
pavel-altair (Pavel)
User

Projects

User does not belong to any projects.

User Details

User Since
May 27 2024, 10:44 AM

Recent Activity

Jun 17 2024

pavel-altair added a comment to T6407: Generate ipsec profile error.

All works!
Thank you.

Jun 17 2024, 2:58 PM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.5 Circinus

Jun 14 2024

pavel-altair added a comment to T6407: Generate ipsec profile error.
vyos@vyos:~$ generate ipsec profile windows-remote-access support remote ipsec.somedomain
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/ikev2_profile_generator.py", line 153, in <module>
    cert_data = load_certificate(pki['certificate'][cert_name]['certificate'])
                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
KeyError: 'certificate'
vyos@vyos:~$ show ver | match Version:
Version:          VyOS 1.5-rolling-202406130020
vyos@vyos:~$
Jun 14 2024, 6:56 AM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.5 Circinus

Jun 12 2024

pavel-altair added a comment to T6407: Generate ipsec profile error.

In upgrade process

Jun 12 2024, 7:20 AM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.5 Circinus

Jun 10 2024

pavel-altair added a comment to T6407: Generate ipsec profile error.
vyos@vyos:~$ dpkg -l | grep vyos-1x
ii  vyos-1x                              1.5dev0-1669-g77cb661d8          amd64        VyOS configuration scripts and data
ii  vyos-1x-vmware                       1.5dev0-1669-g77cb661d8          amd64        VyOS configuration scripts and data for VMware
vyos@vyos:~$
Jun 10 2024, 6:35 AM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.5 Circinus

Jun 9 2024

pavel-altair added a comment to T6407: Generate ipsec profile error.
vyos@vyos# show vpn ipsec | commands 
set esp-group vpn lifetime '3600'
set esp-group vpn pfs 'enable'
set esp-group vpn proposal 10 encryption 'aes128gcm128'
set esp-group vpn proposal 10 hash 'sha256'
set ike-group vpn key-exchange 'ikev2'
set ike-group vpn lifetime '7200'
set ike-group vpn proposal 10 dh-group '14'
set ike-group vpn proposal 10 encryption 'aes128gcm128'
set ike-group vpn proposal 10 hash 'sha256'
set interface 'eth0'
set options virtual-ip
set remote-access connection support authentication client-mode 'eap-mschapv2'
set remote-access connection support authentication local-id 'ipsec.somedomain'
set remote-access connection support authentication local-users username test password 'test'
set remote-access connection support authentication server-mode 'x509'
set remote-access connection support authentication x509 ca-certificate 'isrgrootx1'
set remote-access connection support authentication x509 ca-certificate 'lets-encrypt-r3'
set remote-access connection support authentication x509 certificate 'vpn2'
set remote-access connection support description 'support remote access'
set remote-access connection support esp-group 'vpn'
set remote-access connection support ike-group 'vpn'
set remote-access connection support local-address 'ip on eth0'
set remote-access connection support pool 'support'
set remote-access pool support name-server '1.1.1.1'
set remote-access pool support name-server '9.9.9.9'
set remote-access pool support prefix '192.168.120.64/27'
[edit]
vyos@vyos#
Jun 9 2024, 6:12 PM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.5 Circinus
pavel-altair added a comment to T6407: Generate ipsec profile error.
vyos@vyos:~$ generate ipsec profile windows-remote-access support remote ipsec.somedomain 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/ikev2_profile_generator.py", line 154, in <module>
    cert = load_certificate(pki['certificate'][cert_name]['certificate'])
                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
KeyError: 'certificate'
vyos@vyos:~$ show ver
Version:          VyOS 1.5-rolling-202406060020
Release train:    current
Release flavor:   generic
Jun 9 2024, 6:01 PM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.5 Circinus

May 31 2024

pavel-altair reopened T6407: Generate ipsec profile error as "Open".
May 31 2024, 11:49 AM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.5 Circinus
pavel-altair added a comment to T6407: Generate ipsec profile error.

In https://github.com/vyos/vyos-rolling-nightly-builds/releases/tag/1.5-rolling-202405301617 wrote

May 31 2024, 11:48 AM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.5 Circinus

May 30 2024

pavel-altair added a comment to T6417: Common storage location for accounts for different VPNs.
set resource-group username-group <my-users> username user01 password '09078081'
set resource-group username-group <my-users> username user02 password 'fmndskl82'

set service pppoe-server authentication local-users username-group 'my-users'
set vpn l2tp remote-access authentication local-users username-group 'my-users'
set vpn sstp authentication local-users username-group 'my-users'
set vpn openconnect authentication local-users username-group 'my-users'

Looks like what I was talking about.

May 30 2024, 12:32 PM · VyOS 1.5 Circinus
pavel-altair added a comment to T6417: Common storage location for accounts for different VPNs.

It is not clear why it should be ignored. If they should be ignored, they must not be in the CLI at all.
Why not use RADIUS authentication for it?

Do I get it wrong? A local RADIUS server seems like overhead here. Are we talking about the local “chap-secrets” file that can be reused by other daemons, or RADIUS?
Please clarify the feature request.

We need a general place to store accounts for VPN; whether it is a local RADIUS server or a chap-secrets file (this option seems simpler and more correct) is not so important.
A separate RADIUS server is another point of failure and a separate infrastructure object. I want to have a boxed solution where everything is available at once.

May 30 2024, 7:49 AM · VyOS 1.5 Circinus

May 29 2024

pavel-altair added a comment to T6417: Common storage location for accounts for different VPNs.

It probably cannot be a universal solution due to specific per-user options.
For example, for OpenConnect you can add OTP on a per-user basis if you want, and not do it for other users.

vyos@r4# set vpn openconnect authentication local-users username foo 
Possible completions:
   disable              Disable instance
 > otp                  2FA OTP authentication parameters
   password             Password used for authentication

Another case: a specific client IP address or rate limit.

vyos@r4# set vpn sstp authentication local-users username foo 
Possible completions:
   disable              Disable instance
   password             Password for authentication
 > rate-limit           Upload/Download speed limits
   static-ip            Static client IP address (default: *)

Though it could be only for the accel-ppp based configurations (SSTP/L2TP/PPTP).

Specific per-user options can be ignored if the protocol does not support them.

May 29 2024, 5:43 PM · VyOS 1.5 Circinus
pavel-altair created T6417: Common storage location for accounts for different VPNs.
May 29 2024, 2:57 PM · VyOS 1.5 Circinus

May 27 2024

pavel-altair created T6408: Duplicate lines on 'show log vpn'.
May 27 2024, 3:57 PM · VyOS 1.5 Circinus
pavel-altair created T6407: Generate ipsec profile error.
May 27 2024, 10:51 AM · VyOS 1.4 Sagitta (1.4.0-GA), VyOS 1.5 Circinus