3 files changed, 49 insertions, 1 deletions

diff --git a/op-mode-definitions/include/bgp/afi-ipv4-ipv6-vpn-rd.xml.i b/op-mode-definitions/include/bgp/afi-ipv4-ipv6-vpn-rd.xml.i
new file mode 100644
index 000000000..bb95ce3f5
--- /dev/null
+++ b/op-mode-definitions/include/bgp/afi-ipv4-ipv6-vpn-rd.xml.i
@@ -0,0 +1,22 @@
+<!-- included start from bgp/afi-ipv4-ipv6-vpn-rd.xml.i -->
+<tagNode name="rd">
+  <properties>
+    <help>Display routes matching the route distinguisher</help>
+    <completionHelp>
+      <list>ASN:NN IPADDRESS:NN all</list>
+    </completionHelp>
+  </properties>
+  <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+  <children>
+    <tagNode name="">
+      <properties>
+        <help>Show IP routes of specified prefix</help>
+        <completionHelp>
+          <list>&lt;x.x.x.x/x&gt; &lt;x:x:x:x:x:x:x:x/x&gt;</list>
+        </completionHelp>
+      </properties>
+      <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
+    </tagNode>
+  </children>
+</tagNode>
+<!-- included end -->
diff --git a/op-mode-definitions/include/bgp/afi-ipv4-ipv6-vpn.xml.i b/op-mode-definitions/include/bgp/afi-ipv4-ipv6-vpn.xml.i
index f6737c8bd..a9fb6e255 100644
--- a/op-mode-definitions/include/bgp/afi-ipv4-ipv6-vpn.xml.i
+++ b/op-mode-definitions/include/bgp/afi-ipv4-ipv6-vpn.xml.i
@@ -18,6 +18,7 @@
   <children>
     #include <include/bgp/afi-common.xml.i>
     #include <include/bgp/afi-ipv4-ipv6-common.xml.i>
+    #include <include/bgp/afi-ipv4-ipv6-vpn-rd.xml.i>
   </children>
   <command>${vyos_op_scripts_dir}/vtysh_wrapper.sh $@</command>
 </node>
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 25604d2a2..71a503e61 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -156,6 +156,8 @@ def get_config(config=None):
                         _, vti = get_interface_dict(conf, ['interfaces', 'vti'], vti_interface)
                         ipsec['vti_interface_dicts'][vti_interface] = vti
 
+    ipsec['vpp_ipsec_exists'] = conf.exists(['vpp', 'settings', 'ipsec'])
+
     return ipsec
 
 def get_dhcp_address(iface):
@@ -484,6 +486,17 @@ def verify(ipsec):
             else:
                 raise ConfigError(f"Missing ike-group on site-to-site peer {peer}")
 
+            # verify encryption algorithm compatibility for IKE with VPP
+            if ipsec['vpp_ipsec_exists']:
+                ike_group = ipsec['ike_group'][peer_conf['ike_group']]
+                for proposal, proposal_config in ike_group.get('proposal', {}).items():
+                    algs = ['gmac', 'serpent', 'twofish']
+                    if any(alg in proposal_config['encryption'] for alg in algs):
+                        raise ConfigError(
+                            f'Encryption algorithm {proposal_config["encryption"]} cannot be used '
+                            f'for IKE proposal {proposal} for site-to-site peer {peer} with VPP'
+                        )
+
             if 'authentication' not in peer_conf or 'mode' not in peer_conf['authentication']:
                 raise ConfigError(f"Missing authentication on site-to-site peer {peer}")
 
@@ -562,7 +575,7 @@ def verify(ipsec):
 
                     esp_group_name = tunnel_conf['esp_group'] if 'esp_group' in tunnel_conf else peer_conf['default_esp_group']
 
-                    if esp_group_name not in ipsec['esp_group']:
+                    if esp_group_name not in ipsec.get('esp_group'):
                         raise ConfigError(f"Invalid esp-group on tunnel {tunnel} for site-to-site peer {peer}")
 
                     esp_group = ipsec['esp_group'][esp_group_name]
@@ -574,6 +587,18 @@ def verify(ipsec):
                         if ('local' in tunnel_conf and 'prefix' in tunnel_conf['local']) or ('remote' in tunnel_conf and 'prefix' in tunnel_conf['remote']):
                             raise ConfigError(f"Local/remote prefix cannot be used with ESP transport mode on tunnel {tunnel} for site-to-site peer {peer}")
 
+                    # verify ESP encryption algorithm compatibility with VPP
+                    # because Marvel plugin for VPP doesn't support all algorithms that Strongswan does
+                    if ipsec['vpp_ipsec_exists']:
+                        for proposal, proposal_config in esp_group.get('proposal', {}).items():
+                            algs = ['aes128', 'aes192', 'aes256', 'aes128gcm128', 'aes192gcm128', 'aes256gcm128']
+                            if proposal_config['encryption'] not in algs:
+                                raise ConfigError(
+                                    f'Encryption algorithm {proposal_config["encryption"]} cannot be used '
+                                    f'for ESP proposal {proposal} on tunnel {tunnel} for site-to-site peer {peer} with VPP'
+                                )
+
+
 def cleanup_pki_files():
     for path in [CERT_PATH, CA_PATH, CRL_PATH, KEY_PATH, PUBKEY_PATH]:
         if not os.path.exists(path):