Large-community and large-community-list it is different functions.
It seems all works fine
- Feed Queries
- All Stories
- Search
- Feed Search
- Transactions
- Transaction Logs
Feed Search
Aug 17 2021
Aug 17 2021
Viacheslav changed the status of T690: Allow OpenVPN servers to push routes with custom metric values from Open to Needs testing.
@darkdragon-001 It will be available in the next rolling release, can you test it?
Aug 16 2021
Aug 16 2021
PR for current https://github.com/vyos/vyos-1x/pull/974
Viacheslav moved T3738: openvpn fails if server and authentication are configured from Need Triage to Finished on the VyOS 1.3 Equuleus board.
Fixed, 1.3-beta-202108151336
vyos@r4-1.3# run show conf com | match openvpn set interfaces openvpn vtun10 encryption cipher 'aes256' set interfaces openvpn vtun10 hash 'sha512' set interfaces openvpn vtun10 local-host '192.168.122.14' set interfaces openvpn vtun10 local-port '1194' set interfaces openvpn vtun10 mode 'server' set interfaces openvpn vtun10 persistent-tunnel set interfaces openvpn vtun10 protocol 'udp' set interfaces openvpn vtun10 server client client1 ip '10.10.0.10' set interfaces openvpn vtun10 server domain-name 'vyos.net' set interfaces openvpn vtun10 server max-connections '250' set interfaces openvpn vtun10 server name-server '172.16.254.30' set interfaces openvpn vtun10 server subnet '10.10.0.0/24' set interfaces openvpn vtun10 server topology 'subnet' set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ca.crt' set interfaces openvpn vtun10 tls cert-file '/config/auth/central.crt' set interfaces openvpn vtun10 tls dh-file '/config/auth/dh.pem' set interfaces openvpn vtun10 tls key-file '/config/auth/central.key' set interfaces openvpn vtun10 tls tls-version-min '1.0' set interfaces openvpn vtun10 use-lzo-compression [edit] vyos@r4-1.3# vyos@r4-1.3# set interfaces openvpn vtun10 authentication username foo [edit] vyos@r4-1.3# commit
Aug 15 2021
Aug 15 2021
Aug 14 2021
Aug 14 2021
erkin closed T1083: Implement persistent/random address and port mapping options for NAT rules, a subtask of T3710: Upgrade the kernel in 1.3 to 5.10, as Resolved.
erkin closed T1083: Implement persistent/random address and port mapping options for NAT rules as Resolved.
I can confirm that this works fine on the latest 1.3 nightly.
erkin closed T521: Network services may fail if vyatta-router.service startup takes longer than a few seconds as Resolved.
I cannot replicate this in 1.2.8 or 1.3.0-rc5. No matter how long vyos-router.service (even absurdly high times) stalls, ssh.service happily starts. This was probably resolved a long time ago, making this a ghost bug.
Aug 13 2021
Aug 13 2021
Viacheslav moved T3738: openvpn fails if server and authentication are configured from Open to Backport Candidates on the VyOS 1.4 Sagitta board.
PR for current https://github.com/vyos/vyos-1x/pull/967
Aug 12 2021
Aug 12 2021
c-po changed the status of T3746: Inform users logging into the system about a pending reboot from Open to In progress.
c-po added a subtask for T3710: Upgrade the kernel in 1.3 to 5.10: T3318: Update Linux Kernel to v5.4.208 / 5.10.142.
Unknown Object (User) changed the status of T2432: dhcpd: Can't create new lease file: Permission denied from Unknown Status to Resolved.
Another bug.
From time to time I get errors in debug mode ("touch /tmp/vyos.frr.debug" and "sudo systemctl stop vyos-configd") when changing lsp-mtu size
vyos@r1-roll# set protocols isis lsp-mtu 1308 [edit] vyos@r1-roll# commit [ protocols isis ]
erkin changed the status of T521: Network services may fail if vyatta-router.service startup takes longer than a few seconds from Open to In progress.
c-po added a comment to T3737: openvpn-option needs to be able to support quotes as since openvpn 2.4..
We have this problem in more then one case. The solution so gar is to use " as quote which we later on render in Jinja2
Sounds like a missing validator. Wo should prevent users from doing such things ;)
Aug 11 2021
Aug 11 2021
I added a new neighbor belonging to the sub-AS 65031 to the existing bgp configuration:
To reproduce in 1.4:
Viacheslav added a comment to T3737: openvpn-option needs to be able to support quotes as since openvpn 2.4..
As Workaround in T3350 set raw option "config /path/to/config/file"
UnicronNL triaged T3738: openvpn fails if server and authentication are configured as Normal priority.
