
T6084: Add NHRP dependency for IPsec and fix NHRP empty config bug #3079

Merged
merged 1 commit into from Mar 4, 2024

Conversation

sever-sever (Member)

Change Summary

If we have any `vpn ipsec` and `protocols nhrp` configuration, we get an empty configuration file `/run/opennhrp/opennhrp.conf` after rebooting the system.

Using the config dependency instead of the old `resync_nhrp` function fixes this issue.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

nhrp

Proposed changes

How to test

Add this configuration and reboot the system

set interfaces ethernet eth1 address '192.0.2.14/24'
set interfaces ethernet eth1 description 'WAN'

set vpn ipsec esp-group group-ESP lifetime '3600'
set vpn ipsec esp-group group-ESP mode 'tunnel'
set vpn ipsec esp-group group-ESP pfs 'dh-group14'
set vpn ipsec esp-group group-ESP proposal 10 encryption 'aes128'
set vpn ipsec esp-group group-ESP proposal 10 hash 'sha1'
set vpn ipsec ike-group group-IKE close-action 'none'
set vpn ipsec ike-group group-IKE disable-mobike
set vpn ipsec ike-group group-IKE key-exchange 'ikev2'
set vpn ipsec ike-group group-IKE lifetime '28000'
set vpn ipsec ike-group group-IKE proposal 10 dh-group '14'
set vpn ipsec ike-group group-IKE proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group group-IKE proposal 10 hash 'sha1'
set vpn ipsec interface 'eth1'

set interfaces tunnel tun100 address '192.168.250.4/24'
set interfaces tunnel tun100 encapsulation 'gre'
set interfaces tunnel tun100 parameters ip key '1'
set interfaces tunnel tun100 source-address '192.0.2.14'

set protocols nhrp tunnel tun100 cisco-authentication 'secret'
set protocols nhrp tunnel tun100 holding-time '30'
set protocols nhrp tunnel tun100 multicast 'dynamic'
set protocols nhrp tunnel tun100 redirect
set protocols nhrp tunnel tun100 shortcut

Before the fix we have an empty opennhrp.conf file:

vyos@r1-right:~$ cat /run/opennhrp/opennhrp.conf 
# Created by VyOS - manual changes will be overwritten

vyos@r1-right:~$

After the fix, we have the correct config:

vyos@r4:~$ cat /run/opennhrp/opennhrp.conf 
# Created by VyOS - manual changes will be overwritten

interface tun100 #hub 
    cisco-authentication secret
    holding-time 30
    multicast dynamic
    redirect
    shortcut

vyos@r4:~$ 

Smoketest result

vyos@r4:~$ /usr/libexec/vyos/tests/smoke/cli/test_protocols_nhrp.py
test_config (__main__.TestProtocolsNHRP.test_config) ... ok

----------------------------------------------------------------------
Ran 1 test in 8.666s

OK


vyos@r4:~$ /usr/libexec/vyos/tests/smoke/cli/test_vpn_ipsec.py
test_dhcp_fail_handling (__main__.TestVPNIPsec.test_dhcp_fail_handling) ... You should set correct remote-address "peer main-branch remote-address x.x.x.x"

Failed to get address from dhcp-interface on site-to-site peer main-branch -- skipped
ok
test_dmvpn (__main__.TestVPNIPsec.test_dmvpn) ... ok
test_flex_vpn_vips (__main__.TestVPNIPsec.test_flex_vpn_vips) ... ok
test_remote_access (__main__.TestVPNIPsec.test_remote_access) ... 
Missing esp-group on vyos-rw remote-access config

ok
test_remote_access_eap_tls (__main__.TestVPNIPsec.test_remote_access_eap_tls) ... 
Missing esp-group on vyos-rw remote-access config

ok
test_remote_access_x509 (__main__.TestVPNIPsec.test_remote_access_x509) ... 
Missing esp-group on vyos-rw remote-access config

ok
test_site_to_site (__main__.TestVPNIPsec.test_site_to_site) ... ok
test_site_to_site_vti (__main__.TestVPNIPsec.test_site_to_site_vti) ... 
WARNING: It's recommended to use ipsec vti with the next command
[set vpn ipsec option disable-route-autoinstall]

ok
test_site_to_site_x509 (__main__.TestVPNIPsec.test_site_to_site_x509) ... 
WARNING: It's recommended to use ipsec vti with the next command
[set vpn ipsec option disable-route-autoinstall]

ok

----------------------------------------------------------------------
Ran 9 tests in 62.948s

OK
vyos@r4:~$ 

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
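The test procedure above boils down to one check: after a reboot, the rendered `/run/opennhrp/opennhrp.conf` must contain an `interface` block for every NHRP tunnel, carrying the options that were set under `protocols nhrp tunnel`. The following script is an added example (not part of this PR or of vyos-1x) that parses the opennhrp.conf format shown above and reports which expected options are missing, so the "empty file" regression is caught mechanically rather than by eyeballing `cat` output. The two sample files and the `EXPECTED` table are constructed from the outputs and `set` commands in the description; the file path default and the function names are assumptions of this example.

```python
"""Check that a rendered opennhrp.conf carries the NHRP tunnel options
that were configured under 'protocols nhrp tunnel <name>'.

Added example for the PR's test procedure; not vyos-1x code.
"""
import sys

# Constructed sample: the empty file seen before the fix.
BEFORE = """# Created by VyOS - manual changes will be overwritten

"""

# Constructed sample: the file rendered after the fix (as shown in the PR).
AFTER = """# Created by VyOS - manual changes will be overwritten

interface tun100 #hub 
    cisco-authentication secret
    holding-time 30
    multicast dynamic
    redirect
    shortcut

"""

# Options expected per tunnel, mirroring the 'set protocols nhrp tunnel tun100 ...'
# commands from the test configuration (constructed for this example).
EXPECTED = {
    "tun100": {
        "cisco-authentication secret",
        "holding-time 30",
        "multicast dynamic",
        "redirect",
        "shortcut",
    },
}


def parse_opennhrp_conf(text):
    """Parse opennhrp.conf into {interface_name: set(option lines)}.

    The format is line based: a top-level 'interface <name>' directive opens a
    block, indented lines below it are that interface's options, and '#' starts
    a comment (also trailing ones such as '#hub').
    """
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing spaces
        if not line.strip():
            continue
        if not line[0].isspace():
            # Top-level directive: only 'interface' opens a block we track.
            parts = line.split()
            if parts[0] == "interface" and len(parts) >= 2:
                current = parts[1]
                interfaces.setdefault(current, set())
            else:
                current = None
        elif current is not None:
            interfaces[current].add(line.strip())
    return interfaces


def missing_nhrp_options(text, expected=EXPECTED):
    """Return {tunnel: sorted list of missing options}.

    An empty dict means every expected tunnel block is present and complete;
    a tunnel whose block is absent entirely reports all of its options missing.
    """
    have = parse_opennhrp_conf(text)
    missing = {}
    for tunnel, options in expected.items():
        gap = options - have.get(tunnel, set())
        if gap:
            missing[tunnel] = sorted(gap)
    return missing


if __name__ == "__main__":
    # With a path argument, check a real file; otherwise demonstrate on the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:  # e.g. /run/opennhrp/opennhrp.conf
            result = missing_nhrp_options(fh.read())
    else:
        print("before fix:", missing_nhrp_options(BEFORE))
        result = missing_nhrp_options(AFTER)
    print("after fix / checked file:", result)
    sys.exit(1 if result else 0)
```

Run it on the router after the reboot (`python3 check_nhrp.py /run/opennhrp/opennhrp.conf`); a non-zero exit with the missing options listed is the pre-fix symptom, an empty result is the post-fix state. Extend `EXPECTED` with one entry per tunnel if the box carries more than one NHRP interface.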

If we have any `vpn ipsec` and `protocol nhrp` configuration, we
get an empty configuration file `/run/opennhrp/opennhrp.conf`
after rebooting the system.

Using the config dependency instead of the old `resync_nhrp` function
fixes this issue.

@vyosbot vyosbot requested review from a team, dmbaturin, sarthurdev, zdc, jestabro and c-po and removed request for a team March 4, 2024 10:34
@dmbaturin dmbaturin merged commit dc21e56 into vyos:current Mar 4, 2024
8 checks passed
@dmbaturin (Member)

Shall we backport to Sagitta once it gets a bit more testing?

@sever-sever (Member Author)

> Shall we backport to Sagitta once it gets a bit more testing?

@dmbaturin Yes, we definitely shall!

@sever-sever (Member Author)

@Mergifyio backport sagitta


mergify bot commented Mar 5, 2024

backport sagitta

🟠 Pending

  • Backport to branch sagitta in progress


mergify bot commented Mar 5, 2024

backport sagitta

✅ Backports have been created

c-po added a commit that referenced this pull request Mar 6, 2024
T6084: Add NHRP dependency for IPsec and fix NHRP empty config bug (backport #3079)