summaryrefslogtreecommitdiff
path: root/data/templates/ipsec
AgeCommit message (Collapse)Author
2026-05-27ipsec: T8912: Fix log level not respected in system journalOleksandr Kuchmystyi
When setting 'vpn ipsec logging log-level 0', DPD informational messages (log level 1) were still appearing in the system journal. The root cause is that charon-systemd reads both `charon-systemd.conf` and `charon-logging.conf` and applies the higher of the two log levels to the journal. The VyOS only managed `charon-systemd.conf`, leaving `charon-logging.conf` at its default level of 1, which silently overrode the user-configured level. Fix this by rendering `charon-logging.conf` on every commit with syslog backend set to -1 (silent), making `charon-systemd.conf` the sole authoritative source for journal log verbosity. This also eliminates duplicate log entries in the journal that occurred when both backends were active and writing to the same destination.
2026-05-20ipsec: T7555: Implement `ikev2-reauth` for site-to-site peersOleksandr Kuchmystyi
IKEv2 reauthentication was configurable via CLI but never translated into `swanctl.conf`. Add `reauth_time` to the peer connection template, driven by the `ikev2-reauth` flag on the ike-group and the per-peer override (yes/no/inherit).
2026-03-27T8410: Fix typos and mistakes for comments and messagesViacheslav Hletenko
Fix typos and mistakes No functional changes
2026-03-17T8386: fix locat_ts rendering in remote_access.j2Alex Kudentsov
2026-03-04T8136: IPSEC PPK SupportGiga Murphy
2025-12-04ipsec: T7594: Rename `respond` connection-type in IPSec peer settings to `trap`Oleksandr Kuchmystyi
The previous 'connection-type respond' option in IPsec site-to-site peers was misleading - instead of passively waiting for peer initiation, it would initiate negotiation when matching traffic appeared, potentially causing SA duplication and renegotiation loops.
2025-11-21T8027: vpn: adding config for swanctl "send-cert always"Chris Cowart
This setting seems to be required for various Apple clients to connect to the IKEv2 IPSec VPN.
2025-08-12ipsec: T7562: Add support for `disable-uniqreqids` option in IPsec configsOleksandr Kuchmystyi
This commit makes `set vpn ipsec disable-uniqreqids` work with the modern StrongSwan backend by setting `unique=never` in swanctl.conf for connections. This restores legacy behavior about multiple connections with the same identity.
2025-07-28ipsec: T7581: Fix unsupported 'all' protocol in site-to-site tunnels after ↵Oleksandr Kuchmystyi
upgrade to 1.4.x Upgrading from VyOS 1.3.8 (strongSwan 5.7.2) to 1.4.x (strongSwan 5.9.11) caused the IPsec service to fail if the configuration contained: ``` set vpn ipsec site-to-site peer <peer> tunnel <id> protocol 'all' ``` In 1.3.8, 'all' was supported in the CLI for protocol and converted internally to '%any' in ipsec.conf traffic selectors, allowing the tunnel to match all protocols. However, in 1.4.x and strongSwan 5.9.11+, the '[all/]' syntax is no longer supported, and use of 'protocol all' produces an invalid traffic selector (e.g., 'x.x.x.0/24[all/]'), causing the strongSwan service to fail on reload. This fix ensures that 'protocol all' is converted to just the subnet notation (e.g., 'x.x.x.0/24') in the generated traffic selector, restoring previous behavior and allowing seamless service startup after upgrade.
2025-07-18ipsec: T7504: Added IKEv2 retransmission optionsaapostoliuk
Added IKEv2 retransmission options (base, tries, timeout).
2025-04-17T7343: IPsec add traffic-selector handling for VTI interfacesViacheslav Hletenko
Allow to set traffic-selector for VTI interfaces We can set several local and remote IPv4 and IPv6 prefixes ``` set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix 0.0.0.0/0 set vpn ipsec site-to-site peer P1 vti traffic-selector local prefix :/0 set vpn ipsec site-to-site peer P1 vti traffic-selector remote prefix 192.0.2.0/24 ```
2025-04-02T7290: Fix VPN IPsec log level processingViacheslav Hletenko
Fix the IPsec log level option processing set vpn ipsec log level '2' Render Jinja2 template to generate correct log for IPsec for the file /etc/strongswan.d/charon-systemd.conf
2025-03-06ipsec: T7225: fix dynamic generation of IKE DiffieHellmanGroup in iOS profileChristian Breunig
Commit e97d86e ("T6617: T6618: vpn ipsec remote-access: fix profile generators") added a bug when working with DiffieHellmanGroup, it started becoming a boolead and no longer referencing the DH groups itself. This has been fixed.
