Page MenuHomeVyOS Platform

[VPN-IPSEC] not boot config after reboot
Open, Requires assessmentPublicBUG

Description

Hi

I found an issues that it doesn't allow to load vpn-ipsec config ,in fact , it lost the configuration on VyOS-CLI .Let me show this behavior:

Current settings:

 set vpn ipsec esp-group vyos-esp-aws compression 'disable'
set vpn ipsec esp-group vyos-esp-aws lifetime '3600'
set vpn ipsec esp-group vyos-esp-aws mode 'tunnel'
set vpn ipsec esp-group vyos-esp-aws pfs 'dh-group14'
set vpn ipsec esp-group vyos-esp-aws proposal 1 encryption 'aes256'
set vpn ipsec esp-group vyos-esp-aws proposal 1 hash 'sha256'
set vpn ipsec ike-group vyos-ike-aws close-action 'none'
set vpn ipsec ike-group vyos-ike-aws dead-peer-detection action 'restart'
set vpn ipsec ike-group vyos-ike-aws dead-peer-detection interval '15'
set vpn ipsec ike-group vyos-ike-aws dead-peer-detection timeout '30'
set vpn ipsec ike-group vyos-ike-aws ikev2-reauth 'yes'
set vpn ipsec ike-group vyos-ike-aws key-exchange 'ikev2'
set vpn ipsec ike-group vyos-ike-aws lifetime '28800'
set vpn ipsec ike-group vyos-ike-aws proposal 1 dh-group '14'
set vpn ipsec ike-group vyos-ike-aws proposal 1 encryption 'aes256'
set vpn ipsec ike-group vyos-ike-aws proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 18.218.254.206 authentication mode 'pre-shared-secret'
'T0pSecr3tP@ss'
set vpn ipsec site-to-site peer 18.218.254.206 connection-type 'initiate'
set vpn ipsec site-to-site peer 18.218.254.206 default-esp-group 'vyos-esp-aws'
set vpn ipsec site-to-site peer 18.218.254.206 dhcp-interface 'eth0'
set vpn ipsec site-to-site peer 18.218.254.206 ike-group 'vyos-ike-aws'
set vpn ipsec site-to-site peer 18.218.254.206 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 18.218.254.206 tunnel 10 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 18.218.254.206 tunnel 10 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 18.218.254.206 tunnel 10 local prefix '192.168.12.0/24'
set vpn ipsec site-to-site peer 18.218.254.206 tunnel 10 remote prefix '10.0.6.0/24

# interfaces  

set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 hw-id '50:00:00:02:00:00'
set interfaces ethernet eth1 address '192.168.12.10/24'

The problem appears to be that VyOS allowed me to switch eth0 from DHCP to static (it didn't show any warning message or helper indicated an issues)

#applied this configuration 

delete interfaces ethernet eth0 dhcp
set interfaces ethernet eth0 address '192.168.122.110/24'
set protocols static route 0.0.0.0/0 next-hop 192.168.122.1
commit
save

reboot VyOS instance but fails to load vpn-ipsec configuration (but it doesn't show any issues when booting) , however when we load /config/config.boot , it shows :

vyos@vpn# load /config/config.boot
Loading configuration from '/config/config.boot'
Load complete. Use 'commit' to make changes effective.
[edit]

###error after commit 

vyos@vpn# commit
[ vpn ipsec site-to-site peer 18.218.254.206 dhcp-interface ]
VPN configuration error: The specified interface is not configured for dhcp.


[[vpn]] failed
Commit failed
[edit]
vyos@vpn#

it originates because this command is present set vpn ipsec site-to-site peer 18.218.254.206 dhcp-interface 'eth0' , here is another case with this issue :

https://forum.vyos.io/t/entire-vpn-ipsec-config-lost-on-reboot/8321/3

Details

Difficulty level
Hard (possibly days)
Version
VyOS 1.3.0(
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

fernando renamed this task from [VPN-IPSEC] no boot config after reboot to [VPN-IPSEC] not boot config after reboot.Fri, Jan 14, 9:50 PM