From 0751065ffa2161bedd040197dd51ad6ece5ab19b Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Mon, 28 Jun 2021 22:58:24 +0200
Subject: ipsec: T1441: switch from vti to xfrm interfaces
XFRM interfaces are similar to VTI devices in their basic functionality but offer several advantages:
* No tunnel endpoint addresses have to be configured on the interfaces. Compared to VTIs, which are layer 3 tunnel devices with mandatory endpoints, this resolves issues with wildcard addresses (only one VTI with wildcard endpoints is supported), avoids a 1:1 mapping between SAs and interfaces, and easily allows SAs with multiple peers to share the same interface.
* Because there are no endpoint addresses, IPv4 and IPv6 SAs are supported on the same interface (VTI devices only support one address family).
* IPsec modes other than tunnel are supported (VTI devices only support tunnel mode).
* No awkward configuration via GRE keys and XFRM marks. Instead, a new identifier (XFRM interface ID) links policies and SAs with XFRM interfaces.
---
 python/vyos/ifconfig/vti.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
(limited to 'python')
diff --git a/python/vyos/ifconfig/vti.py b/python/vyos/ifconfig/vti.py
index 9eafcd11b..a217d28ea 100644
--- a/python/vyos/ifconfig/vti.py
+++ b/python/vyos/ifconfig/vti.py
@@ -33,13 +33,11 @@ class VTIIf(Interface):
         # - https://man7.org/linux/man-pages/man8/ip-link.8.html
         # - https://man7.org/linux/man-pages/man8/ip-tunnel.8.html
         mapping = {
-            'source_address' : 'local',
             'source_interface' : 'dev',
-            'remote' : 'remote',
-            'key' : 'key',
         }
-        cmd = 'ip link add {ifname} type vti'
+        if_id = self.ifname.lstrip('vti')
+        cmd = f'ip link add {self.ifname} type xfrm if_id {if_id}'
         for vyos_key, iproute2_key in mapping.items():
             # dict_search will return an empty dict "{}" for valueless nodes like
             # "parameters.nolearning" - thus we need to test the nodes existence
-- 
cgit v1.2.3
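Review bot: `self.ifname.lstrip('vti')` strips any run of the characters v, t and i rather than the literal prefix, so it only yields the intended number because digits are not in that set, and for a bare `vti` name it returns an empty string that is then interpolated unchecked into the `ip link add … if_id {if_id}` command. Prefer an explicit prefix cut with a numeric guard, e.g. `if_id = self.ifname.removeprefix('vti')` (Python 3.9+, else `self.ifname[len('vti'):]`) followed by `if not if_id.isdigit(): raise ValueError(f'cannot derive XFRM if_id from "{self.ifname}"')`, since the derived value is the only thing linking policies and SAs to this interface and a malformed command would otherwise fail late inside iproute2. An `if_id` of 0 (from `vti0`) may also be rejected or treated specially by the kernel's xfrm interface code — worth confirming against the target kernel. The comment block above `mapping` still points at the ip-tunnel(8) man page, which no longer applies to `type xfrm`; the enclosing method starts and ends outside this hunk.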