hi,
I tried a minimal sstp config and commit. I got the error message that an ipv4 network for the clients is required.
Why can' I run it with ipv6 only?
Description
Description
Details
Details
- Difficulty level
- Unknown (require assessment)
- Version
- VyOS 1.3-rolling-202006070117
- Why the issue appeared?
- Will be filled on close
- Is it a breaking change?
- Unspecified (possibly destroys the router)
- Issue type
- Bug (incorrect behavior)
Related Objects
Related Objects
- Mentioned Here
- T3931: SSTP doesn't work after rewriting to PKI
Event Timeline
Comment Actions
To reproduce:
[edit vpn sstp]
vyos@r4-epa1# compare
[edit vpn sstp]
+authentication {
+ local-users {
+ username foo {
+ password bar
+ }
+ }
+ mode local
+}
+client-ipv6-pool {
+ prefix 2001:db8::/48 {
+ }
+}
+gateway-address 192.168.122.14
+ssl {
+ ca-cert-file /config/user-data/sstp/ca.crt
+ cert-file /config/user-data/sstp/server.crt
+ key-file /config/user-data/sstp/server.key
+}
[edit vpn sstp]
vyos@r4-epa1# commit
[ vpn ]
Note: the IPsec process will not start until you configure some tunnels, profiles, or L2TP/IPsec settings
[ vpn sstp ]
VyOS had an issue completing a command.
Traceback (most recent call last):
File "/usr/libexec/vyos/conf_mode/vpn_sstp.py", line 109, in <module>
verify(c)
File "/usr/libexec/vyos/conf_mode/vpn_sstp.py", line 53, in verify
if not sstp['client_ip_pool']:
KeyError: 'client_ip_pool'Comment Actions
PR for 1.3 https://github.com/vyos/vyos-1x/pull/1039
set vpn sstp authentication local-users username foo password 'bar' set vpn sstp authentication mode 'local' set vpn sstp client-ipv6-pool prefix 2001:db8::/48 set vpn sstp gateway-address '192.168.122.14' set vpn sstp ssl ca-cert-file '/config/user-data/sstp/ca.crt' set vpn sstp ssl cert-file '/config/user-data/sstp/server.crt' set vpn sstp ssl key-file '/config/user-data/sstp/server.key'
Chekc service:
vyos@r4-epa1# commit [edit] vyos@r4-epa1# ps ax | grep sstp 5863 ? Ssl 0:00 /usr/sbin/accel-pppd -d -p /run/accel-pppd/sstp.pid -c /run/accel-pppd/sstp.conf 5901 pts/0 S+ 0:00 grep sstp [edit] vyos@r4-epa1#
Comment Actions
To enable IPv6 only it is required some new options in CLI, which are not presented in 1.3 yet
set vpn sstp ppp-options ipv4 allow(default)|deny set vpn sstp ppp-options ipv6 allow|deny|prefer|require
Also, it is required to load additional modules to sstp.conf:
[modules] ... ipv6_nd ipv6_dhcp ipv6pool [PPP] ... ipv4=deny
It is impossible to check this behavior in 1.4 as it not working after rewriting certificates to PKI T3931
Comment Actions
PR for 1.3 https://github.com/vyos/vyos-1x/pull/1060
set vpn sstp authentication local-users username foo password 'bar' set vpn sstp authentication local-users username foo2 password 'bar2' set vpn sstp authentication mode 'local' set vpn sstp client-ipv6-pool prefix 2001:db8::/48 set vpn sstp gateway-address '192.168.122.14' set vpn sstp ppp-options ipv4 'deny' set vpn sstp ppp-options ipv6 'allow' set vpn sstp ssl ca-cert-file '/config/user-data/sstp/ca.crt' set vpn sstp ssl cert-file '/config/user-data/sstp/server.crt' set vpn sstp ssl key-file '/config/user-data/sstp/server.key'
Check sessions:
vyos@r4-epa2:~$ show sstp-server s sessions statistics vyos@r4-epa2:~$ show sstp-server sessions ifname | username | ip | ip6 | ip6-dp | calling-sid | rate-limit | state | uptime | rx-bytes | tx-bytes --------+----------+-----------------------+-----------------------+--------+-----------------+------------+--------+----------+----------+---------- sstp0 | foo2 | 2001:db8:0:0:200::/64 | 2001:db8:0:0:200::/64 | | 192.168.122.222 | | active | 00:00:09 | 735 B | 506 B vyos@r4-epa2:~$