Page MenuHomeVyOS Platform

IPSec set vti secondary address cause interface disable
Closed, ResolvedPublicBUG

Description

Set secondary ip address to vti interface cause interface disable.

To reproduce, initial configuration

set interfaces ethernet eth1 address '2001:db8::2/64'
set interfaces ethernet eth1 address '192.0.2.2/30'
set interfaces ethernet eth1 ipv6 disable-forwarding
set interfaces ethernet eth1 mtu '1540'
set interfaces vti vti2 address '10.0.0.2/30'
set vpn ipsec esp-group ESP-GRP-VTI compression 'disable'
set vpn ipsec esp-group ESP-GRP-VTI lifetime '1800'
set vpn ipsec esp-group ESP-GRP-VTI mode 'tunnel'
set vpn ipsec esp-group ESP-GRP-VTI pfs 'enable'
set vpn ipsec esp-group ESP-GRP-VTI proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-GRP-VTI proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-GRP-VTI ikev2-reauth 'no'
set vpn ipsec ike-group IKE-GRP-VTI key-exchange 'ikev1'
set vpn ipsec ike-group IKE-GRP-VTI lifetime '3600'
set vpn ipsec ike-group IKE-GRP-VTI proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-GRP-VTI proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-GRP-VTI proposal 1 hash 'sha1'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret 'SeCrEt'
set vpn ipsec site-to-site peer 192.0.2.1 ike-group 'IKE-GRP-VTI'
set vpn ipsec site-to-site peer 192.0.2.1 local-address '192.0.2.2'
set vpn ipsec site-to-site peer 192.0.2.1 vti bind 'vti2'
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group 'ESP-GRP-VTI'

Add or remove secondary address to vti2 interface:

[email protected]:~$ show int vti 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
vti2             10.0.0.2/30                       u/u  
[email protected]:~$ conf
[edit]
[email protected]# set interfaces vti vti2 address 100.64.222.1/24
[edit]
[email protected]# commit
[edit]
[email protected]# run show interfaces vti 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
vti2             10.0.0.2/30                       A/D  
                 100.64.222.1/24

Details

Difficulty level
Easy (less than an hour)
Version
VyOS 1.4-rolling-202107280117
Why the issue appeared?
Implementation mistake
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

c-po triaged this task as Normal priority.
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po changed Why the issue appeared? from Will be filled on close to Implementation mistake.