2025-03-06ipsec: T7225: iOS18+ always requires ExtendedAuthEnabled to be setChristian Breunig
If this is unset, loading the iOS VPN profile will error out on the device giving: Profile Installation Failed configuration is invalid: Missing identity My first assumption was an empty string in LocalIdentifier for IKE, but turned out only adding this flag solved it. This was made optional in commit e97d86e ("T6617: T6618: vpn ipsec remote-access: fix profile generators") but got reverted now.
2025-03-06ipsec: T7225: "generate ipsec profile ios-remote-access" throws UndefinedErrorChristian Breunig
Calling "generate ipsec profile ios-remote-access rw remote ipsec.vyos.net name VYOS-NET profile VYOS" in op-mode causes File "/usr/share/vyos/templates/ipsec/ios_profile.j2", line 58, in top-level template code {% if authentication.client_mode.startswith("eap") %} ^^^^^^^^^^^^^^^^^^^^^^^^^ jinja2.exceptions.UndefinedError: 'dict object' has no attribute 'client_mode'
2025-01-09nhrp: T2326: NHRP migration to FRRaapostoliuk
NHRP migration to FRR
2024-11-21T264: IPsec add base64 encoded secret-type featureViacheslav Hletenko
Add the ability to configure base64 encoded passwords for VPN IPSec site-to-site peers authentication psk PSK secret 'xxxxx==' authentication psk PSK secret-type <base64|plaintext>
2024-08-01Merge pull request #3221 from lucasec/t5873Christian Breunig
T5873: ipsec remote access VPN: support VTI interfaces.
2024-07-30T6617: T6618: vpn ipsec remote-access: fix profile generatorsLucas Christian
2024-07-26T5873: vpn ipsec remote-access: improve child ESP session namingLucas Christian
2024-07-22T5873: vpn ipsec remote-access: support VTI interfacesLucas Christian
2024-07-22T6599: ipsec: support disabling rekey of CHILD_SA.Lucas Christian
Also adds support for life_bytes, life_packets, and DPD for remote-access connections. Changes behavior of remote-access esp-group lifetime setting to have parity with site-to-site connections.
2024-06-09op-mode: T6424: ipsec: honor certificate CN and CA chain during profile ↵Christian Breunig
generation In e6fe6e50a5c ("op-mode: ipsec: T6407: fix profile generation") we fixed support for multiple CAs when dealing with the generation of Apple IOS profiles. This commit extends support to properly include the common name of the server certificate issuer and all it's paren't CAs. A list of parent CAs is automatically generated from the "PKI" subsystem content and embedded into the resulting profile.
2024-05-30op-mode: ipsec: T6407: fix profile generationChristian Breunig
Commit 952b1656f51 ("ipsec: T5606: T5871: Use multi node for CA certificates") added support for multiple CA certificates which broke the OP mode command to generate the IPSec profiles as it did not expect a list and was rather working on a string. Now multiple CAs can be rendered into the Apple IOS profile.
2024-04-21T6237: IPSec remote access VPN: ability to set EAP ID of clientsAlex W
2024-04-11T5871: ipsec remote access VPN: specify "cacerts" for client auth.Lucas Christian
2024-03-11T5872: re-write exit hook to always regenerate configLucas Christian
2024-03-10T5872: fix ipsec dhclient exit hookLucas Christian
2024-03-10T5872: ipsec remote access VPN: support dhcp-interface.Lucas Christian
2024-02-03ipsec: T5998: add replay-windows settingChristian Breunig
The replay_window for child SA will always be 32 (hence enabled). Add a CLI node to explicitly change this. * set vpn ipsec site-to-site peer <name> replay-window <0-2040>
2024-01-17T5953: Changed values of 'close-action' to Strongswan valuesaapostoliuk
Changed the value from 'hold' to 'trap' in the 'close-action' option in the IKE group. Changed the value from 'restart' to 'start' in the 'close-action' option in the IKE group.
