Feb 20 2019
Feb 11 2019
Just to add extra info to this ticket, I had an openvpn-option that I wanted to add but it contained a single quote. I was not able to do this (in version 1.8.x this worked).
Jan 16 2019
how to test new versions of vyos
I can not download version 1.2 epa2
Thank you in advance for the information
Jan 6 2019
Jan 3 2019
Dec 17 2018
Dec 7 2018
Dec 6 2018
all these commands show the same output:
show vpn ipsec sa
show vpn ipsec sa verbose
show vpn debug
sudo ipsec statusall
~$ show vpn ipsec sa
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/show_ipsec_sa.py", line 51, in <module>
    raise e
  File "/usr/libexec/vyos/op_mode/show_ipsec_sa.py", line 45, in <module>
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.19.4-amd64-vyos, x86_64):
  uptime: 7 minutes, since Dec 06 15:06:21 2018
  malloc: sbrk 2965504, mmap 0, used 1546144, free 1419360
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 48
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs dhcp lookip error-notify certexpire led addrblock counters
Listening IP addresses:
it seems that vyos-kernel was disabled
Dec 5 2018
👍 cool. Since we've confirmed that as a solution, I think it's safe to close.
adding a static route towards the vultr gateway fixes this, as @bswinnerton pointed out.
I ended up moving away from VyOS, but the more that I think about this problem, I wonder if it's due to multihop being on and not having a route to the next hop.
- Does anyone actually need a graphical frame buffer for Vyos? I would expect it to run mostly headless.
- Is the frame buffer tied to or necessary to solve the EFI issues @c-po raised?
I just tested "show vpn ipsec sa" on latest rolling (vyos-1.2.0-rolling+201812050337) and get exactly the output of "sudo ipsec statusall"
This works fine for me on rc10. Thanks.
And in rc10 it is back to being sluggish with CONFIG_FB_VGA16=y :(
@dmbaturin Hello, sorry for the delay. We tested rc10 today; it did not crash but is still writing a lot of errors to the logs (in the attachment).
@kroy - I tried doing an upgrade to match all routers to the same version and it ended quite badly.. all four had their OSPF instance die.
Dec 4 2018
Upgrade to 1.2.0-rc10 and BGP is still working fine. It starts at boot and loads all BGP peers and several full tables.
I'll add here that I've got a reasonably complex OSPF setup with around 10 hosts. I converted it over to VyOS when the first RC came out and I haven't seen this issue at all, and I'm constantly rebooting hosts. Currently upgraded the whole setup to RC10 and not a single host crashed. It's worth adding that I've had a bunch of Mikrotiks in the mix at a time and no problem there either.
Tested with 1.2.0-rolling+201812010337. Still many bugs, very hard to diagnose it properly.
Minimal TODO list, so we can continue testing:
Dec 3 2018
The vmware tools scripts work as expected, they are stopping and starting the network config as they are supposed to do, but are using debian defaults. So they are not executing the config. I'm going to check if we can extend it a little somewhere to execute the config again when 'resume' happens. In general that won't be an easy fix.
Setting destination port per VXLAN interface sounds much more reasonable
I've tested this configuration again and it works for me, so I suppose it's fixed. If it reappears, feel free to reopen.
@hagbard "show vpn ipsec sa verbose" is now a thin wrapper for "ipsec statusall" so it's not applicable there either. :)
...to be fair, I also think there should be a warning when trying to save a config on a livecd. We hear from people once in a while that they forgot they are running from a livecd and lose their config after reboot.
Clearly undesirable behaviour was caused by a combination of two issues: StrongSWAN starting even when IPsec is not present in the VyOS config, and /etc/ipsec.conf staying in place if config was committed but not saved.