In T1019#26665, @runar wrote: Hmm, please enlighten me. Google BBR is a new way to handle congestion instead of the traditional way tcp deals with it. This functionality needs to be enabled in the end host systems starting the tcp session to have any impact on throughput and congestion control.. as vyos is a router and is not responsible to start tcp sessions on behalf of any end system, what is the benefit of adding this functionality?
Mar 2 2022
Aug 20 2020
Apr 29 2019
Feb 20 2019
windflag triaged T1256: Execute "show ipsec vpn ipsec sa" returns incorrect results as Normal priority.
Feb 11 2019
Just to add extra info to this ticket, I had an openvpn-option that I wanted to add but it contained a single quote. I was not able to do this (in version 1.8.x this worked).
Jan 16 2019
Hello,
how to test new versions of vyos
I can not download version 1.2 epa2
Thank you in advance for the information
Jan 6 2019
c-po added a parent task for T419: Support setting dstport for VXLAN interfaces: T1067: VXLAN support improvements.
Jan 3 2019
syncer moved T1081: GitHub Phabricator connection is broken from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc10) board.
Dec 17 2018
syncer moved T958: Problems with wireguard description from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc10) board.
syncer edited projects for T958: Problems with wireguard description, added: VyOS 1.2 Crux (VyOS 1.2.0-rc10), VyOS-1.2.0-GA; removed VyOS 1.2 Crux.
Dec 7 2018
dongjunbo edited projects for T1088: Can't change pasword of vyos, added: VyOS 1.2 Crux (VyOS 1.2.0-rc10); removed VyOS 1.2 Crux ( VyOS 1.2.0-rc11).
Dec 6 2018
all these commands show the same output:
show vpn ipsec sa
show vpn ipsec sa verbose
show vpn debug
sudo ipsec statusall
oj
~$ show vpn ipsec sa
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/show_ipsec_sa.py", line 51, in <module>
    raise e
  File "/usr/libexec/vyos/op_mode/show_ipsec_sa.py", line 45, in <module>
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.19.4-amd64-vyos, x86_64):
  uptime: 7 minutes, since Dec 06 15:06:21 2018
  malloc: sbrk 2965504, mmap 0, used 1546144, free 1419360
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 48
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
it seems that vyos-kernel was disabled
syncer moved T956: Incorrect output of "run show vpn ipsec sa" from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc10) board.
syncer moved T969: Console device speed has no effect on GRUB configuration from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc10) board.
syncer moved T1006: Eliminate unnecessary IP address validation utilities from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc10) board.
syncer moved T1001: show config commands - breaks when using backslashes in values from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc10) board.
syncer moved T1019: Enable Google BBR support at kernel compile time from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc10) board.
syncer moved T1053: Error when re-configuring an interface from DHCP to static IP from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc10) board.
syncer moved T1045: static route dhcp-interface failes on bootup from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc10) board.
syncer moved T419: Support setting dstport for VXLAN interfaces from Backlog to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc10) board.
syncer moved T816: ipaddrcheck / libcidr but on IPv6 network validation from In Progress to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc10) board.
Dec 5 2018
syncer moved T984: BGP received routes not installed to FIB from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc10) board.
👍 cool. Since we've confirmed that as a solution, I think it's safe to close.
adding a static route towards the vultr gateway fixes this, as @bswinnerton pointed out.
I ended up moving away from VyOS but the more that I think about this problem, I wonder if it's due to multihop being on and not having a route to the next hop.
- Does anyone actually need a graphical frame buffer for Vyos? I would expect it to run mostly headless.
- Is the frame buffer tied to or necessary to solve the EFI issues @c-po raised?
I just tested "show vpn ipsec sa" on latest rolling (vyos-1.2.0-rolling+201812050337) and get exactly the output of "sudo ipsec statusall"
frolswe added a comment to T1047: Configuration saved on a livecd cannot be carried over to the installed image.
This works fine for me on rc10. Thanks.
And in rc10 it is back to being sluggish with CONFIG_FB_VGA16=y :(
@dmbaturin Hello, sorry for the delay. We tested rc10 today, it did not crash but is still writing a lot of errors to the logs (in the attachment).
messages.vyos.txt (194 KB)
@kroy - I tried doing an upgrade to match all routers to the same version and it ended quite badly.. all four had their OSPF instance die.
Dec 4 2018
Upgrade to 1.2.0-rc10 and BGP is still working fine. It starts at boot and loads all BGP peers and several full tables.
I'll add here that I've got a reasonably complex OSPF setup with around 10 hosts. I converted it over to VyOS when the first RC came out and I haven't seen this issue at all, and I'm constantly rebooting hosts. Currently upgraded the whole setup to RC10 and not a single host crashed. It's worth adding that I've had a bunch of Mikrotiks in the mix at a time and no problem there either.
dmbaturin renamed T1047: Configuration saved on a livecd cannot be carried over to the installed image from Configuration does not propagate to install image. to Configuration saved on a livecd cannot be carried over to the installed image.
Tested with 1.2.0-rolling+201812010337. Still many bugs, very hard to diagnose it properly.
Minimal TODO list, so we can continue testing:
Dec 3 2018
hagbard added a comment to T1028: Suspending and resuming VyOS in VMware will result in loss of static ip addresses.
The vmware tools scripts work as expected, they are stopping and starting the network config as they are supposed to do, but are using debian defaults. So they are not executing the config. I'm going to check if we can extend it a little somewhere to execute the config again when 'resume' happens. In general that won't be an easy fix.
