Page MenuHomeVyOS Platform
Create Task
Maniphest T4004

IPsec ike-group parameters are not saved correctly (after reboot)
Closed, ResolvedPublicBUG
Actions

Description

Tested in VyOS 1.3.0-epa3

Create ike-group and save:

vyos@vyos:~$ configure
vyos@vyos# set vpn ipsec ike-group IKE close-action 'none'
vyos@vyos# set vpn ipsec ike-group IKE ikev2-reauth 'no'
vyos@vyos# set vpn ipsec ike-group IKE lifetime '86400'
vyos@vyos# set vpn ipsec ike-group IKE proposal 2 dh-group '2'
vyos@vyos# set vpn ipsec ike-group IKE proposal 2 encryption 'aes128'
vyos@vyos# set vpn ipsec ike-group IKE proposal 2 hash 'sha1'
[edit]
vyos@vyos# commit
vyos@vyos# save

Check config:
vyos@vyos:~$ show configuration commands

set vpn ipsec ike-group IKE close-action 'none'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE lifetime '86400'
set vpn ipsec ike-group IKE proposal 2 dh-group '2'
set vpn ipsec ike-group IKE proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE proposal 2 hash 'sha1'

Reboot.
Check config after:

set vpn ipsec ike-group IKE close-action 'none'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '86400'
set vpn ipsec ike-group IKE proposal 2 dh-group '2'
set vpn ipsec ike-group IKE proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE proposal 2 hash 'sha1'

Notice the following NEW lines:
set vpn ipsec ike-group IKE key-exchange 'ikev1'

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.3.0-epa3
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Unknown Object (User) created this task.Nov 18 2021, 3:53 AM
Viacheslav added a subscriber: Viacheslav.Nov 18 2021, 8:12 AM

I don't think that it is a bug.
If you don't set any value, it gets default value ikev1
https://github.com/vyos/vyatta-cfg-vpn/blob/d2d4361bffaa0b99c85c7fbf46ddd760ae6512f0/templates/vpn/ipsec/ike-group/node.tag/key-exchange/node.def#L3

Unknown Object (User) added a comment.Nov 20 2021, 9:39 AM

A feature request was made with a change in behavior:
https://phabricator.vyos.net/T4005
(Feature Request: IPsec IKEv1 + IKEv2 for one peer)

Unknown Object (User) closed this task as Resolved.Nov 20 2021, 9:39 AM
Unknown Object (User) claimed this task.
pasik added a subscriber: pasik.Nov 20 2021, 9:51 AM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0-epa3) board.Nov 24 2021, 7:38 AM