UnicronNL added projects to T3736: openvpn-option keeps and adds double dashes ''--": test, VyOS 1.3 Equuleus.
Aug 10 2021
Aug 10 2021
Aug 9 2021
Aug 9 2021
Unknown Object (User) added a comment to T3731: verify_accel_ppp_base_service return wrong config error for SSP.
PR for Equuleus https://github.com/vyos/vyos-1x/pull/959
Unknown Object (User) changed the status of T3731: verify_accel_ppp_base_service return wrong config error for SSP from Open to In progress.
https://github.com/vyos/vyatta-cfg-vpn/commit/2cec760601a6e85ca8e0b6a30c173196a97a777a
Back-ported the dhcp ip check loop to 1.3
Viacheslav added a comment to T3537: Unable to override the default OSPFv3 link cost for wireguard interface.
@dtoux Did you test it in 1.3.0-rc5?
Unknown Object (User) closed T2776: QAT acceleration not working for IPSec AES-128 (CBC) / SHA256 tunnel as Invalid.
Unknown Object (User) added a comment to T2776: QAT acceleration not working for IPSec AES-128 (CBC) / SHA256 tunnel .
Tested on 1.3-rc5, all works properly
set vpn ipsec esp-group ESP_DEFAULT compression 'disable' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no' set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes128' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
Flow served QAT
vyos@R2-QAT# run show system acceleration qat device qat_dev0 flows +------------------------------------------------+ | FW Statistics for Qat Device | +------------------------------------------------+ | Firmware Requests [AE 0]: 60046 | | Firmware Responses[AE 0]: 60046 | +------------------------------------------------+ | Firmware Requests [AE 1]: 112720 | | Firmware Responses[AE 1]: 112720 | +------------------------------------------------+ | Firmware Requests [AE 2]: 219657 | | Firmware Responses[AE 2]: 219657 | +------------------------------------------------+ | Firmware Requests [AE 3]: 60046 | | Firmware Responses[AE 3]: 60046 | +------------------------------------------------+ | Firmware Requests [AE 4]: 112722 | | Firmware Responses[AE 4]: 112722 | +------------------------------------------------+ | Firmware Requests [AE 5]: 219657 | | Firmware Responses[AE 5]: 219657 | +------------------------------------------------+
Interrupts
vyos@R2-QAT# run show system acceleration qat interrupts 140: 44039 0 0 0 0 0 0 0 IR-PCI-MSI 524288-edge qat0-bundle0 141: 0 42358 0 0 0 0 0 0 IR-PCI-MSI 524289-edge qat0-bundle1 142: 0 0 0 0 0 0 0 0 IR-PCI-MSI 524290-edge qat0-bundle2 143: 0 0 0 0 0 0 0 0 IR-PCI-MSI 524291-edge qat0-bundle3 144: 0 0 0 0 0 0 0 0 IR-PCI-MSI 524292-edge qat0-bundle4 145: 0 0 0 0 0 0 0 0 IR-PCI-MSI 524293-edge qat0-bundle5 146: 0 0 0 0 0 0 0 0 IR-PCI-MSI 524294-edge qat0-bundle6 147: 0 0 0 0 0 0 0 0 IR-PCI-MSI 524295-edge qat0-bundle7 148: 0 0 0 0 0 0 0 0 IR-PCI-MSI 524296-edge qat0-bundle8 149: 0 0 0 0 0 0 0 0 IR-PCI-MSI 524297-edge qat0-bundle9 150: 0 0 0 0 0 0 0 0 IR-PCI-MSI 524298-edge qat0-bundle10 151: 0 0 0 0 0 0 0 0 IR-PCI-MSI 524299-edge qat0-bundle11 152: 0 0 0 0 0 0 0 0 IR-PCI-MSI 524300-edge qat0-bundle12 153: 0 0 0 0 0 0 0 0 IR-PCI-MSI 524301-edge qat0-bundle13 154: 0 0 0 0 0 0 0 0 IR-PCI-MSI 524302-edge qat0-bundle14 155: 0 0 0 0 0 0 0 0 IR-PCI-MSI 524303-edge qat0-bundle15 156: 0 0 0 0 0 0 0 0 IR-PCI-MSI 524304-edge qat0-ae-cluster
Unknown Object (User) changed the status of T3695: OpenConnect reports commit success when ocserv fails to start due to SSL cert/key file issues from Open to Needs testing.
PR for 1.3 https://github.com/vyos/vyos-1x/pull/957
Aug 8 2021
Aug 8 2021
c-po added a comment to T2027: get_config_dict is failing when the configuration section is empty/missing.
