Page MenuHomeVyOS Platform

Fix various 'show vpn' commands that no longer function correctly
Closed, ResolvedPublic


For example:

'show vpn ike sa' always returns nothing, regardless of any active SAs.
'show vpn ipsec sa' now returns rather less meaningful output.

The root cause is the upgrade of strongswan with the upgrade from vyos 1.1 to 1.2.

In a similar vein, there are various other vpn show commands and helper functions that aren't clearly exposed by the interface.

I've re-worked various bits, and will submit a pull request with more information.


Difficulty level
Normal (likely a few hours)
Why the issue appeared?
Will be filled on close

Event Timeline

There's a pull request against vyatta-op-vpn that implements all of this.

is your fix already in 'vyos-999.201707272138-amd64.iso'? I get in this version:

$ show vpn ike sa
Bareword found where operator expected at /opt/vyatta/share/perl5/Vyatta/VPN/ line 869, near "display_ipsec_sa_brief"
        (Missing semicolon on previous line?)
syntax error at /opt/vyatta/share/perl5/Vyatta/VPN/ line 865, near "1 )"
syntax error at /opt/vyatta/share/perl5/Vyatta/VPN/ line 866, near "};"
Global symbol "%tmphash" requires explicit package name at /opt/vyatta/share/perl5/Vyatta/VPN/ line 869.
syntax error at /opt/vyatta/share/perl5/Vyatta/VPN/ line 870, near "}"
syntax error at /opt/vyatta/share/perl5/Vyatta/VPN/ line 882, near "}"
syntax error at /opt/vyatta/share/perl5/Vyatta/VPN/ line 888, near "}"
syntax error at /opt/vyatta/share/perl5/Vyatta/VPN/ line 894, near "}"
Can't use global @_ in "my" at /opt/vyatta/share/perl5/Vyatta/VPN/ line 898, near "pop(@_"
Global symbol "$peerid" requires explicit package name at /opt/vyatta/share/perl5/Vyatta/VPN/ line 899.
syntax error at /opt/vyatta/share/perl5/Vyatta/VPN/ line 901, near "}"
/opt/vyatta/share/perl5/Vyatta/VPN/ has too many errors.
Compilation failed in require at /opt/vyatta/bin/sudo-users// line 28.
BEGIN failed--compilation aborted at /opt/vyatta/bin/sudo-users// line 28.

and the same in 'show vpn ike status'. At the moment one IKEv2 Site-to-Site tunnel is in use.

Hi Line2.

I've just looked, and no... doesn't look like my pull request has been pulled into the mainline yet.

If you were desparate for the nightly to be less broken right away , then you can fix that file with just a single character change, for what it's worth, on /opt/vyatta/share/perl5/Vyatta/VPN/ - line 865 (i think, according to your stack-trace)- a '>' should be a '}', or you could replace it entirely with the file here:

That won't get all of the other commands fixed, but I think it would make show vpn ike sa function from memory.

Hopefully, though, the pull request will be pulled through shortly, and then things should be better.

@UnicronNL , @dmbaturin - any chance of pulling this one swiftly so that Line2 can use the nightly?

Hi Jules

Thanks for your fix. I edited the file, the error is gone, 'show vpn ike sa' gives empty output now. No problem for me at the moment as I leave for holiday today. I will try the newest nightly in 2weeks.

syncer triaged this task as Normal priority.Aug 1 2017, 2:50 AM
syncer moved this task from Need Triage to In Progress on the VyOS 1.2 Crux board.
syncer changed the edit policy from "Custom Policy" to "Custom Policy".
syncer edited subscribers, added: Maintainers, Sentrium; removed: dmbaturin, UnicronNL.

Right. Pull request merged. I'll make sure that it's all working once it's made it to the nightlies, and then close this one.

OK. Minor tweaks - actually wired 'show vpn ipsec sa' to use the pretty-print code, rather than just calling swanctl to get half a page of ugliness.

Secondly, 'show vpn ike sa' wasn't showing any output at all when a tunnel was configured but not completing phase 1. There's not much information available at that point, but at least it shows the ike as being 'down' at this point.

I'll submit a new pull request for those two.

UnicronNL claimed this task.
UnicronNL moved this task from In Progress to Finished on the VyOS 1.2 Crux board.