Conversation

@alexandr-san4ez
Contributor

Change summary

When ESP was configured in transport mode for GRE-based site-to-site tunnels, the default value dynamic was automatically injected into the configuration, even though prefixes must not be set in transport mode. This led to the error "Local/remote prefix cannot be used with ESP transport mode" and commit failures.

This fix updates the configuration logic to skip default prefix assignment for site-to-site peers using ESP transport mode tunnels.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

How to test / Smoketest result

Manual test:

conf
set interfaces tunnel tun10 address '10.0.0.1/30'
set interfaces tunnel tun10 encapsulation 'gre'
set interfaces tunnel tun10 remote '203.0.113.10'
set interfaces tunnel tun10 source-address '172.168.99.2'
set vpn ipsec authentication psk peer1 id '172.168.99.2'
set vpn ipsec authentication psk peer1 id '203.0.113.10'
set vpn ipsec authentication psk peer1 secret 'myStrongSecret123!'
set vpn ipsec esp-group ESP_POLICY3 lifetime '3600'
set vpn ipsec esp-group ESP_POLICY3 mode 'transport'
set vpn ipsec esp-group ESP_POLICY3 pfs 'dh-group14'
set vpn ipsec esp-group ESP_POLICY3 proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP_POLICY3 proposal 10 hash 'sha1'
set vpn ipsec ike-group IKE_POLICY2 close-action 'none'
set vpn ipsec ike-group IKE_POLICY2 dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE_POLICY2 dead-peer-detection interval '10'
set vpn ipsec ike-group IKE_POLICY2 key-exchange 'ikev2'
set vpn ipsec ike-group IKE_POLICY2 lifetime '28800'
set vpn ipsec ike-group IKE_POLICY2 proposal 10 dh-group '5'
set vpn ipsec ike-group IKE_POLICY2 proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE_POLICY2 proposal 10 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer peer1 authentication local-id '172.168.99.2'
set vpn ipsec site-to-site peer peer1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer1 authentication remote-id '203.0.113.10'
set vpn ipsec site-to-site peer peer1 connection-type 'initiate'
set vpn ipsec site-to-site peer peer1 default-esp-group 'ESP_POLICY3'
set vpn ipsec site-to-site peer peer1 ike-group 'IKE_POLICY2'
set vpn ipsec site-to-site peer peer1 local-address '172.168.99.2'
set vpn ipsec site-to-site peer peer1 remote-address '203.0.113.10'
set vpn ipsec site-to-site peer peer1 tunnel 10 protocol 'gre'
commit

Smoketest:

vyos@vyos:~$ /usr/libexec/vyos/tests/smoke/cli/test_vpn_ipsec.py -k site_to_site_gre_over_ipsec
test_site_to_site_gre_over_ipsec (__main__.TestVPNIPsec.test_site_to_site_gre_over_ipsec)
Test GRE over IPsec site‑to‑site configuration with transport mode ESP ... ok
----------------------------------------------------------------------
Ran 1 test in 10.632s
OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
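As an added illustration (example code, not vyos-1x's own implementation): a Python model of the default-prefix decision this PR describes, showing the pre-fix and fixed behaviour side by side. The config-dict layout, the helper names and the extra ESP_TUNNEL group are assumptions; the peer and ESP_POLICY3 group mirror the manual test above.

```python
import copy
# Constructed esp-groups and peer mirroring the CLI from the manual test above; the
# dict layout, helper names and ESP_TUNNEL group are this example's assumptions.
ESP_GROUPS = {
    'ESP_POLICY3': {'mode': 'transport', 'lifetime': '3600'},
    'ESP_TUNNEL': {'mode': 'tunnel', 'lifetime': '3600'},
}
PEER1 = {
    'default_esp_group': 'ESP_POLICY3',
    'tunnel': {
        '10': {'protocol': 'gre'},                             # peer default: transport
        '20': {'protocol': 'gre', 'esp_group': 'ESP_TUNNEL'},  # per-tunnel override
    },
}
TRANSPORT_ERROR = 'Local/remote prefix cannot be used with ESP transport mode'

def esp_mode(peer, tunnel, esp_groups=ESP_GROUPS):
    """Resolve the esp-group a tunnel uses (own override, else peer default)."""
    group = tunnel.get('esp_group', peer.get('default_esp_group'))
    if group is None:
        raise ValueError('tunnel has no esp-group and peer has no default-esp-group')
    return esp_groups[group].get('mode', 'tunnel')

def apply_default_prefixes(peer, esp_groups=ESP_GROUPS, skip_transport=True):
    """Inject the 'dynamic' default prefix where none is set; returns a new dict.
    skip_transport=False reproduces the behaviour this PR fixes."""
    peer = copy.deepcopy(peer)
    for tunnel in peer['tunnel'].values():
        if skip_transport and esp_mode(peer, tunnel, esp_groups) == 'transport':
            continue  # the fix: transport-mode tunnels get no prefix defaults
        for side in ('local', 'remote'):
            tunnel.setdefault(side, {}).setdefault('prefix', 'dynamic')
    return peer

def verify(peer, esp_groups=ESP_GROUPS):
    """Commit-time check: a transport-mode tunnel must carry no prefixes."""
    for tunnel in peer['tunnel'].values():
        has_prefix = any('prefix' in tunnel.get(s, {}) for s in ('local', 'remote'))
        if has_prefix and esp_mode(peer, tunnel, esp_groups) == 'transport':
            raise ValueError(TRANSPORT_ERROR)
    return peer

def commit_error(peer, esp_groups=ESP_GROUPS, skip_transport=True):
    """Run default injection then verify; return the error text or None."""
    try:
        verify(apply_default_prefixes(peer, esp_groups, skip_transport), esp_groups)
    except ValueError as exc:
        return str(exc)
    return None
```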

…ransport mode tunnels

When ESP was configured in transport mode for GRE-based site-to-site tunnels,
the default value `dynamic` was automatically injected into the configuration,
even though prefixes must not be set in transport mode. This led to the error
"Local/remote prefix cannot be used with ESP transport mode" and commit failures.

This fix updates the configuration logic to skip default prefix assignment
for site-to-site peers using ESP transport mode tunnels.
@github-actions

github-actions bot commented Dec 4, 2025

👍
No issues in PR Title / Commit Title

@github-actions

github-actions bot commented Dec 4, 2025

CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests VPP 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • Config tests VPP 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed
