
IPSec: VTI interface does not honor default-esp-group
Status: Closed, Resolved | Visibility: Public | Type: BUG

Description

cpo@LR1.wue3# show vpn
+ipsec {
+    esp-group ESP1 {
+        compression disable
+        lifetime 3600
+        mode tunnel
+        pfs enable
+        proposal 1 {
+            encryption aes256
+            hash sha256
+        }
+    }
+    ike-group IKE1 {
+        close-action none
+        ikev2-reauth no
+        key-exchange ikev1
+        lifetime 28800
+        proposal 1 {
+            dh-group 2
+            encryption aes256
+            hash sha256
+        }
+    }
+    interface dum0
+    site-to-site {
+        peer 172.18.254.202 {
+            authentication {
+                mode pre-shared-secret
+                pre-shared-secret secret
+            }
+            connection-type initiate
+            default-esp-group ESP1
+            ike-group IKE1
+            ikev2-reauth inherit
+            local-address 172.18.254.201
+            vti {
+                bind vti1
+            }
+        }
+    }
+}
[edit]
cpo@LR1.wue3# commit
[ vpn ipsec ]
VyOS had an issue completing a command.

We are sorry that you encountered a problem while using VyOS.
There are a few things you can do to help us (and yourself):
- Contact us using the online help desk if you have a subscription:
  https://support.vyos.io/
- Make sure you are running the latest version of VyOS available at:
  https://vyos.net/get/
- Consult the community forum to see how to handle this issue:
  https://forum.vyos.io
- Join us on Slack where our users exchange help and advice:
  https://vyos.slack.com

When reporting problems, please include as much information as possible:
- do not obfuscate any data (feel free to contact us privately if your
  business policy requires it)
- and include all the information presented below

Report Time:      2021-07-26 20:39:50
Image Version:    VyOS 1.4-rolling-202107242017
Release Train:    sagitta

Built by:         autobuild@vyos.net
Built on:         Mon 26 Jul 2021 01:17 UTC
Build UUID:       bf8bb33c-1634-4b04-9693-e458f634222c
Build Commit ID:  404ef29d13cfe8

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     VMware-42 3f 67 73 77 df c4 80-42 c9 42 af ff 15 de 0b
Hardware UUID:    73673f42-df77-80c4-42c9-42afff15de0b

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 579, in <module>
    generate(ipsec)
  File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 541, in generate
    render(swanctl_conf, 'ipsec/swanctl.conf.tmpl', ipsec)
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 112, in render
    rendered = render_to_string(template, content, formater)
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 82, in render_to_string
    rendered = template.render(content)
  File "/usr/lib/python3/dist-packages/jinja2/environment.py", line 1090, in render
    self.environment.handle_exception()
  File "/usr/lib/python3/dist-packages/jinja2/environment.py", line 832, in handle_exception
    reraise(*rewrite_traceback_stack(source=source))
  File "/usr/lib/python3/dist-packages/jinja2/_compat.py", line 28, in reraise
    raise value.with_traceback(tb)
  File "/usr/share/vyos/templates/ipsec/swanctl.conf.tmpl", line 15, in top-level template code
    {{     peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }}
  File "/usr/lib/python3/dist-packages/jinja2/runtime.py", line 679, in _invoke
    rv = self._func(*arguments)
  File "/usr/share/vyos/templates/ipsec/swanctl/peer.tmpl", line 59, in template
    esp_proposals = {{ vti_esp | get_esp_ike_cipher | join(',') }}
  File "/usr/lib/python3/dist-packages/vyos/template.py", line 419, in get_esp_ike_cipher
    if 'proposal' in group_config:
TypeError: argument of type 'NoneType' is not iterable



[[vpn ipsec]] failed
Commit failed
[edit]
cpo@LR1.wue3#
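
The traceback ends in `get_esp_ike_cipher` receiving `None` for the VTI's ESP group even though the peer carries `default-esp-group ESP1`. The following is an added illustration, not VyOS's own code: a hypothetical stand-in for that filter plus a peer dictionary shaped like the configuration above (the dict layout and the `honor_default` switch are assumptions), showing that resolving the VTI's ESP group without falling back to `default-esp-group` reproduces the TypeError, while honoring the default yields the ESP1 proposal.

```python
# Constructed data shaped like the task's "show vpn" output (an assumption
# about the dict layout; not VyOS's own code).
ESP_GROUPS = {
    "ESP1": {
        "proposal": {"1": {"encryption": "aes256", "hash": "sha256"}},
    }
}

PEER_CONF = {
    "default_esp_group": "ESP1",
    "ike_group": "IKE1",
    "vti": {"bind": "vti1"},  # no per-VTI esp-group, exactly as in the report
}


def get_esp_ike_cipher(group_config):
    """Hypothetical stand-in for the template filter named in the traceback:
    turn an ESP group into strongSwan-style proposals such as aes256-sha256.
    Like the original it does no None check, so a missing group raises
    "argument of type 'NoneType' is not iterable"."""
    if 'proposal' in group_config:
        return [f"{p['encryption']}-{p['hash']}"
                for p in group_config['proposal'].values()]
    return []


def resolve_vti_esp(peer_conf, esp_groups, honor_default=True):
    """Pick the ESP group for the peer's VTI. honor_default=False models the
    reported behaviour: a VTI without its own esp-group resolves to None
    instead of inheriting the peer's default-esp-group."""
    name = peer_conf.get("vti", {}).get("esp_group")
    if name is None and honor_default:
        name = peer_conf.get("default_esp_group")
    return esp_groups.get(name) if name else None


def render_esp_proposals(peer_conf, esp_groups, honor_default=True):
    """Mimic the peer.tmpl line from the traceback: ciphers joined by ','."""
    group = resolve_vti_esp(peer_conf, esp_groups, honor_default)
    return ",".join(get_esp_ike_cipher(group))


def bug_reproduced(peer_conf, esp_groups):
    """True when ignoring default-esp-group makes the render step raise."""
    try:
        render_esp_proposals(peer_conf, esp_groups, honor_default=False)
    except TypeError:
        return True
    return False
```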

Details

Difficulty level: Easy (less than an hour)
Version: 1.4-rolling-202107242017
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)

Event Timeline

c-po claimed this task.