
IPSec set vti secondary address cause interface disable
Closed, Resolved | Public | BUG

Description

Setting a secondary IP address on a VTI interface causes the interface to be disabled.

To reproduce, start from this initial configuration:

set interfaces ethernet eth1 address '2001:db8::2/64'
set interfaces ethernet eth1 address '192.0.2.2/30'
set interfaces ethernet eth1 ipv6 disable-forwarding
set interfaces ethernet eth1 mtu '1540'
set interfaces vti vti2 address '10.0.0.2/30'
set vpn ipsec esp-group ESP-GRP-VTI compression 'disable'
set vpn ipsec esp-group ESP-GRP-VTI lifetime '1800'
set vpn ipsec esp-group ESP-GRP-VTI mode 'tunnel'
set vpn ipsec esp-group ESP-GRP-VTI pfs 'enable'
set vpn ipsec esp-group ESP-GRP-VTI proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GRP-VTI proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-GRP-VTI ikev2-reauth 'no'
set vpn ipsec ike-group IKE-GRP-VTI key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GRP-VTI lifetime '3600'
set vpn ipsec ike-group IKE-GRP-VTI proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-GRP-VTI proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP-VTI proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret 'SeCrEt'
set vpn ipsec site-to-site peer 192.0.2.1 ike-group 'IKE-GRP-VTI'
set vpn ipsec site-to-site peer 192.0.2.1 local-address '192.0.2.2'
set vpn ipsec site-to-site peer 192.0.2.1 vti bind 'vti2'
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group 'ESP-GRP-VTI'

Then add or remove a secondary address on the vti2 interface:

vyos@r1-roll:~$ show int vti 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
vti2             10.0.0.2/30                       u/u  
vyos@r1-roll:~$ conf
[edit]
vyos@r1-roll# set interfaces vti vti2 address 100.64.222.1/24
[edit]
vyos@r1-roll# commit
[edit]
vyos@r1-roll# run show interfaces vti 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
vti2             10.0.0.2/30                       A/D  
                 100.64.222.1/24
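The state change in the session above can be checked mechanically. The parser below is an added example, not VyOS code: it reads `show interfaces vti` output, including the indented continuation lines VyOS prints for additional addresses, and lists interfaces that are Admin Down despite having addresses configured. The function names are this example's own; the two embedded captures are copied from the session above.

```python
"""Flag VTI interfaces that carry addresses but sit in Admin Down state.

Added example, not part of VyOS. Captures copied from the task above."""
import re
from typing import Dict, List, Tuple

# Capture before adding the secondary address (copied from the report).
BEFORE = """\
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
vti2             10.0.0.2/30                       u/u
"""

# Capture after 'set interfaces vti vti2 address 100.64.222.1/24' + commit.
AFTER = """\
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
vti2             10.0.0.2/30                       A/D
                 100.64.222.1/24
"""

# Main row: name, first address, state/link, optional description.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+([uDA])/([uD])\s*(.*)$")
# Extra addresses are printed alone on an indented continuation line.
CONT = re.compile(r"^\s+(\S+)\s*$")


def parse_show_vti(text: str) -> Dict[str, Tuple[str, str, List[str]]]:
    """Return {ifname: (state, link, [addresses])} from the show output."""
    result: Dict[str, Tuple[str, str, List[str]]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith(("Codes:", "Interface", "---------")):
            continue  # legend and header rows
        m = ROW.match(line)
        if m:
            current = m.group(1)
            result[current] = (m.group(3), m.group(4), [m.group(2)])
            continue
        c = CONT.match(line)
        if c and current:
            result[current][2].append(c.group(1))
    return result


def admin_down_with_addresses(text: str) -> List[str]:
    """Interfaces that have addresses configured yet show state 'A'."""
    return [name for name, (state, _link, addrs) in parse_show_vti(text).items()
            if state == "A" and addrs]
```

Running `admin_down_with_addresses(AFTER)` returns `['vti2']`, while the BEFORE capture yields an empty list.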

Details

Difficulty level
Easy (less than an hour)
Version
VyOS 1.4-rolling-202107280117
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

c-po triaged this task as Normal priority.
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po changed Why the issue appeared? from Will be filled on close to Implementation mistake.