2024-01-16T4658: Renamed DPD action value from 'hold' to 'trap'aapostoliuk
Renamed DPD action value from 'hold' to 'trap'
2023-12-30T5870: ipsec remote access VPN: add x509 ("pubkey") authentication.Lucas Christian
2023-02-15ipsec: T4593: Migrate and remove legacy `include-ipsec` nodessarthurdev
Not supported with swanctl
2023-01-26T4916: Rewrite IPsec peer authentication and psk migrationViacheslav Hletenko
Rewrite strongswan IPsec authentication to reflect structure from swanctl.conf The most important change is that more than one local/remote ID in the same auth entry should be allowed replace: 'ipsec site-to-site peer <tag> authentication pre-shared-secret xxx' => 'ipsec authentication psk <tag> secret xxx' set vpn ipsec authentication psk <tag> id '192.0.2.1' set vpn ipsec authentication psk <tag> id '192.0.2.2' set vpn ipsec authentication psk <tag> secret 'xxx' set vpn ipsec site-to-site peer <tag> authentication local-id '192.0.2.1' set vpn ipsec site-to-site peer <tag> authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer <tag> authentication remote-id '192.0.2.2' Add template filter for Jinja2 'generate_uuid4'
2023-01-12T4118: Add default value any for connection remote-idViacheslav Hletenko
If IPsec "peer <tag> authentication remote-id" is not set it should be "%any" by default https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote Set XML default value in use it in the python vpn_ipsec.py script
2022-11-21T4823: Fix IPsec transport mode remote TSViacheslav Hletenko
Remote TS for transport mode GRE must be remote-address and not peer name
2022-10-31ipsec: T4787: add support for road-warrior/remote-access RADIUS timeoutChristian Poessinger
This enabled users to also use 2FA/MFA authentication with a radius backend as there is enough time to enter the second factor.
2022-09-28op-mode: ipsec: T4719: bugfix IKEv2 road-warrior profile generatorChristian Poessinger
Commit bd4588827b ("ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer") changed the CLI syntax of ipsec. This resulted in a node not renamed in the op-mode generator when generating IKEv2 IPSec iOS configuration profiles.
2022-09-20ipsec: T4118: bugfix migration of IKEv2 road-warrior "id" CLI optionChristian Poessinger
The "authentication id" option for road-warriors did not get migrated to the new local-id CLI node. This has been fixed.
2022-09-16Merge pull request #1463 from sever-sever/T4118Daniil Baturin
ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peer
2022-09-16ipsec: T4118: Change vpn ipsec syntax for IKE ESP and peerViacheslav Hletenko
Migration and Change boolean nodes "enable/disable" to disable-xxxx, enable-xxxx and just xxx for VPN IPsec configurations - IKE changes: - replace 'ipsec ike-group <tag> mobike disable' => 'ipsec ike-group <tag> disable-mobike' - replace 'ipsec ike-group <tag> ikev2-reauth yes|no' => 'ipsec ike-group <tag> ikev2-reauth' - ESP changes: - replace 'ipsec esp-group <tag> compression enable' => 'ipsec esp-group <tag> compression' - PEER changes: - replace: 'peer <tag> id xxx' => 'peer <tag> local-id xxx' - replace: 'peer <tag> force-encapsulation enable' => 'peer <tag> force-udp-encapsulation' - add option: 'peer <tag> remote-address x.x.x.x' Add 'peer <name> remote-address <name>' via migration script
2022-08-10dmvpn: T4595: Fix dpd profile optionsViacheslav Hletenko
Fix template for configuration DMVPN IKE profile dead-peer-detection delay and dead-peer-detecion timeout options
2022-05-06ipsec: T4353: use "" quotes on road-warrior idChristian Poessinger
2022-05-02ipsec: T4353: bugfix template extensionChristian Poessinger
2022-05-01ipsec: T4353: fix Jinja2 linting errorsChristian Poessinger
2022-04-25vpn-ipsec: T4398: Fix unexpected passthrough policy for peerViacheslav Hletenko
Set default passtrough list to None to prevent unexpected policy for peers with not overplapped local and remote prefixes
2022-04-13ipsec: T4333: migrate to new vyos_defined Jinja2 testChristian Poessinger
2022-03-24ike-group: T4288 : close-action is missing in swanctl.confsrividya0208
close-action parameter is missing in the swanctl.conf file
2022-02-22Merge pull request #1230 from sever-sever/T1856Christian Poessinger
ipsec: T1856: Ability to set SA life bytes and packets