>>> from vyos.config import Config
>>> conf = Config()
>>> conf.get_config_dict(['service', 'ssh'])
{'ssh': {'disable-host-validation': {}, 'port': ['22']}}
>>> conf.get_config_dict(['service', 'non-existing'])
{}UnicronNL closed T169: Image install should put correct serial console device in created GRUB menu entry as Resolved.
Checks the grub config rule by rule if ttyS/ttyUSB is used then updates the newly to be included grub template to the same.
dmbaturin changed the status of T169: Image install should put correct serial console device in created GRUB menu entry from Open to Needs testing.
Aug 7 2021
Aug 7 2021
I see these error in the openvpn log:
I don't think so the configuration is working, the interface is down. It is not assigning the ipv6 addresses to the tunnel interfaces.
It's not a bug, it's simply a weird syntax. That command could never be used without the delete option, so your config example wouldn't work in 1.2 or 1.1.8 either.
Aug 6 2021
Aug 6 2021
Thanks! This is definitely a non-issue then, closing.
Since we cannot update the kernel in 1.3 due to the QAT issues, we likely need to backport netmap support. It seems to have been introduced by this commit: https://github.com/torvalds/linux/commit/3ff7ddb1353da
dmbaturin changed the status of T1083: Implement persistent/random address and port mapping options for NAT rules, a subtask of T3710: Upgrade the kernel in 1.3 to 5.10, from Open to Needs testing.
dmbaturin changed the status of T1083: Implement persistent/random address and port mapping options for NAT rules from Open to Needs testing.
I've tested it on 1.3 with kernel 5.4.138, and for me the persistent option works as expected. I think it's a non-issue for equuleus already and the task can be closed, though I'd like other people to test that first.
Aug 5 2021
Aug 5 2021
Already rewritten in 1.4 and 1.3 T3535
https://phabricator.vyos.net/rVYOSONEX21527ef4551613fe9b7eed9e4b2ce33ad46fe540
Viacheslav added a project to T681: Shaper QoS policy does not recognize 'lowdelay' DSCP value: VyOS 1.4 Sagitta.
lawrencepan added a comment to T2851: Invalid passthrough routes installing by strongSwan into table 220.
ipsec start error ..
jestabro added a project to T3574: Add constraintGroup for combining validators with logical AND: test.
Unknown Object (User) added a comment to T2851: Invalid passthrough routes installing by strongSwan into table 220.
It is not critical, please test without this package "libstrongswan-standard-plugins"
All necessary data is already installed.
lawrencepan added a comment to T2851: Invalid passthrough routes installing by strongSwan into table 220.
Setting up libstrongswan (5.7.2-1) ... Setting up libstrongswan-extra-plugins (5.7.2-1) ... dpkg: dependency problems prevent configuration of libstrongswan-standard-plugins: libstrongswan-standard-plugins depends on libssl1.0.0 (>= 1.0.2~beta3); however: Version of libssl1.0.0:amd64 on system is 1.0.1t-1+deb8u14.
Unknown Object (User) added a comment to T2851: Invalid passthrough routes installing by strongSwan into table 220.
strongswan.tar2 MBDownload
I have patched packages for 1.2.8. It works on my routers in the virtual environment.
Instruction:
- Upload package to the router
- Unarchiv it
sudo tar -xvf strongswan.tar
- Install packages
sudo dpkg -i *.deb
- Reboot router or reconfigure IPSec
As I understand there are 2 bugs:
- It expected --iroute-ipv6, i.e
iroute-ipv6 2001:470:1f14:af1:: ffff:ffff:ffff:ffff::
- Something wrong with such format (ipv6 address/ ipv4 mask)
ifconfig-push 2001:470:1f14:af1::2 255.255.240.0
Aug 4 2021
Aug 4 2021
@SrividyaA does this configuration work or not?
set interfaces openvpn vtun10 encryption cipher 'aes256' set interfaces openvpn vtun10 hash 'sha512' set interfaces openvpn vtun10 local-host '10.2.0.15' set interfaces openvpn vtun10 local-port '1194' set interfaces openvpn vtun10 mode 'server' set interfaces openvpn vtun10 persistent-tunnel set interfaces openvpn vtun10 protocol 'udp' set interfaces openvpn vtun10 server client client1 ip '2001:470:1f14:af1::2' set interfaces openvpn vtun10 server client client1 subnet '2001:470:1f14:af1::/64' set interfaces openvpn vtun10 server push-route '2001:db8:0:abc::/64' set interfaces openvpn vtun10 server subnet '10.140.0.0/20' set interfaces openvpn vtun10 server topology 'subnet' set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ea1/ca.crt' set interfaces openvpn vtun10 tls cert-file '/config/auth/ea1/central.crt' set interfaces openvpn vtun10 tls dh-file '/config/auth/ea1/dh.pem' set interfaces openvpn vtun10 tls key-file '/config/auth/ea1/central.key'
Viacheslav closed T320: OSPF does not redistribute connected routes associated with virtual tunnel interfaces as Resolved.
