<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/data/templates/ipsec/swanctl/peer.j2, branch rolling</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-05-20T09:22:21+00:00</updated>
<entry>
<title>ipsec: T7555: Implement `ikev2-reauth` for site-to-site peers</title>
<updated>2026-05-20T09:22:21+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2026-05-14T09:42:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=b6d24956bd4c7a5e4cb89c0b4331264a96667184'/>
<id>urn:sha1:b6d24956bd4c7a5e4cb89c0b4331264a96667184</id>
<content type='text'>
IKEv2 reauthentication was configurable via CLI but never translated
into `swanctl.conf`. Add `reauth_time` to the peer connection template,
driven by the `ikev2-reauth` flag on the ike-group and the per-peer
override (yes/no/inherit).
</content>
</entry>
<entry>
<title>T8136: IPSEC PPK Support</title>
<updated>2026-03-04T04:48:18+00:00</updated>
<author>
<name>Giga Murphy</name>
<email>giga1699@gmail.com</email>
</author>
<published>2026-01-02T01:04:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=673ec335b885ae1de8391dd8c48a5fe16b282db5'/>
<id>urn:sha1:673ec335b885ae1de8391dd8c48a5fe16b282db5</id>
<content type='text'>
</content>
</entry>
<entry>
<title>ipsec: T7594: Rename `respond` connection-type in IPSec peer settings to `trap`</title>
<updated>2025-12-04T15:03:54+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2025-11-28T14:52:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=2dc91c0a96c3d3212387be02b80c58fce7c68bd8'/>
<id>urn:sha1:2dc91c0a96c3d3212387be02b80c58fce7c68bd8</id>
<content type='text'>
The previous 'connection-type respond' option in IPsec site-to-site peers
was misleading - instead of passively waiting for peer initiation, it would
initiate negotiation when matching traffic appeared, potentially causing
SA duplication and renegotiation loops.
</content>
</entry>
<entry>
<title>ipsec: T7562: Add support for `disable-uniqreqids` option in IPsec configs</title>
<updated>2025-08-12T09:11:05+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2025-07-31T10:41:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=c84c7cf16bf4a0222690f4ac2d93dafc88a7a0f7'/>
<id>urn:sha1:c84c7cf16bf4a0222690f4ac2d93dafc88a7a0f7</id>
<content type='text'>
This commit makes `set vpn ipsec disable-uniqreqids` work with the modern
StrongSwan backend by setting `unique=never` in swanctl.conf for connections.
This restores legacy behavior about multiple connections with the same identity.
</content>
</entry>
<entry>
<title>ipsec: T7581: Fix unsupported 'all' protocol in site-to-site tunnels after upgrade to 1.4.x</title>
<updated>2025-07-28T08:43:42+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2025-07-25T13:44:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=46a0e2cfc99a41a43fbcede2f02d8ad8f98daffb'/>
<id>urn:sha1:46a0e2cfc99a41a43fbcede2f02d8ad8f98daffb</id>
<content type='text'>
Upgrading from VyOS 1.3.8 (strongSwan 5.7.2) to 1.4.x (strongSwan 5.9.11) caused
the IPsec service to fail if the configuration contained:

```
  set vpn ipsec site-to-site peer &lt;peer&gt; tunnel &lt;id&gt; protocol 'all'
```

In 1.3.8, 'all' was supported in the CLI for protocol and converted internally to '%any'
in ipsec.conf traffic selectors, allowing the tunnel to match all protocols. However, in
1.4.x and strongSwan 5.9.11+, the '[all/]' syntax is no longer supported, and use of
'protocol all' produces an invalid traffic selector (e.g., 'x.x.x.0/24[all/]'), causing
the strongSwan service to fail on reload.

This fix ensures that 'protocol all' is converted to just the subnet notation (e.g.,
'x.x.x.0/24') in the generated traffic selector, restoring previous behavior and allowing
seamless service startup after upgrade.
</content>
</entry>
<entry>
<title>T7343: IPsec add traffic-selector handling for VTI interfaces</title>
<updated>2025-04-17T09:45:46+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2025-04-12T08:45:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=41ba7fc5c7edbaca6ff149818aa5689b3ac3c097'/>
<id>urn:sha1:41ba7fc5c7edbaca6ff149818aa5689b3ac3c097</id>
<content type='text'>
Allow to set traffic-selector for VTI interfaces
We can set several local and remote IPv4 and IPv6 prefixes

```
set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix 0.0.0.0/0
set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix :/0
set vpn ipsec site-to-site peer P1 vti traffic-selector remote prefix 192.0.2.0/24
```
</content>
</entry>
<entry>
<title>T6599: ipsec: support disabling rekey of CHILD_SA.</title>
<updated>2024-07-22T09:15:36+00:00</updated>
<author>
<name>Lucas Christian</name>
<email>lucas@lucasec.com</email>
</author>
<published>2024-07-21T02:29:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=fd5d7ff0b4fd69b248ecb29c6ec1f3cf844c41cf'/>
<id>urn:sha1:fd5d7ff0b4fd69b248ecb29c6ec1f3cf844c41cf</id>
<content type='text'>
Also adds support for life_bytes, life_packets, and DPD for
remote-access connections. Changes behavior of remote-access esp-group
lifetime setting to have parity with site-to-site connections.
</content>
</entry>
<entry>
<title>ipsec: T5998: add replay-windows setting</title>
<updated>2024-02-03T12:01:02+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2024-02-02T19:44:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=4d943d8fbf1253154897179b0e3ea2d93b898197'/>
<id>urn:sha1:4d943d8fbf1253154897179b0e3ea2d93b898197</id>
<content type='text'>
The replay_window for child SA will always be 32 (hence enabled). Add a CLI node
to explicitly change this.

* set vpn ipsec site-to-site peer &lt;name&gt; replay-window &lt;0-2040&gt;
</content>
</entry>
<entry>
<title>T5953: Changed values of 'close-action' to Strongswan values</title>
<updated>2024-01-17T15:46:38+00:00</updated>
<author>
<name>aapostoliuk</name>
<email>a.apostoliuk@vyos.io</email>
</author>
<published>2024-01-17T15:46:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=8870fabf1b4358618fca7db459515106653214b5'/>
<id>urn:sha1:8870fabf1b4358618fca7db459515106653214b5</id>
<content type='text'>
Changed the value from 'hold' to 'trap' in the 'close-action'
option in the IKE group.
Changed the value from 'restart' to 'start' in the 'close-action'
option in the IKE group.
</content>
</entry>
<entry>
<title>T4658: Renamed DPD action value from 'hold' to 'trap'</title>
<updated>2024-01-16T14:26:26+00:00</updated>
<author>
<name>aapostoliuk</name>
<email>a.apostoliuk@vyos.io</email>
</author>
<published>2024-01-16T14:26:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=9f4aee5778eefa0a17d4795430d50e4a046e88b0'/>
<id>urn:sha1:9f4aee5778eefa0a17d4795430d50e4a046e88b0</id>
<content type='text'>
Renamed DPD action value from 'hold' to 'trap'
</content>
</entry>
</feed>
