If we have wrong configured tunX, e.g. keep tun0 remote-ip x.x.x.x, after commit NHRP-script creates too early iptables rules.
set interfaces tunnel tun0 address '10.0.0.1/24' set interfaces tunnel tun0 encapsulation 'gre' set interfaces tunnel tun0 local-ip '172.16.0.2' set interfaces tunnel tun0 multicast 'enable' set interfaces tunnel tun0 parameters ip key '1' set interfaces tunnel tun0 remote-ip '172.16.2.2' set protocols nhrp tunnel tun0 cisco-authentication 'testPass' set protocols nhrp tunnel tun0 map 10.0.0.2/24 nbma-address '172.16.2.2' set protocols nhrp tunnel tun0 map 10.0.0.2/24 register set protocols nhrp tunnel tun0 multicast 'nhs' set protocols nhrp tunnel tun0 redirect set protocols nhrp tunnel tun0 shortcut
After commit we have failed
vyos@R1# commit [ protocols nhrp ] tun0 is not 'mGRE' tunnel' [[protocols nhrp]] failed Commit failed
If we delete wrong tun0 remote-ip x.x.x.x and commit again, we have error
vyos@R1# delete interfaces tunnel tun0 remote-ip [edit] vyos@R1# commit [ interfaces tunnel tun0 ] No remote-ip configured for tun0, tunnel can only be used for mGRE. [ protocols nhrp tunnel tun0 ] iptables: Chain already exists. System call failed: at /opt/vyatta/sbin/vyos-update-nhrp.pl line 469. [[protocols nhrp]] failed Commit failed