
Issues with OSPF Route Redistribution
Needs reporter action, High | Public | BUG

Description

A bug has been encountered during the migration from VyOS 1.3.8 to VyOS 1.4.1. The configuration involves an IPsec VPN with a VTI interface and OSPF.

In version 1.3.8, the following commands were used for route redistribution:

set protocols ospf redistribute connected metric-type '2'
set protocols ospf redistribute kernel metric-type '2'
set protocols ospf redistribute static metric-type '2'

This configuration successfully transmitted both static routes and VTI routes. However, after migrating to VyOS 1.4.1, only static routes with a destination IP are being transmitted.

For instance, the following static route transmits without issues:

set protocols static route 172.31.0.0/16 next-hop 169.254.x.x distance '10'
O>* 172.31.0.0/16 [110/20] via 10.xx.xx.xx, eth0.xx, weight 1, 00:21:48

In contrast, routes using the VTI interface are not being transmitted:

set protocols static route 169.254.x.x/30 interface 'vti2' distance '20'
set protocols static route 10.x.x.0/16 interface vti0 distance '10'

Details

Version
1.3.8, 1.4.1
Is it a breaking change?
Behavior change
Issue type
Bug (incorrect behavior)

Related Objects

Status | Subtype | Assigned | Task
Resolved | BUG | dmbaturin |
Needs reporter action | BUG | None |

Event Timeline

This comment was removed by hedrok.

Cannot reproduce on 1.4.4 and rolling with the following configuration:

topology

left [VyOS]
right [VyOS]
R-ipsec [VyOS]
left.eth0 [192.100.2.1/24] -- [192.100.2.2/24] right.eth0
left.eth1 [192.0.2.1/4] -- [198.51.100.1/4] R-ipsec.eth1

left:

set system host-name left

set interfaces ethernet eth0 address '192.100.2.1/24'
set protocols ospf area 0.0.0.0 network '192.100.2.0/24'
set protocols ospf parameters router-id '192.100.2.1'

set protocols ospf redistribute connected metric-type '2'
set protocols ospf redistribute kernel metric-type '2'
set protocols ospf redistribute static metric-type '2'

set interfaces ethernet eth1 address '192.0.2.1/4'


# Reported to work:
set protocols static route 172.31.0.0/16 next-hop 192.0.2.2 distance '10'
# Reported not to work:
set protocols static route 10.72.0.0/16 interface vti10 distance '10'

# VPN IPSEC interface configuration:
set interfaces vti vti10 address '10.0.0.2/31'
set interfaces vti vti10 description 'VPN Virtual Tunnel Interface'

# VPN IPSEC configuration
set vpn ipsec authentication psk peer_198-51-100-1 id '192.0.2.1'
set vpn ipsec authentication psk peer_198-51-100-1 id '198.51.100.1'
set vpn ipsec authentication psk peer_198-51-100-1 secret 'S$cretK$y11'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer peer_198-51-100-1 authentication local-id '192.0.2.1'
set vpn ipsec site-to-site peer peer_198-51-100-1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_198-51-100-1 authentication remote-id '198.51.100.1'
set vpn ipsec site-to-site peer peer_198-51-100-1 connection-type 'initiate'
set vpn ipsec site-to-site peer peer_198-51-100-1 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer peer_198-51-100-1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_198-51-100-1 local-address '192.0.2.1'
set vpn ipsec site-to-site peer peer_198-51-100-1 remote-address '198.51.100.1'
set vpn ipsec site-to-site peer peer_198-51-100-1 vti bind 'vti10'
set vpn ipsec site-to-site peer peer_198-51-100-1 vti esp-group 'ESP_DEFAULT'

R-ipsec:

set system host-name R-ipsec
set interfaces ethernet eth1 address '198.51.100.1/4'

# VPN IPSEC interface configuration:
set interfaces vti vti10 address '10.0.0.3/31'
set interfaces vti vti10 description 'VPN Virtual Tunnel Interface'

# VPN IPSEC configuration
set vpn ipsec authentication psk peer_192-0-2-1 id '192.0.2.1'
set vpn ipsec authentication psk peer_192-0-2-1 id '198.51.100.1'
set vpn ipsec authentication psk peer_192-0-2-1 secret 'S$cretK$y11'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec options disable-route-autoinstall
set vpn ipsec site-to-site peer peer_192-0-2-1 authentication local-id '198.51.100.1'
set vpn ipsec site-to-site peer peer_192-0-2-1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer peer_192-0-2-1 authentication remote-id '192.0.2.1'
set vpn ipsec site-to-site peer peer_192-0-2-1 connection-type 'initiate'
set vpn ipsec site-to-site peer peer_192-0-2-1 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer peer_192-0-2-1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer peer_192-0-2-1 local-address '198.51.100.1'
set vpn ipsec site-to-site peer peer_192-0-2-1 remote-address '192.0.2.1'
set vpn ipsec site-to-site peer peer_192-0-2-1 vti bind 'vti10'
set vpn ipsec site-to-site peer peer_192-0-2-1 vti esp-group 'ESP_DEFAULT'

right:

set system host-name right
set interfaces ethernet eth0 address '192.100.2.2/24'
set protocols ospf area 0.0.0.0 network '192.100.2.0/24'
set protocols ospf parameters router-id '192.100.2.2'
set protocols ospf redistribute kernel metric-type '2'

With this configuration I can see the route on the vti interface properly distributed. On right:

vyos@vyos:~$ show ip route ospf
...
O>* 10.72.0.0/16 [110/20] via 192.100.2.1, eth0, weight 1, 00:11:34

@danielcshn Could you please retest it and, if it still reproduces, give the topology and full configuration? Thank you.
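
An added example, not part of the original task and not VyOS code: a Python check that compares the static routes configured on `left` with `show ip route ospf` output from `right` and lists the prefixes that were not learned, split by next-hop versus interface routes. The two route-table samples and the function names are constructed for illustration.

```python
import ipaddress
import re

# Static routes taken from the reproduction config for `left` in this task.
LEFT_STATIC = """\
set protocols static route 172.31.0.0/16 next-hop 192.0.2.2 distance '10'
set protocols static route 10.72.0.0/16 interface vti10 distance '10'
"""

# Constructed `show ip route ospf` output on `right`: the reported 1.4.1 behaviour.
REPORTED = """\
O   192.100.2.0/24 [110/1] is directly connected, eth0, weight 1, 00:12:01
O>* 172.31.0.0/16 [110/20] via 192.100.2.1, eth0, weight 1, 00:11:34
"""

# Constructed output matching what the reproduction observed (vti route present).
REPRODUCED = REPORTED + \
    "O>* 10.72.0.0/16 [110/20] via 192.100.2.1, eth0, weight 1, 00:11:34\n"

STATIC_RE = re.compile(
    r"^set protocols static route (\S+) (next-hop|interface) '?([\w.:-]+)'?")
OSPF_RE = re.compile(r"^O\S*\s+(\S+/\d+)\s")


def static_routes(config):
    """Map each configured static prefix to (kind, target)."""
    routes = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(m.group(1), strict=False)
            routes[net] = (m.group(2), m.group(3))
    return routes


def ospf_prefixes(show_output):
    """Collect prefixes that have an OSPF entry in the route table output."""
    found = set()
    for line in show_output.splitlines():
        m = OSPF_RE.match(line)
        if m:
            found.add(ipaddress.ip_network(m.group(1), strict=False))
    return found


def missing_redistribution(config, show_output):
    """List static routes on one router that the OSPF neighbour did not learn."""
    learned = ospf_prefixes(show_output)
    return [(str(net), kind, target)
            for net, (kind, target) in static_routes(config).items()
            if net not in learned]
```

Running `missing_redistribution` against saved output from each VyOS version gives a direct before/after comparison for the migration.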

Viacheslav changed the task status from Open to Needs reporter action. Sep 25 2025, 1:09 PM