Different default IKE DH Group behaviour between v1.1.7 and v999 Nightlies
Open, Needs Triage. Public. BUG

Description

Hey all.

So... this one kicked my arse for a while today looking at upgrading existing VyOS firewalls to the nightly.

Specifically, site-to-site VPNs in 1.1.7 that don't specify an IKE dh-group will (silently) default to dh-group 2. It looks to me like the nightly doesn't specify a DH group at all under those circumstances, which is a duff configuration to my understanding.

I don't know if there's a configuration upgrade script that's run when versions are upgraded, but I think this needs to go from an implicit configuration to an explicit one.

Details

Difficulty level
Unknown (require assessment)
Version
1.1.7 -> v999.201708292137
Why did the issue appear?
Will be filled on close
JulesT created this task. Aug 30 2017, 4:40 PM
c-po added a subscriber: c-po. Sep 1 2017, 10:16 AM

Just to give some more information.

I just extracted my old configuration (1.1.7 with show configuration commands) and re-imported it in VyOS 1.2.x.

This gave me:
VPN configuration error: 'dh-group' must be specified in ike-group "IKE-HUB" proposal "1" dh-group.

Yeah, C-po. That doesn't surprise me.

I think the only problem really is that if you upgrade from 1.1.7 to the nightly, this doesn't get caught, so you end up with a duff configuration that's already de-facto accepted.
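One way to catch this before upgrading is to scan the 1.1.7 `show configuration commands` output for ike-group proposals that never set `dh-group` and emit the explicit `set` commands the nightly demands. This is an added example, not a VyOS migration script; the `dh-group 2` default it makes explicit is the 1.1.7 behaviour reported above, and the sample configuration (IKE-HUB, IKE-SPOKE) is constructed.

```python
"""Find VyOS 1.1.x ike-group proposals that rely on the implicit dh-group
default and print the explicit set commands that the 1.2 nightlies require.
Added example, not VyOS's own code; the 'dh-group 2' default is taken from
the report above (assumption that it applied to every such proposal)."""
import re
from collections import defaultdict

# Constructed sample modelled on the report: IKE-HUB proposal 1 has no dh-group,
# IKE-SPOKE proposal 1 sets one explicitly and needs no change.
SAMPLE_COMMANDS = """\
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB lifetime '28800'
set vpn ipsec ike-group IKE-SPOKE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-SPOKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-SPOKE proposal 1 hash 'sha256'
"""

# Matches "set vpn ipsec ike-group <name> proposal <n> <key> '<value>'"
PROPOSAL_RE = re.compile(
    r"^set vpn ipsec ike-group (\S+) proposal (\d+) (\S+) '?([^']*)'?$")
IMPLICIT_DH_GROUP = "2"  # default described for 1.1.7 in the report (assumption)


def find_implicit_dh_groups(commands: str) -> list[tuple[str, str]]:
    """Return (ike-group, proposal) pairs whose proposal never sets dh-group."""
    seen = defaultdict(dict)
    for line in commands.splitlines():
        m = PROPOSAL_RE.match(line.strip())
        if m:
            group, proposal, key, value = m.groups()
            seen[(group, proposal)][key] = value
    return sorted(k for k, opts in seen.items() if "dh-group" not in opts)


def explicit_set_commands(commands: str) -> list[str]:
    """Set commands that turn the implicit default into explicit configuration."""
    return [f"set vpn ipsec ike-group {g} proposal {p} dh-group '{IMPLICIT_DH_GROUP}'"
            for g, p in find_implicit_dh_groups(commands)]


if __name__ == "__main__":
    for cmd in explicit_set_commands(SAMPLE_COMMANDS):
        print(cmd)
```

Run it against a real `show configuration commands` dump (replace `SAMPLE_COMMANDS`) before loading the config into 1.2.x, and confirm the emitted group matches what the 1.1.7 box was actually negotiating with each peer.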