I, within the past month, bought myself an EdgeRouter X because it was a great price for such a wonderful router, so I wanted to say thank you very much Ubiquiti for such a great and low cost but powerful little router. It's made me get back to reality with good routing and security methods, including IPsec and OpenVPN.
I had noticed that IKEv2 support works great, and yet still has some missing functionality that I would very much like to see.
First, the easiest one. No matter what, it seems that you cannot set any site-to-site to be auto=start mode, meaning it always tries to stay connected, and reconnect when the connection drops. It's set to auto=route, which means local traffic has to be going out towards the subnets on each site-to-site configuration before it itself reconnects. This kind of problem has led to others writing these crazy scripts that cause extra ping traffic to poll the endpoint and check if it's there, and restart ipsec and re-establish the connection. At the same time, those pings also keep "activity" through, but only just...
I would like to be able to configure my IPsec tunnels to always reconnect with auto=start. I've done this on the reverse side, where my endpoints are running on CentOS 7 with strongSwan, but this kind of setup obviously wouldn't work as consistently with an EdgeRouter<->EdgeRouter setup.
Second would be the use of VTI on dynamic WAN IPs. I have a dynamic IP address for my home and thus use local-address default to automatically utilize the existing IP of the WAN for IPsec. VTI throws errors because it expects an IP address specifically, or it will refuse to commit it.
Lastly, the biggest one of them all. IKEv2 (and later versions of IKEv1) supports multiple subnets in leftsubnet and rightsubnet in ipsec.conf, and as a result they negotiate routes bilaterally to each endpoint. Currently EdgeOS 1.9.0 (on ER-X) does not support multiple subnet definitions, and so it's limited to 1 subnet, or 0.0.0.0/0 (or a broader subnet mask if applicable). 0.0.0.0/0 is of course dangerous if the other side is not configured correctly and specifically, as it could potentially route all outbound traffic over the VPN as well and not just the associated subnets desired. On my CentOS endpoints, I specifically set multiple subnets I intend for routing over the IPsec tunnel, but I currently have to use 0.0.0.0/0 on my ER-X endpoint to account for specific routes.
Anyway, great product, and I hope to see some or all of these features included sometime.
--
Eric Renfro (Psi-Jack)
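An added example, not part of the original post or of EdgeOS/strongSwan: a small Python audit that parses a constructed strongSwan-style ipsec.conf like the CentOS side described above and flags the two configuration points raised in the post, a conn that is not auto=start and a 0.0.0.0/0 traffic selector. Conn names, addresses and subnets are made up for the example.

```python
import re

# Constructed sample ipsec.conf (strongSwan syntax): "hq" mirrors the CentOS
# endpoint in the post (auto=start, explicit subnets); "erx" mirrors the ER-X
# workaround (auto=route, 0.0.0.0/0). Names and addresses are made up.
SAMPLE_IPSEC_CONF = """\
conn hq
    keyexchange=ikev2
    auto=start
    left=203.0.113.10
    leftsubnet=10.10.0.0/24,10.10.1.0/24
    rightsubnet=10.20.0.0/24,10.20.5.0/24
conn erx
    keyexchange=ikev2
    auto=route
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    rightsubnet=10.10.0.0/24
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for each 'conn' section (minimal grammar)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:  # a new 'conn <name>' header starts a section
            current = m.group(1)
            conns[current] = {}
        elif current and line[0] in " \t" and "=" in line:  # indented key=value
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def audit_conns(conns):
    """Per conn, list the issues the post raises: not auto=start, or 0.0.0.0/0."""
    findings = {}
    for name, opts in conns.items():
        issues = []
        if opts.get("auto") != "start":  # tunnel only comes up on demand
            issues.append("auto=%s: tunnel is not kept up" % opts.get("auto", "unset"))
        for side in ("leftsubnet", "rightsubnet"):
            subnets = [s.strip() for s in opts.get(side, "").split(",")]
            if "0.0.0.0/0" in subnets:  # default-route selector, may pull all traffic
                issues.append("%s=0.0.0.0/0: may route all traffic into the tunnel" % side)
        findings[name] = issues
    return findings
```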