Setting up libstrongswan (5.7.2-1) ...
Setting up libstrongswan-extra-plugins (5.7.2-1) ...
dpkg: dependency problems prevent configuration of libstrongswan-standard-plugins:
 libstrongswan-standard-plugins depends on libssl1.0.0 (>= 1.0.2~beta3); however:
  Version of libssl1.0.0:amd64 on system is 1.0.1t-1+deb8u14.

Aug 5 2021, 12:37 PM · Bugs, VyOS 1.3 Equuleus (1.3.9), test

Unknown Object (User) added a comment to T2851: Invalid passthrough routes installing by strongSwan into table 220.

strongswan.tar2 MBDownload

I have patched packages for 1.2.8. It works on my routers in the virtual environment.
Instruction:

Upload package to the router
Unarchiv it

sudo tar -xvf strongswan.tar

Install packages

sudo dpkg -i *.deb

Reboot router or reconfigure IPSec

Aug 5 2021, 10:14 AM · Bugs, VyOS 1.3 Equuleus (1.3.9), test

Viacheslav added a subtask for T2816: Rewrite IPsec scripts with the new XML/Python approach: T3723: op-mode IPSec show vpn ipsec sa output with underscores.

Aug 5 2021, 8:20 AM · VyOS 1.4 Sagitta

Viacheslav added a parent task for T3723: op-mode IPSec show vpn ipsec sa output with underscores: T2816: Rewrite IPsec scripts with the new XML/Python approach.

Aug 5 2021, 8:20 AM · VyOS 1.4 Sagitta

Viacheslav created T3723: op-mode IPSec show vpn ipsec sa output with underscores.

Aug 5 2021, 8:19 AM · VyOS 1.4 Sagitta

Viacheslav added a subtask for T2816: Rewrite IPsec scripts with the new XML/Python approach: T3722: op-mode IPSec show vpn ike sa always shows L-TIME 0.

Aug 5 2021, 8:14 AM · VyOS 1.4 Sagitta

Viacheslav added a parent task for T3722: op-mode IPSec show vpn ike sa always shows L-TIME 0: T2816: Rewrite IPsec scripts with the new XML/Python approach.

Aug 5 2021, 8:14 AM · VyOS 1.4 Sagitta (1.4.0-epa1), Restricted Project, VyOS 1.5 Circinus

Viacheslav created T3722: op-mode IPSec show vpn ike sa always shows L-TIME 0.

Aug 5 2021, 8:11 AM · VyOS 1.4 Sagitta (1.4.0-epa1), Restricted Project, VyOS 1.5 Circinus

Viacheslav added a comment to T3219: Typo in openvpn server client config for IPv6 iroute.

As I understand there are 2 bugs:

It expected --iroute-ipv6, i.e

iroute-ipv6 2001:470:1f14:af1:: ffff:ffff:ffff:ffff::

Something wrong with such format (ipv6 address/ ipv4 mask)

ifconfig-push 2001:470:1f14:af1::2 255.255.240.0

Aug 5 2021, 7:58 AM · VyOS 1.3 Equuleus (1.3.0-epa1)

Aug 4 2021

c-po closed T3704: Add ability to interact with Areca RAID adapers as Resolved.

Aug 4 2021, 7:06 PM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta

c-po claimed T3719: Restart vpn shows some missed files.

Aug 4 2021, 6:59 PM · VyOS 1.4 Sagitta

c-po claimed T3720: IPSec set vti secondary address cause interface disable.

Aug 4 2021, 6:58 PM · VyOS 1.4 Sagitta

c-po closed T3718: VPN IPsec IKE group by default not use DH-group 2, a subtask of T2816: Rewrite IPsec scripts with the new XML/Python approach, as Resolved.

Aug 4 2021, 6:50 PM · VyOS 1.4 Sagitta

c-po closed T3718: VPN IPsec IKE group by default not use DH-group 2 as Resolved.

Aug 4 2021, 6:50 PM · VyOS 1.4 Sagitta

c-po committed rVYOSONEX947f8290ea70: ipsec: T3718: fix default processing of ike dh-group proposals.

