summaryrefslogtreecommitdiff
path: root/data/templates/ipsec/swanctl/peer.j2
AgeCommit message (Collapse)Author
2026-05-20ipsec: T7555: Implement `ikev2-reauth` for site-to-site peersOleksandr Kuchmystyi
IKEv2 reauthentication was configurable via CLI but never translated into `swanctl.conf`. Add `reauth_time` to the peer connection template, driven by the `ikev2-reauth` flag on the ike-group and the per-peer override (yes/no/inherit).
2026-03-04T8136: IPSEC PPK SupportGiga Murphy
2025-12-04ipsec: T7594: Rename `respond` connection-type in IPSec peer settings to `trap`Oleksandr Kuchmystyi
The previous 'connection-type respond' option in IPsec site-to-site peers was misleading - instead of passively waiting for peer initiation, it would initiate negotiation when matching traffic appeared, potentially causing SA duplication and renegotiation loops.
2025-08-12ipsec: T7562: Add support for `disable-uniqreqids` option in IPsec configsOleksandr Kuchmystyi
This commit makes `set vpn ipsec disable-uniqreqids` work with the modern StrongSwan backend by setting `unique=never` in swanctl.conf for connections. This restores legacy behavior about multiple connections with the same identity.
2025-07-28ipsec: T7581: Fix unsupported 'all' protocol in site-to-site tunnels after ↵Oleksandr Kuchmystyi
upgrade to 1.4.x Upgrading from VyOS 1.3.8 (strongSwan 5.7.2) to 1.4.x (strongSwan 5.9.11) caused the IPsec service to fail if the configuration contained: ``` set vpn ipsec site-to-site peer <peer> tunnel <id> protocol 'all' ``` In 1.3.8, 'all' was supported in the CLI for protocol and converted internally to '%any' in ipsec.conf traffic selectors, allowing the tunnel to match all protocols. However, in 1.4.x and strongSwan 5.9.11+, the '[all/]' syntax is no longer supported, and use of 'protocol all' produces an invalid traffic selector (e.g., 'x.x.x.0/24[all/]'), causing the strongSwan service to fail on reload. This fix ensures that 'protocol all' is converted to just the subnet notation (e.g., 'x.x.x.0/24') in the generated traffic selector, restoring previous behavior and allowing seamless service startup after upgrade.
2025-04-17T7343: IPsec add traffic-selector handling for VTI interfacesViacheslav Hletenko
Allow to set traffic-selector for VTI interfaces We can set several local and remote IPv4 and IPv6 prefixes ``` set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix 0.0.0.0/0 set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix :/0 set vpn ipsec site-to-site peer P1 vti traffic-selector remote prefix 192.0.2.0/24 ```
2024-07-22T6599: ipsec: support disabling rekey of CHILD_SA.Lucas Christian
Also adds support for life_bytes, life_packets, and DPD for remote-access connections. Changes behavior of remote-access esp-group lifetime setting to have parity with site-to-site connections.
2024-02-03ipsec: T5998: add replay-windows settingChristian Breunig
The replay_window for child SA will always be 32 (hence enabled). Add a CLI node to explicitly change this. * set vpn ipsec site-to-site peer <name> replay-window <0-2040>
2024-01-17T5953: Changed values of 'close-action' to Strongswan valuesaapostoliuk
Changed the value from 'hold' to 'trap' in the 'close-action' option in the IKE group. Changed the value from 'restart' to 'start' in the 'close-action' option in the IKE group.
2024-01-16T4658: Renamed DPD action value from 'hold' to 'trap'aapostoliuk
Renamed DPD action value from 'hold' to 'trap'
2023-01-12T4118: Add default value any for connection remote-idViacheslav Hletenko
If IPsec "peer <tag> authentication remote-id" is not set it should be "%any" by default https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote Set XML default value in use it in the python vpn_ipsec.py script
2022-11-21T4823: Fix IPsec transport mode remote TSViacheslav Hletenko
Remote TS for transport mode GRE must be remote-address and not peer name
2022-09-16ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peerViacheslav Hletenko
Migration and Change boolean nodes "enable/disable" to disable-xxxx, enable-xxxx and just xxx for VPN IPsec configurations - IKE changes: - replace 'ipsec ike-group <tag> mobike disable' => 'ipsec ike-group <tag> disable-mobike' - replace 'ipsec ike-group <tag> ikev2-reauth yes|no' => 'ipsec ike-group <tag> ikev2-reauth' - ESP changes: - replace 'ipsec esp-group <tag> compression enable' => 'ipsec esp-group <tag> compression' - PEER changes: - replace: 'peer <tag> id xxx' => 'peer <tag> local-id xxx' - replace: 'peer <tag> force-encapsulation enable' => 'peer <tag> force-udp-encapsulation' - add option: 'peer <tag> remote-address x.x.x.x' Add 'peer <name> remote-address <name>' via migration script
2022-05-01ipsec: T4353: fix Jinja2 linting errorsChristian Poessinger