
IPsec script neither sets a default DH group for IKE nor warns that it should be set
Closed, Resolved | Public | BUG

Description

Create an IKE group without DH group:

ike-group Foo {
    proposal 1 {
        encryption aes128
        hash sha1
    }
}

In ipsec.conf you get: ike=aes128-sha1!

And then in logs you get:

Jun  1 02:29:11 vyos-test charon: 14[CFG] a DH group is mandatory in IKE proposals
Jun  1 02:29:11 vyos-test charon: 14[CFG] skipped invalid proposal string: aes128-sha1

We should set the default to whatever it was in 1.1.8 I suppose, for compatibility reasons. I think it was DH group 2.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0
Why the issue appeared?
Issues in third-party code
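
One way a config script could handle the missing dh-group described above (an added example, not VyOS code and not part of the original report): render the ike= line with a DH keyword on every proposal, and either warn and fall back to a default or refuse to render. The function and variable names are hypothetical, the DH group 2 fallback is the report's own guess at the 1.1.8 behaviour, and the sample config is constructed.

```python
# strongSwan proposal keywords for the IKE DH group numbers used in the config.
DH_KEYWORDS = {
    "2": "modp1024", "5": "modp1536", "14": "modp2048", "15": "modp3072",
    "16": "modp4096", "19": "ecp256", "20": "ecp384", "21": "ecp521",
}

# Assumption: compatibility fallback suggested in the report (DH group 2).
DEFAULT_DH_GROUP = "2"


class ProposalError(ValueError):
    """Raised when a proposal cannot be rendered into a valid ike= string."""


def render_ike_line(group_name, proposals, default_dh=DEFAULT_DH_GROUP):
    """Return (ike_line, notes) for one ike-group.

    proposals maps proposal number -> dict with 'encryption', 'hash' and an
    optional 'dh-group'. With default_dh=None a proposal without a DH group
    is rejected at commit time instead of being silently skipped by charon.
    """
    rendered, notes = [], []
    for number, prop in sorted(proposals.items()):
        where = f"ike-group {group_name} proposal {number}"
        dh = prop.get("dh-group")
        if dh is None:
            if default_dh is None:
                raise ProposalError(f"{where}: dh-group is not set")
            notes.append(f"{where}: dh-group not set, using default {default_dh}")
            dh = default_dh
        if dh not in DH_KEYWORDS:
            raise ProposalError(f"{where}: unsupported dh-group {dh}")
        rendered.append(f"{prop['encryption']}-{prop['hash']}-{DH_KEYWORDS[dh]}")
    # The trailing "!" matches the strict proposal form shown in the report.
    return "ike=" + ",".join(rendered) + "!", notes


# Constructed sample: the ike-group from the report, with no dh-group.
FOO = {1: {"encryption": "aes128", "hash": "sha1"}}

if __name__ == "__main__":
    line, notes = render_ike_line("Foo", FOO)
    for note in notes:
        print("Warning:", note)
    print(line)
```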

Event Timeline

dmbaturin renamed this task from IPsec script neither sets a default DH group for IKE neither warns that it should be set to IPsec script neither sets a default DH group for IKE nor warns that it should be set. Jun 1 2018, 2:35 AM
dmbaturin claimed this task.
dmbaturin triaged this task as High priority.
dmbaturin created this task.
dmbaturin changed Why the issue appeared? from Will be filled on close to Issues in third-party code.
dmbaturin moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc1) board.