
Commit fails removing VTI interface in IPsec config
Closed, Resolved · Public · BUG

Description

There are a couple of related issues. The first one is the following:

vyos@vyos# comp
[interfaces]
- vti vti1 {
- }
[protocols static]
- route 192.168.202.0/24 {
-     interface vti1 {
-     }
- }
[vpn ipsec site-to-site peer B]
- vti {
-     bind "vti1"
- }
+ tunnel 0 {
+     local {
+         prefix "192.168.102.0/24"
+     }
+     remote {
+         prefix "192.168.202.0/24"
+     }
+ }

[edit]
vyos@vyos# commit
[ vpn ipsec ]
Traceback (most recent call last):
  File "/usr/libexec/vyos/services/vyos-configd", line 157, in run_script
    script.apply(c)
  File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 776, in apply
    remove_vti_updown_db()
  File "/usr/lib/python3/dist-packages/vyos/utils/vti_updown_db.py", line 67, in remove_vti_updown_db
    db.commit(lambda _: None)
  File "/usr/lib/python3/dist-packages/vyos/utils/vti_updown_db.py", line 177, in commit
    vti_link_up = (vti_link['operstate'] != 'DOWN' if 'operstate' in vti_link else False)
                                                      ^^^^^^^^^^^^^^^^^^^^^^^
TypeError: argument of type 'NoneType' is not iterable

[[vpn ipsec]] failed
Commit failed

Steps to reproduce:

del interfaces vti vti1
del protocols static route 192.168.202.0/24
del vpn ipsec site-to-site peer B vti

set vpn ipsec site-to-site peer B tunnel 0 local prefix '192.168.102.0/24'
set vpn ipsec site-to-site peer B tunnel 0 remote prefix '192.168.202.0/24'

commit

Config:

vyos@vyos# run sh conf comm|grep vti
set interfaces vti vti1
set protocols static route 192.168.202.0/24 interface vti1
set vpn ipsec site-to-site peer B vti bind 'vti1'
[edit]
vyos@vyos# run sh conf comm|grep vpn
set vpn ipsec authentication psk psk1 id 'A'
set vpn ipsec authentication psk psk1 id 'B'
set vpn ipsec authentication psk psk1 secret 'AB'
set vpn ipsec esp-group esp1 mode 'tunnel'
set vpn ipsec esp-group esp1 pfs 'disable'
set vpn ipsec esp-group esp1 proposal 10 encryption 'aes256'
set vpn ipsec esp-group esp1 proposal 10 hash 'sha256'
set vpn ipsec ike-group ike1 close-action 'none'
set vpn ipsec ike-group ike1 dead-peer-detection action 'clear'
set vpn ipsec ike-group ike1 proposal 10 encryption 'camellia256ccm96'
set vpn ipsec ike-group ike1 proposal 10 hash 'sha256'
set vpn ipsec interface 'eth3'
set vpn ipsec site-to-site peer B authentication local-id 'A'
set vpn ipsec site-to-site peer B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer B authentication remote-id 'B'
set vpn ipsec site-to-site peer B connection-type 'initiate'
set vpn ipsec site-to-site peer B default-esp-group 'esp1'
set vpn ipsec site-to-site peer B ike-group 'ike1'
set vpn ipsec site-to-site peer B local-address '192.168.99.1'
set vpn ipsec site-to-site peer B remote-address '192.168.99.3'
set vpn ipsec site-to-site peer B vti bind 'vti1'
[edit]

The second one appears on automatic re-establishment of the IPsec tunnel after a commit which unbinds the VTI from the IPsec tunnel:

del vpn ipsec site-to-site peer B vti
set vpn ipsec site-to-site peer B tunnel 0 local prefix '192.168.102.0/24'
set vpn ipsec site-to-site peer B tunnel 0 remote prefix '192.168.202.0/24'
commit
Nov 11 18:58:26 vyos vti-up-down[5921]: Interface vti1 down-client B-vti
Nov 11 18:58:26 vyos systemd[1]: opt-vyatta-config-tmp-new_config_3415.mount: Deactivated successfully.
Nov 11 18:58:29 vyos commit[5949]: Successful change to active configuration by user vyos on /dev/ttyS0
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown: Traceback (most recent call last):
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown:   File "/etc/ipsec.d/vti-up-down", line 65, in <module>
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown:     with open_vti_updown_db_for_update() as db:
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown:   File "/usr/lib/python3.11/contextlib.py", line 137, in __enter__
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown:     return next(self.gen)
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown:            ^^^^^^^^^^^^^^
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown:   File "/usr/lib/python3/dist-packages/vyos/utils/vti_updown_db.py", line 43, in open_vti_updown_db_for_update
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown:     f = open(VTI_WANT_UP_IFLIST, 'r+')
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown:         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown: FileNotFoundError: [Errno 2] No such file or directory: '/tmp/ipsec_vti_interfaces'
Nov 11 18:58:29 vyos vti-up-down[5953]: Interface vti1 down-client-v6 B-vti
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown: Traceback (most recent call last):
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown:   File "/etc/ipsec.d/vti-up-down", line 65, in <module>
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown:     with open_vti_updown_db_for_update() as db:
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown:   File "/usr/lib/python3.11/contextlib.py", line 137, in __enter__
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown:     return next(self.gen)
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown:            ^^^^^^^^^^^^^^
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown:   File "/usr/lib/python3/dist-packages/vyos/utils/vti_updown_db.py", line 43, in open_vti_updown_db_for_update
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown:     f = open(VTI_WANT_UP_IFLIST, 'r+')
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown:         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Nov 11 18:58:29 vyos charon[5074]: 12[CHD] <B|1> updown: FileNotFoundError: [Errno 2] No such file or directory: '/tmp/ipsec_vti_interfaces'
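Both tracebacks point at the same sequence: the commit that unbinds the VTI tears down state that another code path still reads. In the first, `vti_link` is `None` for the deleted `vti1`, and evaluating `'operstate' in vti_link` on `None` is what raises `TypeError: argument of type 'NoneType' is not iterable`. In the second, the commit has already removed `/tmp/ipsec_vti_interfaces` by the time charon runs the updown hook for the old child SA, so `open(..., 'r+')` raises `FileNotFoundError`. The Python below is an added illustration written for this page, not VyOS code and not the project's fix: it models a want-up list and a link lookup on constructed sample data (the file format, the function names and `SAMPLE_LINKS` are assumptions) and puts the crashing expression next to a variant that treats a vanished interface as down and a missing list as empty.

```python
"""Added example: toy model of the two failure modes in the tracebacks above.
This is NOT VyOS code; the function names, file format and sample data are
assumptions made for illustration only."""
import json
import os
import tempfile
from contextlib import contextmanager
from typing import Dict, List, Optional

# Constructed sample of what a link lookup returns for an existing VTI
# (shape loosely modelled on `ip -j link show`; an assumption, not VyOS's format).
SAMPLE_LINKS: Dict[str, dict] = {
    "vti1": {"ifname": "vti1", "operstate": "UNKNOWN"},
}


def lookup_link(name: str) -> Optional[dict]:
    """Return link attributes, or None once the interface has been deleted."""
    return SAMPLE_LINKS.get(name)


def link_up_buggy(name: str) -> bool:
    """Same expression as line 177 of vti_updown_db.py in the traceback.
    With vti_link None, `'operstate' in vti_link` raises
    TypeError: argument of type 'NoneType' is not iterable (first failure)."""
    vti_link = lookup_link(name)
    return vti_link['operstate'] != 'DOWN' if 'operstate' in vti_link else False


def link_up_fixed(name: str) -> bool:
    """Treat an interface deleted in the same commit as down instead of crashing."""
    vti_link = lookup_link(name)
    if vti_link is None:
        return False
    return vti_link.get('operstate', 'DOWN') != 'DOWN'


@contextmanager
def open_db_for_update(path: str, tolerate_missing: bool):
    """Open the want-up list read/write and write it back on exit.

    tolerate_missing=False reproduces the second failure: opening 'r+' fails
    with FileNotFoundError once a commit has removed the file while charon
    still runs the updown hook for the old VTI child SA.
    tolerate_missing=True creates an empty list instead (O_CREAT). Mode 0o600
    and O_NOFOLLOW are added because the real list lives at a fixed path
    under /tmp; that hardening is this example's choice, not the report's.
    """
    flags = os.O_RDWR | getattr(os, 'O_NOFOLLOW', 0)
    if tolerate_missing:
        flags |= os.O_CREAT
    fd = os.open(path, flags, 0o600)  # FileNotFoundError without O_CREAT
    with os.fdopen(fd, 'r+', encoding='utf-8') as f:
        raw = f.read()
        db: List[str] = json.loads(raw) if raw.strip() else []
        yield db
        f.seek(0)
        f.truncate()
        json.dump(db, f)


def updown_hook(path: str, iface: str, action: str, tolerate_missing: bool) -> List[str]:
    """Model of an updown hook: record which VTIs want to be up."""
    with open_db_for_update(path, tolerate_missing) as db:
        if action.startswith('up') and iface not in db:
            db.append(iface)
        elif action.startswith('down') and iface in db:
            db.remove(iface)
        return list(db)


def commit_states(db: List[str]) -> Dict[str, bool]:
    """What the commit step computes per interface, with the None check applied."""
    return {iface: link_up_fixed(iface) for iface in db}


def demo() -> Dict[str, object]:
    """Run both scenarios in a throwaway directory and report what happened."""
    out: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, 'ipsec_vti_interfaces')  # stand-in for the /tmp path
        try:
            updown_hook(path, 'vti1', 'down-client', tolerate_missing=False)
            out['hook_missing_db'] = 'ok'
        except FileNotFoundError:
            out['hook_missing_db'] = 'FileNotFoundError'
        out['hook_created_db'] = updown_hook(path, 'vti1', 'up-client', tolerate_missing=True)
        try:
            link_up_buggy('vti9')  # vti9 never existed: lookup returns None
            out['buggy_deleted_iface'] = 'ok'
        except TypeError as e:
            out['buggy_deleted_iface'] = str(e)
        out['fixed_states'] = commit_states(['vti1', 'vti9'])
    return out


if __name__ == '__main__':
    print(json.dumps(demo(), indent=2))
```

Run it directly to see both outcomes side by side: the strict opener fails exactly like the hook in the charon log, and the strict link check fails exactly like the commit, while the tolerant variants let the commit finish and the hook record its state. Whether the right fix is to tolerate the missing state or to stop calling the hook for a connection whose VTI binding is gone is a design question the example does not settle.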

Details

Version
2025.11.04-0019-rolling
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

I tried to reproduce these errors on VyOS 2025.11.25-rolling, but everything works fine. @a.kudientsov could you re-check it?

First Issue:

conf
set interfaces vti vti1
set protocols static route 192.168.202.0/24 interface vti1
set vpn ipsec site-to-site peer B vti bind 'vti1'
set vpn ipsec authentication psk psk1 id 'A'
set vpn ipsec authentication psk psk1 id 'B'
set vpn ipsec authentication psk psk1 secret 'AB'
set vpn ipsec esp-group esp1 mode 'tunnel'
set vpn ipsec esp-group esp1 pfs 'disable'
set vpn ipsec esp-group esp1 proposal 10 encryption 'aes256'
set vpn ipsec esp-group esp1 proposal 10 hash 'sha256'
set vpn ipsec ike-group ike1 close-action 'none'
set vpn ipsec ike-group ike1 dead-peer-detection action 'clear'
set vpn ipsec ike-group ike1 proposal 10 encryption 'camellia256ccm96'
set vpn ipsec ike-group ike1 proposal 10 hash 'sha256'
set vpn ipsec interface 'eth3'
set vpn ipsec site-to-site peer B authentication local-id 'A'
set vpn ipsec site-to-site peer B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer B authentication remote-id 'B'
set vpn ipsec site-to-site peer B connection-type 'initiate'
set vpn ipsec site-to-site peer B default-esp-group 'esp1'
set vpn ipsec site-to-site peer B ike-group 'ike1'
set vpn ipsec site-to-site peer B local-address '192.168.99.1'
set vpn ipsec site-to-site peer B remote-address '192.168.99.3'
set vpn ipsec site-to-site peer B vti bind 'vti1'
commit

del interfaces vti vti1
del protocols static route 192.168.202.0/24
del vpn ipsec site-to-site peer B vti
set vpn ipsec site-to-site peer B tunnel 0 local prefix '192.168.102.0/24'
set vpn ipsec site-to-site peer B tunnel 0 remote prefix '192.168.202.0/24'
commit

Second Issue:

conf
set interfaces vti vti1
set protocols static route 192.168.202.0/24 interface vti1
set vpn ipsec site-to-site peer B vti bind 'vti1'
set vpn ipsec authentication psk psk1 id 'A'
set vpn ipsec authentication psk psk1 id 'B'
set vpn ipsec authentication psk psk1 secret 'AB'
set vpn ipsec esp-group esp1 mode 'tunnel'
set vpn ipsec esp-group esp1 pfs 'disable'
set vpn ipsec esp-group esp1 proposal 10 encryption 'aes256'
set vpn ipsec esp-group esp1 proposal 10 hash 'sha256'
set vpn ipsec ike-group ike1 close-action 'none'
set vpn ipsec ike-group ike1 dead-peer-detection action 'clear'
set vpn ipsec ike-group ike1 proposal 10 encryption 'camellia256ccm96'
set vpn ipsec ike-group ike1 proposal 10 hash 'sha256'
set vpn ipsec interface 'eth3'
set vpn ipsec site-to-site peer B authentication local-id 'A'
set vpn ipsec site-to-site peer B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer B authentication remote-id 'B'
set vpn ipsec site-to-site peer B connection-type 'initiate'
set vpn ipsec site-to-site peer B default-esp-group 'esp1'
set vpn ipsec site-to-site peer B ike-group 'ike1'
set vpn ipsec site-to-site peer B local-address '192.168.99.1'
set vpn ipsec site-to-site peer B remote-address '192.168.99.3'
set vpn ipsec site-to-site peer B vti bind 'vti1'
commit

del vpn ipsec site-to-site peer B vti
set vpn ipsec site-to-site peer B tunnel 0 local prefix '192.168.102.0/24'
set vpn ipsec site-to-site peer B tunnel 0 remote prefix '192.168.202.0/24'
commit

@o.kuchmystyi reproduced in 2025.11.26-0020-rolling; it requires an active IPsec tunnel to be established with peer B during the commit:

vyos@vyos# commit
[ vpn ipsec ]
Traceback (most recent call last):
  File "/usr/libexec/vyos/services/vyos-configd", line 157, in run_script
    script.apply(c)
  File "/usr/libexec/vyos/conf_mode/vpn_ipsec.py", line 776, in apply
    remove_vti_updown_db()
  File "/usr/lib/python3/dist-packages/vyos/utils/vti_updown_db.py", line 67, in remove_vti_updown_db
    db.commit(lambda _: None)
  File "/usr/lib/python3/dist-packages/vyos/utils/vti_updown_db.py", line 177, in commit
    vti_link_up = (vti_link['operstate'] != 'DOWN' if 'operstate' in vti_link else False)
                                                      ^^^^^^^^^^^^^^^^^^^^^^^
TypeError: argument of type 'NoneType' is not iterable

[[vpn ipsec]] failed
Commit failed

Peer B config:

vyos@vyos# run sh conf comm|grep vpn
set vpn ipsec authentication psk psk1 id 'A'
set vpn ipsec authentication psk psk1 id 'B'
set vpn ipsec authentication psk psk1 secret 'AB'
set vpn ipsec esp-group esp1 mode 'tunnel'
set vpn ipsec esp-group esp1 pfs 'disable'
set vpn ipsec esp-group esp1 proposal 10 encryption 'aes256'
set vpn ipsec esp-group esp1 proposal 10 hash 'sha256'
set vpn ipsec ike-group ike1 close-action 'none'
set vpn ipsec ike-group ike1 dead-peer-detection action 'clear'
set vpn ipsec ike-group ike1 proposal 10 encryption 'camellia256ccm96'
set vpn ipsec ike-group ike1 proposal 10 hash 'sha256'
set vpn ipsec interface 'eth2'
set vpn ipsec site-to-site peer A authentication local-id 'B'
set vpn ipsec site-to-site peer A authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer A authentication remote-id 'A'
set vpn ipsec site-to-site peer A connection-type 'respond'
set vpn ipsec site-to-site peer A default-esp-group 'esp1'
set vpn ipsec site-to-site peer A ike-group 'ike1'
set vpn ipsec site-to-site peer A local-address '192.168.99.3'
set vpn ipsec site-to-site peer A remote-address '192.168.99.1'
set vpn ipsec site-to-site peer A vti bind 'vti1'
set interfaces vti vti1
set protocols static route 192.168.102.0/24 interface vti1

Viacheslav changed the task status from Open to In progress. Fri, Nov 28, 1:04 PM
Viacheslav assigned this task to o.kuchmystyi.
dmbaturin removed a project: VyOS Rolling.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.