PR https://github.com/vyos/vyos-1x/pull/1430
vyos@r14:~$ show vrf Name State MAC address Flags Interfaces ------ ------- ----------------- ------------------------ --------------- foo up be:e3:5c:f1:54:99 noarp,master,up,lower_up eth1.50,eth1.55 bar up 1e:7c:94:da:e0:35 noarp,master,up,lower_up n/a vyos@r14:~$
New PR (Notice corrected):
https://github.com/vyos/vyos-1x/pull/1427
I have added a pull request for this:
PR https://github.com/vyos/vyos-1x/pull/1428
vyos@r14:~$ reset vpn ipsec-peer 2001:db8::2
CHILD_SA {21241} closed successfully
CHILD_SA {21243} closed successfully
CHILD_SA {21245} closed successfully
CHILD_SA {21244} closed successfully
CHILD_SA {21247} closed successfully
CHILD_SA {21246} closed successfully
CHILD_SA {21249} closed successfully
CHILD_SA {21248} closed successfully
closing CHILD_SA peer_2001-db8--2_tunnel_0{21250} with SPIs cab47d6b_i (0 bytes) c3cbba13_o (0 bytes) and TS 2001:db8:1111::/64 === 2001:db8:2222::/64
sending DELETE for ESP CHILD_SA with SPI cab47d6b
generating INFORMATIONAL request 14065 [ D ]
sending packet: from 2001:db8::1[500] to 2001:db8::2[500] (69 bytes)
received packet: from 2001:db8::2[500] to 2001:db8::1[500] (69 bytes)
parsed INFORMATIONAL response 14065 [ D ]
received DELETE for ESP CHILD_SA with SPI c3cbba13
CHILD_SA closed
CHILD_SA {21250} closed successfully
establishing CHILD_SA peer_2001-db8--2_tunnel_0{21251}
generating CREATE_CHILD_SA request 14066 [ SA No KE TSi TSr ]
sending packet: from 2001:db8::1[500] to 2001:db8::2[500] (497 bytes)
received packet: from 2001:db8::2[500] to 2001:db8::1[500] (497 bytes)
parsed CREATE_CHILD_SA response 14066 [ SA No KE TSi TSr ]
selected proposal: ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
CHILD_SA peer_2001-db8--2_tunnel_0{21251} established with SPIs ccaff1e5_i c5a2b674_o and TS 2001:db8:1111::/64 === 2001:db8:2222::/64
connection 'peer_2001-db8--2_tunnel_0' established successfully
Peer reset result: success
vyos@r14:~$Commit fails b/c of frr-reload output: 200 % Local-AS allowed only for EBGP peers - we should add an appropriate verify() stage I guess.
PR https://github.com/vyos/vyos-1x/pull/1426
An example with only one rule 10 raw output
vyos@r14:~$ /usr/libexec/vyos/op_mode/nat.py show_rules --direction source --raw
[
{
"rule": {
"family": "ip",
"table": "nat",
"chain": "POSTROUTING",
"handle": 114,
"comment": "SRC-NAT-10",
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "oifname"
}
},
"right": "eth0"
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"masquerade": null
}
]
}
}
]
vyos@r14:~$PR to new format + IPv6 entries https://github.com/vyos/vyos-1x/pull/1425
Unfortunately not all commands are present when using the bgp <afi> syntax. We should find the remaining ones and then move all to the new syntax - less confusing
@Viacheslav yep that one works...
@aalmenar try the next command
vyos@r14# run reset bgp ipv6
Possible completions:
<h:h:h:h:h:h:h:h>
IPv6 neighbor to clear
1-4294967295 Reset peers with the AS number
all Clear all peers
external Reset all external peers
peer-group Reset all members of peer-group@aaliddell I am not too concerned about tayga's maintenance. It have been proved to work well for years, and the package is already a part of the official repository of debian. Actually debian's tayga package includes a few patches: https://salsa.debian.org/debian/tayga/-/tree/debian/master/debian/patches
I just leave it here. We must not return to bug T2189 with this fix.
