
The `vpn ipsec logging log-modes` option misses the IPsec daemon state check
Open, Requires assessment · Public · BUG

Description

When the `vpn ipsec logging log-modes` option is applied during a configuration commit, the actual state of the IPsec daemons is not checked. As a result, the option is never actually applied during system boot or the initial VPN configuration, because the charon daemon has not yet been started at that point.
For example, on a router with an empty configuration:

set interfaces ethernet eth0 address 192.0.2.2/25
set interfaces vti vti0 address 192.0.2.254/25
set vpn ipsec esp-group e1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group e1 proposal 1 hash 'sha256'
set vpn ipsec ike-group i1 key-exchange 'ikev2'
set vpn ipsec ike-group i1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group i1 proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-modes 'any'
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.0.2.1 default-esp-group 'e1'
set vpn ipsec site-to-site peer 192.0.2.1 ike-group 'i1'
set vpn ipsec site-to-site peer 192.0.2.1 local-address '192.0.2.2'
set vpn ipsec site-to-site peer 192.0.2.1 vti bind 'vti0'

will produce the following output on commit:

vyos@vyos# commit
[ vpn ]
connecting to 'unix:///var/run/charon.ctl' failed: No such file or directory
failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Warning: unable to [Stroking log source any to loglevel 1], received error code 65280

A check for the charon daemon's state should be added, and the option applied only once the daemon (and its stroke control socket) is available.
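The error code 65280 in the warning is a wait()-style status: 65280 >> 8 is 255, so the underlying `ipsec stroke` invocation exited with status 255 because it could not reach the control socket. The following is an added example (not VyOS project code) of what the missing check could look like in a Python configuration script: it waits for the charon control socket at the path printed in the error to exist and be a UNIX socket, and only then issues the stroke command. The `ipsec stroke loglevel <source> <level>` invocation is assumed from the wording "Stroking log source any to loglevel 1" in the warning; the function and parameter names are hypothetical, and the `run` parameter exists so the logic can be exercised without a live daemon.

```python
import os
import stat
import subprocess
import time

# Control socket path taken from the commit error message above.
CHARON_CTL = '/var/run/charon.ctl'


def charon_ready(ctl_path=CHARON_CTL):
    """True once charon has created its stroke control socket.

    Checking that the path is a socket (not just any file) avoids
    a stale regular file or directory being mistaken for a running daemon.
    """
    try:
        return stat.S_ISSOCK(os.stat(ctl_path).st_mode)
    except FileNotFoundError:
        return False


def wait_for_charon(ctl_path=CHARON_CTL, timeout=10.0, interval=0.2):
    """Poll until the socket appears or the timeout elapses.

    Returns True when the daemon is reachable, False on timeout, so the
    caller can decide to defer instead of failing the whole commit.
    """
    deadline = time.monotonic() + timeout
    while True:
        if charon_ready(ctl_path):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


def decode_wait_status(status):
    """Split an os.system()/wait()-style status into (exit_code, signal).

    65280 (0xFF00) decodes to exit code 255 and no signal, i.e. the
    stroke command itself failed, it was not killed.
    """
    return ((status >> 8) & 0xFF, status & 0x7F)


def apply_log_modes(modes, level=1, ctl_path=CHARON_CTL, timeout=10.0,
                    run=subprocess.run):
    """Apply 'vpn ipsec logging log-modes' only when charon is reachable.

    Hypothetical helper: returns a list of (mode, returncode) pairs, or
    raises RuntimeError if the daemon did not come up in time so the
    caller can schedule the setting for after the daemon starts.
    """
    if not wait_for_charon(ctl_path, timeout):
        raise RuntimeError(
            f'charon control socket {ctl_path} not available after '
            f'{timeout}s; log-modes must be applied after the daemon starts')
    results = []
    for mode in modes:
        # Assumed strongSwan invocation, inferred from the warning text.
        cmd = ['ipsec', 'stroke', 'loglevel', mode, str(level)]
        proc = run(cmd, check=False)
        results.append((mode, proc.returncode))
    return results


if __name__ == '__main__':
    print('charon ready:', charon_ready())
    print('65280 decodes to exit code/signal:', decode_wait_status(65280))
```

The timeout path matters in practice: on a fresh boot the VPN configuration may be committed before charon has finished starting, so a bounded wait followed by deferral is safer than either an unconditional stroke (the current behaviour) or an unbounded spin that could hang the commit.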

Details

Difficulty level
Unknown (require assessment)
Version
1.3-rolling-202009230118
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)