Thu, Nov 16
As I undestand it is possible now to create multiple auth ID's
vyos@r4# set vpn ipsec authentication psk FOO id Possible completions: <text> ID used for authentication
Not sure about other options.
Tested in VyOS 1.4-rolling-202311100309 (AES)
Tested in VyOS 1.4-rolling-202311100309 (3DES)
In VyOS 1.3.4
I have a similar setup where I have two VyOS VMs used as VPN routers with some firewalling enabled. Since I use OSPF for dynamic routing I am not able to synchronize the sessions between both routers so in case one VPN routers fails the other one can take over flawlessly. Having conntrack-sync configuration separated from VRRP would be a great benefit.
I did tests in VyOS 1.4-rolling-202311100309
Tested in VyOS 1.4-rolling-202311100309
Tried with single quotes: ''
This can be done in other areas such as firewall rules already:
Wed, Nov 15
vyos@r4# run show int Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down Interface IP Address MAC MTU S/L Description ----------- ----------------- ----------------- ----- ----- ------------- dum0 203.0.113.1/32 96:44:ad:c5:a1:a5 1500 u/u eth0 192.168.122.14/24 52:54:00:f1:fd:77 1500 u/u WAN eth1 192.0.2.1/24 52:54:00:04:33:2b 1500 u/u LAN-eth1 eth2 - 52:54:00:40:2e:af 1504 u/u LAN-eth2 eth3 - 52:54:00:09:a4:b4 1500 A/D eth4 - 52:54:00:2c:51:09 1500 A/D eth5 - 52:54:00:f3:1d:e8 1500 A/D lo 127.0.0.1/8 00:00:00:00:00:00 65536 u/u ::1/128
looks great from my perspective (I've just updated our nodes. Tested on Community Edition client on windows and Connect V3 client on windows and Tunnelblick on Mac all working as expected. (I tested with; 1.5-rolling-202311150738).
I don’t know how this exactly works, but can unidirectional conntrack-sync on router1 sync its connections to router2 and vice versa: router2 sync its own connections to router1 or its not going to work this way?
to keep track of this request on git
Fix was merged into 1.4 and 1.5.
I had entered the command as you have suggested and I think it's working somehow.
This is still an issue in 1.5. I tried importing a cert signed by my own CA and got the same error.
Tested VyOS 1.4-rolling-202311100309
@JeffWDH looks good to me. It definitely should fix this.
Tue, Nov 14
I have created a PR: https://github.com/vyos/vyatta-wanloadbalance/pull/21
The item in the config_dict is type list, like this: ['us', 'ca'] so it gets skipped by the convert_to_set_commands function.
I wonder if we should use permanent API call queries that don't depend on the path.
@watson.ash Will be fixed in the next rolling release. Could you check it (after 2023-11-14)
And we can backport it if all works fine.
New patch for migration scripts in 1.5: https://github.com/vyos/vyos-1x/pull/2480
download(local_path, urlstring, False, True, source_host, source_port)
Fixes the issue for API
This is probably obsoleted. I've upgraded few times since then and came to version 8.5 which does not seem to suffer this. Thank you.
And we had to stop activities on the project due to other issue described in
Contact me via Slack for testing
The fear of having the HTTP-API part of nginx compromised by another virtualhost config (as in they are sharing the same process) should be overcome by having a dedicated config file and start a 2nd nginx process.
Mon, Nov 13
Hi @aserkin ! I should have some time to help you. For this issue, I would need
- artifacts collected from running zebra under Valgrind
- a reference configuration that I can replicate in a lab
I will ping you over Slack for additional details and assistance.
I have created a draft pull request for FRR, but I can still see a bunch of odd bugs.
I'm going to activate it after additional testing by the team.
Most issues involve Wireshark's inability to parse packets correctly and display an exception, although the demons seem to run fine.
I`m back after a long break and will follow up on this feature.
Here is a summary of things that have happened since the last update:
1. In my absence, the feature testing got broken as a result of migrating from the `mininet` to the `munet` framework From debugging, I have identified a root cause to be - bpf fs was not inherited by the `munet` router. The solution is to hop into the router mount namespace for the test run.
Because there is a long-running development for operation data retrieval, we can postpone this ticket until an effort is finished.
Then, I can open a feature request or visit the yang meeting and start a discussion about the data pagination functionality.
Currently, my idea is to simulate pagination at the fs level by having a split of requested JSON.
This solution involves:
- Fetching an operation data from the demon
vtysh -c "show yang operational-data /frr-vrf:lib/vrf[name='default']/frr-zebra:zebra/ribs zebra" > big.json
- Fetching flat data stream and formating it 1 item (prefix) per line with jq -c option
jq -c '."frr-vrf:lib" .vrf ."frr-zebra:zebra" .ribs .rib .route' big.json | split -l 100 -d
- Splitting result by the number of lines (objects), saving into files on the filesystem
Now, UI can display 1 of the resulting files at a time. These files may be regenerated on page refresh.
Such a solution will utilize extra disk space, although it can be avoided by using pipes and other
streaming utilities like awk/sed