Page MenuHomeVyOS Platform

VPN Commit Errors
Open, NormalPublicBUG

Description

It seems as though the support for using DHCP interfaces with IPsec VTIs was dropped from 1.2.1 to 1.2.1-s2. Below is the commit error I am receiving:

vyos@pr140002-WalshHQ-1# commit
[ vpn ]
VPN VTI configuration error: Invalid local-address "", an ip address must be specified for VTIs.

[[vpn]] failed
Commit failed
[edit]

The /config/config.boot file that was tested without error in 1.2.1 is now producing errors that we received during 1.2.x EPA testing. The config file used for testing is attached to this ticket.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.1-s2
Why the issue appeared?
Will be filled on close

Related Objects

Event Timeline

ekim created this task.Jul 2 2019, 4:16 PM
pasik added a subscriber: pasik.Jul 5 2019, 9:53 PM
syncer assigned this task to UnicronNL.Aug 30 2019, 11:58 PM
syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.

It reproducible in VyOS 1.3-rolling-202007240117

This situation occurs as the dhcp address has not yet been received, and the VPN configuration is already being applied.

set interfaces ethernet eth1 address dhcp

set interfaces vti vti0 address '10.69.69.1/30'
set vpn ipsec esp-group default compression 'disable'
set vpn ipsec esp-group default lifetime '3600'
set vpn ipsec esp-group default mode 'tunnel'
set vpn ipsec esp-group default pfs 'dh-group14'
set vpn ipsec esp-group default proposal 1 encryption 'aes256'
set vpn ipsec esp-group default proposal 1 hash 'sha256'
set vpn ipsec ike-group default ikev2-reauth 'no'
set vpn ipsec ike-group default key-exchange 'ikev1'
set vpn ipsec ike-group default lifetime '28800'
set vpn ipsec ike-group default proposal 1 dh-group '14'
set vpn ipsec ike-group default proposal 1 encryption 'aes256'
set vpn ipsec ike-group default proposal 1 hash 'sha256'
set vpn ipsec ike-group ikev2 ikev2-reauth 'no'
set vpn ipsec ike-group ikev2 key-exchange 'ikev2'
set vpn ipsec ike-group ikev2 lifetime '28800'
set vpn ipsec ike-group ikev2 proposal 1 dh-group '14'
set vpn ipsec ike-group ikev2 proposal 1 encryption 'aes256'
set vpn ipsec ike-group ikev2 proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec logging log-level '2'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 10.0.0.2 authentication id 'pr140002-WalshHQ-1'
set vpn ipsec site-to-site peer 10.0.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.0.0.2 authentication pre-shared-secret 'password'
set vpn ipsec site-to-site peer 10.0.0.2 authentication remote-id '10.0.0.2'
set vpn ipsec site-to-site peer 10.0.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.0.0.2 default-esp-group 'default'
set vpn ipsec site-to-site peer 10.0.0.2 dhcp-interface 'eth1'
set vpn ipsec site-to-site peer 10.0.0.2 ike-group 'ikev2'
set vpn ipsec site-to-site peer 10.0.0.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.0.0.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.0.0.2 vti esp-group 'default'

vyos@r1-roll# commit
[ vpn ]
VPN VTI configuration error: Invalid local-address "", an ip address must be specified for VTIs.

[[vpn]] failed
Commit failed

If we commit 2 times, it will go fine.

If you already have a DHCP address, then the commit works fine and without errors.