Page MenuHomeVyOS Platform
Create Task
Maniphest T7562

Command 'set vpn ipsec disable-uniqreqids' does nothing
Closed, ResolvedPublicBUG
Actions

Description

Command 'set vpn ipsec disable-uniqreqids' does nothing

Details

Version
2025.06.06-0019-rolling, 1.4.2
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

a.apostoliuk created this task.Jun 18 2025, 2:32 PM
a.apostoliuk triaged this task as Normal priority.
pasik subscribed.Jun 18 2025, 4:03 PM
dmbaturin edited projects, added VyOS 1.5 Circinus (1.5-stream-2025-Q3); removed VyOS 1.5 Circinus (1.5-stream-2025-Q2).Jul 9 2025, 1:21 PM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.4); removed VyOS 1.4 Sagitta (1.4.3).Jul 14 2025, 1:44 PM
o.kuchmystyi subscribed.EditedJul 28 2025, 12:45 PM

In VyOS 1.3, this command was used to integrate with StrongSwan's uniqueids=no setting in ipsec.conf, facilitating environments requiring non-unique IKE_SAs. However, with StrongSwan's transition to swanctl.conf, such unique ID management should ideally be performed via the connections.<conn>.unique parameter. More details about the migration you can find here.

Additionally, the current set vpn ipsec remote-access connection rw unique command in newer VyOS versions supports modern uniqueness policies, which align better with updated StrongSwan configurations. https://vyos.dev/T1210

Given the situation, I can propose the following actions:

  1. Deprecate disable-uniqreqids: Phase out this command and guide users to the remote-access uniqueness settings.
  2. Modernize Configurations: Transition settings to use the connections.<conn>.unique parameter, defaulting to similar behavior as uniqueids=no.
  3. Standardize Behavior: Apply the same uniqueness handling as the remote-access settings (L2TP, profile, peer) for consistency across the platform.

Other helpful links:

dmbaturin subscribed.Jul 29 2025, 3:24 PM

I think we should go for option #2, since it's pretty flexible now. The old disable-uniqreqids option can be migrated to never on every connection.

o.kuchmystyi mentioned this in rVYOSONEXc84c7cf16bf4: ipsec: T7562: Add support for `disable-uniqreqids` option in IPsec configs.Aug 12 2025, 2:39 PM
Restricted Repository Identity mentioned this in rVYOSONEX471441d9d654: Merge pull request #4637 from alexandr-san4ez/T7562-current.Aug 12 2025, 2:39 PM
Viacheslav assigned this task to o.kuchmystyi.Sep 25 2025, 12:33 AM
Viacheslav moved this task from Open to Finished on the VyOS 1.5 Circinus (1.5-stream-2025-Q3) board.
Viacheslav subscribed.

PR https://github.com/vyos/vyos-1x/pull/4637

Unknown Object (User) closed this task as Resolved.Oct 8 2025, 12:54 PM
Unknown Object (User) moved this task from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.4) board.Oct 8 2025, 5:24 PM
Unknown Object (User) moved this task from Need Triage to Completed on the VyOS Rolling board.
dmbaturin edited projects, added VyOS 1.5 Circinus (2025.11); removed VyOS 1.4 Sagitta (1.4.4), VyOS 1.5 Circinus (1.5-stream-2025-Q3), VyOS Rolling.Thu, Nov 13, 1:21 AM