
DPD interval and timeout do not work in DMVPN
Open, Requires assessment | Public | Bug

Description

When DMVPN is configured with IPsec, the DPD interval and timeout set under the IKE group are not written to the swanctl.conf file.

Configuration:

set interfaces ethernet eth0 address '10.0.1.2/24'
set interfaces ethernet eth0 hw-id '0c:4b:e8:6d:00:00'
set interfaces ethernet eth1 address '192.168.1.1/24'
set interfaces ethernet eth1 hw-id '0c:4b:e8:6d:00:01'
set interfaces ethernet eth2 hw-id '0c:4b:e8:6d:00:02'
set interfaces ethernet eth3 hw-id '0c:4b:e8:6d:00:03'
set interfaces loopback lo
set interfaces tunnel tun100 address '10.10.100.1/24'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 mtu '1400'
set interfaces tunnel tun100 multicast 'enable'
set interfaces tunnel tun100 parameters ip key '1'
set interfaces tunnel tun100 source-address '10.0.1.2'
set protocols bgp address-family ipv4-unicast network 192.168.1.0/24
set protocols bgp local-as '65000'
set protocols bgp neighbor 10.10.100.2 address-family ipv4-unicast route-reflector-client
set protocols bgp neighbor 10.10.100.2 remote-as '65000'
set protocols bgp neighbor 10.10.100.3 address-family ipv4-unicast route-reflector-client
set protocols bgp neighbor 10.10.100.3 remote-as '65000'
set protocols bgp parameters router-id '1.1.1.1'
set protocols nhrp tunnel tun100 cisco-authentication 'dmvpn'
set protocols nhrp tunnel tun100 holding-time '300'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 shortcut
set protocols static route 0.0.0.0/0 next-hop 10.0.1.1
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system host-name 'vyos'
set system login user vyos authentication encrypted-password '$6$MjV2YvKQ56q$QbL562qhRoyUu8OaqrXagicvcsNpF1HssCY06ZxxghDJkBCfSfTE/4FlFB41xZcd/HqYyVBuRt8Zyq3ozJ0dc.'
set system login user vyos authentication plaintext-password ''
set system ntp server time1.vyos.net
set system ntp server time2.vyos.net
set system ntp server time3.vyos.net
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'
set vpn ipsec esp-group ESP-HUB compression 'disable'
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
set vpn ipsec ike-group IKE-HUB close-action 'none'
set vpn ipsec ike-group IKE-HUB dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-HUB dead-peer-detection interval '3'
set vpn ipsec ike-group IKE-HUB dead-peer-detection timeout '30'
set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
set vpn ipsec interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'dmvpn'

swanctl.conf

vyos@vyos:~$ sudo cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###

connections {
    # One IKE connection per DMVPN profile/tunnel pair (profile NHRPVPN on tun100).
    dmvpn-NHRPVPN-tun100 {
        # IKE proposals rendered from ike-group IKE-HUB proposal 1 and 2
        # (dh-group '2' maps to modp1024).
        proposals = aes256-sha1-modp1024,aes128-sha1-modp1024
        # key-exchange 'ikev2'
        version = 2
        # ike-group lifetime '3600'
        rekey_time = 3600s
        keyingtries = 0
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        # NOTE(review): the ike-group's dead-peer-detection interval '3' and
        # timeout '30' are not rendered anywhere in this connection block. In
        # swanctl.conf those are connection-level settings (dpd_delay, and for
        # IKEv1 dpd_timeout); their absence here is the defect reported. With
        # version = 2 strongSwan treats dpd_timeout as IKEv1-only, so dpd_delay
        # is the setting that matters for this profile -- verify against the
        # 1.3.1 output when comparing.
        children {
            dmvpn {
                # esp-group ESP-HUB proposal 1 and 2 with pfs 'dh-group2';
                # 3des-md5 and modp1024 are legacy-weak, kept here only because
                # the reproduction config lists them.
                esp_proposals = aes256-sha1-modp1024,3des-md5-modp1024
                # esp-group lifetime '1800'
                rekey_time = 1800s
                # presumably derived from the child rekey_time by the generator
                rand_time = 540s
                # GRE-only traffic selectors, negotiated dynamically (NHRP peers)
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                # esp-group mode 'transport'
                mode = transport
                start_action = trap
                # Only the dead-peer-detection *action* made it through the
                # template; the interval/timeout values did not.
                dpd_action = restart
            }
        }
    }

}

# No virtual-IP pools: the reproduction config defines none.
pools {
}

secrets {
    # IKE pre-shared key taken from
    # 'vpn ipsec profile NHRPVPN authentication pre-shared-secret';
    # swanctl stores it in clear text, so this file must stay root-only.
    ike-dmvpn-tun100 {
        secret = dmvpn
    }
}

This fails only in 1.4.

I tested the same configuration with vyos-1.3.1-S1; there the DPD parameters are set correctly.

Details

Difficulty level
Easy (less than an hour)
Version
vyos-1.4-rolling-202208010217
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)