diff options
| author | Oleksandr Kuchmystyi <o.kuchmystyi@vyos.io> | 2025-07-25 16:44:37 +0300 |
|---|---|---|
| committer | Oleksandr Kuchmystyi <o.kuchmystyi@vyos.io> | 2025-07-28 11:43:42 +0300 |
| commit | 46a0e2cfc99a41a43fbcede2f02d8ad8f98daffb (patch) | |
| tree | 1a22e0b475ae0e4c576702cd1ac9f174f9374eac | |
| parent | 6c6bcb59b85efdb60129639afaade482a2419cfe (diff) | |
| download | vyos-1x-46a0e2cfc99a41a43fbcede2f02d8ad8f98daffb.tar.gz vyos-1x-46a0e2cfc99a41a43fbcede2f02d8ad8f98daffb.zip | |
ipsec: T7581: Fix unsupported 'all' protocol in site-to-site tunnels after upgrade to 1.4.x
Upgrading from VyOS 1.3.8 (strongSwan 5.7.2) to 1.4.x (strongSwan 5.9.11) caused
the IPsec service to fail if the configuration contained:
```
set vpn ipsec site-to-site peer <peer> tunnel <id> protocol 'all'
```
In 1.3.8, 'all' was supported in the CLI for protocol and converted internally to '%any'
in ipsec.conf traffic selectors, allowing the tunnel to match all protocols. However, in
1.4.x and strongSwan 5.9.11+, the '[all/]' syntax is no longer supported, and use of
'protocol all' produces an invalid traffic selector (e.g., 'x.x.x.0/24[all/]'), causing
the strongSwan service to fail on reload.
This fix ensures that 'protocol all' is converted to just the subnet notation (e.g.,
'x.x.x.0/24') in the generated traffic selector, restoring previous behavior and allowing
seamless service startup after upgrade.
| -rw-r--r-- | data/templates/ipsec/swanctl/peer.j2 | 6 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_vpn_ipsec.py | 65 |
2 files changed, 71 insertions, 0 deletions
diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2 index cf0865c88..b6b5d2dac 100644 --- a/data/templates/ipsec/swanctl/peer.j2 +++ b/data/templates/ipsec/swanctl/peer.j2 @@ -111,6 +111,12 @@ {% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is vyos_defined else peer_conf.default_esp_group %} {% set tunnel_esp = esp_group[tunnel_esp_name] %} {% set proto = tunnel_conf.protocol if tunnel_conf.protocol is vyos_defined else '' %} +{# VyOS 1.3.x (with strongSwan 5.7.x) previously allowed using `all` in traffic selectors, converting it to `%any`. #} +{# In strongSwan 5.9.x (VyOS >= 1.4.x), the syntax `x.x.x.0/24[all/]` is no longer accepted. #} +{# We must now explicitly specify a protocol (e.g., `tcp`, `udp`). #} +{# To achieve "all" protocol behavior, simply use the subnet notation without brackets, #} +{# such as `x.x.x.0/24` or `x.x.x.0/24[/443]`. #} +{% set proto = '' if proto == 'all' else proto %} {% set local_port = tunnel_conf.local.port if tunnel_conf.local.port is vyos_defined else '' %} {% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %} {% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote.port is vyos_defined else '' %} diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index f9f0bd669..830e58fe8 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -282,6 +282,71 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): for line in swanctl_secrets_lines: self.assertRegex(swanctl_conf, fr'{line}') + def test_site_to_site_ts_protocol_all(self): + """ + Test acceptance of 'all' protocol in site-to-site traffic selector. + + Verifies that specifying only the subnet (e.g., 'x.x.x.0/24') is accepted + for "all" protocols in IPsec site-to-site configuration, while explicit + '[all/]' protocol syntax is rejected with strongSwan 5.9.x. + + More details: https://vyos.dev/T7581 + """ + + self.cli_set(base_path + ['ike-group', ike_group, 'key-exchange', 'ikev2']) + + local_address = '192.0.2.12' + + # vpn ipsec auth psk <tag> id <x.x.x.x> + auth_psk_path = base_path + ['authentication', 'psk', connection_name] + self.cli_set(auth_psk_path + ['id', local_id]) + self.cli_set(auth_psk_path + ['id', remote_id]) + self.cli_set(auth_psk_path + ['id', local_address]) + self.cli_set(auth_psk_path + ['id', peer_ip]) + self.cli_set(auth_psk_path + ['secret', secret]) + + # Site to site + peer_base_path = base_path + ['site-to-site', 'peer', connection_name] + tunnel_1_base_path = peer_base_path + ['tunnel', '1'] + tunnel_2_base_path = peer_base_path + ['tunnel', '2'] + + self.cli_set(peer_base_path + ['authentication', 'mode', 'pre-shared-secret']) + self.cli_set(peer_base_path + ['ike-group', ike_group]) + self.cli_set(peer_base_path + ['default-esp-group', esp_group]) + self.cli_set(peer_base_path + ['local-address', local_address]) + self.cli_set(peer_base_path + ['remote-address', peer_ip]) + self.cli_set(tunnel_1_base_path + ['protocol', 'all']) + self.cli_set(tunnel_1_base_path + ['local', 'prefix', '172.16.10.0/24']) + self.cli_set(tunnel_1_base_path + ['local', 'port', '443']) + self.cli_set(tunnel_1_base_path + ['remote', 'prefix', '172.17.11.0/24']) + self.cli_set(tunnel_1_base_path + ['remote', 'port', '443']) + + self.cli_set(tunnel_2_base_path + ['protocol', 'all']) + self.cli_set(tunnel_2_base_path + ['local', 'prefix', '10.1.0.0/16']) + self.cli_set(tunnel_2_base_path + ['remote', 'prefix', '10.2.0.0/16']) + + self.cli_commit() + + # Verify strongSwan configuration + swanctl_conf = read_file(swanctl_file) + swanctl_conf_lines = [ + 'version = 2', + 'auth = psk', + f'local_addrs = {local_address} # dhcp:no', + f'remote_addrs = {peer_ip}', + 'mode = tunnel', + f'{connection_name}-tunnel-1', + 'local_ts = 172.16.10.0/24[/443]', + 'remote_ts = 172.17.11.0/24[/443]', + 'mode = tunnel', + f'{connection_name}-tunnel-2', + 'local_ts = 10.1.0.0/16', + 'remote_ts = 10.2.0.0/16', + 'mode = tunnel', + ] + for line in swanctl_conf_lines: + self.assertIn(line, swanctl_conf) + def test_site_to_site_vti(self): local_address = '192.0.2.10' |
