<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/interface-definitions/vpn_ipsec.xml.in, branch rolling</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-06-25T14:36:22+00:00</updated>
<entry>
<title>Merge pull request #5284 from vyos/T8097-strongswan-esn</title>
<updated>2026-06-25T14:36:22+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2026-06-25T14:36:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=fe78ab4165456fd1d7bcd2ec99d7601dc2e71d2c'/>
<id>urn:sha1:fe78ab4165456fd1d7bcd2ec99d7601dc2e71d2c</id>
<content type='text'>
T8097: strongswan: add CLI for ESN</content>
</entry>
<entry>
<title>T8099: strongswan: Post quantum options</title>
<updated>2026-06-22T18:24:49+00:00</updated>
<author>
<name>Kyrylo Yatsenko</name>
<email>hedrok@gmail.com</email>
</author>
<published>2026-06-19T16:14:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=7693c06dc1c5fecb71bf2d21c140ac1bbd5a1088'/>
<id>urn:sha1:7693c06dc1c5fecb71bf2d21c140ac1bbd5a1088</id>
<content type='text'>
Add options for mlkem*
</content>
</entry>
<entry>
<title>T8097: strongswan: add CLI for ESN</title>
<updated>2026-06-20T06:59:00+00:00</updated>
<author>
<name>Kyrylo Yatsenko</name>
<email>hedrok@gmail.com</email>
</author>
<published>2026-06-20T06:37:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=e8611801c7f36d7942ed367c5cf0b0dfd08083d2'/>
<id>urn:sha1:e8611801c7f36d7942ed367c5cf0b0dfd08083d2</id>
<content type='text'>
Add CLI commands:

set vpn ipsec ike-group MyIKEGroup proposal 1 esn ESN-VALUE
set vpn ipsec esp-group MyESPGroup proposal 1 esn ESN-VALUE

Where ESN-VALUE can be one of:

* required: only establish connection using ESN
* optional: try using ESN, but if not available, accept non-ESN
* disabled (default): don't use ESN

StrongSwan 6.0.6 doesn't allow connections between proposal with
'-noesn' and without '-esn'/'-noesn'. To make it work as expected, use
two proposals for 'optional' and 'disabled':

* required: PROPOSAL-esn
* optional: PROPOSAL-esn-noesn,PROPOSAL
* disabled: PROPOSAL-noesn,PROPOSAL
</content>
</entry>
<entry>
<title>ipsec: T8912: Fix log level not respected in system journal</title>
<updated>2026-05-27T14:04:17+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2026-05-27T13:31:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=3b22850f4fe4163fea73f907ba8fe72777ba8d80'/>
<id>urn:sha1:3b22850f4fe4163fea73f907ba8fe72777ba8d80</id>
<content type='text'>
When setting 'vpn ipsec logging log-level 0', DPD informational
messages (log level 1) were still appearing in the system journal.

The root cause is that charon-systemd reads both `charon-systemd.conf`
and `charon-logging.conf` and applies the higher of the two log levels
to the journal. The VyOS only managed `charon-systemd.conf`, leaving
`charon-logging.conf` at its default level of 1, which silently overrode
the user-configured level.

Fix this by rendering `charon-logging.conf` on every commit with
syslog backend set to -1 (silent), making `charon-systemd.conf`
the sole authoritative source for journal log verbosity.

This also eliminates duplicate log entries in the journal that occurred
when both backends were active and writing to the same destination.
</content>
</entry>
<entry>
<title>ipsec: T7555: Implement `ikev2-reauth` for site-to-site peers</title>
<updated>2026-05-20T09:22:21+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2026-05-14T09:42:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=b6d24956bd4c7a5e4cb89c0b4331264a96667184'/>
<id>urn:sha1:b6d24956bd4c7a5e4cb89c0b4331264a96667184</id>
<content type='text'>
IKEv2 reauthentication was configurable via CLI but never translated
into `swanctl.conf`. Add `reauth_time` to the peer connection template,
driven by the `ikev2-reauth` flag on the ike-group and the per-peer
override (yes/no/inherit).
</content>
</entry>
<entry>
<title>T8587: fix XML data type from u32 to u64 where range exceeds uint32 max</title>
<updated>2026-04-27T08:39:46+00:00</updated>
<author>
<name>Yahya Civelek</name>
<email>yahyacivelek@ulakhaberlesme.com.tr</email>
</author>
<published>2026-04-27T08:39:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=d58ca8f6d837d7f832e51abcc29440de0f653bde'/>
<id>urn:sha1:d58ca8f6d837d7f832e51abcc29440de0f653bde</id>
<content type='text'>
The following nodes specified u32 but their range values exceed the
uint32 maximum (4,294,967,295):

- service lldp interface location coordinate-based elin:
  u32:0-9999999999 -&gt; u64:0-9999999999
- vpn ipsec esp-group life-bytes:
  u32:1024-26843545600000 -&gt; u64:1024-26843545600000
- vpn ipsec esp-group life-packets:
  u32:1000-26843545600000 -&gt; u64:1000-26843545600000
</content>
</entry>
<entry>
<title>T8410: Fix typos and mistakes for operational and configuration commands</title>
<updated>2026-03-24T17:02:56+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2026-03-20T16:41:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=bb2aee1e58c1cd30087b935798060e6bf3c698c8'/>
<id>urn:sha1:bb2aee1e58c1cd30087b935798060e6bf3c698c8</id>
<content type='text'>
Fix typos and mistakes in the commands and comments
No functional changes
</content>
</entry>
<entry>
<title>T8136: IPSEC PPK Support</title>
<updated>2026-03-04T04:48:18+00:00</updated>
<author>
<name>Giga Murphy</name>
<email>giga1699@gmail.com</email>
</author>
<published>2026-01-02T01:04:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=673ec335b885ae1de8391dd8c48a5fe16b282db5'/>
<id>urn:sha1:673ec335b885ae1de8391dd8c48a5fe16b282db5</id>
<content type='text'>
</content>
</entry>
<entry>
<title>ipsec: T7594: Rename `respond` connection-type in IPSec peer settings to `trap`</title>
<updated>2025-12-04T15:03:54+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2025-11-28T14:52:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=2dc91c0a96c3d3212387be02b80c58fce7c68bd8'/>
<id>urn:sha1:2dc91c0a96c3d3212387be02b80c58fce7c68bd8</id>
<content type='text'>
The previous 'connection-type respond' option in IPsec site-to-site peers
was misleading - instead of passively waiting for peer initiation, it would
initiate negotiation when matching traffic appeared, potentially causing
SA duplication and renegotiation loops.
</content>
</entry>
<entry>
<title>T8027: vpn: adding config for swanctl "send-cert always"</title>
<updated>2025-11-22T02:22:43+00:00</updated>
<author>
<name>Chris Cowart</name>
<email>ccowart@timesinks.net</email>
</author>
<published>2025-11-16T06:39:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=090c4afe8dce25f772c24fc9bb6e3b96d23fcc2b'/>
<id>urn:sha1:090c4afe8dce25f772c24fc9bb6e3b96d23fcc2b</id>
<content type='text'>
This setting seems to be required for various Apple clients to
connect to the IKEv2 IPSec VPN.
</content>
</entry>
</feed>
