The charon identifier also shows IKE name of the SA; this way, we can identify peers in the logs https://github.com/vyos/vyos-build/blob/b809886538eaad66b8756be8f5e758584f88e6a6/data/live-build-config/hooks/live/30-strongswan-configs.chroot#L41-L54
The current show log vpn does https://github.com/vyos/vyos-1x/blob/48e5266e2bca8d1d7a2ee4bacbe0e6628de3fa66/op-mode-definitions/show-log.xml.in#L710
Feed Search
May 28 2024
May 28 2024
Viacheslav triaged T6412: CGNAT allocation calculation may sometimes be incorrect as Normal priority.
Viacheslav renamed T6411: CGNAT does not rely on seq number from CGNAt does not rely on seq number to CGNAT does not rely on seq number.
Viacheslav added a parent task for T6411: CGNAT does not rely on seq number: T5169: Add CGNAT Carrier-Grade NAT based on nftables.
Viacheslav added a comment to T6408: Duplicate lines on 'show log vpn'.
May 27 2024
May 27 2024
Viacheslav added a comment to T6398: Missing the package kpartx for the container vyos-build:current-arm64.
The dependency allowed for 386/amd64 only https://github.com/vyos/vyos-build/blob/b809886538eaad66b8756be8f5e758584f88e6a6/docker/Dockerfile#L281
Though the package is available for ARM
Viacheslav added a comment to T6407: ipsec profile generation error.
As several CA were allowed some time ago it is a bug with op-mode generator.
There is a list of CA's https://github.com/vyos/vyos-1x/blob/48e5266e2bca8d1d7a2ee4bacbe0e6628de3fa66/src/op_mode/ikev2_profile_generator.py#L147
The template https://github.com/vyos/vyos-1x/blob/current/data/templates/ipsec/windows_profile.j2
May 25 2024
May 25 2024
Viacheslav triaged T6396: MINOR Typo: set system conntrack timeout custom ipv4 rule X as Normal priority.
Viacheslav triaged T6398: Missing the package kpartx for the container vyos-build:current-arm64 as Normal priority.
May 24 2024
May 24 2024
Viacheslav moved T6391: load-balancing reverse-proxy: typo in timeout help from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-GA) board.
Viacheslav added a comment to T6211: VRF support for Kea-based DHCP server.
Probably the best way will be moving the config to the vrf section (not implemented)
For example:
set vrf name foo service dhcp-server shared-network-name eth1 option default-router '192.168.1.1' set vrf name foo service dhcp-server shared-network-name eth1 subnet 192.168.1.0/24 lease '300' set vrf name foo service dhcp-server shared-network-name eth1 subnet 192.168.1.0/24 range default start '192.168.1.10' set vrf name foo service dhcp-server shared-network-name eth1 subnet 192.168.1.0/24 range default stop '192.168.1.100' set vrf name foo service dhcp-server shared-network-name eth1 subnet 192.168.1.0/24 subnet-id '1'
And start several instances, each with its configuration.
Viacheslav added a comment to T6393: Port mirroring to tunnel interface fails during boot.
The similar task for redirect T260
May 23 2024
May 23 2024
Viacheslav moved T6381: Typos in select ConfigError messages in dhcpv6-server from Open to Finished on the VyOS 1.5 Circinus board.
Viacheslav edited projects for T6387: Bump conntrack to version 1:1.4.7-1, added: VyOS 1.5 Circinus; removed VyOS 1.4 Sagitta.
Viacheslav closed T6357: Create test repository to validate setup, a subtask of T6309: Check code quality with CodeQL, as Resolved.
May 22 2024
May 22 2024
Viacheslav triaged T6382: Add dkms in order to make firmware updates of NIC's possible as Wishlist priority.
Viacheslav moved T6384: rollback-soft should tell the user to compare and commit from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-GA) board.
Viacheslav edited projects for T6373: QoS Policy Limiter - classes for marked traffic do not work, added: VyOS 1.4 Sagitta (1.4.0-GA); removed VyOS 1.4 Sagitta.
Viacheslav moved T3493: DHCPv6 does not have prefix range validation from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-GA) board.
Viacheslav added a comment to T3493: DHCPv6 does not have prefix range validation.
Does 1.5 has the same bug?
Viacheslav triaged T6379: "generate openvpn" uses "comp-lzo no", which leads to problems on Android-Clients as Normal priority.
Viacheslav closed T6366: CGNAT add the ability to show allocation per external or internal address, a subtask of T5169: Add CGNAT Carrier-Grade NAT based on nftables, as Resolved.
May 21 2024
May 21 2024
Viacheslav added a comment to T6247: Add CGN "full cone" EIF support per RFC6888 REQ-7.
Viacheslav changed the status of T6366: CGNAT add the ability to show allocation per external or internal address, a subtask of T5169: Add CGNAT Carrier-Grade NAT based on nftables, from Open to In progress.
Viacheslav changed the status of T6366: CGNAT add the ability to show allocation per external or internal address from Open to In progress.
Viacheslav added a comment to T5584: System cannot boot with commit-arachive location sftp in some cases.
@jestabro It was a report from the user; unfortunately, I do not have more details.
May 20 2024
May 20 2024
Viacheslav closed T6364: CGNAT drop hard limit that allowed only one translation rule, a subtask of T5169: Add CGNAT Carrier-Grade NAT based on nftables, as Resolved.
Viacheslav updated the task description for T5169: Add CGNAT Carrier-Grade NAT based on nftables.
