
OpenNHRP DMVPN configuration file clean after reboot if we have any IPSec configuration
Closed, Resolved | Public | BUG

Description

OpenNHRP DMVPN configuration file clean after reboot if we have any IPSec configuration
To reproduce:

set interfaces ethernet eth1 address '192.0.2.14/24'
set interfaces ethernet eth1 description 'WAN'

set vpn ipsec esp-group group-ESP lifetime '3600'
set vpn ipsec esp-group group-ESP mode 'tunnel'
set vpn ipsec esp-group group-ESP pfs 'dh-group14'
set vpn ipsec esp-group group-ESP proposal 10 encryption 'aes128'
set vpn ipsec esp-group group-ESP proposal 10 hash 'sha1'
set vpn ipsec ike-group group-IKE close-action 'none'
set vpn ipsec ike-group group-IKE disable-mobike
set vpn ipsec ike-group group-IKE key-exchange 'ikev2'
set vpn ipsec ike-group group-IKE lifetime '28000'
set vpn ipsec ike-group group-IKE proposal 10 dh-group '14'
set vpn ipsec ike-group group-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group group-IKE proposal 10 hash 'sha1'
set vpn ipsec interface 'eth1'

set interfaces tunnel tun100 address '192.168.250.4/24'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 parameters ip key '1'
set interfaces tunnel tun100 source-address '192.0.2.14'

set protocols nhrp tunnel tun100 cisco-authentication 'secret'
set protocols nhrp tunnel tun100 holding-time '30'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut

Check config before the reboot:

vyos@r1-right# cat /run/opennhrp/opennhrp.conf 
# Created by VyOS - manual changes will be overwritten

interface tun100 #hub 
    cisco-authentication secret
    holding-time 30
    multicast dynamic
    redirect
    shortcut

[edit]
vyos@r1-right# 
[edit]
vyos@r1-right# save
[edit]
vyos@r1-right# run reboot now

Broadcast message from root@r1-right on pts/1 (Fri 2024-03-01 15:46:09 EET):

The system will reboot now!

After reboot the file is clean:

vyos@r1-right:~$ cat /run/opennhrp/opennhrp.conf 
# Created by VyOS - manual changes will be overwritten

vyos@r1-right:~$

Without vpn ipsec configuration, the file looks good.

Details

Version
VyOS 1.4.0-epa1
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav triaged this task as High priority.
Viacheslav renamed this task from OpenNHRP DMVPN configuration clean after reboot if we have any IPSec configuration to OpenNHRP DMVPN configuration file clean after reboot if we have any IPSec configuration. Mar 2 2024, 11:22 AM
Viacheslav updated the task description.

If I comment out this line then everything works.

Viacheslav changed the task status from Open to Needs testing. Mar 4 2024, 5:29 PM

For 1.5, the fix works as expected:

vyos@r4:~$ cat /run/opennhrp/opennhrp.conf
# Created by VyOS - manual changes will be overwritten

interface tun100 #hub 
    cisco-authentication secret
    holding-time 30
    multicast dynamic
    redirect
    shortcut

vyos@r4:~$
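
A post-reboot check for the symptom reported in this task, as an added example that is not part of the original task or of VyOS itself: it compares the `set protocols nhrp tunnel ...` commands with the contents of `/run/opennhrp/opennhrp.conf` and reports tunnels or options that were not rendered. The function and constant names are hypothetical, and it assumes the five options shown on this page render as the same words without quotes; other NHRP options are not compared.

```python
import re

# Assumption: only options whose rendered form is shown on this page are compared.
PAGE_OPTIONS = {"cisco-authentication", "holding-time", "multicast", "redirect", "shortcut"}
# Constructed samples, copied from the reproduction steps and file listings above.
SET_COMMANDS = """\
set protocols nhrp tunnel tun100 cisco-authentication 'secret'
set protocols nhrp tunnel tun100 holding-time '30'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut
"""
RENDERED_OK = """\
# Created by VyOS - manual changes will be overwritten

interface tun100 #hub
    cisco-authentication secret
    holding-time 30
    multicast dynamic
    redirect
    shortcut
"""
RENDERED_EMPTY = RENDERED_OK.split("interface")[0]  # header only, as after the reboot

def expected_from_set(commands):  # tunnel -> option lines the config calls for
    expected = {}
    for tunnel, rest in re.findall(r"^[ \t]*set protocols nhrp tunnel (\S+)[ \t]*(.*)$", commands, re.M):
        option = rest.replace("'", "").strip()
        opts = expected.setdefault(tunnel, set())
        if option.split(" ")[0] in PAGE_OPTIONS:
            opts.add(option)
    return expected

def parse_rendered(text):  # interface -> option lines present in opennhrp.conf
    rendered, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = rendered.setdefault(raw.split()[1], set())
        elif current is not None and raw[:1].isspace() and raw.strip():
            current.add(raw.strip())
    return rendered

def missing_nhrp(commands, rendered_text):  # {} means the file matches the config
    rendered, report = parse_rendered(rendered_text), {}
    for tunnel, options in expected_from_set(commands).items():
        gap = [] if tunnel in rendered else ["<no interface stanza>"]
        gap += sorted(options - rendered.get(tunnel, set()))
        if gap:
            report[tunnel] = gap
    return report
```

On a router, the inputs would be the output of `show configuration commands` and the contents of `/run/opennhrp/opennhrp.conf`; a non-empty result after boot matches the behaviour described in this task.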