Hi
I found an issue where VyOS does not load the vpn-ipsec config; in fact, the configuration is lost on the VyOS CLI. Let me show this behaviour:
Current settings:
set vpn ipsec esp-group vyos-esp-aws compression 'disable'
set vpn ipsec esp-group vyos-esp-aws lifetime '3600'
set vpn ipsec esp-group vyos-esp-aws mode 'tunnel'
set vpn ipsec esp-group vyos-esp-aws pfs 'dh-group14'
set vpn ipsec esp-group vyos-esp-aws proposal 1 encryption 'aes256'
set vpn ipsec esp-group vyos-esp-aws proposal 1 hash 'sha256'
set vpn ipsec ike-group vyos-ike-aws close-action 'none'
set vpn ipsec ike-group vyos-ike-aws dead-peer-detection action 'restart'
set vpn ipsec ike-group vyos-ike-aws dead-peer-detection interval '15'
set vpn ipsec ike-group vyos-ike-aws dead-peer-detection timeout '30'
set vpn ipsec ike-group vyos-ike-aws ikev2-reauth 'yes'
set vpn ipsec ike-group vyos-ike-aws key-exchange 'ikev2'
set vpn ipsec ike-group vyos-ike-aws lifetime '28800'
set vpn ipsec ike-group vyos-ike-aws proposal 1 dh-group '14'
set vpn ipsec ike-group vyos-ike-aws proposal 1 encryption 'aes256'
set vpn ipsec ike-group vyos-ike-aws proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 18.218.254.206 authentication mode 'pre-shared-secret' '[email protected]'
set vpn ipsec site-to-site peer 18.218.254.206 connection-type 'initiate'
set vpn ipsec site-to-site peer 18.218.254.206 default-esp-group 'vyos-esp-aws'
set vpn ipsec site-to-site peer 18.218.254.206 dhcp-interface 'eth0'
set vpn ipsec site-to-site peer 18.218.254.206 ike-group 'vyos-ike-aws'
set vpn ipsec site-to-site peer 18.218.254.206 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 18.218.254.206 tunnel 10 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 18.218.254.206 tunnel 10 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 18.218.254.206 tunnel 10 local prefix '192.168.12.0/24'
set vpn ipsec site-to-site peer 18.218.254.206 tunnel 10 remote prefix '10.0.6.0/24'
# interfaces
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 hw-id '50:00:00:02:00:00'
set interfaces ethernet eth1 address '192.168.12.10/24'
The problem appears to be that VyOS allowed me to switch eth0 from DHCP to static (it didn't show any warning message or helper indicating an issue).
# applied this configuration
delete interfaces ethernet eth0 dhcp
set interfaces ethernet eth0 address '192.168.122.110/24'
set protocols static route 0.0.0.0/0 next-hop 192.168.122.1
commit
save
Reboot the VyOS instance: it fails to load the vpn-ipsec configuration (but it doesn't show any issues when booting). However, when we load /config/config.boot, it shows:
[email protected]# load /config/config.boot
Loading configuration from '/config/config.boot'
Load complete. Use 'commit' to make changes effective.
[edit]
### error after commit
[email protected]# commit
[ vpn ipsec site-to-site peer 18.218.254.206 dhcp-interface ]
VPN configuration error: The specified interface is not configured for dhcp.
[[vpn]] failed
Commit failed
[edit]
[email protected]#
It originates because this command is present: set vpn ipsec site-to-site peer 18.218.254.206 dhcp-interface 'eth0'. Here is another case with this issue:
https://forum.vyos.io/t/entire-vpn-ipsec-config-lost-on-reboot/8321/3
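The failure above only surfaces at the next commit, after the saved config has already been rejected on boot. As an added example (not part of this report, and not VyOS's own code), the script below parses `set ...` command lines, such as the output of `show configuration commands`, and flags every site-to-site peer whose `dhcp-interface` names an interface that no longer has `address dhcp`. The sample config is constructed to mirror the report (eth0 switched to a static address while the peer still references it); the second peer `203.0.113.9` and interface `eth2` are invented to show the non-failing case. Running such a check on `/config/config.boot` before a reboot catches the inconsistency while it is still cheap to fix.

```python
"""Pre-reboot consistency check for VyOS `dhcp-interface` references.

Added example, not from the bug report or from the VyOS project. It reads
`set`-style config lines and reports IPsec peers whose dhcp-interface points
at an interface that is not configured with `address dhcp`, which is the exact
condition the commit error "The specified interface is not configured for
dhcp" complains about.
"""
import shlex
from typing import Dict, List, Set

# Constructed sample: eth0 has been changed from DHCP to a static address,
# but the peer still says `dhcp-interface 'eth0'`. Peer 203.0.113.9 / eth2
# are invented to show a reference that is still consistent.
SAMPLE_CONFIG = """
set interfaces ethernet eth0 address '192.168.122.110/24'
set interfaces ethernet eth0 hw-id '50:00:00:02:00:00'
set interfaces ethernet eth1 address '192.168.12.10/24'
set interfaces ethernet eth2 address 'dhcp'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 18.218.254.206 dhcp-interface 'eth0'
set vpn ipsec site-to-site peer 18.218.254.206 ike-group 'vyos-ike-aws'
set vpn ipsec site-to-site peer 203.0.113.9 dhcp-interface 'eth2'
"""


def parse_set_commands(text: str) -> List[List[str]]:
    """Split each `set ...` line into its path tokens, honouring quotes."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue  # skip blank lines, comments and non-set commands
        paths.append(shlex.split(line)[1:])  # drop the leading 'set'
    return paths


def dhcp_interfaces(paths: List[List[str]]) -> Set[str]:
    """Interfaces of any type that carry `address dhcp`."""
    found = set()
    for p in paths:
        # e.g. ['interfaces', 'ethernet', 'eth0', 'address', 'dhcp']
        if len(p) >= 5 and p[0] == "interfaces" and p[3] == "address" and p[4] == "dhcp":
            found.add(p[2])
    return found


def peer_dhcp_refs(paths: List[List[str]]) -> Dict[str, str]:
    """Map each site-to-site peer to the interface named in its dhcp-interface."""
    refs = {}
    for p in paths:
        # e.g. ['vpn', 'ipsec', 'site-to-site', 'peer', '18.218.254.206',
        #       'dhcp-interface', 'eth0']
        if len(p) >= 7 and p[:4] == ["vpn", "ipsec", "site-to-site", "peer"] \
                and p[5] == "dhcp-interface":
            refs[p[4]] = p[6]
    return refs


def find_stale_dhcp_refs(text: str) -> List[str]:
    """Return one finding per peer whose dhcp-interface is not a DHCP interface."""
    paths = parse_set_commands(text)
    dhcp = dhcp_interfaces(paths)
    findings = []
    for peer, iface in sorted(peer_dhcp_refs(paths).items()):
        if iface not in dhcp:
            findings.append(
                f"peer {peer}: dhcp-interface '{iface}' is not configured for dhcp"
            )
    return findings


if __name__ == "__main__":
    for finding in find_stale_dhcp_refs(SAMPLE_CONFIG):
        print(finding)
```

Against the constructed sample this reports only peer 18.218.254.206, the same path VyOS names in the commit failure; an operator who changes an interface from DHCP to static would either delete the peer's `dhcp-interface` or replace it with `local-address` before running `commit` and `save`.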