:10:10::1: icmp_seq=4 ttl=64 time=0.204 ms
64 bytes from fd00:10:10:10::1: icmp_seq=5 ttl=64 time=0.222 ms
64 bytes from fd00:10:10:10::1: icmp_seq=6 ttl=64 time=0.193 ms
64 bytes from fd00:10:10:10::1: icmp_seq=7 ttl=64 time=0.198 ms
^C
--- fd00:10:10:10::1 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6128ms
rtt min/avg/max/mdev = 0.165/0.201/0.222/0.017 ms

Could you provide more details about you setup or re-check it again?

Viacheslav changed the task status from Open to Needs reporter action.Sep 24 2025, 11:29 PM
Viacheslav subscribed.Oct 14 2025, 9:03 AM

@rherold any updates?

rherold added a comment.Oct 14 2025, 12:12 PM

Yes got the information that the other side is no vyos (sorry didn't expect this) it's an current sophos box with strongswan.
It try to replicate it here between two vyos boxes the next days

Unknown Object (User) closed this task as Invalid.Oct 14 2025, 2:59 PM