PR https://github.com/vyos/vyos-1x/pull/1465

PR https://github.com/vyos/vyos-1x/pull/1464

I've verified this behavior with 1.4-rolling-202207290217 and 1.4-rolling-202204250217.

PR https://github.com/vyos/vyos-1x/pull/1463
PR https://github.com/vyos/vyatta-cfg-system/pull/184

Hi Viacheslav
Sorry, i probably misspelled the config option. Actually it's availabe at [radius] section of accel-ppp.conf.
Below is the [radius] section from my /run/accel-pppd/l2tp.conf after i changed
/usr/libexec/vyos/conf_mode/vpn_l2tp.py:

What version you are using?

@aserkin Could you send an example of the required accel-ppp section? And how do you see this command in VyOS CLI?

Allow me to proof the opposite.

As remarked and as expected, this option is not enable by default.
Proofs:

• Fist scenario: no ping-check option introduced in configuration:

In T2518#127884, @jack9603301 wrote:

@ajgnet If you have a way to limit the dynamic prefix to a known prefix, then using 1:1 NAT66 prefix translation should work (only the host segment is dynamic)

Yes, would be great to fully support dynamic prefix when the prefix is not known

Will be fixed in https://github.com/vyos/vyos-1x/pull/1458

PR: https://github.com/vyos/vyos-1x/pull/1461

ping-check shouldn't be allowed by default
To enable it you have to set set service dhcp-server shared-network-name Lan01 ping-check
There is no configuration in generated .conf:

vyos@r14# cat /run/dhcp-server/dhcpd.conf | grep ping
[edit]
vyos@r14#

See also https://github.com/accel-ppp/accel-ppp/issues/57
Testing this patch, PPPoE session with the Phicomm router now stays up, the missing part after "else" is to remove IPv6 configuration from ppp interface (not sure how to do it properly).

diff
diff --git a/accel-pppd/ppp/ppp_ipv6cp.c b/accel-pppd/ppp/ppp_ipv6cp.c
index 1194b31..2bac31b 100644
--- a/accel-pppd/ppp/ppp_ipv6cp.c
+++ b/accel-pppd/ppp/ppp_ipv6cp.c
@@ -738,7 +738,10 @@ static void ipv6cp_recv(struct ppp_handler_t*h)
                        if (conf_ppp_verbose)
                                log_ppp_info2("recv [IPV6CP TermReq id=%x]\n", hdr->id);
                        ppp_fsm_recv_term_req(&ipv6cp->fsm);
-                       ap_session_terminate(&ipv6cp->ppp->ses, TERM_USER_REQUEST, 0);
+                       if (conf_ipv6 == IPV6_REQUIRE)
+                               ap_session_terminate(&ipv6cp->ppp->ses, TERM_USER_REQUEST, 0);
+                       else
+                               ppp_layer_passive(ipv6cp->ppp, &ipv6cp->ld);
                        break;
                case TERMACK:
                        if (conf_ppp_verbose)

I have tested macsec with gcm-aes-256. It works. (1.4-rolling-202208080217)

I have tested on 1.4-rolling-202208080217.
The first problem was fixed.
The second problem is not fixed

Log messages - http://91.224.224.43/phicomm/phicomm6.log
PPPoE server config:

Hello, This functionality for nat66 is described here:
https://phabricator.vyos.net/T4586

hi, you can set this to a subtask of my task

PR https://github.com/vyos/vyos-1x/pull/1462

PR checks if openconnect port is listened by another service https://github.com/vyos/vyos-1x/pull/1460

It is already present in 1.4

vyos@r14:~$ show conf com | match bgp
set protocols bgp listen limit '1000'
set protocols bgp listen range 192.0.2.0/24 peer-group 'FOO'
set protocols bgp local-as '65001'
set protocols bgp peer-group FOO remote-as '65001'

It appeared after this commit
It doesn't like this check https://github.com/vyos/vyos-1x/blob/2a10ffa4b5074be27458159fa94d6227d0e5c7f7/src/op_mode/openconnect-control.py#L63-L65
Check root user https://github.com/vyos/vyos-1x/blob/2a10ffa4b5074be27458159fa94d6227d0e5c7f7/python/vyos/util.py#L625-L626

Would it be an option to instead just add new listen-interface and upstream-interface statements, same as for dhcp-relay6? Then keep interface completely unchanged to avoid breaking weird usages, but add some deprecation notice to the CLI.

Currently thinking on how to implement this.
One option could be:

@hensur You haven't dealt with this for a long time

PR https://github.com/vyos/vyos-1x/pull/1458
Formatted output

vyos@r14:~$ show vpn ipsec sa
Connection                 State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ---------------------------------------
peer_2001-db8--2_tunnel_0  up       9m15s     0B/0B           0/0               2001:db8::2       2001:db8::2  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
peer_2001-db8--2_tunnel_0  up       24m9s     0B/0B           0/0               2001:db8::2       2001:db8::2  AES_CBC_256/HMAC_SHA2_256_128/MODP_2048
vyos@r14:~$

From the strongswan 5.9.6 changelog:

Actively initiating duplicate CHILD_SAs within the same IKE_SA is now largely prevented. This can happen if trap policies are installed and an IKE_SA with its CHILD_SAs is reestablished (e.g. with break-before-make reauthentication or dpd_action=restart). This does not prevent duplicates if they are initiated by the two peers concurrently.