Aug 4 2021, 6:49 PM

c-po added a comment to T3219: Typo in openvpn server client config for IPv6 iroute.

@SrividyaA does this configuration work or not?

Aug 4 2021, 6:37 PM · VyOS 1.3 Equuleus (1.3.0-epa1)

SrividyaA added a comment to T3219: Typo in openvpn server client config for IPv6 iroute.

set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 local-host '10.2.0.15'
set interfaces openvpn vtun10 local-port '1194'
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 server client client1 ip '2001:470:1f14:af1::2'
set interfaces openvpn vtun10 server client client1 subnet '2001:470:1f14:af1::/64'
set interfaces openvpn vtun10 server push-route '2001:db8:0:abc::/64'
set interfaces openvpn vtun10 server subnet '10.140.0.0/20'
set interfaces openvpn vtun10 server topology 'subnet'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ea1/ca.crt'
set interfaces openvpn vtun10 tls cert-file '/config/auth/ea1/central.crt'
set interfaces openvpn vtun10 tls dh-file '/config/auth/ea1/dh.pem'
set interfaces openvpn vtun10 tls key-file '/config/auth/ea1/central.key'

Aug 4 2021, 5:15 PM · VyOS 1.3 Equuleus (1.3.0-epa1)

runar created T3721: ARM64: 1.4: Fastnetmon in current is a precompiled custom "blob" and amd64 only. (blocks all arm64 builds).

Aug 4 2021, 4:51 PM

jestabro changed the status of T3474: Revisit storing syntax version of interface definitions in XML file, a subtask of T1962: Add syntax version to schema, from Open to In progress.

Aug 4 2021, 4:37 PM · VyOS 1.3 Equuleus (1.3.0)

jestabro changed the status of T3474: Revisit storing syntax version of interface definitions in XML file, a subtask of T3475: XML dictionary cache unable to process syntaxVersion elements, from Open to In progress.

Aug 4 2021, 4:37 PM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta

jestabro changed the status of T3474: Revisit storing syntax version of interface definitions in XML file from Open to In progress.

Aug 4 2021, 4:37 PM · VyOS 1.4 Sagitta (1.4.0-epa1)

jestabro committed rVYOSONEX3a814957f412: configquery: T3402: remove restriction of query to active config.

Aug 4 2021, 3:00 PM

jestabro committed rVYOSONEX62fd0c326173: configquery: T3402: fix imports.

Aug 4 2021, 1:18 PM

Viacheslav closed T320: OSPF does not redistribute connected routes associated with virtual tunnel interfaces as Resolved.

I don't see this bug in 1.3.0-rc5,

Aug 4 2021, 11:24 AM · VyOS 1.3 Equuleus (1.3.0-epa1)

Aug 3 2021

c-po committed rVYOSONEXd9d183b6cbcb: isis: T1316: rename Jinja2 template to match other FRR daemons.

Aug 3 2021, 9:38 PM

c-po committed rVYOSONEXd77a2f56ea7e: isis: T1316: rename Jinja2 template to match other FRR daemons.

Aug 3 2021, 9:36 PM

c-po committed rVYOSONEXb55761ba5159: isis: T3693: bugfix Jinja2 template.

Aug 3 2021, 9:36 PM

jestabro committed rVYOSONEX5a11647335dc: configquery: T3402: add op-mode get_config_dict.

Aug 3 2021, 9:28 PM

c-po added a comment to T3694: Static routes not installed into kernel nor frr.

@stepler I created https://github.com/FRRouting/frr/pull/9281 for "easier" debugging

Aug 3 2021, 9:27 PM · VyOS 1.4 Sagitta

lawrencepan added a comment to T2851: Invalid passthrough routes installing by strongSwan into table 220.

OK , Thank you!

Aug 3 2021, 7:55 PM · Bugs, VyOS 1.3 Equuleus (1.3.9), test

Viacheslav committed rVYOSONEX7637a15bc064: l2tpv3: T1594: Fix timeout before set l2tpv3 interface.