That's XPN support but GCM-AES-256 was added back in 2018 in https://w1.fi/cgit/hostap/commit/?id=1ff8605775
Put in pull request https://github.com/vyos/vyos-1x/pull/1423
That's what commit 5e510e45f6f9 did :)
As I remember fastnetmon wasn’t rewritten to dict
And requires manual set default value in config dictionary
You can find the latest version of the demo implementation here:
I installed wpa_supplicant version 2.10. But it did not help.
I compared debugs of wpa_supplicant and found the difference
Modyfing file pointed by @Viacheslav , makes ipv6 peer option available.
But while testing config, it's not possible to insert an ipv6 address: validator rejects input.
Validator used: syntax:expression: exec "/opt/vyatta/sbin/vyatta-policy.pl --check-peer-syntax $VAR(@)"; "peer must be either an IP or local"
@daniil Could you re-check it?
It seems wpa_supplicant doesn't support GCM-AES-256
https://w1.fi/wpa_supplicant/devel/dir_4261af1259721e3e39e0d2dd7354b511.html
I have just tested it again. Macsec does not work.
PR with notice:
https://github.com/vyos/vyos-1x/pull/1419
PR for 1.4: https://github.com/vyos/vyos-1x/pull/1418
This is a behavior "by design". The prefix-len option cannot be used for BGP routes. We should add this notice to the CLI.
Check: http://docs.frrouting.org/en/latest/routemap.html#clicmd-match-ip-address-prefix-len-0-32
While i like the inclusion of NAT64 inside vyos (And the effort vfreex has made), i believe that tayga is not the way to go, it was last updated on 2010-12-12 according to the readme in it. Jool on the other hand has a bigger throughput being kernel module. The only issue i believe is the module compilation cause configuration is quite easy.
Can you check with the latest rolling release? it uses FRR 8.3
Probably a problem with FRR
Will be fixed in the next rolling release. Thanks!
@dannyvanderaa this is true - but as of VyOS 1.3 there is no longer an operator mode due to security issues. Operator level was removed, it will come back once the entire codebase rewrite is complete.
Several access levels are required on our end. In my opinion an operator / read only user should also be able to perform some basic commands (like ping and arp)
Also cipher changes require a reboot. Nice bug - thanks for this riddle ;)
This change currently removes the nstat plugin which is used in the configuration (https://github.com/vyos/vyos-1x/blob/current/data/templates/monitoring/telegraf.j2#L108).
This results in telegraf crashing on startup. Adding the plugin back to the https://github.com/vyos/vyos-build/blob/current/packages/telegraf/plugins/inputs/all/all.go file fixes this (Tested by compiling a patched package and installing it on a broken install).
As far as I can tell this is the only missing plugin.
Also, there are no any Inbound/Outbound packets with aes-256
vyos@r14:~$ sudo ip -s macsec show
7: macsec1: protect on validate strict sc off sa off encrypt off send_sci on end_station off scb off replay off
cipher suite: GCM-AES-256, using ICV length 16
TXSC: eeb5e212f04f0001 on SA 0
stats: OutPktsUntagged InPktsUntagged OutPktsTooLong InPktsNoTag InPktsBadTag InPktsUnknownSCI InPktsNoSCI InPktsOverrun
0 0 0 0 0 0 0 0
stats: OutPktsProtected OutPktsEncrypted OutOctetsProtected OutOctetsEncrypted
0 0 0 0
offload: off
vyos@r14:~$But service starts without issues:
vyos@r14:~$ sudo systemctl status [email protected] ● [email protected] - WPA supplicant daemon (macsec-specific version) Loaded: loaded (/lib/systemd/system/[email protected]; disabled; vendor preset: enabled) Active: active (running) since Mon 2022-07-18 20:07:16 EEST; 18min ago Main PID: 1802 (wpa_supplicant) Tasks: 1 (limit: 9411) Memory: 4.4M CPU: 101ms CGroup: /system.slice/system-wpa_supplicant\x2dmacsec.slice/[email protected] └─1802 /sbin/wpa_supplicant -c/run/wpa_supplicant/vxlan1.conf -Dmacsec_linux -ivxlan1
set protocols bgp local-as 200 set protocols bgp peer-group foo remote-as external set protocols bgp peer-group foo address-family ipv4-unicast ipv6-unicast set protocols bgp neighbor 1.1.1.1 peer-group foo commit