
T5715: op-cmd: Fix for "restart vpn" command #37

Closed

Conversation

srividya0208

Change Summary

The "restart vpn" command is failing even though ipsec is configured, after this fix https://vyos.dev/R30:6e3334dec6143b7c18c6cec15344d84eb900ebb5 was applied.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

ipsec

Proposed changes

Before change:

vyos@vyos# run restart vpn
IPsec VPN not configured

After change:

vyos@vyos# run restart vpn
Restarting IPsec process...

How to test

Add this configuration:

set vpn ipsec esp-group MyESPGroup compression 'disable'
set vpn ipsec esp-group MyESPGroup lifetime '3600'
set vpn ipsec esp-group MyESPGroup mode 'tunnel'
set vpn ipsec esp-group MyESPGroup pfs 'enable'
set vpn ipsec esp-group MyESPGroup proposal 1 encryption 'aes256'
set vpn ipsec esp-group MyESPGroup proposal 1 hash 'sha1'
set vpn ipsec ike-group MyIKEGroup close-action 'none'
set vpn ipsec ike-group MyIKEGroup ikev2-reauth 'no'
set vpn ipsec ike-group MyIKEGroup key-exchange 'ikev1'
set vpn ipsec ike-group MyIKEGroup lifetime '86400'
set vpn ipsec ike-group MyIKEGroup proposal 1 dh-group '2'
set vpn ipsec ike-group MyIKEGroup proposal 1 encryption 'aes256'
set vpn ipsec ike-group MyIKEGroup proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.217.80.94 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.217.80.94 authentication pre-shared-secret 'nosecret'
set vpn ipsec site-to-site peer 10.217.80.94 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.217.80.94 default-esp-group 'MyESPGroup'
set vpn ipsec site-to-site peer 10.217.80.94 ike-group 'MyIKEGroup'
set vpn ipsec site-to-site peer 10.217.80.94 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.217.80.94 local-address '10.217.80.110'
set vpn ipsec site-to-site peer 10.217.80.94 vti bind 'vti0'
set interfaces vti vti0 address '172.16.1.2/31'

Then run this command:
$ restart vpn

Smoketest result

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@fett0

fett0 commented Dec 27, 2023

@dmbaturin @sever-sever can someone check it ?

@sever-sever (Member)

As for me, we should revert it, @dmbaturin is the author of the previous change #36

@dmbaturin dmbaturin (Member) left a comment

Since the ipsec-interfaces option is not mandatory, reverting the old PR doesn't actually fix the real issue — that there are valid configs that make charon non-restartable from op mode. I'll look into the vyatta-cfg causes of the false negative in returnValues.

@jvilafe

jvilafe commented Jan 11, 2024

Hi, I have 1.3.4 with set vpn ipsec ipsec-interfaces interface 'eth0', but restart vpn fails...

set vpn ipsec ike-group IKEv2_DMVPN proposal 3 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec profile DMVPN authentication mode 'pre-shared-secret'

user@.hub01:~$ show vpn ipsec status
IPSec Process Running PID: 3090

8 Active IPsec Tunnels

IPsec Interfaces :
eth0 (no IP on interface statically configured as local-ip for any VPN peer)
user@.hub01:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
dmvpn up 24m25s 2K/2K 26/30 xxx.xxx.xxx.xxx N/A CHACHA20_POLY1305/ECP_521
user@.hub01:~$ restart vpn
IPsec VPN not configured
user@.hub01:~$
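The "How to test" steps above and the report just quoted both boil down to one observable contradiction: charon is running with active tunnels, yet "restart vpn" answers "IPsec VPN not configured". The following added example (not code from the PR or from VyOS) is a small POSIX shell check over captured op-mode output that flags that false negative; the sample outputs are constructed to match the shapes quoted in this thread.

```shell
#!/bin/sh
# Added example, not part of the PR: detect the "restart vpn" false negative
# reported in this thread by comparing captured op-mode outputs.

# Constructed samples, shaped like the outputs quoted above.
STATUS_OUTPUT='IPSec Process Running PID: 3090

8 Active IPsec Tunnels

IPsec Interfaces :
eth0 (no IP on interface statically configured as local-ip for any VPN peer)'
RESTART_OUTPUT='IPsec VPN not configured'

# Print the charon PID from "show vpn ipsec status" output, or nothing.
status_pid() {
    printf '%s\n' "$1" | sed -n 's/^IPSec Process Running PID: \([0-9][0-9]*\)$/\1/p'
}

# Print the active tunnel count from the same output, defaulting to 0.
status_tunnels() {
    n=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\) Active IPsec Tunnels$/\1/p')
    echo "${n:-0}"
}

# check_restart_consistency STATUS_OUTPUT RESTART_OUTPUT
# Returns 0 when the restart result agrees with the daemon state and
# 1 when restart claims "not configured" while charon is actually up.
check_restart_consistency() {
    pid=$(status_pid "$1")
    tunnels=$(status_tunnels "$1")
    case "$2" in
        *"IPsec VPN not configured"*)
            if [ -n "$pid" ]; then
                echo "inconsistent: charon PID $pid with $tunnels tunnels, but restart says not configured"
                return 1
            fi
            ;;
    esac
    return 0
}

# Usage: a non-zero exit means the op-mode check misjudged the config.
check_restart_consistency "$STATUS_OUTPUT" "$RESTART_OUTPUT" || echo "regression present"
```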

@sever-sever (Member)

Hi, I have 1.3.4 with set vpn ipsec ipsec-interfaces interface 'eth0', but restart vpn fails...

@jvilafe You can make suggested changes in this PR in your router

sudo nano -c /opt/vyatta/share/vyatta-op/templates/restart/vpn/node.def

But the proper fix will be later

@jvilafe

jvilafe commented Jan 11, 2024

mmm
I made these changes in the node.def.in file, but it doesn't work for me...
I think it doesn't work for me because I have the issue despite having the correct entry in the ipsec configuration.
restart vpn does not work even though I have ipsec-interfaces configured. Maybe it's because I use a profile for DMVPN and there is no static IP interface configured?

show vpn ipsec status
IPSec Process Running PID: 19305

12 Active IPsec Tunnels

IPsec Interfaces :
eth0 (no IP on interface statically configured as local-ip for any VPN peer)

@sever-sever (Member)

Propose a new fix #38

@c-po c-po closed this Jan 12, 2024