To reproduce:
# Lab configuration that reproduces the problem: a GRE tunnel (tun0) with NHRP,
# protected by an IPsec profile (NHRPVPN) bound to that tunnel.
# One command per line, for pasting into configuration mode.

# Interfaces. The dum0 addresses are taken from the RFC 5737 documentation
# ranges, so they are placeholders rather than real hosts.
set interfaces dummy dum0 address '203.0.113.1/32'
set interfaces dummy dum0 address '198.51.100.111/32'
set interfaces ethernet eth0 address 'dhcp'
set interfaces tunnel tun0 address '10.0.0.1/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key '1'
set interfaces tunnel tun0 source-address '0.0.0.0'

# Destination NAT on eth0 towards the second dum0 address.
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 translation address '198.51.100.111'

# NHRP on the tunnel. '12345' is a sample value.
# NOTE(review): the cisco-authentication string is, as far as I know, carried
# in clear text inside NHRP packets, so it is no substitute for the IPsec
# profile below - confirm against the NHRP daemon documentation.
set protocols nhrp tunnel tun0 cisco-authentication '12345'
set protocols nhrp tunnel tun0 holding-time '300'
set protocols nhrp tunnel tun0 multicast 'dynamic'
set protocols nhrp tunnel tun0 redirect

# ESP group: transport mode, 1800 s lifetime (shown by swanctl as
# "rekeying every 1800s").
# Proposal 2 (3des/md5) and pfs dh-group2 are legacy algorithms.
# NOTE(review): presumably they are not needed to trigger the problem and
# could be dropped from the reproduction - confirm.
set vpn ipsec esp-group ESP-HUB compression 'disable'
set vpn ipsec esp-group ESP-HUB lifetime '1800'
set vpn ipsec esp-group ESP-HUB mode 'transport'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'

# IKE group: IKEv1, 3600 s lifetime (shown by swanctl as
# "reauthentication every 3600s"). Both proposals use DH group 2 and SHA-1,
# which are also legacy choices.
set vpn ipsec ike-group IKE-HUB close-action 'none'
set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
set vpn ipsec ike-group IKE-HUB lifetime '3600'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'

# Global IPsec settings. allowed-network 0.0.0.0/0 places no restriction on
# the networks accepted for NAT traversal.
set vpn ipsec ipsec-interfaces interface 'dum0'
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'

# IPsec profile bound to tun0. 'SeCret' is a sample pre-shared key; outside a
# lab it has to be replaced with a long random value.
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'SeCret'
set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
Check swanctl:
vyos@r4-1.3:~$ sudo swanctl -L
dmvpn-NHRPVPN-tun0: IKEv1, reauthentication every 3600s
local: %any
remote: %any
local pre-shared key authentication:
remote pre-shared key authentication:
dmvpn: TRANSPORT, rekeying every 1800s
local: dynamic[gre]
remote: dynamic[gre]
vyos@r4-1.3:~$
Restart the VPN and check swanctl again:
vyos@r4-1.3:~$ restart vpn
Restarting IPsec process...
vyos@r4-1.3:~$
vyos@r4-1.3:~$ sudo swanctl -L
vyos@r4-1.3:~$
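After the restart, `swanctl -L` lists no connections. To fix it, we need to execute `swanctl -q`, which loads the IKE secret and the connection again. While no connection is loaded, it is worth checking whether traffic on the GRE tunnel is passing without IPsec protection.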
vyos@r4-1.3:~$ sudo swanctl -L
vyos@r4-1.3:~$ sudo swanctl -q
loaded ike secret 'ike-dmvpn-tun0'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'dmvpn-NHRPVPN-tun0'
successfully loaded 1 connections, 0 unloaded
vyos@r4-1.3:~$
vyos@r4-1.3:~$ sudo swanctl -L
dmvpn-NHRPVPN-tun0: IKEv1, reauthentication every 3600s
local: %any
remote: %any
local pre-shared key authentication:
remote pre-shared key authentication:
dmvpn: TRANSPORT, rekeying every 1800s
local: dynamic[gre]
remote: dynamic[gre]
vyos@r4-1.3:~$