Page MenuHomeVyOS Platform
Create Task
Maniphest T2647

ipsec disableuniqreqids generate a wrong ipsec.conf
Closed, ResolvedPublic
Actions

Description

Looks like the script /opt/vyatta/sbin/vpn-config.pl generate a wrong configuration options in the setup section;

In the specific the command

vpn ipsec disable-uniqreqids

add disableuniqreqids=yes to the ipsec.conf but according to the man page it should be

uniqueids = yes | no | never | replace | keep

whether a particular participant ID should be kept unique, with any new IKE_SA using an ID
deemed to replace all old ones using that ID. Participant IDs normally are unique, so a new
IKE_SA using the same ID is almost invariably intended to replace an old one.
The difference between no and never is that the daemon will replace old IKE_SAs when receiving an
INITIAL_CONTACT notify if the option is no but will ignore these notifies if never is configured.
The daemon also accepts the value replace which is identical to yes and the value keep to reject
new IKE_SA setups and keep the duplicate established earlier.

I suppose the problem is here

/opt/vyatta/sbin/vpn-config.pl

# Set plutoopts:
# Disable uniqreqids?
#
if ($vcVPN->exists('ipsec disable-uniqreqids')) {
    $genout .= "\tdisableuniqreqids=yes\n";
}

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.3-rolling-202006230700
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

fabio.prina created this task.Jun 25 2020, 10:41 AM
fabio.prina created this object in space S1 VyOS Public.
dmbaturin assigned this task to erkin.Aug 20 2020, 3:57 PM
dmbaturin added a parent task: T2816: Rewrite IPsec scripts with the new XML/Python approach.
dmbaturin removed a parent task: T2816: Rewrite IPsec scripts with the new XML/Python approach.
dmbaturin added a project: VyOS 1.3 Equuleus.
pasik added a subscriber: pasik.Aug 21 2020, 7:37 AM
erkin closed this task as Resolved.Aug 22 2020, 3:02 PM
cyberflow added a subscriber: cyberflow.Nov 10 2020, 11:03 AM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Nov 23 2020, 5:24 PM
Unknown Object (User) reopened this task as Backport candidate.EditedFeb 9 2021, 12:18 PM
Unknown Object (User) added a project: VyOS 1.2 Crux (VyOS 1.2.7).
Unknown Object (User) added a subscriber: Unknown Object (User).

We need to change this and for CRUX

vyos@RTR1# run show version | match Version
Version:          VyOS 1.2.6-S1
[edit]
# Log
Feb  9 15:12:16 RTR1 ipsec_starter[2036]: # unknown keyword 'disableuniqreqids'
erkin closed this task as Resolved.Feb 20 2021, 12:38 AM
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.7) board.Jul 19 2021, 8:49 PM
dmbaturin removed a project: VyOS 1.3 Equuleus.Sep 10 2021, 2:39 PM