
IPSec VPN: Add support for `port` to associate with protocol for policies
Closed, Invalid | Public | Feature Request

Description

Summary

Add support for a port to associate with a specific protocol for policy-based tunnels (local and remote traffic selectors)

CLI option:
set vpn ipsec site-to-site peer vpn_03 tunnel 0 port <number/range>

Use case

To pass through traffic from a local service address/port to any remote address/port.

https://docs.strongswan.org/docs/5.9/config/quickstart.html#_for_specific_protocols_andor_ports

Additional information

Strongswan reference:

https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Viacheslav triaged this task as Normal priority.Jun 26 2025, 5:06 PM

Looks like it's already been implemented here:

set vpn ipsec site-to-site peer <name> tunnel <number> protocol tcp
set vpn ipsec site-to-site peer <name> tunnel <number> local port 22

These commands will generate: local_ts = dynamic[tcp/22].

And one important thing: it does not support a range of ports, only a single port. We will probably have to fix this in the future.
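To make the mapping from the CLI above to the strongSwan selector concrete, here is an added, self-contained example (not VyOS's own template code and not part of this task) that renders swanctl.conf traffic selectors from a protocol, a port or port range, and an optional prefix. It assumes the selector syntax documented in the swanctl.conf reference linked in the description: `<subnet|dynamic>[<proto>/<port>]`, where `<port>` is a single port or a `low-high` range and 0 matches any value; rendering a protocol with no port as `[proto]` is this example's choice. The function and section names are hypothetical.

```python
"""Render strongSwan (swanctl.conf) traffic selectors with a proto/port
qualifier, the way a 'tunnel <n> protocol' plus 'local port' setting maps
onto local_ts / remote_ts.

Added illustration, not VyOS's or strongSwan's own code. Assumed syntax
(from the swanctl.conf reference): '<subnet|dynamic>[<proto>/<port>]',
<port> being a single port or a 'low-high' range; 0 means any.
"""
import re
from typing import Optional

# Protocol names strongSwan resolves by name; numeric protocols also accepted.
KNOWN_PROTOS = {"tcp", "udp", "icmp", "sctp", "esp", "gre"}
_RANGE_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port(spec: str) -> tuple[int, int]:
    """Parse '22' or '1024-65535' into (low, high); reject anything else."""
    m = _RANGE_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad port spec {spec!r}: use <port> or <low>-<high>")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not (0 <= low <= 65535 and 0 <= high <= 65535):
        raise ValueError(f"port out of range in {spec!r}")
    if low > high:
        raise ValueError(f"inverted range {spec!r}")
    return low, high


def normalize_proto(proto: str) -> str:
    """Accept a known protocol name or a numeric protocol (0-255)."""
    p = proto.strip().lower()
    if p in KNOWN_PROTOS or (p.isdigit() and 0 <= int(p) <= 255):
        return p
    raise ValueError(f"unknown protocol {proto!r}")


def render_ts(prefix: Optional[str], proto: Optional[str], port: Optional[str]) -> str:
    """Return one traffic selector string.

    prefix None -> 'dynamic' (strongSwan substitutes the tunnel or virtual
    IP), matching the 'dynamic[tcp/22]' reported in the thread when no local
    prefix is configured. A port without a protocol is rejected: the port
    needs a protocol to scope it (the CLI in the thread sets both).
    Protocol without port is rendered as '[proto]' (assumption of this example).
    """
    base = prefix or "dynamic"
    if proto is None:
        if port is not None:
            raise ValueError("a port selector requires a protocol")
        return base
    p = normalize_proto(proto)
    if port is None:
        return f"{base}[{p}]"
    low, high = parse_port(port)
    ports = str(low) if low == high else f"{low}-{high}"
    return f"{base}[{p}/{ports}]"


def render_child(name: str, local_prefix: Optional[str] = None,
                 remote_prefix: Optional[str] = None, proto: Optional[str] = None,
                 local_port: Optional[str] = None,
                 remote_port: Optional[str] = None) -> str:
    """Emit a swanctl.conf 'children' section for one tunnel (hypothetical layout)."""
    local_ts = render_ts(local_prefix, proto, local_port)
    remote_ts = render_ts(remote_prefix, proto, remote_port)
    return (
        "    children {\n"
        f"        {name} {{\n"
        f"            local_ts = {local_ts}\n"
        f"            remote_ts = {remote_ts}\n"
        "            mode = tunnel\n"
        "        }\n"
        "    }\n"
    )


if __name__ == "__main__":
    # The case from the thread: protocol tcp, local port 22, no local prefix.
    print(render_child("peer_vpn_03_tunnel_0", proto="tcp", local_port="22",
                       remote_prefix="0.0.0.0/0"))
    # A port range: accepted by the swanctl selector syntax, but (per the
    # thread) not yet by the VyOS CLI, which takes a single port only.
    print(render_ts("10.0.0.0/24", "udp", "1024-65535"))
```

The range case is the one to watch when checking a rendered config: a single port becomes `tcp/22`, a range becomes `udp/1024-65535`, and anything outside 0-65535 or with an inverted range should be rejected before it reaches swanctl rather than silently producing a selector that matches more than intended.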