Aug 3 2021, 7:29 PM

GitHub <noreply@github.com> committed rVYOSONEXbc9936e5bebd: Merge pull request #950 from sever-sever/T1594 (authored by c-po).

Aug 3 2021, 7:29 PM

c-po changed the status of T3718: VPN IPsec IKE group by default not use DH-group 2, a subtask of T2816: Rewrite IPsec scripts with the new XML/Python approach, from Open to Confirmed.

Aug 3 2021, 7:25 PM · VyOS 1.4 Sagitta

c-po changed the status of T3718: VPN IPsec IKE group by default not use DH-group 2 from Open to Confirmed.

Aug 3 2021, 7:25 PM · VyOS 1.4 Sagitta

c-po updated the task description for T3318: Update Linux Kernel to v5.4.208 / 5.10.142.

Aug 3 2021, 7:17 PM · VyOS 1.3 Equuleus (1.3.2), VyOS 1.4 Sagitta

c-po updated the task description for T3318: Update Linux Kernel to v5.4.208 / 5.10.142.

Aug 3 2021, 7:16 PM · VyOS 1.3 Equuleus (1.3.2), VyOS 1.4 Sagitta

c-po added a comment to T3694: Static routes not installed into kernel nor frr.

I tried this locally and you can do no router bgp 100 vrf blue before no vni 2000, my vtysh instance does not scream for an error - it more feels like a programming issue on our side.

Aug 3 2021, 7:04 PM · VyOS 1.4 Sagitta

Viacheslav added a comment to T2851: Invalid passthrough routes installing by strongSwan into table 220.

In T2851#99364, @lawrencepan wrote:

Aug 3 2021, 5:27 PM · Bugs, VyOS 1.3 Equuleus (1.3.9), test

lawrencepan added a comment to T2851: Invalid passthrough routes installing by strongSwan into table 220.

sudo ip rule add prio 219 from 192.0.2.48/30 to 192.0.2.48/30 lookup main
}

Aug 3 2021, 5:15 PM · Bugs, VyOS 1.3 Equuleus (1.3.9), test

Viacheslav added a comment to T2851: Invalid passthrough routes installing by strongSwan into table 220.

As a workaround it can help in such cases:

Aug 3 2021, 4:58 PM · Bugs, VyOS 1.3 Equuleus (1.3.9), test

lawrencepan added a comment to T2851: Invalid passthrough routes installing by strongSwan into table 220.

I get the same issue in 1.2.8.

Aug 3 2021, 4:46 PM · Bugs, VyOS 1.3 Equuleus (1.3.9), test

jestabro committed rVYOSONEX1d8f1f2a8a28: configquery: T3402: add class using configtree to list tag node values.

Aug 3 2021, 3:59 PM

Viacheslav updated the task description for T3720: IPSec set vti secondary address cause interface disable.

Aug 3 2021, 3:45 PM · VyOS 1.4 Sagitta

jestabro reopened T3402: Add VyOS programming library for operational level commands as "Open".

Aug 3 2021, 3:34 PM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta

Viacheslav added a subtask for T2816: Rewrite IPsec scripts with the new XML/Python approach: T3720: IPSec set vti secondary address cause interface disable.

Aug 3 2021, 3:29 PM · VyOS 1.4 Sagitta

Viacheslav added a parent task for T3720: IPSec set vti secondary address cause interface disable: T2816: Rewrite IPsec scripts with the new XML/Python approach.

Aug 3 2021, 3:29 PM · VyOS 1.4 Sagitta

Viacheslav created T3720: IPSec set vti secondary address cause interface disable.

Aug 3 2021, 3:29 PM · VyOS 1.4 Sagitta

Viacheslav updated the task description for T3719: Restart vpn shows some missed files.

Aug 3 2021, 3:20 PM · VyOS 1.4 Sagitta

Viacheslav added a subtask for T2816: Rewrite IPsec scripts with the new XML/Python approach: T3719: Restart vpn shows some missed files.

Aug 3 2021, 3:19 PM · VyOS 1.4 Sagitta

Viacheslav added a parent task for T3719: Restart vpn shows some missed files: T2816: Rewrite IPsec scripts with the new XML/Python approach.

