T7343: IPsec add traffic-selector AFI handling for VTI interfaces

[sever-sever]

Change summary

• Support for ipv4, ipv6, and both traffic-selectors modes for VTI interfaces
• Automatically sets local_ts and remote_ts values based on the selected mode
• Defaults to both if not explicitly specified

set vpn ipsec site-to-site peer RIGHT vti bind 'vti1'
set vpn ipsec site-to-site peer RIGHT vti traffic-selectors 'ipv4'

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
• Other (please describe): Add traffic selectors for IPsec VTI interfaces

Related Task(s)

• https://vyos.dev/T7343

Related PR(s)

How to test / Smoketest result

Configure traffic-selectors for VTI, check the strongswan.conf
VyOS configuration:

set vpn ipsec authentication psk PSK id '192.0.2.1'
set vpn ipsec authentication psk PSK id '192.0.2.2'
set vpn ipsec authentication psk PSK secret '1234567890'
set vpn ipsec esp-group ESP-group lifetime '3600'
set vpn ipsec esp-group ESP-group mode 'tunnel'
set vpn ipsec esp-group ESP-group pfs 'enable'
set vpn ipsec esp-group ESP-group proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-group proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-group key-exchange 'ikev2'
set vpn ipsec ike-group IKE-group lifetime '28800'
set vpn ipsec ike-group IKE-group proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-group proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer RIGHT authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer RIGHT authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer RIGHT authentication remote-id '192.0.2.2'
set vpn ipsec site-to-site peer RIGHT connection-type 'initiate'
set vpn ipsec site-to-site peer RIGHT ike-group 'IKE-group'
set vpn ipsec site-to-site peer RIGHT local-address '192.0.2.1'
set vpn ipsec site-to-site peer RIGHT remote-address '192.0.2.2'
set vpn ipsec site-to-site peer RIGHT vti bind 'vti1'
set vpn ipsec site-to-site peer RIGHT vti esp-group 'ESP-group'
set vpn ipsec site-to-site peer RIGHT vti traffic-selectors 'ipv4'

check the strongswan.conf, expected IPv4 only traffic-slectrots:

vyos@r14# cat /etc/swanctl/swanctl.conf | grep _ts
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
[edit]
vyos@r14# 

Smoketest

vyos@r14:~$ /usr/libexec/vyos/tests/smoke/cli/test_vpn_ipsec.py
test_dhcp_fail_handling (__main__.TestVPNIPsec.test_dhcp_fail_handling) ... ok
test_dmvpn (__main__.TestVPNIPsec.test_dmvpn) ... ok
test_flex_vpn_vips (__main__.TestVPNIPsec.test_flex_vpn_vips) ... ok
test_remote_access (__main__.TestVPNIPsec.test_remote_access) ... ok
test_remote_access_dhcp_fail_handling (__main__.TestVPNIPsec.test_remote_access_dhcp_fail_handling) ... ok
test_remote_access_eap_tls (__main__.TestVPNIPsec.test_remote_access_eap_tls) ... ok
test_remote_access_no_rekey (__main__.TestVPNIPsec.test_remote_access_no_rekey) ... ok
test_remote_access_pool_range (__main__.TestVPNIPsec.test_remote_access_pool_range) ... ok
test_remote_access_vti (__main__.TestVPNIPsec.test_remote_access_vti) ... ok
test_remote_access_x509 (__main__.TestVPNIPsec.test_remote_access_x509) ... ok
test_site_to_site (__main__.TestVPNIPsec.test_site_to_site) ... ok
test_site_to_site_vti (__main__.TestVPNIPsec.test_site_to_site_vti) ... ok
test_site_to_site_vti_ts_afi (__main__.TestVPNIPsec.test_site_to_site_vti_ts_afi) ... ok
test_site_to_site_x509 (__main__.TestVPNIPsec.test_site_to_site_x509) ... ok

----------------------------------------------------------------------
Ran 14 tests in 105.016s

OK
vyos@r14:~$ 

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• I have run the components SMOKETESTS if applicable
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

[github-actions]

👍
No issues in PR Title / Commit Title

[sarthurdev]

Code looks good, adds smoketest to verify explicit and default functionality.

[c-po]

As this is not a multi node and it can be either ipv4, ipv6 or both I would use singular for the node name.

@dmbaturin what's your opinion on this?

[sever-sever]

traffic-selectors means many prefixes
Even if it set to IPv4 => 0.0.0.0/0, the remote site could send several prefixes. As and local site as well.

We probably extend it in the future to

x.x.x.x/x
x.x.y.y/x[gre]

this way we’ll have less migrations for naming

[zdc]

Speaking about multi-nodes...

Why not make this a multi-node with only ipv4 and ipv6 values? And activate both if the node is not presented in the config?

[sever-sever]

Why not make this a multi-node with only ipv4 and ipv6 values? And activate both if the node is not presented in the config?

It doesn't make sense now.
By default, without a node, it uses the default value both
If we agree, I'm ready to replace this with /multi.
Just let me know.

[c-po]

Why not make this a multi-node with only ipv4 and ipv6 values? And activate both if the node is not presented in the config?

This is the wrong way. If this should be a multi node, a migrator would be needed to change CLI to add both ipv4 and ipv6 options and not silently setting them under the hood. It should be obvious to the user. I kind of like the idea of a multi node, but it requires additional effort for the migrator and can not be backported to 1.4 as the CLI is fixed.

[github-actions]

CI integration 👍 passed!

Details

CI logs

• CLI Smoketests (no interfaces) 👍 passed
• CLI Smoketests (interfaces only) 👍 passed
• Config tests 👍 passed
• RAID1 tests 👍 passed
• TPM tests 👍 passed