A feature request was made with a change in behavior:
https://phabricator.vyos.net/T4005
(Feature Request: IPsec IKEv1 + IKEv2 for one peer)
All Stories
Nov 20 2021
pull request:
https://github.com/vyos/vyatta-cfg-vpn/pull/51
Create an Ike-group without a command "key-exchange" (like in VyOS 1.4):
I think this is what it would look like in service dhcp server. I left some comments to explain my thinking a bit, and I tried to make it as flexible as possible (for example the way match options are strings, so future DHCP options can be supported as soon as ISC supports them):
    failover {
        name INT
        remote 192.168.15.4
        source-address 192.168.15.3
        status primary
    }
    shared-network-name INT {
        description "Internal connection to ir01"
        class CLIENT_MAP {
            rule 10 {
                action permit   # This is equivalent to dhcpd's allow/deny members of
                match option "agent.circuit_id" value "Vlan200"   # This could match any option (ex: dhcp-client-identifier)
            }
        }
        class GUEST_MAP {
            rule 10 {
                action permit
                match option "agent.circuit_id" value "Vlan240"
            }
        }
        subnet 192.168.1.0/24 {
            class CLIENT_MAP
            default-router 192.168.1.1
            domain-name int.trae32566.org
            domain-search int.trae32566.org
            domain-search ipa.trae32566.org
            domain-search trae32566.org
            enable-failover
            name-server 192.168.255.1
            name-server 192.168.15.10
            name-server 192.168.31.3
            ntp-server 192.168.255.2
            ntp-server 192.168.15.11
            ntp-server 192.168.31.4
            range CLIENTS {
                start 192.168.1.2
                stop 192.168.1.240
            }
            server-identifier 192.168.15.2
            static-mapping QUEST {
                ip-address 192.168.1.17
                mac-address 80:f3:ef:11:e7:e7
            }
        }
        subnet 192.168.6.0/24 {
            class GUEST_MAP
            default-router 192.168.6.1
            enable-failover
            name-server 1.1.1.1
            name-server 1.0.0.1
            name-server 8.8.8.8
            ntp-server 50.205.57.38
            ntp-server 64.225.34.103
            ntp-server 129.250.35.251
            server-identifier 192.168.15.2
            range GUESTS {
                start 192.168.6.2
                stop 192.168.6.254
            }
        }
        subnet 192.168.15.0/29 {
            # This tells it indirectly to use the interface eth2, which is on this subnet (is there a better way?)
            default-router 192.168.15.1
            enable-failover
            range DUMMY {
                start 192.168.15.2
                stop 192.168.15.7
            }
        }
    }
Nov 19 2021
I would not call this a bug, as this is produced intentionally.
Submitted this PR: https://github.com/vyos/vyos-1x/pull/1075
I wish I understood this subsystem better, as I'd love to get it fixed. I'm going to take a closer look tomorrow.
Nov 18 2021
One detail towards a resolution: if the vyos-http-api-server is started manually (without systemd) then the output is not truncated. If one wants to try this, one should configure 'set service https api' (to update Nginx config appropriately); then 'systemctl stop vyos-http-api'; then, as root:
Shows which options moved to the new name in swanctl
Re-tested working on
Thanks, I've confirmed the issue; I should have it resolved soon
I notice my example of the API only focused on one interface (eth0), where the CLI (and the title) showed all interfaces. That doesn't change the fact that in either case the API doesn't return data for the description.
I don't think that it is a bug.
If you don't set any value, it gets the default value ikev1:
https://github.com/vyos/vyatta-cfg-vpn/blob/d2d4361bffaa0b99c85c7fbf46ddd760ae6512f0/templates/vpn/ipsec/ike-group/node.tag/key-exchange/node.def#L3
Nov 17 2021
Since we had to revert to the old NAT implementation due to kernel issues, this had to be back-back-ported to the old Perl code as well.
Nov 16 2021
    {
      "lldp": {
        "interface": [
          {
            "eth0": {
              "via": "LLDP",
              "rid": "5",
              "age": "0 day, 00:00:16",
              "chassis": {
                "id": {
                  "type": "mac",
                  "value": "3c:61:04:5b:68:c0"
                },
                "descr": "Juniper Networks, Inc. ex2200-c-12t-2g , version 11.4R7.5 Build date: 2013-03-01 09:18:42 UTC ",
                "capability": [
                  { "type": "Bridge", "enabled": true },
                  { "type": "Router", "enabled": true }
                ]
              },
              "port": {
                "id": {
                  "type": "local",
                  "value": "521"
                },
                "descr": "ge-0/0/9.0",
                "ttl": "120"
              },
              "unknown-tlvs": {
                "unknown-tlv": {
                  "oui": "00,90,69",
                  "subtype": "1",
                  "len": "12",
                  "value": "47,50,30,32,31,33,33,36,30,36,39,36"
                }
              }
            }
          }
        ]
      }
    }
@daniil Can you provide the output in JSON format?
New PR was created https://github.com/vyos/vyos-1x/pull/1072
Nevermind, this was added through T3916.
When I remove ('::1', '161') from agentaddress in /etc/snmp/snmpd.conf, it solves the issue.
show system ipv6 disable
    show service snmp
     community public {
         authorization ro
         network 11.11.11.0/24
     }
     contact [email protected]
     listen-address 11.11.11.251 {
         port 161
     }
     location ru-brn
    Nov 16 16:23:27 r1-brn systemd[1]: snmpd.service: Main process exited, code=exited, status=1/FAILURE
    Nov 16 16:23:27 r1-brn systemd[1]: snmpd.service: Failed with result 'exit-code'.
Nov 15 2021
    Nov 15 21:23:22 LR1 systemd[1]: Reloading OpenVPN connection to vtun1.
    Nov 15 21:23:22 LR1 openvpn-vtun1[13941]: event_wait : Interrupted system call (code=4)
    Nov 15 21:23:22 LR1 openvpn-vtun1[13941]: Closing TUN/TAP interface
    Nov 15 21:23:22 LR1 openvpn-vtun1[13941]: net_addr_ptp_v4_del: 10.255.1.1 dev vtun1
    Nov 15 21:23:22 LR1 systemd[1]: Reloaded OpenVPN connection to vtun1.
    Nov 15 21:23:22 LR1 openvpn-vtun1[13941]: SIGHUP[hard,] received, process restarting
    Nov 15 21:23:22 LR1 openvpn-vtun1[13941]: Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
    Nov 15 21:23:22 LR1 openvpn-vtun1[13941]: WARNING: file '/run/openvpn/vtun1_shared.key' is group or others accessible
    Nov 15 21:23:22 LR1 openvpn-vtun1[13941]: OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
    Nov 15 21:23:22 LR1 openvpn-vtun1[13941]: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
    Nov 15 21:23:22 LR1 openvpn-vtun1[13941]: Restart pause, 5 second(s)