Page MenuHomeVyOS Platform

ipsec disableuniqreqids generate a wrong ipsec.conf
Closed, ResolvedPublic


Looks like the script /opt/vyatta/sbin/ generate a wrong configuration options in the setup section;

In the specific the command

vpn ipsec disable-uniqreqids

add disableuniqreqids=yes to the ipsec.conf but according to the man page it should be

uniqueids = yes | no | never | replace | keep

whether a particular participant ID should be kept unique, with any new IKE_SA using an ID
deemed to replace all old ones using that ID. Participant IDs normally are unique, so a new
IKE_SA using the same ID is almost invariably intended to replace an old one.
The difference between no and never is that the daemon will replace old IKE_SAs when receiving an
INITIAL_CONTACT notify if the option is no but will ignore these notifies if never is configured.
The daemon also accepts the value replace which is identical to yes and the value keep to reject
new IKE_SA setups and keep the duplicate established earlier.

I suppose the problem is here


# Set plutoopts:
# Disable uniqreqids?
if ($vcVPN->exists('ipsec disable-uniqreqids')) {
    $genout .= "\tdisableuniqreqids=yes\n";


Difficulty level
Unknown (require assessment)
VyOS 1.3-rolling-202006230700
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

Unknown Object (User) reopened this task as Backport candidate.EditedFeb 9 2021, 12:18 PM
Unknown Object (User) added a project: VyOS 1.2 Crux (VyOS 1.2.7).
Unknown Object (User) subscribed.

We need to change this and for CRUX

vyos@RTR1# run show version | match Version
Version:          VyOS 1.2.6-S1
# Log
Feb  9 15:12:16 RTR1 ipsec_starter[2036]: # unknown keyword 'disableuniqreqids'