We shouldn't generate a config with empty dpd_action and close_action values for child SAs.
set vpn ipsec authentication psk bar id '192.0.2.1'
set vpn ipsec authentication psk bar id '192.0.2.3'
set vpn ipsec authentication psk bar id '192.0.2.1.local.peer-b'
set vpn ipsec authentication psk bar id '192.0.2.2.peer-b'
set vpn ipsec authentication psk bar secret 'SecretBar'
set vpn ipsec authentication psk baz id 'fsdfdf'
set vpn ipsec authentication psk baz secret 'bazdfwefsecrettt'
set vpn ipsec esp-group ESP-group-b lifetime '1800'
set vpn ipsec esp-group ESP-group-b mode 'tunnel'
set vpn ipsec esp-group ESP-group-b pfs 'enable'
set vpn ipsec esp-group ESP-group-b proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-group-b proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-group-b key-exchange 'ikev1'
set vpn ipsec ike-group IKE-group-b lifetime '3600'
set vpn ipsec ike-group IKE-group-b proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-group-b proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-group-b proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer OFFICE-B authentication local-id '192.0.2.2.peer-b'
set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '192.0.2.1.local.peer-b'
set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond'
set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKE-group-b'
set vpn ipsec site-to-site peer OFFICE-B local-address '192.0.2.2'
set vpn ipsec site-to-site peer OFFICE-B remote-address '192.0.2.1'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 esp-group 'ESP-group-b'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 local prefix '10.0.0.0/21'
set vpn ipsec site-to-site peer OFFICE-B tunnel 0 remote prefix '192.168.0.0/24'
In the children section, dpd_action and close_action are incorrectly generated with an empty value after "=":
vyos@r2# cat /etc/swanctl/swanctl.conf
### Autogenerated by vpn_ipsec.py ###
connections {
OFFICE-B {
proposals = aes256-sha256-modp2048
version = 1
local_addrs = 192.0.2.2 # dhcp:no
remote_addrs = 192.0.2.1
dpd_timeout = 120
dpd_delay = 30
rekey_time = 3600s
mobike = yes
keyingtries = 1
local {
id = "192.0.2.2.peer-b"
auth = psk
}
remote {
id = "192.0.2.1.local.peer-b"
auth = psk
}
children {
OFFICE-B-tunnel-0 {
esp_proposals = aes128-sha1-modp2048
life_time = 1800s
local_ts = 10.0.0.0/21
remote_ts = 192.168.0.0/24
ipcomp = no
mode = tunnel
start_action = trap
dpd_action =
close_action =
}
}
}
}