Forgot about the process "vyos-http-api-server". The process must be launched in the required vrf. Otherwise, we get an error: Otherwise, we get an error:

If anyone actually wants support for source port parameter, feel free to reopen this, but the interface parameter is a no-go. In the meantime, rewriting vyatta-config-mgmt takes precedence.

That's a good idea. What remains in that repo was hardly touched in a decade.

PR https://github.com/vyos/vyatta-cfg-vpn/pull/52

It doesn't matter what you add mobike disable or enable
A possible reason it generates incorrect swanctl.conf for option mobike

@nikeshhajari thanks, I can reproduce it in 1.3:

set interfaces ethernet eth0 address '192.168.122.14/24'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip key '1'
set interfaces tunnel tun0 source-address '192.168.122.14'
set protocols nhrp tunnel tun0 cisco-authentication 'orange'
set protocols nhrp tunnel tun0 holding-time '300'
set protocols nhrp tunnel tun0 multicast 'dynamic'
set protocols nhrp tunnel tun0 redirect
set protocols nhrp tunnel tun0 shortcut
set vpn ipsec esp-group ESP-HUB compression 'disable'
set vpn ipsec esp-group ESP-HUB lifetime '3600'
set vpn ipsec esp-group ESP-HUB mode 'tunnel'
set vpn ipsec esp-group ESP-HUB pfs 'dh-group21'
set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP-HUB proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP-HUB proposal 2 hash 'sha256'
set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
set vpn ipsec ike-group IKE-HUB key-exchange 'ikev2'
set vpn ipsec ike-group IKE-HUB lifetime '28800'
set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '21'
set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '21'
set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
set vpn ipsec profile NHRPVPN authentication pre-shared-secret 'PRE_SHARED_KEY'
set vpn ipsec profile NHRPVPN bind tunnel 'tun0'
set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
commit

Add mobile disable:

set vpn ipsec ike-group IKE-HUB mobike 'disable'
commit
[ vpn ]
Warning: unable to [reload changes to swanctl.conf], received error code 5632

I prefer to rewrite the whole https://github.com/vyos/vyatta-config-mgmt to XML/python

@Viacheslav the only way is by letting it run.
As adviced in the slack I upgraed to differt version, just now it dropped again.
This time it's differtent as the backup still sayes it still the backup node but all traffic to the VRRP address is offline.

A similar bug I see in 1.2 with such configuration:

set service snmp contact 'test'
set service snmp listen-address 192.168.122.12
set service snmp location 'test'
set service snmp v3 user foo auth encrypted-key '0x2e312e332e362e312e362e332e31302e312e322e34'
set service snmp v3 user foo auth type 'sha'
set service snmp v3 user foo privacy encrypted-key '0x'
set service snmp v3 user foo privacy type 'aes'

end of /etc/snmp/snmpd.conf

# group
group  usm test

Thank you, problem solved!

Working in latest release:

Duplicate PR:
https://github.com/vyos/vyos-1x/pull/1118
Request revoked

VyOS 1.3.0-epa3 with config below works good:

I personally think the interface part is high-effort, low-gain since you can simply use the address of the interface to the same effect, whereas simply providing an interface will force it to decide which address to use on dual-stack systems. It needs to pick between AF_INET and AF_INET6 when creating the socket before setsockopt()ing SO_BINDTODEVICE; although I think we can get away with doing what socket.create_connection() does. Even then, only the SFTP portion of the code directly uses socket — everything else relies on higher level libraries that only expose address and port options. (Also, using a single parameter for both addresses and interfaces is a bad idea, in my opinion, because it's probably more useful to resolve an FQDN string to an address rather than assume all strings are interfaces. But otherwise, we'd need to find a way to resolve conflict between address and interface parameters.) All in all, I don't think the interface parameter is a good idea at all but we'll see.

All parts completely backported to Equuleus.

I opened a new issue for this: T4090.

@m.korobeinikov Could you re-check it and close if necessary?

@ernstjo Do you have any news regarding this issue or should we close it?

@SrividyaA Could you re-check it?

PR https://github.com/vyos/vyos-1x/pull/1117

@daniil can you edit one file?

sudo nano -c +1308 /usr/lib/python3/dist-packages/vyos/ifconfig/interface.py

And replace string:

if not 'redirect' in self._config:

To string:

if not 'redirect' in self._config and not 'traffic_policy' in self._config:

save and reboot the router or just restart vyos-configd

sudo systemctl restart vyos-configd

I think this is the limitation with the Linux interface name, it should not be higher than 16 characters. In you config I see, as an example (bond0.995.130 = 13 chars and additional part .100 = 4) = 17
I know how we can fix it manually, but I'm not sure that it is a good idea.
Accel-PPP supports name changing for created interface by vlan_mon module

[pppoe]
vlan-name=e0.%P.%N
interface=re:^e0\.\d+\.\d+

you can try to change this manually (edit /run/accel-ppp/pppoe.conf) and restart pppoe-server

PR https://github.com/vyos/vyos-1x/pull/1116

@boevering Do you know how to reproduce it?

@Boman I don't see such issue:

vyos@r11-roll# set interfaces bridge br0 enable-vlan 
[edit]
vyos@r11-roll# set interfaces bridge br0 member interface eth2 allowed-vlan 1-4094
[edit]
vyos@r11-roll# 
[edit]
vyos@r11-roll# time commit

Confirmed working in 1.3.0 LTS.

I agree, when offloading is enabled, it is necessary to increase MTU for traffic policing.

@daniil Can you share an example of traffic-policy 1G?

PR https://github.com/vyos/vyos-1x/pull/1115

There is still another bug:

set nat destination rule 120 destination address '203.0.113.1'
set nat destination rule 120 inbound-interface 'eth0'
set nat destination rule 120 protocol 'tcp'
set nat destination rule 120 translation address '192.0.2.40'

PR https://github.com/vyos/vyos-1x/pull/1114

vyos@r11-roll:~$ show nat destination rules 
Rule       Destination                                        Translation                                        Inbound Interface
----       -----------                                        -----------                                        -----------------
100        port 3389                                          192.0.2.40 port 80                                 eth0      
vyos@r11-roll:~$

I'm going to do what I suggested.

@adestis thank you. This issue isn't critical. It's more for to improve the design and for convenience of our customers.
You can use /32 to add a host, but we have to have the opportunity to add hosts without masks.
For example, if you need to create a group consisting of 1000 (or more random hosts), it's more convenient to use configuration without masks.

@c-po I will check it!

@UnicronNL can you rechecknon todays rolling image? It behaved differently for me

I set the banners via set system login pre-login 'test' and/or set system login post-login 'test'
and then the banners are set. (and the default is overwritten)

Well deleting the login banner results in the "default" behavior as expected.

PR https://github.com/vyos/vyatta-cluster/pull/5