@Viacheslav I believe it is still actual for 1.3 https://github.com/vyos/vyos-1x/blob/equuleus/src/conf_mode/vpn_sstp.py#L60-L78
I saw we changed the PKI model only for 1.4. Implement PKI model for 1.3-epa1 a risky
- Feed Queries
- All Stories
- Search
- Feed Search
- Transactions
- Transaction Logs
Feed All Stories
All Stories
All Stories
Aug 3 2021
Aug 3 2021
Unknown Object (User) closed T2432: dhcpd: Can't create new lease file: Permission denied as Unknown Status.
Unknown Object (User) added a comment to T2661: SSTP wrong certificates check.
Aug 2 2021
Aug 2 2021
I figured out the order we need to remove things in:
UnicronNL closed T3601: Error in ssh keys for vmware cloud-init if ssh keys is left empty. as Resolved.
GitHub <noreply@github.com> committed rVYOSONEX7a32e9ee70d6: Merge pull request #952 from sever-sever/T1594-curr (authored by c-po).
Viacheslav closed T2623: Creating sit tunnel fails with “Can not set “local” for tunnel sit tun1 at tunnel creation” as Resolved.
Fixed, tested in 1.3.0-rc5
set firewall ipv6-name WAN6_IN6 set firewall ipv6-name WAN6_LOCAL6 set interfaces ethernet eth1 address '192.0.2.1/24' set interfaces ethernet eth1 description 'FOO' set interfaces tunnel tun1 6rd-prefix '2607:FA48:6ED8::/45' set interfaces tunnel tun1 6rd-relay-prefix '24.225.128.0/17' set interfaces tunnel tun1 address '2607:FA48:6ED8:8A50::1/60' set interfaces tunnel tun1 description 'Videotron 6rd Tunnel' set interfaces tunnel tun1 encapsulation 'sit' set interfaces tunnel tun1 firewall in ipv6-name 'WAN6_IN6' set interfaces tunnel tun1 firewall local ipv6-name 'WAN6_LOCAL6' set interfaces tunnel tun1 mtu '1480' set interfaces tunnel tun1 multicast 'disable' set interfaces tunnel tun1 parameters ip ttl '255' set interfaces tunnel tun1 remote '192.0.2.2' set interfaces tunnel tun1 source-address '192.0.2.1'
Commit:
vyos@r4-1.3# commit [edit] vyos@r4-1.3# sudo ip tunnel show sit0: ipv6/ip remote any local any ttl 64 nopmtudisc 6rd-prefix 2002::/16 tun1: ipv6/ip remote 192.0.2.2 local 192.0.2.1 ttl 255 tos inherit 6rd-prefix 2002::/16 [edit] vyos@r4-1.3#
Viacheslav added a subtask for T2199: Rewrite firewall in new XML/Python style: T2194: "show firewall" garbled output.
Viacheslav added a parent task for T2194: "show firewall" garbled output: T2199: Rewrite firewall in new XML/Python style.
@trae32566 Can you re-check it?
There are different outputs from "iptables" between 1.2 and 1.3:
By default:
vyos@r4-1.3:~$ sudo netstat -tulpn | grep 161 udp 0 0 0.0.0.0:161 0.0.0.0:* 1405/snmpd udp6 0 0 :::161 :::* 1405/snmpd vyos@r4-1.3:~$
After rebooting router starts with a clean routing configuration.
After that, it loads/commits configuration from /config/config.boot file.
It can be a cause, needs more tests.
It will be must impossible to get another behavior.
PR for current version https://github.com/vyos/vyos-1x/pull/952
I've cleaned the build space and rebuilt the Docker container - no dice locally or in the CI stack, still fails the same way.
It looks like they're using an AWS CA in the cert chain:
Certificate chain 0 s:CN = repo.saltstack.com i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon 1 s:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon i:C = US, O = Amazon, CN = Amazon Root CA 1 2 s:C = US, O = Amazon, CN = Amazon Root CA 1 i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2 i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
i do recall the starfield certs being a problem back in the day as well, but guessing its quite unlikely for the base build environment to have an AWS root CA in its trusted list.
Aug 1 2021
Aug 1 2021
c-po moved T1594: l2tpv3 error on IPv6 local-ip from Open to In Progress on the VyOS 1.4 Sagitta board.
c-po moved T3090: Move 'adjust-mss' firewall options to the interface section. from Open to Backlog on the VyOS 1.4 Sagitta board.
c-po moved T3707: Ping incorrect ip host checks from Need Triage to Finished on the VyOS 1.3 Equuleus board.
c-po moved T3707: Ping incorrect ip host checks from Open to Finished on the VyOS 1.4 Sagitta board.
c-po moved T1810: Commit to add new l2tp local user shouldn't disconnect all current l2tp sessions from Open to In Progress on the VyOS 1.4 Sagitta board.
c-po added a project to T3717: BGP Peer group without 'remote-as' gives shell error: VyOS 1.3 Equuleus.
GitHub <noreply@github.com> committed rVYOSONEXd4f25a76e3ff: Merge pull request #943 from Cheeze-It/current (authored by c-po).
I agree it would be nice to have the Cisco Auth functionality, however, the original author of opennhrp themselves recommend using FRR nhrpd instead where possible. It appears that most effort going forward will be put into FRR's nhrpd, and not the original opennhrp.
