DMVPN with IPSec does not work in HUB mode
Closed, Resolved | Public | BUG

Description

If DMVPN uses IPSec, the related configuration for strongSwan is added via /etc/swanctl/swanctl.conf and loaded by reloading the configuration with swanctl -q. So it is not stored inside the strongSwan configuration file permanently and requires reloading with swanctl -q to make the configuration active.
The apply function in ipsec-settings.py contains an ipsec restart operation.

When ipsec-settings.py runs after the DMVPN config (dmvpn-config.pl), it restarts strongSwan and, as a result, removes the DMVPN-related connection configuration.
If VyOS is configured as a spoke, this is not critical, as swanctl -q is additionally run by opennhrp-script, but if it acts as a hub, the DMVPN IPSec configuration will never become active.
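
A way to detect the state described above, where connections exist in /etc/swanctl/swanctl.conf but are no longer loaded after a strongSwan restart. This is an added example, not code from VyOS or the task author; the connection names and sample text are constructed, and the `swanctl --list-conns` layout (unindented `name: ...` lines) is an assumption of the parser.

```python
import re
import subprocess

def conf_connections(conf_text):
    """Names of the entries directly inside the `connections { }` section."""
    names, depth, in_conns, prev = set(), 0, False, None
    text = re.sub(r"#.*", "", conf_text)          # strip comments
    for tok in re.findall(r"[{}]|[^\s{}]+", text):
        if tok == "{":
            if depth == 0:
                in_conns = (prev == "connections")
            elif depth == 1 and in_conns and prev:
                names.add(prev)                   # a connection block opens
            depth += 1
        elif tok == "}":
            depth -= 1
            if depth == 0:
                in_conns = False
        prev = tok
    return names

def loaded_connections(list_conns_output):
    """Connection names from `swanctl --list-conns` (assumed: unindented lines)."""
    return {m.group(1)
            for m in re.finditer(r"^(\S[^:\n]*):", list_conns_output, re.M)}

def missing_after_restart(conf_text, list_conns_output):
    """Connections present on disk but absent from the running daemon."""
    return sorted(conf_connections(conf_text) - loaded_connections(list_conns_output))

def check_and_reload(conf_path="/etc/swanctl/swanctl.conf"):
    """Compare disk and daemon state; run `swanctl -q` if anything is missing."""
    with open(conf_path) as f:
        conf_text = f.read()
    out = subprocess.run(["swanctl", "--list-conns"], capture_output=True,
                         text=True, check=True).stdout
    missing = missing_after_restart(conf_text, out)
    if missing:
        subprocess.run(["swanctl", "-q"], check=True)
    return missing

# Constructed sample input; the names are hypothetical.
SAMPLE_CONF = """connections {
    dmvpn-hub-example { version = 1  children { dmvpn { mode = transport } } }
    site-b-example { version = 2 }   # unrelated connection
}
secrets { ike-dmvpn { secret = "constructed" } }
"""
SAMPLE_LOADED = """site-b-example: IKEv2, no reauthentication, rekeying every 14400s
  local:  %any
"""

if __name__ == "__main__":
    print(missing_after_restart(SAMPLE_CONF, SAMPLE_LOADED))
```

The parser handles only connections defined inline in the text it is given, not files pulled in through include statements.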

Details

Difficulty level: Normal (likely a few hours)
Version: 1.2-rolling-201911021616
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)

Event Timeline

zsdc changed the task status from Open to Confirmed. (Nov 2 2019, 5:09 PM)
zsdc created this task.
syncer assigned this task to dmbaturin. (Nov 2 2019, 9:29 PM)
syncer triaged this task as High priority.
Dmitry added a subscriber: Dmitry. (Nov 3 2019, 2:06 PM)
pasik added a subscriber: pasik. (Nov 4 2019, 9:51 AM)
syncer reassigned this task from dmbaturin to Dmitry. (Nov 16 2019, 11:59 PM)
syncer added a subscriber: dmbaturin.
systo added a subscriber: systo. (Nov 23 2019, 6:21 AM)

For rolling we need to add a small fix to opennhrp.init
https://github.com/vyos/vyos-nhrp/pull/3

syncer changed the task status from Needs testing to Backport pending. (Jan 1 2020, 1:08 PM)
syncer reassigned this task from Dmitry to c-po.
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.5) board.

This was only a problem in rolling and is fixed.

c-po closed this task as Resolved. (Jan 21 2020, 1:27 PM)