
sstp not able to run tunnels ipv6 only
Closed, Resolved | Public | BUG

Description

hi,

I tried a minimal sstp config and commit. I got the error message that an ipv4 network for the clients is required.
Why can't I run it with ipv6 only?

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.3-rolling-202006070117
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

rherold created this object in space S1 VyOS Public.
erkin set Issue type to Bug (incorrect behavior). Aug 30 2021, 5:42 AM
erkin removed a subscriber: Active contributors.

To reproduce:

[edit vpn sstp]
vyos@r4-epa1# compare 
[edit vpn sstp]
+authentication {
+    local-users {
+        username foo {
+            password bar
+        }
+    }
+    mode local
+}
+client-ipv6-pool {
+    prefix 2001:db8::/48 {
+    }
+}
+gateway-address 192.168.122.14
+ssl {
+    ca-cert-file /config/user-data/sstp/ca.crt
+    cert-file /config/user-data/sstp/server.crt
+    key-file /config/user-data/sstp/server.key
+}
[edit vpn sstp]
vyos@r4-epa1# commit
[ vpn ]
Note: the IPsec process will not start until you configure some tunnels, profiles, or L2TP/IPsec settings

[ vpn sstp ]
VyOS had an issue completing a command.


Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/vpn_sstp.py", line 109, in <module>
    verify(c)
  File "/usr/libexec/vyos/conf_mode/vpn_sstp.py", line 53, in verify
    if not sstp['client_ip_pool']:
KeyError: 'client_ip_pool'

Viacheslav changed the task status from Open to In progress. Oct 22 2021, 2:31 PM
Viacheslav claimed this task.
Viacheslav changed the subtype of this task from "Task" to "Bug".
Viacheslav added a subscriber: Dmitry.

PR for 1.3 https://github.com/vyos/vyos-1x/pull/1039

set vpn sstp authentication local-users username foo password 'bar'
set vpn sstp authentication mode 'local'
set vpn sstp client-ipv6-pool prefix 2001:db8::/48
set vpn sstp gateway-address '192.168.122.14'
set vpn sstp ssl ca-cert-file '/config/user-data/sstp/ca.crt'
set vpn sstp ssl cert-file '/config/user-data/sstp/server.crt'
set vpn sstp ssl key-file '/config/user-data/sstp/server.key'

Check service:

vyos@r4-epa1# commit
[edit]
vyos@r4-epa1# ps ax | grep sstp
 5863 ?        Ssl    0:00 /usr/sbin/accel-pppd -d -p /run/accel-pppd/sstp.pid -c /run/accel-pppd/sstp.conf
 5901 pts/0    S+     0:00 grep sstp
[edit]
vyos@r4-epa1#

Viacheslav changed the task status from In progress to Needs testing. Oct 22 2021, 3:10 PM

To enable IPv6 only, some new options are required in the CLI, which are not present in 1.3 yet:

set vpn sstp ppp-options ipv4 allow(default)|deny
set vpn sstp ppp-options ipv6 allow|deny|prefer|require

Also, additional modules are required to be loaded in sstp.conf:

[modules]
...
ipv6_nd
ipv6_dhcp
ipv6pool

[PPP]
...
ipv4=deny

It is impossible to check this behavior in 1.4, as it is not working after rewriting certificates to PKI (T3931).

PR for 1.3 https://github.com/vyos/vyos-1x/pull/1060

set vpn sstp authentication local-users username foo password 'bar'
set vpn sstp authentication local-users username foo2 password 'bar2'
set vpn sstp authentication mode 'local'
set vpn sstp client-ipv6-pool prefix 2001:db8::/48
set vpn sstp gateway-address '192.168.122.14'
set vpn sstp ppp-options ipv4 'deny'
set vpn sstp ppp-options ipv6 'allow'
set vpn sstp ssl ca-cert-file '/config/user-data/sstp/ca.crt'
set vpn sstp ssl cert-file '/config/user-data/sstp/server.crt'
set vpn sstp ssl key-file '/config/user-data/sstp/server.key'

Check sessions:

vyos@r4-epa2:~$ show sstp-server s
sessions    statistics  
vyos@r4-epa2:~$ show sstp-server sessions 
ifname | username |          ip           |          ip6          | ip6-dp |   calling-sid   | rate-limit | state  |  uptime  | rx-bytes | tx-bytes 
--------+----------+-----------------------+-----------------------+--------+-----------------+------------+--------+----------+----------+----------
 sstp0  | foo2     | 2001:db8:0:0:200::/64 | 2001:db8:0:0:200::/64 |        | 192.168.122.222 |            | active | 00:00:09 | 735 B    | 506 B
vyos@r4-epa2:~$
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.
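
Added example, not part of the task and not the VyOS code or the fix from the linked PRs: the traceback in this task comes from indexing `sstp['client_ip_pool']` directly, which raises `KeyError` when only an IPv6 pool is configured. The code below contrasts that pattern with a check that tolerates missing keys and also validates the `ppp-options` values mentioned in the comments. The key names `client_ipv6_pool`, `ppp_options` and `subnet`, the `ConfigError` class and the sample dictionaries are assumptions.

```python
class ConfigError(Exception):
    """Operator-facing validation error (stand-in for the project's own type)."""


def verify_buggy(sstp):
    # Pattern shown in the traceback: indexing a key that is absent when only
    # an IPv6 pool is configured raises KeyError instead of a readable error.
    if not sstp['client_ip_pool']:
        raise ConfigError('client IPv4 pool required')


def verify(sstp):
    # 'client_ip_pool' comes from the traceback; 'client_ipv6_pool' and
    # 'ppp_options' are hypothetical keys modelled on the CLI nodes.
    has_v4 = bool(sstp.get('client_ip_pool'))
    has_v6 = bool(sstp.get('client_ipv6_pool'))
    ppp = sstp.get('ppp_options', {})
    ipv4, ipv6 = ppp.get('ipv4', 'allow'), ppp.get('ipv6')

    if ipv4 not in ('allow', 'deny'):
        raise ConfigError(f'invalid ppp-options ipv4 value: {ipv4!r}')
    if ipv6 not in (None, 'allow', 'deny', 'prefer', 'require'):
        raise ConfigError(f'invalid ppp-options ipv6 value: {ipv6!r}')
    if not (has_v4 or has_v6):
        raise ConfigError('a client IPv4 or IPv6 pool is required')
    if ipv4 == 'deny' and not has_v6:
        raise ConfigError('ipv4 is denied but no client IPv6 pool is set')
    if ipv6 == 'require' and not has_v6:
        raise ConfigError('ipv6 is required but no client IPv6 pool is set')
    if ipv4 == 'deny' and ipv6 == 'deny':
        raise ConfigError('both address families are denied')


def outcome(check, sstp):
    """Run a verifier and return 'ok' or the name of the exception raised."""
    try:
        check(sstp)
        return 'ok'
    except (KeyError, ConfigError) as exc:
        return type(exc).__name__


# Constructed sample configurations mirroring the ones in this task.
V6_ONLY = {'client_ipv6_pool': {'prefix': ['2001:db8::/48']},
           'ppp_options': {'ipv4': 'deny', 'ipv6': 'allow'}}
NO_POOL = {'ppp_options': {'ipv4': 'allow'}}
V4_DENIED = {'client_ip_pool': {'subnet': ['192.0.2.0/24']},
             'ppp_options': {'ipv4': 'deny'}}
```

With these samples, `outcome(verify_buggy, V6_ONLY)` reports the unhandled `KeyError` from the report, while `outcome(verify, V6_ONLY)` accepts the IPv6-only configuration.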