Fixed in T4660
All Stories
Nov 24 2022
I have the same problem. This is a kernel configuration issue. The following settings must be made:
Nov 23 2022
Issue not present in 1.3.2 image! Thanks
This task can be closed since the PR is merged.
Nov 22 2022
Thanks sir,
In T4823#138040, @chesskuo wrote: Hello sir,
In vyos-1.4-rolling-202211220318-amd64.iso, the broken syntax was fixed, but I notice a weird behavior on connection.<conn>.remote.id.
The default value on swanctl.conf will be <name> when I don't set site-to-site -> peer <name> -> authentication -> remote-id.
Hello sir,
@trae32566 My apologies for the inconveniences. You are right. The criteria for triggering this action shall be narrowed down further.
It would be necessary to issue the warning if and only if such colliding peers also specify the exact same remote endpoint addresses (with empty endpoints also being accounted as to be the same).
In other words, we need to identify incoming peers and apply the rule only to them, not the outgoing ones which already have specific remote endpoint addresses statically defined.
This breaks a perfectly valid use case which I utilize regularly: using IPv4 + IPv6 peers with the same public key. Why would I want to create multiple keys for the exact same devices going over IPv4 and IPv6? If you want to include a warning, fine, but don't limit functionality based on someone's interpretation of how something will be used. I understand where this came from, but any time you limit functionality, you limit your users. As Donald Knuth once said:
Unix was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
@Viacheslav Thank you sir!!!
Nov 21 2022
This is a nice addition but it also requires implementation of RFC 8781 for it to work. It has been merged in the latest radvd https://github.com/radvd-project/radvd/commit/a6460662c6ac2b13307a8977ef068825b66fbce0 but it still hasn't been released.
I think the issue is related to this: https://blog.ipspace.net/2014/09/ipv6-neighbor-discovery-nd-and.html
I add here what I just found, and I can reproduce the issue every time.
You can test with 3-5 servers, the config is basic for each server:
Could you provide config from several items?
How many nodes do we need to reproduce it?
Nov 20 2022
1.3 backport https://github.com/vyos/vyos-1x/pull/1670
ipsec site-to-site peer <name> - it is just a connection name and is not related to the IP address
I'll take a look at TS
vyos@r14# set policy route-map FOO rule 100 action permit
[edit]
vyos@r14# set policy route-map FOO rule 50 action 'deny'
[edit]
vyos@r14# set policy route-map FOO rule 50 continue '100'
[edit]
vyos@r14#
[edit]
vyos@r14# commit
[ policy ]
rule 50 "continue" cannot be used with action deny!
Pull request: https://github.com/vyos/vyos-build/pull/286
Nov 19 2022
Thanks
Don't think that there should be a migration, as new keys were added several days ago.
@Viacheslav Works!
It works as expected now on 1.4-rolling-202211190627, but my system failed to boot with the old key types in the config, so I had to remove them before switching to the new image. Thanks for the quick fix!