
l2tp configuration not cleared after delete
Closed, Resolved | Public | BUG

Description

To reproduce, add the L2TP configuration below and then delete it:

set interfaces dummy dum0 address 203.0.113.1/32
set vpn ipsec ipsec-interfaces interface dum0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
set vpn l2tp remote-access authentication local-users username foo password bar
set vpn l2tp remote-access authentication mode 'local'
set vpn l2tp remote-access authentication require 'chap'
set vpn l2tp remote-access client-ip-pool start 10.200.100.100
set vpn l2tp remote-access client-ip-pool stop 10.200.100.110
set vpn l2tp remote-access description 'VPN-REMOTE'
set vpn l2tp remote-access dns-servers server-1 '1.1.1.1'
set vpn l2tp remote-access idle '1800'
set vpn l2tp remote-access ipsec-settings authentication mode 'pre-shared-secret'
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret SeCret
set vpn l2tp remote-access ipsec-settings ike-lifetime '8600'
set vpn l2tp remote-access ipsec-settings lifetime '3600'
set vpn l2tp remote-access outside-address 203.0.113.1

Delete l2tp:

[email protected]# delete vpn l2tp 
[edit]
[email protected]# commit
[ vpn ]
Note: the IPsec process will not start until you configure some tunnels, profiles, or L2TP/IPsec settings

[edit]
[email protected]#

File still present:

[email protected]# sudo cat /etc/ipsec.d/tunnels/remote-access 
### VyOS L2TP VPN Begin ###
conn remote-access
  type=transport
  left=203.0.113.1
  leftsubnet=%dynamic[/1701]
  rightsubnet=%dynamic
  mark_in=%unique
  auto=add
  ike=aes256-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024!
  dpddelay=15
  dpdtimeout=45
  dpdaction=clear
  esp=aes256-sha1,3des-sha1!
  rekey=no
  authby=secret
  leftauth=psk
  rightauth=psk
  ikelifetime=8600
  keylife=3600
### VyOS L2TP VPN End ###
[edit]
[email protected]#

Secrets also still present:

[email protected]# sudo cat  /etc/ipsec.secrets 
# generated by /opt/vyatta/sbin/vpn-config.pl

### VyOS L2TP VPN Begin ###
203.0.113.1 %any : PSK "SeCret"
### VyOS L2TP VPN End ###
[edit]
[email protected]#

Swanctl:

[email protected]# sudo swanctl -L
remote-access: IKEv1, no reauthentication, dpd delay 15s
  local:  203.0.113.1
  remote: %any
  local pre-shared key authentication:
    id: 203.0.113.1
  remote pre-shared key authentication:
  remote-access: TRANSPORT, no rekeying, dpd action is clear
    local:  dynamic[0/l2f]
    remote: dynamic
[edit]
[email protected]#
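The output above shows the security-relevant consequence of the bug: after `delete vpn l2tp` and `commit`, the `remote-access` connection is still loaded in charon (it was generated with `auto=add`), and the pre-shared key is still on disk in `/etc/ipsec.secrets`, so the old PSK remains usable for IKE negotiation until the files are regenerated. The following check is an added example, not part of the bug report or of VyOS itself; it assumes the file paths and the `remote-access` connection name shown above, and takes the `swanctl -L` output as a text argument so it can be exercised offline against constructed copies of the files (on a real router pass `"$(sudo swanctl -L)"`).

```shell
#!/bin/sh
# Added example (not VyOS code): detect L2TP/IPsec state left behind after
# 'delete vpn l2tp' + 'commit'. Paths and marker strings are those shown
# in the report; the swanctl output is passed in as text.

L2TP_BEGIN='### VyOS L2TP VPN Begin ###'
L2TP_END='### VyOS L2TP VPN End ###'

# l2tp_block FILE: print the lines between the VyOS L2TP markers (nothing if absent)
l2tp_block() {
    [ -r "$1" ] || return 0
    awk -v b="$L2TP_BEGIN" -v e="$L2TP_END" '
        $0 == b { inblk = 1; next }
        $0 == e { inblk = 0; next }
        inblk   { print }
    ' "$1"
}

# check_l2tp_residue TUNNEL_FILE SECRETS_FILE SWANCTL_OUTPUT
# Returns 0 when nothing is left, 1 when stale state is found (findings printed).
check_l2tp_residue() {
    tunnel_file=$1 secrets_file=$2 swanctl_out=$3
    found=0

    if [ -e "$tunnel_file" ]; then
        echo "stale: $tunnel_file still exists"
        found=1
    fi

    # A PSK line inside the L2TP markers means the secret is still loadable by charon
    if l2tp_block "$secrets_file" | grep -q ' : PSK '; then
        echo "stale: L2TP pre-shared key still present in $secrets_file"
        found=1
    fi

    # 'swanctl -L' lists loaded connections by name; the L2TP one is 'remote-access'
    if printf '%s\n' "$swanctl_out" | grep -q '^remote-access: '; then
        echo "stale: connection 'remote-access' still loaded in charon"
        found=1
    fi

    return $found
}

# demo_l2tp_residue: build constructed copies of the files shown in the report in a
# temporary directory and run the check against them; returns the check's status.
demo_l2tp_residue() {
    dir=$(mktemp -d)
    mkdir -p "$dir/tunnels"
    # Constructed sample: a shortened /etc/ipsec.d/tunnels/remote-access as posted above
    printf '%s\n' "$L2TP_BEGIN" 'conn remote-access' '  type=transport' \
        '  left=203.0.113.1' '  auto=add' '  authby=secret' "$L2TP_END" \
        > "$dir/tunnels/remote-access"
    # Constructed sample: /etc/ipsec.secrets as posted above
    printf '%s\n' '# generated by /opt/vyatta/sbin/vpn-config.pl' '' \
        "$L2TP_BEGIN" '203.0.113.1 %any : PSK "SeCret"' "$L2TP_END" \
        > "$dir/ipsec.secrets"
    # Constructed sample: the first lines of the 'swanctl -L' output posted above
    swanctl_sample='remote-access: IKEv1, no reauthentication, dpd delay 15s
  local:  203.0.113.1
  remote: %any'

    check_l2tp_residue "$dir/tunnels/remote-access" "$dir/ipsec.secrets" "$swanctl_sample"
    status=$?
    rm -rf "$dir"
    return $status
}

demo_l2tp_residue && echo "clean" || echo "stale L2TP/IPsec state found (the behaviour this bug describes)"
```

On an affected router all three findings are printed for the constructed sample, matching the three observations in the report; a fixed system should print `clean` once the generated tunnel file, the secrets block and the loaded connection are all gone.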

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.2.8, VyOS 1.3.0-rc6
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav changed the task status from Open to Confirmed.
dmbaturin subscribed.

No one complained about this issue in a while, but feel free to reopen, if anything.

Viacheslav triaged this task as Normal priority. Jan 20 2024, 2:00 AM

It cannot be backported to 1.3 as there are no config-mode-dependencies.