Put in pull request https://github.com/vyos/vyos-1x/pull/1423
All Stories
Jul 21 2022
That's what commit 5e510e45f6f9 did :)
As I remember, fastnetmon wasn't rewritten to dict
and requires manually setting the default value in the config dictionary.
You can find the latest version of the demo implementation here:
I installed wpa_supplicant version 2.10. But it did not help.
I compared debugs of wpa_supplicant and found the difference
Jul 20 2022
Modifying the file pointed to by @Viacheslav makes the ipv6 peer option available.
But while testing config, it's not possible to insert an ipv6 address: validator rejects input.
Validator used: syntax:expression: exec "/opt/vyatta/sbin/vyatta-policy.pl --check-peer-syntax $VAR(@)"; "peer must be either an IP or local"
@daniil Could you re-check it?
It seems wpa_supplicant doesn't support GCM-AES-256
https://w1.fi/wpa_supplicant/devel/dir_4261af1259721e3e39e0d2dd7354b511.html
I have just tested it again. Macsec does not work.
PR with notice:
https://github.com/vyos/vyos-1x/pull/1419
Jul 19 2022
PR for 1.4: https://github.com/vyos/vyos-1x/pull/1418
This is a behavior "by design". The prefix-len option cannot be used for BGP routes. We should add this notice to the CLI.
Check: http://docs.frrouting.org/en/latest/routemap.html#clicmd-match-ip-address-prefix-len-0-32
While I like the inclusion of NAT64 inside VyOS (and the effort vfreex has made), I believe that tayga is not the way to go; it was last updated on 2010-12-12 according to its readme. Jool, on the other hand, has a bigger throughput, being a kernel module. The only issue I see is the module compilation, because configuration is quite easy.
Can you check with the latest rolling release? It uses FRR 8.3.
Probably a problem with FRR
Will be fixed in the next rolling release. Thanks!
@dannyvanderaa this is true - but as of VyOS 1.3 there is no longer an operator mode due to security issues. Operator level was removed, it will come back once the entire codebase rewrite is complete.
Several access levels are required on our end. In my opinion an operator / read only user should also be able to perform some basic commands (like ping and arp)
Jul 18 2022
Also cipher changes require a reboot. Nice bug - thanks for this riddle ;)
This change currently removes the nstat plugin which is used in the configuration (https://github.com/vyos/vyos-1x/blob/current/data/templates/monitoring/telegraf.j2#L108).
This results in telegraf crashing on startup. Adding the plugin back to the https://github.com/vyos/vyos-build/blob/current/packages/telegraf/plugins/inputs/all/all.go file fixes this (Tested by compiling a patched package and installing it on a broken install).
As far as I can tell this is the only missing plugin.
Also, there are no Inbound/Outbound packets with aes-256:
vyos@r14:~$ sudo ip -s macsec show
7: macsec1: protect on validate strict sc off sa off encrypt off send_sci on end_station off scb off replay off
cipher suite: GCM-AES-256, using ICV length 16
TXSC: eeb5e212f04f0001 on SA 0
stats: OutPktsUntagged InPktsUntagged OutPktsTooLong InPktsNoTag InPktsBadTag InPktsUnknownSCI InPktsNoSCI InPktsOverrun
0 0 0 0 0 0 0 0
stats: OutPktsProtected OutPktsEncrypted OutOctetsProtected OutOctetsEncrypted
0 0 0 0
offload: off
vyos@r14:~$
But the service starts without issues:
vyos@r14:~$ sudo systemctl status wpa_supplicant-macsec@vxlan1.service
● wpa_supplicant-macsec@vxlan1.service - WPA supplicant daemon (macsec-specific version)
Loaded: loaded (/lib/systemd/system/wpa_supplicant-macsec@.service; disabled; vendor preset: enabled)
Active: active (running) since Mon 2022-07-18 20:07:16 EEST; 18min ago
Main PID: 1802 (wpa_supplicant)
Tasks: 1 (limit: 9411)
Memory: 4.4M
CPU: 101ms
CGroup: /system.slice/system-wpa_supplicant\x2dmacsec.slice/wpa_supplicant-macsec@vxlan1.service
└─1802 /sbin/wpa_supplicant -c/run/wpa_supplicant/vxlan1.conf -Dmacsec_linux -ivxlan1
set protocols bgp local-as 200
set protocols bgp peer-group foo remote-as external
set protocols bgp peer-group foo address-family ipv4-unicast ipv6-unicast
set protocols bgp neighbor 1.1.1.1 peer-group foo
commit
This might confuse the users as now there is sensitive information again, but a different one.