Jul 31 2021
Jul 31 2021
I have added a test which does not let you delete the default BGP instance when VRF bound instances exist.
c-po moved T3661: [vrf} route-leaking missing command from Need Triage to Finished on the VyOS 1.3 Equuleus board.
c-po moved T3665: Missing VRF support for VxLAN but already documented from Need Triage to Finished on the VyOS 1.3 Equuleus board.
c-po moved T3679: Point the unexpected exception message link to the new rolling release location from Need Triage to Finished on the VyOS 1.3 Equuleus board.
This is causing a configtest failure on 1.4-rolling-202107301807 stemming from not cleaning up after bgp-evpn-l3vpn-pe-router ("Cannot delete default BGP instance. Dependent VRF instances exist"):
c-po moved T3666: VRF bind-to-all - it doesn't apply the settings . from Need Triage to Finished on the VyOS 1.3 Equuleus board.
c-po moved T2049: Update strongSwan cipher suites list for IPSec settings from In Progress to Finished on the VyOS 1.3 Equuleus board.
c-po moved T2328: dhcpv6 server not starting (disable check reversed?) from In Progress to Finished on the VyOS 1.3 Equuleus board.
c-po moved T3685: IPv6 PBR doesn't allow setting of an egress interface from Need Triage to Finished on the VyOS 1.3 Equuleus board.
c-po moved T3687: IS-IS is missing IPv6 support from Need Triage to Finished on the VyOS 1.3 Equuleus board.
c-po moved T3711: service router-advert interface <name> dnssl option has no effects from Need Triage to Finished on the VyOS 1.3 Equuleus board.
I already backported it, but forgot to push. Will be part of the next 1.3 ISO/RC
c-po changed the status of T3716: Linux kernel parameters ignore_routes_with_link_down- ignore disconnected routing connections from Unknown Status to Resolved.
c-po changed Is it a breaking change? from none to behavior on T3716: Linux kernel parameters ignore_routes_with_link_down- ignore disconnected routing connections.
c-po closed T3716: Linux kernel parameters ignore_routes_with_link_down- ignore disconnected routing connections as Unknown Status.
vfreex added a comment to T3711: service router-advert interface <name> dnssl option has no effects.
@Viacheslav Hi, I saw it was fixed in current branch. Is there a plan to backport the fix to 1.3?
@kroy Can you re-check it with your environment? I can't reproduce it in 1.3.0-rc5.
Viacheslav added a comment to T1753: Configuring `ip source-validation loose` doesn't properly configure `sysctl`.
On VyOS 1.2-rolling-201910180117, setting ip source-validation loose seems to have the same outcome as setting it to disable, i.e. results in rp_filter = 0.
What do you expect to see here?
Viacheslav changed the status of T3694: Static routes not installed into kernel nor frr from Confirmed to Needs testing.
Viacheslav closed T3711: service router-advert interface <name> dnssl option has no effects as Resolved.
Fixed in T2745
PR for 1.3 https://github.com/vyos/vyos-1x/pull/950
Using timeouts is a pretty bad idea as they vary on the host CPU or utilisation of a hypervisor.
it should be timeout ~1.8 sec between adding ipv6 address and create l2tp interface
Closing as invalid as the error was towards aarch64 which is yet not supported by VyOS.
I think NHRP Cisco Auth is still missing: https://github.com/FRRouting/frr/blob/master/nhrpd/nhrp_peer.c#L1212
@c-po @Viacheslav
Further news on this topic - FRR 8.0 released yesterday (7/29) which includes the aforementioned nhrpd multicast improvements, among a lot of other nice things:
Jul 30 2021
Jul 30 2021
Viacheslav moved T1176: FRR - BGP replicating routes from Open to Finished on the VyOS 1.4 Sagitta board.
GitHub <noreply@github.com> committed rVYOSONEXc8ca48514865: Merge pull request #949 from sever-sever/T1176-curr (authored by c-po).
GitHub <noreply@github.com> committed rVYOSONEX8cdfe1518767: Merge pull request #947 from bstepler/T3694 (authored by c-po).
By default, FRR uses all neighbors in afi ipv4.
This behavior can be disabled with:
c-po closed T1210: About IKEv2 IPSec VPN remote access, a subtask of T2816: Rewrite IPsec scripts with the new XML/Python approach, as Resolved.
Drivers for RTL8111 and RTL8168 are build into the kernel.
Large community format:
"1:2:3" "1:2:3 5:6:7" "4123456789:4123456780:4123456788" "^5:.*:7$"
Viacheslav updated the task description for T3714: Some sysctl custom parameters disappear after reboot.
As I see it's already fixed:
vyos@r4-1.3# set protocols bgp 64512 neighbor 192.168.5.5 local-as 64513 [edit] vyos@r4-1.3# set protocols bgp 64512 neighbor 192.168.5.5 remote-as 64513 [edit] vyos@r4-1.3# commit [ protocols bgp 64512 neighbor 192.168.5.5 local-as 64513 ] local-as: 64513 and remote-as: 64513 can't be the same
The original issue with the name ( type "u32") was solved.
I'll create a separate task for comm-list bug that can't be used without the "delete" option. (T3712)