Page MenuHomeVyOS Platform
Create Task
Maniphest T6157

Can not create two GRE tunnels to the same DST but from different SRC addresses
Needs testing, NormalPublicBUG
Actions

Description

Cannot create two GRE tunnels to the same DST but from different SRC addresses
Configuration:

set interfaces ethernet eth1 address '10.0.0.2/24'
set interfaces ethernet eth2 address '10.0.1.2/24'
set protocols static route 0.0.0.0/0 next-hop 10.0.0.1

Adding tunnels

set interfaces tunnel tun100 address '192.168.8.100/31'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 ip adjust-mss '1436'
set interfaces tunnel tun100 remote '10.0.10.2'
set interfaces tunnel tun100 source-address '10.0.0.2'

set interfaces tunnel tun102 address '192.168.8.104/31'
set interfaces tunnel tun102 encapsulation 'gre'
set interfaces tunnel tun102 ip adjust-mss '1436'
set interfaces tunnel tun102 remote '10.0.10.2'
set interfaces tunnel tun102 source-address '10.0.1.2'

Getting error after commit

vyos@vyos# commit
[ interfaces tunnel tun100 ]
Missing required "ip key" parameter when running more then one GRE based
tunnel on the same source-interface/source-address

[[interfaces tunnel tun100]] failed
[ interfaces tunnel tun102 ]
Missing required "ip key" parameter when running more then one GRE based
tunnel on the same source-interface/source-address

[[interfaces tunnel tun102]] failed
Commit failed
[edit]
vyos@vyos#

After adding such interfaces manually everything works. I can ping all remote sites through tunnels.

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.5-rolling-202403220018, VyOS 1.3.6
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

a.apostoliuk created this task.Mar 22 2024, 12:05 PM
a.apostoliuk triaged this task as Normal priority.
pasik subscribed.Mar 22 2024, 12:54 PM
c-po moved this task from 1.4.0 to 1.4.0-epa3 on the VyOS 1.4 Sagitta board.Mar 22 2024, 7:16 PM
c-po edited projects, added VyOS 1.4 Sagitta (1.4.0-epa3); removed VyOS 1.4 Sagitta (1.4.0).
c-po moved this task from 1.4.0-epa3 to 1.4.0 on the VyOS 1.4 Sagitta board.
c-po edited projects, added VyOS 1.4 Sagitta (1.4.0); removed VyOS 1.4 Sagitta (1.4.0-epa3).
a.apostoliuk changed the task status from Open to In progress.Apr 4 2024, 11:08 AM
a.apostoliuk claimed this task.
syncer edited projects, added VyOS 1.4 Sagitta (1.4.0-GA); removed VyOS 1.4 Sagitta (1.4.0).May 7 2024, 8:02 AM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.8); removed VyOS 1.3 Equuleus (1.3.7).May 13 2024, 7:31 PM
a.apostoliuk changed the task status from In progress to Open.May 17 2024, 7:37 AM
a.apostoliuk removed a.apostoliuk as the assignee of this task.
talmakion subscribed.May 25 2024, 9:52 AM

As far as I can tell the test will always error if the remote matches and neither source-interface and source-address are configured differently, including the case where they're both blank (source-interface == None on both tunnels triggers this particular case).

The test can be modified to instead check that at least one out of (source-if, source-address, remote) differ against existing tunnels which will allow the tunnel to be created cleanly, I've attached a patch that works this way.

However, it can't easily check things like one tunnel configured with the source-address of an interface, another tunnel configured with the same IF directly as source-interface - this doesn't stop ip from working underneath and creating the tunnel, but will likely confuse NAT & conntrack.

{F4328120}

talmakion attached a referenced file: Unknown Object (File). (Show Details)May 25 2024, 10:21 AM
talmakion added a comment.May 31 2024, 11:58 AM

I've created a PR for this that fixed a mistake with my original patch: https://github.com/vyos/vyos-1x/pull/3570

Viacheslav changed the task status from Open to In progress.May 31 2024, 12:37 PM
Viacheslav assigned this task to talmakion.
Restricted Repository Identity mentioned this in rVYOSONEXd150067ef254: Merge pull request #3570 from talmakion/bugfix/T6157.May 31 2024, 2:35 PM
Restricted Repository Identity mentioned this in rVYOSONEX34024e630ec7: tunnel: T6157: fixing GRE tunnel uniqueness checks.May 31 2024, 2:35 PM
talmakion added a comment.Jun 11 2024, 2:07 PM

@a.apostoliuk this one should be resolved in the current rolling release, if you're able to check it out?

dmbaturin edited projects, added VyOS 1.3 Equuleus (1.3.9); removed VyOS 1.3 Equuleus (1.3.8).Jun 20 2024, 10:17 AM
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.1); removed VyOS 1.3 Equuleus (1.3.9), VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.5 Circinus.Jul 2 2024, 7:29 PM
talmakion changed the task status from In progress to Needs testing.Aug 1 2024, 1:46 PM
dmbaturin added a project: Restricted Project.Sep 15 2024, 5:03 PM