
VPN IPsec "leftsubnet" declared 2 times
Closed, Resolved / Public / BUG

Description

VPN IPsec "leftsubnet" declared 2 times

set vpn ipsec esp-group grp-ESP compression 'disable'
set vpn ipsec esp-group grp-ESP lifetime '28800'
set vpn ipsec esp-group grp-ESP mode 'tunnel'
set vpn ipsec esp-group grp-ESP pfs 'dh-group19'
set vpn ipsec esp-group grp-ESP proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group grp-ESP proposal 10 hash 'sha256'
set vpn ipsec ike-group grp-IKE dead-peer-detection action 'hold'
set vpn ipsec ike-group grp-IKE dead-peer-detection interval '30'
set vpn ipsec ike-group grp-IKE dead-peer-detection timeout '120'
set vpn ipsec ike-group grp-IKE ikev2-reauth 'no'
set vpn ipsec ike-group grp-IKE key-exchange 'ikev2'
set vpn ipsec ike-group grp-IKE lifetime '86400'
set vpn ipsec ike-group grp-IKE mobike 'disable'
set vpn ipsec ike-group grp-IKE proposal 10 dh-group '19'
set vpn ipsec ike-group grp-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group grp-IKE proposal 10 hash 'sha256'
set vpn ipsec ipsec-interfaces interface eth1
set vpn ipsec site-to-site peer 100.64.0.2 authentication id '100.64.0.1'
set vpn ipsec site-to-site peer 100.64.0.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 100.64.0.2 authentication pre-shared-secret SSSeeccRetT
set vpn ipsec site-to-site peer 100.64.0.2 authentication remote-id '100.64.0.2'
set vpn ipsec site-to-site peer 100.64.0.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 100.64.0.2 ike-group 'grp-IKE'
set vpn ipsec site-to-site peer 100.64.0.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 100.64.0.2 local-address '100.64.0.1'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 0 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 0 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 0 esp-group 'grp-ESP'
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 0 local prefix 10.10.1.0/24
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 0 remote prefix 10.23.222.0/24

ipsec.conf

vyos@r2-roll# cat /etc/ipsec.conf | head -17
# generated by /opt/vyatta/sbin/vpn-config.pl

config setup
	

conn %default
	keyexchange=ikev1


conn peer-100.64.0.2-tunnel-0
	left=100.64.0.1
	leftid="100.64.0.1"
	right=100.64.0.2
	rightid="100.64.0.2"
	leftsubnet=10.10.1.0/24
	rightsubnet=10.23.222.0/24
	leftsubnet=10.10.1.0/24

VyOS 1.3-rolling-202009170118 + 1.2.6-epa1

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.3-rolling-202009170118
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

It is declared 2 times, because there are 2 checks

if (defined($leftsubnet))

https://github.com/vyos/vyatta-cfg-vpn/blob/current/scripts/vpn-config.pl#L531-L532
https://github.com/vyos/vyatta-cfg-vpn/blob/current/scripts/vpn-config.pl#L617-L646

and each check generates its own part of the "leftsubnet" configuration.

I think we can safely get rid of the first check.

PR for rolling https://github.com/vyos/vyatta-cfg-vpn/pull/38

vyos@r2-roll# cat /etc/ipsec.conf | grep "leftsubnet"
	leftsubnet=10.10.1.0/24
[edit]
vyos@r2-roll#
set vpn ipsec site-to-site peer 100.64.0.2 tunnel 0 protocol tcp

vyos@r2-roll# commit
[edit]
vyos@r2-roll# 
[edit]
vyos@r2-roll# cat /etc/ipsec.conf | grep "leftsubnet"
	leftsubnet=10.10.1.0/24[tcp/%any]
[edit]
vyos@r2-roll#

Do we need it for "crux"?
This does not affect the work of the VPN service.
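Added example, not VyOS or strongSwan code: a small Python linter that parses an ipsec.conf into its sections, keeps repeated directives instead of collapsing them into a dict, and reports every key declared more than once inside one conn. It separates the harmless identical repeat seen in this report from a conflicting repeat, which is the case a reviewer of generated config actually needs to catch. The sample configuration is constructed: the first conn mirrors the ipsec.conf shown in the description, the second conn (peer 198.51.100.7, a documentation address) is hypothetical and has two disagreeing leftsubnet values. `leftsubnet_value` is a hypothetical helper illustrating the single emission point a generator should have, using strongSwan's `subnet[proto/port]` selector syntax as in the `[tcp/%any]` output above.

```python
import re
from collections import defaultdict

# Constructed sample (not a real router's file): the first conn reproduces the
# duplicated leftsubnet from the report; the second conn is hypothetical and
# shows the dangerous variant where the two declarations disagree.
SAMPLE_IPSEC_CONF = """\
# generated by /opt/vyatta/sbin/vpn-config.pl

config setup

conn %default
\tkeyexchange=ikev1

conn peer-100.64.0.2-tunnel-0
\tleft=100.64.0.1
\tleftid="100.64.0.1"
\tright=100.64.0.2
\trightid="100.64.0.2"
\tleftsubnet=10.10.1.0/24
\trightsubnet=10.23.222.0/24
\tleftsubnet=10.10.1.0/24

conn peer-198.51.100.7-tunnel-0
\tleft=100.64.0.1
\tright=198.51.100.7
\tleftsubnet=10.10.1.0/24
\trightsubnet=10.99.0.0/24
\tleftsubnet=10.10.1.0/24[tcp/%any]
"""

# Section headers in ipsec.conf: "config setup", "conn <name>", "ca <name>".
SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")


def parse_sections(text):
    """Split ipsec.conf into sections, keeping every key=value line in order.

    Returns {"conn <name>": [(key, value), ...], ...}. Repeated keys are kept as
    separate tuples rather than overwritten, so duplicates stay visible.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def find_duplicates(sections):
    """Return [(section, key, [values...])] for every key set more than once."""
    findings = []
    for name, pairs in sections.items():
        seen = defaultdict(list)
        for key, value in pairs:
            seen[key].append(value)
        for key, values in seen.items():
            if len(values) > 1:
                findings.append((name, key, values))
    return findings


def severity(values):
    """Identical repeats are cosmetic; differing values mean the effective
    traffic selector depends on which declaration the parser honours."""
    return "harmless" if len(set(values)) == 1 else "conflicting"


def lint(text):
    """One report line per duplicated directive, for review of generated config."""
    return [
        f"{name}: {key} declared {len(values)} times ({severity(values)}): "
        + ", ".join(values)
        for name, key, values in find_duplicates(parse_sections(text))
    ]


def leftsubnet_value(prefix, protocol=None, port=None):
    """Hypothetical single emission point for leftsubnet (not vpn-config.pl).

    Renders strongSwan's <subnet>[<proto>/<port>] selector; %any means any port.
    """
    if protocol is None:
        if port is not None:
            raise ValueError("a port selector requires a protocol")
        return prefix
    return f"{prefix}[{protocol}/{port if port is not None else '%any'}]"


if __name__ == "__main__":
    for report in lint(SAMPLE_IPSEC_CONF):
        print(report)
```

Run it against a generated `/etc/ipsec.conf` instead of the sample to audit a router. The conflicting case is the one worth alerting on: which of two differing `leftsubnet` values strongSwan ends up applying is a parser detail rather than an intended policy, and a wrong traffic selector silently changes which flows are protected by the tunnel.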

erkin set Issue type to Bug (incorrect behavior). Aug 29 2021, 1:03 PM
erkin removed a subscriber: Active contributors.