Ipsec/l2tp remote access stops working after reboot (when vrrp is present in the configuration).
Closed, Wontfix · Public · BUG

Description

Hello.

Not sure if this is a bug per se, or if a different configuration is needed for it to work. I only noticed it after upgrading to 1.1.8 from 1.1.7 (which involved a reboot). The same behaviour happens on 1.1.7 and 1.1.8.

Steps to reproduce on clean vyos installation:

  1. Load & commit a basic config that has ipsec/l2tp remote access configured:
interfaces {
    ethernet eth0 {
        address 192.168.1.100/24
        duplex auto
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.1.1 {
            }
        }
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password $1$5HsQse2v$VQLh5eeEp4ZzGmCG/PRBA1
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password ""
            url http://packages.vyos.net/vyos
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username testuser {
                        password testpassword
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.10.10.1
                stop 10.10.10.254
            }
            dns-servers {
                server-1 8.8.8.8
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret testpresharedkeysecret
                }
                ike-lifetime 3600
            }
            outside-address 192.168.1.100
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]" === */
/* Release version: VyOS 1.1.7 */
  1. Ipsec/l2tp remote access works fine (tested on Windows 10 and iOS) at this stage.
  1. Load & commit a config that has only vrrp added to the previous configuration:
interfaces {
    ethernet eth0 {
        address 192.168.100.100/24
        duplex auto
        smp_affinity auto
        speed auto
        vrrp {
            vrrp-group 1 {
                advertise-interval 1
                preempt true
                sync-group sunc1
                virtual-address 192.168.1.100/24
            }
        }
    }
    loopback lo {
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 192.168.1.1 {
            }
        }
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    host-name vyos
    login {
        user vyos {
            authentication {
                encrypted-password $1$5HsQse2v$VQLh5eeEp4ZzGmCG/PRBA1
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution helium
            password ""
            url http://packages.vyos.net/vyos
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username testuser {
                        password testpassword
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.10.10.1
                stop 10.10.10.254
            }
            dns-servers {
                server-1 8.8.8.8
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret testpresharedkeysecret
                }
                ike-lifetime 3600
            }
            outside-address 192.168.1.100
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]" === */
/* Release version: VyOS 1.1.7 */
  1. Ipsec/l2tp remote access works fine (tested on Windows 10 and iOS) at this stage. I can restart vpn or vrrp services and I can always reconnect without a problem.
  1. Reboot the vyos system.
  1. Suddenly it is impossible to connect via l2tp/ipsec. Restarting vpn or vrrp services does not help.
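
Added example, not part of the original report and not VyOS code: between the two configurations above, `outside-address 192.168.1.100` stops being eth0's own address and becomes the VRRP `virtual-address`. This Python code parses a Vyatta-style config and reports which kind of address the L2TP `outside-address` points at; `SAMPLE` is a constructed excerpt of the second configuration, and `leaves` and `classify_outside_address` are hypothetical helper names.

```python
# Constructed excerpt of the second configuration in the report (not the full file).
SAMPLE = """
interfaces {
    ethernet eth0 {
        address 192.168.100.100/24
        vrrp {
            vrrp-group 1 {
                virtual-address 192.168.1.100/24
            }
        }
    }
}
vpn {
    l2tp {
        remote-access {
            outside-address 192.168.1.100
        }
    }
}
"""

def leaves(text):
    """Yield (path, value) for each leaf line of a brace-delimited config."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())   # enter a node, e.g. "ethernet eth0"
        elif line == "}":
            del stack[-1:]                    # leave a node; no-op if already empty
        else:
            key, _, value = line.partition(" ")
            yield tuple(stack) + (key,), value.strip()

def classify_outside_address(text):
    """Return 'interface', 'vrrp-virtual' or 'unknown' for the L2TP outside-address."""
    primary, virtual, outside = set(), set(), None
    for path, value in leaves(text):
        ip = value.split("/")[0]              # drop the prefix length
        if path[0] == "interfaces" and path[-1] == "address":
            primary.add(ip)
        elif path[-1] == "virtual-address":
            virtual.add(ip)
        elif path[-1] == "outside-address":
            outside = ip
    return "interface" if outside in primary else "vrrp-virtual" if outside in virtual else "unknown"
```

Run against the first configuration, where eth0 itself holds 192.168.1.100/24, the same function returns `interface`.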

Details

Difficulty level
Unknown (require assessment)
Version
1.1.7, 1.1.8
Why the issue appeared?
Will be filled on close

Event Timeline

syncer triaged this task as Low priority.
syncer added subscribers: Unknown Object (User), syncer.

@Unicron check please

please retest on 1.2 and resubmit if the issue still exists