See tasks T1700 T2943

@jestabro I've created the backport PR just now.

@roedie , thanks.

Will push the backport for 1.3 as well.

So there are 2 options

1. Live it as it is, it works as before (but maybe it is a legacy way)
2. Return the strongswan.service and use it in all required places (conf-mode, op-mode, dmvpn scripts, etc). So old ipsec/starter must not be overlapped with strongswan.service restarts

I found that if IPSEC lifetime is large(28800) then this problem occurs.
If lifetime eq 1800 sec, everything works.

After return strongswan.starer https://github.com/vyos/vyos-1x/commit/f5f43c6639957f95177bb77d2b569e16d4dab9dc
all looks good now, service can be restored without issues

PR https://github.com/vyos/vyos-1x/pull/1745

The similar task T3008

PR: https://github.com/vyos/vyos-1x/pull/1744

I have tested this bug.
After boot everything woks fine without any problems.
But after restart vpn command all these issues began.

1. Error message

vyos charon[2079]: 04[NET] no socket implementation registered, sending failed

2. Swanctl shows unnormal info. IPSEC phase is down.
3. Traffic passes through the tunnel.
4. New process appears

Fixed in T3810

I don't think this is a bug in FRR, but rather a configuration issue. I'm not really familiar with FRR, but as far as I can tell, sending RAs is an intended feature of it that can be disabled per interface: https://docs.frrouting.org/en/latest/ipv6.html#clicmd-ipv6-nd-suppress-ra
Not sure why it's enabled by default, since I couldn't find anything in the generated /etc/frr/frr.conf that would enable it.

Could you open an issue for FRR?
https://github.com/FRRouting/frr/issues

Draft PR: https://github.com/vyos/vyos-1x/pull/1740

In T4917#140239, @b- wrote:

Thanks! That’ll help me with what I’m working on :)From where does this limitation originate, anyway? Is there a way to at least add . to the acceptable characters list, so as to allow for foo.sh?  Would that break something that expects to skip over filenames with dots and other characters?

PR https://github.com/vyos/vyos-1x/pull/1741

The error is in the respective XML op-mode-definitions; arg '--intf-type' should be passed to 'show_interfaces.py' (1.3); 'interfaces.py' (1.4) so that tag node is correctly filtered.

I have checked this config on VyOS 1.4-rolling-202212310809 (Strongswan 5.9.8). The problem is the same.

Thanks! That’ll help me with what I’m working on :)From where does this limitation originate, anyway? Is there a way to at least add . to the acceptable characters list, so as to allow for foo.sh?  Would that break something that expects to skip over filenames with dots and other characters?

Scripts are run in alphabetical order. Their names must consist entirely of ASCII upper- and lower-case letters,ASCII digits, ASCII underscores, and ASCII minus-hyphens.No other characters are allowed.

huh, is it possible that we just don't run commit hooks upon changing only comments?

I just edited the file /opt/vyatta/sbin/install-image in a running system to try testing this, and it works as expected at least for the primary minisign key. I didn't test GPG or 2nd minisign key, but I see no reason why there would be an issue there. I did touch those parts, though, so it's probably worth at least having another set of eyes look at it all.

er wait hold up i made a mistake saving/pushing my changes
edit: fixed

I created a PR, but I'm not certain how to compile this part of VyOS to test this, and I'm hoping someone could help me do so -- a quick glance makes it look to me like this is compiled into a .deb that's then installed by https://github.com/vyos/vyos-build/blob/current/scripts/build-vyos-image ?

In T1237#140040, @Viacheslav wrote:

will be fixed in the next rolling release

The error handling on this line is basically nonexistent, but also the coding style is a little hard to follow.