Page MenuHomeVyOS Platform
Create Task
Maniphest T374

Different default IKE DH Group behaviour between v1.1.7 and v999 Nightlies
Closed, DuplicatePublicBUG
Actions

Description

Hey all.

So... this one kicked my arse for a while today looking at upgrading existing vyos firewalls to the nightly.

Specifically, site-to-site VPNs in 1.1.7 that don't specify an IKE dh-group will (silently) default to dh-group 2. It looks to me like the nightly doesn't specify a DH group at all under those circumstances, which is a duff configuration to my understanding.

I don't know if there's a configuration upgrade script that's run when versions are upgraded, but I think this needs to go from an implicit configuration to an explicit one.

Details

Difficulty level
Unknown (require assessment)
Version
1.1.7 -> v999.201708292137
Why the issue appeared?
Will be filled on close

Event Timeline

JulesT created this task.Aug 30 2017, 4:40 PM
c-po added a subscriber: c-po.Sep 1 2017, 10:16 AM

Just to give some more information.

I just extracted my old configuration (1.1.7 with show configuration commands) and re-imported it in VyOS 1.2.x.

This gave me:
VPN configuration error: 'dh-group' must be specified in ike-group "IKE-HUB" proposal "1" dh-group.

JulesT added a comment.Sep 3 2017, 12:34 PM

Yeah, C-po. That doesn't surprise me.

I think the only problem really is that if you upgrade from 1.1.7, to the nightly, this doesn't get caught, so you end up with a duff configuration that's already de-facto accepted.

syncer triaged this task as Low priority.Dec 21 2017, 9:55 PM
pasik added a subscriber: pasik.Oct 1 2018, 9:53 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc4); removed VyOS 1.2 Crux.Oct 13 2018, 10:09 AM
syncer added a subscriber: syncer.Oct 13 2018, 6:52 PM

@c-po what we do with this ?

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc5); removed VyOS 1.2 Crux (VyOS 1.2.0-rc4).Oct 24 2018, 4:40 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc6); removed VyOS 1.2 Crux (VyOS 1.2.0-rc5).Oct 29 2018, 6:16 PM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc7); removed VyOS 1.2 Crux (VyOS 1.2.0-rc6).Nov 6 2018, 12:57 AM
dmbaturin closed this task as a duplicate of T674: IPsec script neither sets a default DH group for IKE nor warns that it should be set.Nov 11 2018, 10:14 AM
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc7) board.Nov 13 2018, 3:49 AM
syncer added a project: VyOS-1.2.0-GA.Jan 25 2019, 2:38 PM