IPSec - 1.2 to 1.3 migration failed
Closed, Resolved | Public | BUG

Description

Boot commit failed. This message is in the vyatta log:

[ vpn ]
Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/ipsec-settings.py", line 269, in <module>
    generate(c)
  File "/usr/libexec/vyos/conf_mode/ipsec-settings.py", line 241, in generate
    write_ipsec_ra_conn(data)
  File "/usr/libexec/vyos/conf_mode/ipsec-settings.py", line 162, in write_ipsec_ra_conn
    open(ipsec_ra_conn_file,'w').write(ipsec_ra_conn_txt)
FileNotFoundError: [Errno 2] No such file or directory: '/etc/ipsec.d/tunnels/remote-access'

This is the configuration that is now non-existent:

vpn {
    ipsec {
        ipsec-interfaces {
            interface eth1
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username user1 {
                        password asd2345sad
                    }
                    username user2 {
                        password asd2345sad
                    }
                    username user3 {
                        password asd2345sad
                    }
                }
                mode radius
                radius {
                    server 10.0.10.114 {
                        key xzcvw32452534
                    }
                    server 10.0.10.115 {
                        key xzcvw32452534
                    }
                }
            }
            client-ip-pool {
                start 10.34.42.1
                stop 10.34.42.200
            }
            description RoadWarriors
            dns-servers {
                server-1 10.22.22.254
            }
            idle 1800
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret qwert12345
                }
                ike-lifetime 3600
                lifetime 3600
            }
            outside-address 11.11.11.11
        }
    }
}

Trying some manual fixes to try and get it to take doesn't appear to work:

admin@edge# commit
[ vpn ]
Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/ipsec-settings.py", line 269, in <module>
    generate(c)
  File "/usr/libexec/vyos/conf_mode/ipsec-settings.py", line 241, in generate
    write_ipsec_ra_conn(data)
  File "/usr/libexec/vyos/conf_mode/ipsec-settings.py", line 162, in write_ipsec_ra_conn
    open(ipsec_ra_conn_file,'w').write(ipsec_ra_conn_txt)
FileNotFoundError: [Errno 2] No such file or directory: '/etc/ipsec.d/tunnels/remote-access'

[[vpn]] failed
Commit failed
[edit]
admin@edge# sudo mkdir -p /etc/ipsec.d/tunnels/remote-access
[edit]
admin@edge# commit
[ vpn l2tp ]
Connection to "localhost:2004" failed

[ vpn ]
Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/ipsec-settings.py", line 269, in <module>
    generate(c)
  File "/usr/libexec/vyos/conf_mode/ipsec-settings.py", line 241, in generate
    write_ipsec_ra_conn(data)
  File "/usr/libexec/vyos/conf_mode/ipsec-settings.py", line 162, in write_ipsec_ra_conn
    open(ipsec_ra_conn_file,'w').write(ipsec_ra_conn_txt)
IsADirectoryError: [Errno 21] Is a directory: '/etc/ipsec.d/tunnels/remote-access'

[[vpn]] failed
Commit failed
[edit]
admin@edge# rmdir /etc/ipsec.d/tunnels/remote-access
rmdir: failed to remove '/etc/ipsec.d/tunnels/remote-access': Permission denied
[edit]
admin@edge# sudo rmdir /etc/ipsec.d/tunnels/remote-access
[edit]
admin@edge# commit
[ vpn l2tp ]
Connection to "localhost:2004" failed

[edit]
admin@edge# save

Even after that, the L2TP connection is rejected.

Details

Difficulty level
Unknown (require assessment)
Version
1.3
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
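
The two tracebacks in the description differ only in what exists on disk: first the parent directory of the target file is missing, then `mkdir -p` on the full path turns the file's own name into a directory. The sketch below is an added example, not the VyOS fix and not code from `ipsec-settings.py`; `write_conn_file`, `reproduce`, the scratch root, the sample file content and the 0600 mode are assumptions made for illustration.

```python
import os
import tempfile

def write_conn_file(path, text, mode=0o600):
    """Hypothetical helper: write text to path, creating the parent directory."""
    parent = os.path.dirname(path)
    # First traceback (FileNotFoundError): the parent directory was missing.
    os.makedirs(parent, mode=0o755, exist_ok=True)
    # Second traceback (IsADirectoryError): the file path itself was a directory.
    if os.path.isdir(path):
        raise IsADirectoryError(f"{path} is a directory; only {parent} should be")
    # Write a temp file beside the target, then rename over it atomically so a
    # failed commit never leaves a half-written connection file behind.
    fd, tmp = tempfile.mkstemp(dir=parent, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(tmp, mode)  # assumed mode: readable by the owner only
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return path

def reproduce(root):
    """Replay the report's sequence under a scratch root (constructed paths)."""
    target = os.path.join(root, "etc/ipsec.d/tunnels/remote-access")
    results = {}
    try:  # boot commit: parent directory does not exist
        open(target, "w").write("x")
    except OSError as exc:
        results["plain_open"] = type(exc).__name__
    os.makedirs(target)  # the manual 'mkdir -p' on the full file path
    try:
        open(target, "w").write("x")
    except OSError as exc:
        results["after_mkdir_p"] = type(exc).__name__
    try:  # the helper refuses the directory instead of failing mid-write
        write_conn_file(target, "x")
    except IsADirectoryError:
        results["helper_refuses_dir"] = True
    os.rmdir(target)  # the manual 'rmdir'; the parent directory now remains
    write_conn_file(target, "conn remote-access\n")  # constructed content
    results["fixed_is_file"] = os.path.isfile(target)
    results["fixed_mode"] = oct(os.stat(target).st_mode & 0o777)
    return results

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as scratch:
        print(reproduce(scratch))
```
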

Event Timeline

kroy created this task. Dec 23 2019, 2:56 AM
kroy added a subscriber: Dmitry.

Seems like this is the same issue as in T1918 @Dmitry

Yes, already in latest rolling. @kroy, can you check migration again?

kroy added a comment. Dec 30 2019, 5:10 PM

Will confirm later this afternoon when I am on site and let you know.

kroy changed the task status from Open to Needs testing. Dec 30 2019, 5:12 PM
Dmitry claimed this task. Dec 30 2019, 5:13 PM
c-po added a subscriber: c-po. Dec 30 2019, 7:25 PM

1.2.3 to 1.3 rolling worked fine for me with a similar l2tp radius config.

kroy added a comment. Dec 30 2019, 10:09 PM

@Dmitry Can confirm I was able to upgrade without any errors now. This problem appears to be fixed.

Dmitry closed this task as Resolved. Dec 30 2019, 10:12 PM

@kroy, Great. Thank you.

c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board. Feb 9 2020, 2:16 PM