I don't see this bug in 1.3.0-rc5,
Aug 3 2021
Aug 3 2021
lawrencepan added a comment to T2851: Invalid passthrough routes installing by strongSwan into table 220.
OK , Thank you!
Viacheslav added a comment to T2851: Invalid passthrough routes installing by strongSwan into table 220.
In T2851#99364, @lawrencepan wrote:
lawrencepan added a comment to T2851: Invalid passthrough routes installing by strongSwan into table 220.
sudo ip rule add prio 219 from 192.0.2.48/30 to 192.0.2.48/30 lookup main }
Viacheslav added a comment to T2851: Invalid passthrough routes installing by strongSwan into table 220.
As a workaround it can help in such cases:
lawrencepan added a comment to T2851: Invalid passthrough routes installing by strongSwan into table 220.
I get the same issue in 1.2.8.
Unknown Object (User) closed T2432: dhcpd: Can't create new lease file: Permission denied as Unknown Status.
Unknown Object (User) added a comment to T2661: SSTP wrong certificates check.
@Viacheslav I believe it is still actual for 1.3 https://github.com/vyos/vyos-1x/blob/equuleus/src/conf_mode/vpn_sstp.py#L60-L78
I saw we changed the PKI model only for 1.4. Implement PKI model for 1.3-epa1 a risky
Aug 2 2021
Aug 2 2021
UnicronNL closed T3601: Error in ssh keys for vmware cloud-init if ssh keys is left empty. as Resolved.
Viacheslav closed T2623: Creating sit tunnel fails with “Can not set “local” for tunnel sit tun1 at tunnel creation” as Resolved.
Fixed, tested in 1.3.0-rc5
set firewall ipv6-name WAN6_IN6 set firewall ipv6-name WAN6_LOCAL6 set interfaces ethernet eth1 address '192.0.2.1/24' set interfaces ethernet eth1 description 'FOO' set interfaces tunnel tun1 6rd-prefix '2607:FA48:6ED8::/45' set interfaces tunnel tun1 6rd-relay-prefix '24.225.128.0/17' set interfaces tunnel tun1 address '2607:FA48:6ED8:8A50::1/60' set interfaces tunnel tun1 description 'Videotron 6rd Tunnel' set interfaces tunnel tun1 encapsulation 'sit' set interfaces tunnel tun1 firewall in ipv6-name 'WAN6_IN6' set interfaces tunnel tun1 firewall local ipv6-name 'WAN6_LOCAL6' set interfaces tunnel tun1 mtu '1480' set interfaces tunnel tun1 multicast 'disable' set interfaces tunnel tun1 parameters ip ttl '255' set interfaces tunnel tun1 remote '192.0.2.2' set interfaces tunnel tun1 source-address '192.0.2.1'
Commit:
vyos@r4-1.3# commit [edit] vyos@r4-1.3# sudo ip tunnel show sit0: ipv6/ip remote any local any ttl 64 nopmtudisc 6rd-prefix 2002::/16 tun1: ipv6/ip remote 192.0.2.2 local 192.0.2.1 ttl 255 tos inherit 6rd-prefix 2002::/16 [edit] vyos@r4-1.3#
Viacheslav added a parent task for T2194: "show firewall" garbled output: T2199: Rewrite firewall in new XML/Python style.
@trae32566 Can you re-check it?
There are different outputs from "iptables" between 1.2 and 1.3:
By default:
vyos@r4-1.3:~$ sudo netstat -tulpn | grep 161 udp 0 0 0.0.0.0:161 0.0.0.0:* 1405/snmpd udp6 0 0 :::161 :::* 1405/snmpd vyos@r4-1.3:~$
After rebooting router starts with a clean routing configuration.
After that, it loads/commits configuration from /config/config.boot file.
It can be a cause, needs more tests.
It will be must impossible to get another behavior.
PR for current version https://github.com/vyos/vyos-1x/pull/952
Aug 1 2021
Aug 1 2021
c-po moved T1594: l2tpv3 error on IPv6 local-ip from Open to In Progress on the VyOS 1.4 Sagitta board.