
VPN IPsec check dpd and close action for empty values
Closed, ResolvedPublicBUG

Description

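We shouldn't generate a config with empty dpd_action and close_action values for child SAs. The configuration below sets neither a DPD action nor a close action for the tunnel, so the generator should omit these keys instead of writing them with no value.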

set vpn ipsec authentication psk bar id '192.0.2.1'
set vpn ipsec authentication psk bar id '192.0.2.3'
set vpn ipsec authentication psk bar id '192.0.2.1.local.peer-b'
set vpn ipsec authentication psk bar id '192.0.2.2.peer-b'
set vpn ipsec authentication psk bar secret 'SecretBar'
set vpn ipsec authentication psk baz id 'fsdfdf'
set vpn ipsec authentication psk baz secret 'bazdfwefsecrettt'
set vpn ipsec esp-group ESP-group-b lifetime '1800'
set vpn ipsec esp-group ESP-group-b mode 'tunnel'
set vpn ipsec esp-group ESP-group-b pfs 'enable'
set vpn ipsec esp-group ESP-group-b proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-group-b proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-group-b key-exchange 'ikev1'
set vpn ipsec ike-group IKE-group-b lifetime '3600'
set vpn ipsec ike-group IKE-group-b proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-group-b proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-group-b proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer OFFICE-B authentication local-id '192.0.2.2.peer-b'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '192.0.2.1.local.peer-b'
set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKE-group-b'
set vpn ipsec site-to-site peer OFFICE-B local-address '192.0.2.2'
set vpn ipsec site-to-site peer OFFICE-B remote-address '192.0.2.1'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'ESP-group-b'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '10.0.0.0/21'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '192.168.0.0/24'

In the generated file, the children section contains incorrect empty "=" assignments for dpd_action and close_action:

vyos@r2# cat /etc/swanctl/swanctl.conf 
### Autogenerated by vpn_ipsec.py ###

connections {
    OFFICE-B {
        proposals = aes256-sha256-modp2048
        version = 1
        local_addrs = 192.0.2.2 # dhcp:no
        remote_addrs = 192.0.2.1
        dpd_timeout = 120
        dpd_delay = 30
        rekey_time = 3600s
        mobike = yes
        keyingtries = 1
        local {
            id = "192.0.2.2.peer-b"
            auth = psk
        }
        remote {
            id = "192.0.2.1.local.peer-b"
            auth = psk
        }
        children {
            OFFICE-B-tunnel-0 {
                esp_proposals = aes128-sha1-modp2048
                life_time = 1800s
                local_ts = 10.0.0.0/21
                remote_ts = 192.168.0.0/24
                ipcomp = no
                mode = tunnel
                start_action = trap
                dpd_action = 
                close_action = 
            }
        }
    }

}

Details

Difficulty level
Easy (less than an hour)
Version
VyOS 1.4-rolling-202301300918
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)