Setting destination port per VXLAN interface sounds much more reasonable
dmbaturin closed T902: VyOS 1.2.0-rc2 fails to load configuration when conntrack modules are disabled in config as Resolved.
I've tested this configuration again and it works for me, so I suppose it's fixed. If it reappears, feel free to reopen.
dmbaturin closed T337: 'show vpn ipsec sa' output wrong when remote or local prefix not in system subnet as Resolved.
@hagbard "show vpn ipsec sa verbose" is now a thin wrapper for "ipsec statusall" so it's not applicable there either. :)
dmbaturin added a comment to T1047: Configuration saved on a livecd cannot be carried over to the installed image.
...to be fair, I also think there should be a warning when trying to save a config on a livecd. We hear from people once in a while that they forgot they are running from a livecd and lose their config after reboot.
Clearly undesirable behaviour was caused by a combination of two issues: StrongSWAN starting even when IPsec is not present in the VyOS config, and /etc/ipsec.conf staying in place if config was committed but not saved.
dmbaturin renamed T769: StrongSWAN starts when "vpn ipsec" is not present in the config from /etc/ipsec.conf stored persistent with just commit to StrongSWAN starts when "vpn ipsec" is not present in the config.
The only remaining bit is the valid_address utility, which is much more difficult to remove because it's so pervasive (used by the "address" option in every interface type).
dmbaturin changed the status of T1047: Configuration saved on a livecd cannot be carried over to the installed image from Open to Needs testing.
The root cause is that /config is not mounted on livecd anymore, due to the difference in startup scripts.
Ok, the issue is that StrongSWAN uses different format for SAs with zero and non-zero counters!
@jakevis This exact config works for me in rc9. Could you update and re-test?
Dec 2 2018
dmbaturin closed T962: Intel 520 card requires modprobe option when using non-Intel SFP as Resolved.
This should have been resolved by https://github.com/vyos/vyos-build/commit/2896acaf144a6091576e10b65e477ea35243b3c2
I could not reproduce it, in its simplest form:
@begetan - it won't connect at all
Dec 1 2018
This makes sense. As I understand it, it just installs another copy of the .efi file to a more “universal” location.
syncer assigned T1028: Suspending and resuming VyOS in VMware will result in loss of static ip addresses to hagbard.
@hagbard I think we need to remove or disable such behavior
Had been resolved already via https://phabricator.vyos.net/T1054 and is available via latest rolling release.
No problem. There is no hurry, I'm happy running RC5 for now.
I tested the shaper, but it seems to me that the Cisco-AVPair library is missing, it may be missing from my Radius server
I will provide a VyOS testing ISO somewhen next week, would be much appreciated if you can test.
Hi, the NICs are all present {F267310}
Certainly. I use this one as my home router so no problem. Is this the version you mean? https://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/debian-testing-amd64-netinst.iso
@SteveP do you have time booting a Debian Buster (testing) ISO on your device and see if your NICs do appear?
Nov 30 2018
syncer moved T1061: Wireguard: Missing option to administrativly shutdown interface from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.0-rc10) board.
https://github.com/vyos/vyos-1x/commit/a29898b2ea15b7d9cea7fade1b27d38967c52d52, will be available with the next latest rolling or via: http://dev.packages.vyos.net/repositories/current/vyos/pool/main/v/vyos-1x/vyos-1x_1.2.0-7_all.deb
Would also like to see this available for Wireguard interfaces as I'm hitting this when using PBR/NATing.
hagbard changed the status of T1061: Wireguard: Missing option to administrativly shutdown interface from Open to In progress.
syncer triaged T1061: Wireguard: Missing option to administrativly shutdown interface as Normal priority.
Yes it will be implemented as soon as it turns out that the switch from the old implementation was successful. We have seen kernel crashes every now and then with the shaper enabled, so I would be keen to know if that happens to you as well to investigate the root cause.
will implement the shaper for bandwidth control? or should I configure manually?
@c-po should we build the latest drivers, or what will be your idea around that?
Is it working at start and fails after some time, or is the connection not establishing at all?
It's not so important, just a suggestion; it is better to concentrate on functions of extreme importance, such as ipoe
That is already the case if you don't configure a SN on the server side. So I'm not sure if this setting is not more of a pain instead of a help.
I found it using the command man accel-ppp
You can find it at this link
https://github.com/xebd/accel-ppp/blob/master/accel-pppd/accel-ppp.conf.5
When the value 1 is used in the accept-any-service flag, the server will accept any service name from the client side; it is generally left blank on the client side.
Nov 29 2018
left|rightprotoport has been removed from strongswan since version 5.1. 5.6 is running on the latest rolling. Protocols can now be defined via left|rightsubnet (leftsubnet=fec1::1[udp/%any],10.0.0.0/16[%any/53]).
hagbard changed the status of T1048: [IPSec] Protocol all does not work in IPSec Tunnel from Open to In progress.
Ooops X-fire. I grab the IP and prefix from the interface, that way I know it exists and can be removed and won't have too many test cycles. The subsystem needs to be rewritten at one point, but as you can imagine that is quite a task. DHCPv6 won't be affected since it always uses IP/prefix, but I haven't tested it yet.
This problem is fixed by the following pull request:
https://github.com/vyos/vyatta-cfg-system/pull/89
I did some further investigation on this topic, and it turned out that this is a more general problem, which does not just happen in the specific case I wrote above.
It basically happens anytime when an interface is first configured via DHCPv4 and then DHCPv4 is disabled later.
Actually it returns the IP allocated via DHCP, however the ip-normalize script needs a prefix for the regex, which is not set when dhcp was set.