Limitations and restrictions
Security improvements have been made in this release; however, some limitations still exist.
IPv6 is not supported on the 40G Fortville NIC.
VXLAN tunnels do not currently work with a multicast transport, so the command set interfaces vxlan xxx transport multicast-group does not work.
A vxlan-gpe tunnel cannot be added to a bridge-group due to an underlying kernel issue.
Although the OS supports IKEv1, Vyatta strongly recommends using IKEv2 to avoid security vulnerabilities associated with IKEv1, such as reflector and amplifier DoS attacks.
VRRP in RFC compatibility mode does not work fully on VRFs. Without RFC compatibility mode, VRRP works with VRFs; use this configuration as the workaround.
The IPsec remote-id hostname behavior has changed from the 5400 vRouter because the underlying strongSwan implementation has changed. By default, the new behavior is not to convert an FQDN given as the remote ID to an IP address. This is described by the following passage:
If the string begins with @ the type is set to FQDN and the encoding is the literal string after that prefix. In versions before 5.0.0 this prefix prevents that a FQDN is resolved into an IP address, current versions don't automatically resolve FQDNs when parsing identities.
For more details, see https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing.