VyOS Platform

The swanctl.conf file does not generate properly
Backport candidate, Normal, Public, Bug

Description

IPsec VPN profiles use swanctl.conf for configuration. If we add more than one profile, this file is not generated properly.
An example:

set vpn ipsec esp-group ESP01 compression 'disable'
set vpn ipsec esp-group ESP01 lifetime '3600'
set vpn ipsec esp-group ESP01 mode 'tunnel'
set vpn ipsec esp-group ESP01 pfs 'dh-group14'
set vpn ipsec esp-group ESP01 proposal 10 encryption 'aes256'
set vpn ipsec esp-group ESP01 proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE01 ikev2-reauth 'no'
set vpn ipsec ike-group IKE01 key-exchange 'ikev2'
set vpn ipsec ike-group IKE01 lifetime '28800'
set vpn ipsec ike-group IKE01 proposal 10 dh-group '14'
set vpn ipsec ike-group IKE01 proposal 10 encryption 'aes256'
set vpn ipsec ike-group IKE01 proposal 10 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile DMVPN-SPOKE10 authentication mode 'pre-shared-secret'
set vpn ipsec profile DMVPN-SPOKE10 authentication pre-shared-secret 'SECRET'
set vpn ipsec profile DMVPN-SPOKE10 bind tunnel 'tun10'
set vpn ipsec profile DMVPN-SPOKE10 esp-group 'ESP01'
set vpn ipsec profile DMVPN-SPOKE10 ike-group 'IKE01'
set vpn ipsec profile DMVPN-SPOKE11 authentication mode 'pre-shared-secret'
set vpn ipsec profile DMVPN-SPOKE11 authentication pre-shared-secret 'SECRET'
set vpn ipsec profile DMVPN-SPOKE11 bind tunnel 'tun11'
set vpn ipsec profile DMVPN-SPOKE11 esp-group 'ESP01'
set vpn ipsec profile DMVPN-SPOKE11 ike-group 'IKE01'

And the generated swanctl.conf:

# generated by /opt/vyatta/sbin/dmvpn-config.pl

connections {
	dmvpn-DMVPN-SPOKE10-tun10 {
		proposals = aes256-sha256-modp2048
		version = 2
		rekey_time = 28800s
		keyingtries = 0
		local {
			auth = psk
		}
		remote {
			auth = psk
		}
		children {
			dmvpn {
				esp_proposals = aes256-sha256-modp2048
				rekey_time = 3600s
				rand_time = 540s
				local_ts = dynamic[gre]
				remote_ts = dynamic[gre]
				mode = tunnel
			}
		}
	}
}
secrets {
	ike-dmvpn-tun10 {
		secret = SECRET
	}
}
	dmvpn-DMVPN-SPOKE11-tun11 {
		proposals = aes256-sha256-modp2048
		version = 2
		rekey_time = 28800s
		keyingtries = 0
		local {
			auth = psk
		}
		remote {
			auth = psk
		}
		children {
			dmvpn {
				esp_proposals = aes256-sha256-modp2048
				rekey_time = 3600s
				rand_time = 540s
				local_ts = dynamic[gre]
				remote_ts = dynamic[gre]
				mode = tunnel
			}
		}
	}
}
secrets {
	ike-dmvpn-tun11 {
		secret = SECRET
	}
}

One connections { header is missing, so the file is not loaded by strongSwan:

/etc/swanctl/swanctl.conf:54: syntax error, unexpected '}', expecting $end or NAME or NEWLINE [}]
invalid config file '/etc/swanctl/swanctl.conf'
no authorities found, 0 unloaded
no pools found, 0 unloaded
no connections found, 0 unloaded
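The report above shows the generator emitting a separate connections/secrets pair per profile and dropping the connections { header from the second one, which leaves a stray closing brace that swanctl's parser rejects. The following is an added example, not VyOS's dmvpn-config.pl or any other project code: a Python renderer that takes the profiles, IKE group and ESP group from the configuration above (constructed here as dicts, with an assumed dh-group-to-strongSwan-name table) and emits exactly one connections { } block and one secrets { } block however many profiles there are, plus a minimal brace checker that reports the first unmatched '}' the way the swanctl error message does. The constructed BROKEN sample reproduces the shape of the faulty file with the body lines shortened.

```python
"""Render a strongSwan swanctl.conf for several VyOS-style IPsec profiles
and check that the result has balanced section braces.

Added example; not VyOS project code. The dicts below are constructed
from the 'set vpn ipsec ...' commands in the report.
"""

# Assumed mapping from VyOS dh-group numbers to strongSwan proposal names.
DH_GROUPS = {"14": "modp2048", "19": "ecp256", "20": "ecp384"}

# Constructed sample input (mirrors ike-group IKE01 / esp-group ESP01 above).
IKE_GROUPS = {
    "IKE01": {"key_exchange": "ikev2", "lifetime": 28800,
              "proposals": [{"encryption": "aes256", "hash": "sha256", "dh_group": "14"}]},
}
ESP_GROUPS = {
    "ESP01": {"lifetime": 3600, "mode": "tunnel", "pfs": "dh-group14",
              "proposals": [{"encryption": "aes256", "hash": "sha256"}]},
}
PROFILES = {
    "DMVPN-SPOKE10": {"tunnel": "tun10", "psk": "SECRET", "ike_group": "IKE01", "esp_group": "ESP01"},
    "DMVPN-SPOKE11": {"tunnel": "tun11", "psk": "SECRET", "ike_group": "IKE01", "esp_group": "ESP01"},
}


def ike_proposals(group):
    """IKE proposal string, e.g. aes256-sha256-modp2048."""
    return ",".join(f"{p['encryption']}-{p['hash']}-{DH_GROUPS[p['dh_group']]}"
                    for p in group["proposals"])


def esp_proposals(group):
    """ESP proposal string; the PFS group is appended when pfs is dh-groupN."""
    pfs = group.get("pfs", "disable")
    suffix = "-" + DH_GROUPS[pfs[len("dh-group"):]] if pfs.startswith("dh-group") else ""
    return ",".join(f"{p['encryption']}-{p['hash']}{suffix}" for p in group["proposals"])


def render_swanctl(profiles, ike_groups, esp_groups):
    """Return the full swanctl.conf text.

    All connections are collected first and written inside ONE connections { }
    section, then all PSKs inside ONE secrets { } section. This is the
    invariant the faulty output in the report violates.
    """
    conns, secrets = [], []
    for name, prof in profiles.items():
        ike = ike_groups[prof["ike_group"]]
        esp = esp_groups[prof["esp_group"]]
        tun = prof["tunnel"]
        conns.append("\n".join([
            f"\tdmvpn-{name}-{tun} {{",
            f"\t\tproposals = {ike_proposals(ike)}",
            f"\t\tversion = {2 if ike['key_exchange'] == 'ikev2' else 1}",
            f"\t\trekey_time = {ike['lifetime']}s",
            "\t\tkeyingtries = 0",
            "\t\tlocal {\n\t\t\tauth = psk\n\t\t}",
            "\t\tremote {\n\t\t\tauth = psk\n\t\t}",
            "\t\tchildren {",
            "\t\t\tdmvpn {",
            f"\t\t\t\tesp_proposals = {esp_proposals(esp)}",
            f"\t\t\t\trekey_time = {esp['lifetime']}s",
            # rand_time = 15% of the child lifetime, as in the report (540s for 3600s)
            f"\t\t\t\trand_time = {esp['lifetime'] * 15 // 100}s",
            "\t\t\t\tlocal_ts = dynamic[gre]",
            "\t\t\t\tremote_ts = dynamic[gre]",
            f"\t\t\t\tmode = {esp['mode']}",
            "\t\t\t}",
            "\t\t}",
            "\t}",
        ]))
        secrets.append(f"\tike-dmvpn-{tun} {{\n\t\tsecret = {prof['psk']}\n\t}}")
    return ("connections {\n" + "\n".join(conns) + "\n}\n"
            "secrets {\n" + "\n".join(secrets) + "\n}\n")


def check_braces(text):
    """Structural sanity check before handing the file to strongSwan.

    Returns (True, None) when every '}' closes an open section and nothing is
    left open, otherwise (False, line_number) for the first stray '}' (or
    (False, None) if sections are left unclosed at end of file).
    """
    depth = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()   # ignore comments
        if stripped.endswith("{"):
            depth += 1
        elif stripped == "}":
            depth -= 1
            if depth < 0:
                return False, lineno
    return (depth == 0), None


# Constructed, shortened copy of the faulty output from the report: the second
# connection has no 'connections {' header but keeps its own closing brace.
BROKEN = """connections {
\tdmvpn-DMVPN-SPOKE10-tun10 {
\t\tversion = 2
\t}
}
secrets {
\tike-dmvpn-tun10 {
\t\tsecret = SECRET
\t}
}
\tdmvpn-DMVPN-SPOKE11-tun11 {
\t\tversion = 2
\t}
}
secrets {
\tike-dmvpn-tun11 {
\t\tsecret = SECRET
\t}
}
"""

if __name__ == "__main__":
    print(render_swanctl(PROFILES, IKE_GROUPS, ESP_GROUPS))
    print("rendered:", check_braces(render_swanctl(PROFILES, IKE_GROUPS, ESP_GROUPS)))
    print("broken sample:", check_braces(BROKEN))
```

On the constructed BROKEN sample the checker stops at line 14, the stray "}" that follows the second connection; in the real file quoted in the report that same brace is the 54th line, which is exactly where swanctl reported "syntax error, unexpected '}'". Running the checker (or simply `swanctl --load-all` against a temporary copy) before installing the file is a cheap way to catch a regenerated config that would otherwise leave the router with zero loaded connections.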

Details

Difficulty level: Unknown (require assessment)
Version: 1.2.4
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)

Event Timeline

zsdc created this task. Mar 2 2020, 3:29 PM
pasik added a subscriber: pasik. Mar 2 2020, 10:08 PM
syncer assigned this task to c-po. Mar 28 2020, 11:53 AM
syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
c-po added a subscriber: Dmitry. Apr 8 2020, 7:59 PM

Re-assigning to @Dmitry after checking with him as he's more experienced here.

c-po reassigned this task from c-po to Dmitry. Apr 8 2020, 7:59 PM
c-po added a subscriber: c-po.
Dmitry changed the task status from Needs testing to Backport candidate. Fri, Jun 12, 9:59 AM
Dmitry added a project: Ready for Crux (1.2.x).

Successfully tested on 1.3-rolling-202006120643