Page MenuHomeVyOS Platform

DMVPN with IPSec does not work in HUB mode
Closed, ResolvedPublicBUG


If DMVPN use IPSec, related configuration for strongSwan adding via /etc/swanctl/swanctl.conf and reloading configuration with swanctl -q. So, it is not stored inside the strongSwan configuration file permanently and requires reloading with swanctl -q to make configuration active.
Inside in apply function exists ipsec restart operation.

When running after the DMVPN config (, it restarts strongSwan and, as a result, remove DMVPN-related connections configuration.
If VyOS configured as spoke, this is not critical, as swanctl -q additionally runs by opennhrp-script, but if it acts as a hub, DMVPN IPSec configuration will never being active.


Difficulty level
Normal (likely a few hours)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

zsdc changed the task status from Open to Confirmed.Nov 2 2019, 5:09 PM
zsdc created this task.
syncer triaged this task as High priority.
syncer changed the task status from Needs testing to Backport pending.Jan 1 2020, 1:08 PM
syncer reassigned this task from Dmitry to c-po.
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.5) board.

This was only a problem in rolling and is fixed

erkin set Issue type to Bug (incorrect behavior).Aug 31 2021, 6:23 PM