Viacheslav added a comment to T6368: acme should also be able to listen on IPv6 addresses.
Can you manually edit the node and re-check if it will work for acme
sudo nano -c /opt/vyatta/share/vyatta-cfg/templates/pki/certificate/node.tag/acme/listen-address/node.def
replace:
type: txt
help: Local IPv4 addresses to listen on
val_help: ipv4; IPv4 address to listen for incoming connections
allowed: sh -c "${vyos_completion_dir}/list_local_ips.sh --ipv4"
syntax:expression: exec "${vyos_libexec_dir}/validate-value --exec \"${vyos_validators_dir}/ipv4-address \" --value \'$VAR(@)\'"; "Invalid value"to
type: txt help: Local IPv4 addresses to listen on val_help: ipv4; IPv4 address to listen for incoming connections
May 19 2024
May 19 2024
May 18 2024
May 18 2024
Viacheslav triaged T6366: CGNAT add the ability to show allocation per external or internal address as Wishlist priority.
Viacheslav added a comment to T6364: CGNAT drop hard limit that allowed only one translation rule.
PR https://github.com/vyos/vyos-1x/pull/3483
set nat cgnat pool external ext-01 external-port-range '40000-60000' set nat cgnat pool external ext-01 per-user-limit port '5000' set nat cgnat pool external ext-01 range 192.0.2.1-192.0.2.2 set nat cgnat pool external ext-01 range 192.0.2.11/32
Viacheslav triaged T6364: CGNAT drop hard limit that allowed only one translation rule as Low priority.
Viacheslav changed the status of T6364: CGNAT drop hard limit that allowed only one translation rule, a subtask of T5169: Add CGNAT Carrier-Grade NAT based on nftables, from Open to In progress.
Viacheslav changed the status of T6364: CGNAT drop hard limit that allowed only one translation rule from Open to In progress.
May 17 2024
May 17 2024
Viacheslav added a comment to T6344: multiple ntp listen-address commands not working.
Viacheslav added a parent task for T6362: Add a conntrack/translations logger daemon: T5169: Add CGNAT Carrier-Grade NAT based on nftables.
Viacheslav triaged T6360: CGNAT add the ability to exclude (bypass) the translations for specific destinations as Wishlist priority.
Viacheslav closed T6347: CGNAT external pools containing dashes cause Traceback error, a subtask of T5169: Add CGNAT Carrier-Grade NAT based on nftables, as Resolved.
Viacheslav closed T6351: CGNAT add check if external and internal pools exists, a subtask of T5169: Add CGNAT Carrier-Grade NAT based on nftables, as Resolved.
Viacheslav closed T6350: CGNAT add op-mode to get current port allocation mapping, a subtask of T5169: Add CGNAT Carrier-Grade NAT based on nftables, as Resolved.
Viacheslav triaged T6343: Firewall source validation loose end up in complete traffic block on VRF interface as Normal priority.
Viacheslav added a comment to T5835: UPnP port mapping / rule installation fails.
I'd prefer to integrate the Port Control Protocol (PCP) instead.
Viacheslav added a comment to T5835: UPnP port mapping / rule installation fails.
You can still have it in a container easily; as I mentioned, it has never worked since 2021
You do not lose anything.
Viacheslav changed the status of T6350: CGNAT add op-mode to get current port allocation mapping, a subtask of T5169: Add CGNAT Carrier-Grade NAT based on nftables, from Open to In progress.
Viacheslav changed the status of T6350: CGNAT add op-mode to get current port allocation mapping from Open to In progress.
May 16 2024
May 16 2024
Viacheslav added a comment to T6350: CGNAT add op-mode to get current port allocation mapping.
PR https://github.com/vyos/vyos-1x/pull/3466
vyos@r4:~$ show nat cgnat allocation Internal IP External IP Port range ------------- --------------- ------------ 100.64.0.0 192.168.122.222 1024-3023 100.64.0.1 192.168.122.222 3024-5023 100.64.0.2 192.168.122.222 5024-7023 100.64.0.3 192.168.122.222 7024-9023 100.64.0.4 192.168.122.222 9024-11023 100.64.0.5 192.168.122.222 11024-13023 100.64.0.6 192.168.122.222 13024-15023 100.64.0.7 192.168.122.222 15024-17023 100.64.0.8 192.168.122.222 17024-19023 100.64.0.9 192.168.122.222 19024-21023 100.64.0.10 192.168.122.222 21024-23023 100.64.0.11 192.168.122.222 23024-25023 100.64.0.12 192.168.122.222 25024-27023 100.64.0.13 192.168.122.222 27024-29023 100.64.0.14 192.168.122.222 29024-31023 100.64.0.15 192.168.122.222 31024-33023 vyos@r4:~$
Viacheslav changed the status of T6351: CGNAT add check if external and internal pools exists, a subtask of T5169: Add CGNAT Carrier-Grade NAT based on nftables, from Open to In progress.
Viacheslav changed the status of T6351: CGNAT add check if external and internal pools exists from Open to In progress.
PR https://github.com/vyos/vyos-1x/pull/3464
set nat cgnat pool external ext1 external-port-range '1024-65535' set nat cgnat pool external ext1 per-user-limit port '2000' set nat cgnat pool external ext1 range 192.168.122.222/32 set nat cgnat pool internal int1 range '100.64.0.0/28' set nat cgnat rule 10 source pool 'fake-pool' set nat cgnat rule 10 translation pool 'ext1'
Viacheslav updated the task description for T6351: CGNAT add check if external and internal pools exists.