<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/data/templates/ipsec/swanctl, branch rolling</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-05-20T09:22:21+00:00</updated>
<entry>
<title>ipsec: T7555: Implement `ikev2-reauth` for site-to-site peers</title>
<updated>2026-05-20T09:22:21+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2026-05-14T09:42:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=b6d24956bd4c7a5e4cb89c0b4331264a96667184'/>
<id>urn:sha1:b6d24956bd4c7a5e4cb89c0b4331264a96667184</id>
<content type='text'>
IKEv2 reauthentication was configurable via CLI but never translated
into `swanctl.conf`. Add `reauth_time` to the peer connection template,
driven by the `ikev2-reauth` flag on the ike-group and the per-peer
override (yes/no/inherit).
</content>
</entry>
<entry>
<title>T8386: fix locat_ts rendering in remote_access.j2</title>
<updated>2026-03-17T07:02:03+00:00</updated>
<author>
<name>Alex Kudentsov</name>
<email>43482574+alexk37@users.noreply.github.com</email>
</author>
<published>2026-03-16T04:06:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=8714825922af321942975d231e6065fb752abb1d'/>
<id>urn:sha1:8714825922af321942975d231e6065fb752abb1d</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T8136: IPSEC PPK Support</title>
<updated>2026-03-04T04:48:18+00:00</updated>
<author>
<name>Giga Murphy</name>
<email>giga1699@gmail.com</email>
</author>
<published>2026-01-02T01:04:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=673ec335b885ae1de8391dd8c48a5fe16b282db5'/>
<id>urn:sha1:673ec335b885ae1de8391dd8c48a5fe16b282db5</id>
<content type='text'>
</content>
</entry>
<entry>
<title>ipsec: T7594: Rename `respond` connection-type in IPSec peer settings to `trap`</title>
<updated>2025-12-04T15:03:54+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2025-11-28T14:52:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=2dc91c0a96c3d3212387be02b80c58fce7c68bd8'/>
<id>urn:sha1:2dc91c0a96c3d3212387be02b80c58fce7c68bd8</id>
<content type='text'>
The previous 'connection-type respond' option in IPsec site-to-site peers
was misleading - instead of passively waiting for peer initiation, it would
initiate negotiation when matching traffic appeared, potentially causing
SA duplication and renegotiation loops.
</content>
</entry>
<entry>
<title>T8027: vpn: adding config for swanctl "send-cert always"</title>
<updated>2025-11-22T02:22:43+00:00</updated>
<author>
<name>Chris Cowart</name>
<email>ccowart@timesinks.net</email>
</author>
<published>2025-11-16T06:39:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=090c4afe8dce25f772c24fc9bb6e3b96d23fcc2b'/>
<id>urn:sha1:090c4afe8dce25f772c24fc9bb6e3b96d23fcc2b</id>
<content type='text'>
This setting seems to be required for various Apple clients to
connect to the IKEv2 IPSec VPN.
</content>
</entry>
<entry>
<title>ipsec: T7562: Add support for `disable-uniqreqids` option in IPsec configs</title>
<updated>2025-08-12T09:11:05+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2025-07-31T10:41:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=c84c7cf16bf4a0222690f4ac2d93dafc88a7a0f7'/>
<id>urn:sha1:c84c7cf16bf4a0222690f4ac2d93dafc88a7a0f7</id>
<content type='text'>
This commit makes `set vpn ipsec disable-uniqreqids` work with the modern
StrongSwan backend by setting `unique=never` in swanctl.conf for connections.
This restores legacy behavior about multiple connections with the same identity.
</content>
</entry>
<entry>
<title>ipsec: T7581: Fix unsupported 'all' protocol in site-to-site tunnels after upgrade to 1.4.x</title>
<updated>2025-07-28T08:43:42+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2025-07-25T13:44:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=46a0e2cfc99a41a43fbcede2f02d8ad8f98daffb'/>
<id>urn:sha1:46a0e2cfc99a41a43fbcede2f02d8ad8f98daffb</id>
<content type='text'>
Upgrading from VyOS 1.3.8 (strongSwan 5.7.2) to 1.4.x (strongSwan 5.9.11) caused
the IPsec service to fail if the configuration contained:

```
  set vpn ipsec site-to-site peer &lt;peer&gt; tunnel &lt;id&gt; protocol 'all'
```

In 1.3.8, 'all' was supported in the CLI for protocol and converted internally to '%any'
in ipsec.conf traffic selectors, allowing the tunnel to match all protocols. However, in
1.4.x and strongSwan 5.9.11+, the '[all/]' syntax is no longer supported, and use of
'protocol all' produces an invalid traffic selector (e.g., 'x.x.x.0/24[all/]'), causing
the strongSwan service to fail on reload.

This fix ensures that 'protocol all' is converted to just the subnet notation (e.g.,
'x.x.x.0/24') in the generated traffic selector, restoring previous behavior and allowing
seamless service startup after upgrade.
</content>
</entry>
<entry>
<title>T7343: IPsec add traffic-selector handling for VTI interfaces</title>
<updated>2025-04-17T09:45:46+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2025-04-12T08:45:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=41ba7fc5c7edbaca6ff149818aa5689b3ac3c097'/>
<id>urn:sha1:41ba7fc5c7edbaca6ff149818aa5689b3ac3c097</id>
<content type='text'>
Allow to set traffic-selector for VTI interfaces
We can set several local and remote IPv4 and IPv6 prefixes

```
set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix 0.0.0.0/0
set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix :/0
set vpn ipsec site-to-site peer P1 vti traffic-selector remote prefix 192.0.2.0/24
```
</content>
</entry>
<entry>
<title>nhrp: T2326: NHRP migration to FRR</title>
<updated>2025-01-09T16:24:15+00:00</updated>
<author>
<name>aapostoliuk</name>
<email>a.apostoliuk@vyos.io</email>
</author>
<published>2024-08-09T15:08:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=5e8307bf3a7f816193ca9da8cb290d57bbb375f2'/>
<id>urn:sha1:5e8307bf3a7f816193ca9da8cb290d57bbb375f2</id>
<content type='text'>
NHRP migration to FRR
</content>
</entry>
<entry>
<title>T5873: vpn ipsec remote-access: improve child ESP session naming</title>
<updated>2024-07-27T01:26:30+00:00</updated>
<author>
<name>Lucas Christian</name>
<email>lucas@lucasec.com</email>
</author>
<published>2024-07-07T10:19:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=50cf1746d3ab5e3666a3e502c67d7d853ae7f932'/>
<id>urn:sha1:50cf1746d3ab5e3666a3e502c67d7d853ae7f932</id>
<content type='text'>
</content>
</entry>
</feed>