Aug 3 2021, 3:19 PM · VyOS 1.4 Sagitta

Viacheslav created T3719: Restart vpn shows some missed files.

Aug 3 2021, 3:19 PM · VyOS 1.4 Sagitta

Viacheslav added a subtask for T2816: Rewrite IPsec scripts with the new XML/Python approach: T3718: VPN IPsec IKE group by default not use DH-group 2.

Aug 3 2021, 3:14 PM · VyOS 1.4 Sagitta

Viacheslav added a parent task for T3718: VPN IPsec IKE group by default not use DH-group 2: T2816: Rewrite IPsec scripts with the new XML/Python approach.

Aug 3 2021, 3:14 PM · VyOS 1.4 Sagitta

Viacheslav created T3718: VPN IPsec IKE group by default not use DH-group 2.

Aug 3 2021, 2:36 PM · VyOS 1.4 Sagitta

Viacheslav added a comment to T3717: BGP Peer group without 'remote-as' gives shell error.

@xrobau You have to set remote-as for peer-group or for neighbor

vyos@r4-1.3# set protocols bgp 65001 peer-group FOO 
[edit]
vyos@r4-1.3# set protocols bgp 65001 neighbor 203.0.113.2 peer-group FOO
[edit]
vyos@r4-1.3# set protocols bgp 65001 neighbor 203.0.113.2 remote-as 65002
[edit]
vyos@r4-1.3# commit
[edit]
vyos@r4-1.3#

Aug 3 2021, 11:05 AM · VyOS 1.3 Equuleus (1.3.0), vyos-frr

Unknown Object (User) closed T2432: dhcpd: Can't create new lease file: Permission denied as Unknown Status.

Aug 3 2021, 8:13 AM · VyOS 1.3 Equuleus (1.3.0-epa1), VyOS 1.4 Sagitta

Unknown Object (User) added a comment to T2661: SSTP wrong certificates check.

@Viacheslav I believe it is still actual for 1.3 https://github.com/vyos/vyos-1x/blob/equuleus/src/conf_mode/vpn_sstp.py#L60-L78
I saw we changed the PKI model only for 1.4. Implement PKI model for 1.3-epa1 a risky

Aug 3 2021, 6:42 AM · VyOS 1.3 Equuleus (1.3.0)

Aug 2 2021

stepler added a comment to T3694: Static routes not installed into kernel nor frr.

I figured out the order we need to remove things in:

Aug 2 2021, 8:44 PM · VyOS 1.4 Sagitta

UnicronNL closed T3601: Error in ssh keys for vmware cloud-init if ssh keys is left empty. as Resolved.

https://github.com/vyos/vyos-cloud-init/commit/9dd5fa374ccfd74d46551641fb68428e4860b820
https://github.com/vyos/vyos-cloud-init/commit/e979e3d269ce8cbdb3933a141853bb35b9ed7b74

Aug 2 2021, 8:19 PM · VyOS 1.3 Equuleus (1.3.0-epa1), VyOS 1.4 Sagitta

Viacheslav committed rVYOSONEX055532b731f0: l2tpv3: T1594: Fix timeout before set l2tpv3 interface.

Aug 2 2021, 4:33 PM

GitHub <noreply@github.com> committed rVYOSONEX7a32e9ee70d6: Merge pull request #952 from sever-sever/T1594-curr (authored by c-po).

Aug 2 2021, 4:33 PM

Viacheslav closed T2623: Creating sit tunnel fails with “Can not set “local” for tunnel sit tun1 at tunnel creation” as Resolved.

