
Config migration does not work as expected when updating from 1.3.2 to 1.4.0 (NAT with a wildcard interface and custom sysctl parameters)
Closed, ResolvedPublicBUG

Assigned To
Authored By
a.hajiyev
Jul 1 2024, 7:06 AM
Referenced Files
F4502659: vyos-migrate.log
Jul 1 2024, 7:06 AM
F4502658: config-1.3.2.boot
Jul 1 2024, 7:06 AM
F4502656: journal.txt
Jul 1 2024, 7:06 AM
F4502653: config-1.4.boot
Jul 1 2024, 7:06 AM
F4502654: journal.txt
Jul 1 2024, 7:06 AM

Description

The configuration on VyOS 1.3.2, before the update:

set interfaces bonding bond0 description 'WAN interface'
set interfaces bonding bond0 member interface 'eth2'
set interfaces bonding bond0 member interface 'eth1'
set interfaces bonding bond0 mode '802.3ad'
set interfaces bonding bond0 vif 20 address '192.168.20.1/30'
set interfaces bonding bond0 vif 21 address '192.168.21.1/30'
set interfaces ethernet eth3 address '172.16.10.1/24'
set interfaces ethernet eth3 description 'LAN interface'
set interfaces vti vti10 address '10.0.0.2/31'

set system sysctl custom net.ipv4.conf.bond0/21.disable_policy value '1'
set system sysctl custom net.ipv4.conf.bond0/20.disable_policy value '1'

set nat destination rule 10 destination address '192.168.21.10/24'
set nat destination rule 10 inbound-interface 'vti+'
set nat destination rule 10 translation address '172.16.10.10'
set nat destination rule 20 destination address '192.168.21.11/24'
set nat destination rule 20 inbound-interface 'vti+'
set nat destination rule 20 translation address '172.16.10.20'

set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'bond0.21'
set vpn ipsec site-to-site peer 192.168.21.2 authentication id '192.168.21.1'
set vpn ipsec site-to-site peer 192.168.21.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.21.2 authentication pre-shared-secret 'secretkey'
set vpn ipsec site-to-site peer 192.168.21.2 authentication remote-id '192.168.21.2'
set vpn ipsec site-to-site peer 192.168.21.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.21.2 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer 192.168.21.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.168.21.2 local-address '192.168.21.1'
set vpn ipsec site-to-site peer 192.168.21.2 vti bind 'vti10'
set vpn ipsec site-to-site peer 192.168.21.2 vti esp-group 'ESP_DEFAULT'

set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10
vyos@R-01:~$ show version | grep -i version
Version:          VyOS 1.3.2

After updating from 1.3.2 to 1.4.0 and rebooting, the configuration disappears and the router comes up with the following instead:

set interfaces ethernet eth0 address '10.55.8.131/24'
set interfaces ethernet eth0 hw-id '00:0c:29:77:b2:d3'
set interfaces ethernet eth1 hw-id '00:0c:29:77:b2:dd'
set interfaces ethernet eth2 hw-id '00:0c:29:77:b2:e7'
set interfaces ethernet eth3 hw-id '00:0c:29:77:b2:f1'
set interfaces ethernet eth4 hw-id '00:0c:29:77:b2:fb'
set interfaces ethernet eth5 hw-id '00:0c:29:77:b2:05'
set interfaces ethernet eth6 hw-id '00:0c:29:77:b2:0f'
set interfaces ethernet eth7 hw-id '00:0c:29:77:b2:19'
set interfaces loopback lo
set service ntp allow-client address '0.0.0.0/0'
set service ntp allow-client address '::/0'
set service ntp server time1.vyos.net
set service ntp server time2.vyos.net
set service ntp server time3.vyos.net
set service ssh
set system config-management commit-revisions '100'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system console device ttyS0 speed '115200'
set system host-name 'R-01'
set system login user vyos authentication encrypted-password '$6$AzazUuOLH$C3XO4LEzUjiSa2BSlfu3LY8tsRoR.88Xm7CxKtwyXM4N3u5hV8fpIH0SJq.M4Cab.qeUWaUaiRwU8elCD8H7k/'
set system login user vyos authentication plaintext-password ''
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'

Attaching the config boot files and logs: {F4502654}

Details

Version
1.4
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

n.fort changed the task status from Open to In progress. (Jul 2 2024, 12:32 PM)
n.fort claimed this task.
n.fort subscribed.
syncer triaged this task as Normal priority. (Jul 3 2024, 1:26 PM)
n.fort changed the task status from In progress to Needs testing. (Jul 4 2024, 10:59 AM)