1.3.0-rc6 ipsec issues

hello,

I caught two issues with ipsec in latest rc

  1. I should explicitly specify “set vpn ipsec options disable-route-autoinstall” even when I am use
    vti interfaces. otherwise strongswan insert recods in 220 route table. In my case when I shut down
    vti03 router becomes unreachable and I can see the following:

vyos@krasnodar-a:/config$ ip ro sh table 220
default via 10.102.11.11 dev eth2 proto static

in previous versions I did not care about this strongswan option. this bug or feature ?

  1. router does not eat ipsec vpn configuration between reboots - e.g. all vpn ipsec subtree

firewall {
all-ping enable
broadcast-ping disable
config-trap disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians disable
options {
interface vti01 {
adjust-mss 1396
}
interface vti03 {
adjust-mss 1396
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
twa-hazards-protection disable
}
high-availability {
vrrp {
group GW-SKUD {
authentication {
password fMeoMbsPYm
type plaintext-password
}
interface eth4.31
priority 254
virtual-address 10.43.233.1/24
vrid 31
}
group GW-LAN-DO {
authentication {
password sEfYdbJrfe
type plaintext-password
}
interface eth4.251
priority 254
virtual-address 10.43.23.1/24
vrid 251
}
}
}
interfaces {
ethernet eth0 {
address 10.100.11.10/24
description RT-IPVPN
}
ethernet eth1 {
address 192.168.1.6/24
description TELEMAX-INET
}
ethernet eth2 {
address 10.102.11.10/24
description MTS-IPVPN
}
ethernet eth3 {
address 10.43.81.16/31
description “PTP >> KRASNODAR-B”
ip {
ospf {
bfd {
}
cost 5
dead-interval 40
hello-interval 10
network point-to-point
priority 1
retransmit-interval 5
transmit-delay 1
}
}
}
ethernet eth4 {
vif 31 {
address 10.43.233.2/24
description SKUD
disable {
}
}
vif 50 {
address 192.168.23.150/24
description OLD-LAN
}
vif 81 {
address 192.168.123.2/24
description “TEST VLAN 192.168.123.0”
}
vif 251 {
address 10.43.23.2/24
description “LAN DO”
disable {
}
}
}
loopback lo {
address 10.43.255.23/32
description “OSPF RID”
}
vti vti01 {
address 10.43.81.9/31
description “MTS >> SOCHI-A”
ip {
ospf {
bfd {
}
cost 20
dead-interval 40
hello-interval 10
network point-to-point
priority 1
retransmit-interval 5
transmit-delay 1
}
}
mtu 1436
}
vti vti03 {
address 10.43.81.13/31
description “RTK >> SOCHI-A”
ip {
ospf {
bfd {
}
cost 10
dead-interval 40
hello-interval 10
network point-to-point
priority 1
retransmit-interval 5
transmit-delay 1
}
}
mtu 1436
}
}
protocols {
bfd {
peer 10.43.81.8 {
source {
interface vti01
}
}
peer 10.43.81.12 {
source {
interface vti03
}
}
peer 10.43.81.17 {
source {
interface eth3
}
}
}
ospf {
area 0.43.43.0 {
area-type {
nssa {
no-summary {
}
translate candidate
}
}
network 10.43.255.23/32
network 10.43.81.8/31
network 10.43.81.10/31
network 10.43.81.12/31
network 10.43.81.14/31
network 10.43.81.16/31
network 10.43.233.0/24
network 10.43.23.0/24
network 192.168.23.0/24
network 192.168.123.0/24
}
parameters {
abr-type cisco
router-id 10.43.255.23
}
passive-interface default
passive-interface-exclude vti01
passive-interface-exclude vti03
passive-interface-exclude eth3
}
static {
route 10.100.7.0/24 {
next-hop 10.100.11.240
}
route 192.168.128.64/27 {
next-hop 192.168.23.1
}
route 192.168.132.0/24 {
next-hop 192.168.23.1
}
}
}
service {
lldp {
legacy-protocols {
cdp {
}
}
}
ssh {
}
}
system {
config-management {
commit-revisions 100
}
console {
device ttyS0 {
speed 115200
}
}
host-name krasnodar-a
login {
user vyos {
authentication {
encrypted-password $6$N99TKvQk$hpqCmjPlXs7jAUO2ExIxRqRDLbahXX9EPISp.RnR6S9v8regRPBSFStnSqECCPVVvFrmKbjYXc9iJMrTYD72r.
plaintext-password “”
}
}
}
name-server 10.40.28.20
name-server 10.40.28.21
name-server 172.21.100.111
ntp {
server 10.40.28.20
server 10.40.28.21
server 172.21.100.111
}
syslog {
global {
facility all {
level info
}
facility protocols {
level debug
}
}
}
time-zone Europe/Moscow
}
vpn {
ipsec {
esp-group ESP01 {
compression disable
lifetime 3600
mode tunnel
pfs disable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group IKE01 {
close-action none
dead-peer-detection {
action restart
interval 15
timeout 30
}
ikev2-reauth no
key-exchange ikev2
lifetime 86400
proposal 1 {
dh-group 14
encryption aes256
hash sha256
}
}
options {
disable-route-autoinstall {
}
}
site-to-site {
peer 10.100.7.11 {
authentication {
mode pre-shared-secret
pre-shared-secret k76yjgx6nw2a25umEFcLfD6dFbqKZzYA
remote-id 10.100.7.11
}
connection-type initiate
description “RTK >> SOCHI-A”
ike-group IKE01
ikev2-reauth no
local-address 10.100.11.10
vti {
bind vti03
esp-group ESP01
}
}
peer 10.102.11.11 {
authentication {
mode pre-shared-secret
pre-shared-secret w7d7aq7s2cgekvv8vNfcEVNw3FKryTyz
remote-id 10.102.11.11
}
connection-type initiate
description “MTS >> SOCHI-A”
ike-group IKE01
ikev2-reauth inherit
local-address 10.102.11.10
vti {
bind vti01
esp-group ESP01
}
}
}
}
}
// Warning: Do not remove the following line.
// vyos-config-version: “broadcast-relay@1:cluster@1:config-management@1:conntrack@2:conntrack-sync@2:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@20:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@8:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@20:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1”
// Release version: 1.3.0-rc6