Fixed, tested in 1.3.0-rc5

set firewall ipv6-name WAN6_IN6
set firewall ipv6-name WAN6_LOCAL6
set interfaces ethernet eth1 address '192.0.2.1/24'
set interfaces ethernet eth1 description 'FOO'
set interfaces tunnel tun1 6rd-prefix '2607:FA48:6ED8::/45'
set interfaces tunnel tun1 6rd-relay-prefix '24.225.128.0/17'
set interfaces tunnel tun1 address '2607:FA48:6ED8:8A50::1/60'
set interfaces tunnel tun1 description 'Videotron 6rd Tunnel'
set interfaces tunnel tun1 encapsulation 'sit'
set interfaces tunnel tun1 firewall in ipv6-name 'WAN6_IN6'
set interfaces tunnel tun1 firewall local ipv6-name 'WAN6_LOCAL6'
set interfaces tunnel tun1 mtu '1480'
set interfaces tunnel tun1 multicast 'disable'
set interfaces tunnel tun1 parameters ip ttl '255'
set interfaces tunnel tun1 remote '192.0.2.2'
set interfaces tunnel tun1 source-address '192.0.2.1'

Commit:

vyos@r4-1.3# commit
[edit]
vyos@r4-1.3# sudo ip tunnel show
sit0: ipv6/ip remote any local any ttl 64 nopmtudisc 6rd-prefix 2002::/16
tun1: ipv6/ip remote 192.0.2.2 local 192.0.2.1 ttl 255 tos inherit 6rd-prefix 2002::/16
[edit]
vyos@r4-1.3#

Aug 2 2021, 4:09 PM · VyOS 1.3 Equuleus (1.3.0-epa1)

Viacheslav added a subtask for T2199: Rewrite firewall in new XML/Python style: T2194: "show firewall" garbled output.

Aug 2 2021, 3:49 PM · VyOS 1.4 Sagitta (1.4.0-epa2)

Viacheslav added a parent task for T2194: "show firewall" garbled output: T2199: Rewrite firewall in new XML/Python style.

Aug 2 2021, 3:49 PM · VyOS 1.3 Equuleus (1.3.2), test

Viacheslav added a comment to T2434: Duplicate Address Detection Breaks Interfaces.

@trae32566 Can you re-check it?

Aug 2 2021, 3:39 PM · VyOS 1.3 Equuleus (1.3.0-epa1)

Viacheslav added a comment to T2194: "show firewall" garbled output.

There are different outputs from "iptables" between 1.2 and 1.3:

Aug 2 2021, 10:06 AM · VyOS 1.3 Equuleus (1.3.2), test

Viacheslav closed T2161: snmpd cannot start if ipv6 disabled as Resolved.

By default:

vyos@r4-1.3:~$ sudo netstat -tulpn | grep 161
udp        0      0 0.0.0.0:161             0.0.0.0:*                           1405/snmpd          
udp6       0      0 :::161                  :::*                                1405/snmpd          
vyos@r4-1.3:~$

Aug 2 2021, 9:10 AM · VyOS 1.3 Equuleus (1.3.0-epa1)

Viacheslav added a comment to T2005: Two CEASE notifications sent to BGP peers during reboot.

After rebooting router starts with a clean routing configuration.
After that, it loads/commits configuration from /config/config.boot file.
It can be a cause, needs more tests.
It will be must impossible to get another behavior.

Aug 2 2021, 8:37 AM

dmbaturin committed rVYOSONEXf0148b930684: Merge branch 'equuleus' of https://github.com/vyos/vyos-1x into equuleus.

Aug 2 2021, 8:29 AM

dmbaturin committed rVYOSONEX50a139256461: T3697: explicitly wait for the charon process to respond to strokes.

Aug 2 2021, 8:29 AM

Viacheslav added a comment to T1594: l2tpv3 error on IPv6 local-ip.

PR for current version https://github.com/vyos/vyos-1x/pull/952

Aug 2 2021, 7:47 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta, test

sempervictus added a comment to T3692: VyOS build failing due to repo.saltstack.com.

I've cleaned the build space and rebuilt the Docker container - no dice locally or in the CI stack, still fails the same way.
It looks like they're using an AWS CA in the cert chain:

Certificate chain
 0 s:CN = repo.saltstack.com
   i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
 1 s:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
   i:C = US, O = Amazon, CN = Amazon Root CA 1
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority

i do recall the starfield certs being a problem back in the day as well, but guessing its quite unlikely for the base build environment to have an AWS root CA in its trusted list.

Aug 2 2021, 1:51 AM · VyOS 1.4 Sagitta