
VPN Commit Errors
Closed, Resolved | Public | BUG

Description

It seems as though the support for using DHCP interfaces with IPsec VTIs was dropped from 1.2.1 to 1.2.1-s2. Below is the commit error I am receiving:

vyos@pr140002-WalshHQ-1# commit
[ vpn ]
VPN VTI configuration error: Invalid local-address "", an ip address must be specified for VTIs.

[[vpn]] failed
Commit failed
[edit]

The /config/config.boot file that was tested without error in 1.2.1 is now producing errors that we received during 1.2.x EPA testing. The config file used for testing is attached to this ticket.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.1-s2
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Related Objects

Event Timeline

syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.

It is reproducible in VyOS 1.3-rolling-202007240117.

This situation occurs because the DHCP address has not yet been received while the VPN configuration is already being applied.

set interfaces ethernet eth1 address dhcp

set interfaces vti vti0 address '10.69.69.1/30'
set vpn ipsec esp-group default compression 'disable'
set vpn ipsec esp-group default lifetime '3600'
set vpn ipsec esp-group default mode 'tunnel'
set vpn ipsec esp-group default pfs 'dh-group14'
set vpn ipsec esp-group default proposal 1 encryption 'aes256'
set vpn ipsec esp-group default proposal 1 hash 'sha256'
set vpn ipsec ike-group default ikev2-reauth 'no'
set vpn ipsec ike-group default key-exchange 'ikev1'
set vpn ipsec ike-group default lifetime '28800'
set vpn ipsec ike-group default proposal 1 dh-group '14'
set vpn ipsec ike-group default proposal 1 encryption 'aes256'
set vpn ipsec ike-group default proposal 1 hash 'sha256'
set vpn ipsec ike-group ikev2 ikev2-reauth 'no'
set vpn ipsec ike-group ikev2 key-exchange 'ikev2'
set vpn ipsec ike-group ikev2 lifetime '28800'
set vpn ipsec ike-group ikev2 proposal 1 dh-group '14'
set vpn ipsec ike-group ikev2 proposal 1 encryption 'aes256'
set vpn ipsec ike-group ikev2 proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec logging log-level '2'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 10.0.0.2 authentication id 'pr140002-WalshHQ-1'
set vpn ipsec site-to-site peer 10.0.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.0.0.2 authentication pre-shared-secret 'password'
set vpn ipsec site-to-site peer 10.0.0.2 authentication remote-id '10.0.0.2'
set vpn ipsec site-to-site peer 10.0.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.0.0.2 default-esp-group 'default'
set vpn ipsec site-to-site peer 10.0.0.2 dhcp-interface 'eth1'
set vpn ipsec site-to-site peer 10.0.0.2 ike-group 'ikev2'
set vpn ipsec site-to-site peer 10.0.0.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.0.0.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.0.0.2 vti esp-group 'default'

vyos@r1-roll# commit
[ vpn ]
VPN VTI configuration error: Invalid local-address "", an ip address must be specified for VTIs.

[[vpn]] failed
Commit failed

If we commit 2 times, it will go fine.

If you already have a DHCP address, then the commit works fine and without errors.
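
The condition described in the comment above, as an added example that is not part of the ticket or of VyOS's own code: a standalone Python check that parses `set` commands and reports VTI peers whose `dhcp-interface` has no address yet, the state in which the commit fails. The function names and the `lease_by_interface` mapping are assumptions standing in for live interface state, and the 10.0.0.3 peer is constructed for contrast.

```python
import shlex
from collections import defaultdict

# Constructed sample: a subset of the "set" commands from the report above,
# plus one constructed peer (10.0.0.3) that uses a static local-address.
SAMPLE_CONFIG = """\
set interfaces ethernet eth1 address dhcp
set interfaces vti vti0 address '10.69.69.1/30'
set vpn ipsec site-to-site peer 10.0.0.2 dhcp-interface 'eth1'
set vpn ipsec site-to-site peer 10.0.0.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 10.0.0.3 local-address '192.0.2.10'
set vpn ipsec site-to-site peer 10.0.0.3 vti bind 'vti1'
"""

PEER_PATH = ["set", "vpn", "ipsec", "site-to-site", "peer"]


def parse_peers(config_text):
    """Collect per-peer settings from 'set vpn ipsec site-to-site peer ...' lines."""
    peers = defaultdict(dict)
    for line in config_text.splitlines():
        tokens = shlex.split(line)  # also strips the single quotes around values
        if tokens[:5] != PEER_PATH or len(tokens) < 8:
            continue
        peer, key, value = tokens[5], " ".join(tokens[6:-1]), tokens[-1]
        peers[peer][key] = value
    return dict(peers)


def vti_local_address_problems(peers, lease_by_interface):
    """Return {peer: reason} for VTI peers whose local address would be empty.

    lease_by_interface (hypothetical input) maps interface name to its current
    IPv4 address, or None when the DHCP lease has not been received yet.
    """
    problems = {}
    for peer, cfg in sorted(peers.items()):
        if "vti bind" not in cfg:
            continue  # the VTI local-address check only applies to VTI peers
        if cfg.get("local-address"):
            continue  # static local address, nothing to resolve
        iface = cfg.get("dhcp-interface")
        if iface is None:
            problems[peer] = "no local-address or dhcp-interface set"
        elif not lease_by_interface.get(iface):
            problems[peer] = f"dhcp-interface {iface} has no lease yet"
    return problems


if __name__ == "__main__":
    peers = parse_peers(SAMPLE_CONFIG)
    print(vti_local_address_problems(peers, {"eth1": None}))
    print(vti_local_address_problems(peers, {"eth1": "198.51.100.7"}))
```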

dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).