Entire vpn ipsec config lost on reboot

I just rebooted my VyOS 1.3.0 router. On reboot, the entire vpn block in my router config had disappeared. In the commit log, the change appears to have been made by root via vyos-boot-config-loader.

How is this possible? How can simply rebooting result in a change to the device configuration (short of changing images or forgetting to run save, neither of which is the case here)?

tobias@vyos# run show system commit |head -n 2
0   2022-01-13 17:40:58 by root via vyos-boot-config-loader
1   2022-01-13 17:12:55 by tobias via cli
tobias@vyos# compare 1|head -n 2
-vpn {
-    ipsec {

The config in question was added and saved weeks ago, and the change I made immediately before the reboot-generated change DID persist across the reboot:

tobias@vyos# compare 1 2
[edit protocols static]
+route 0.0.0.0/0 {
+    next-hop 192.168.2.1 {
+    }
+}
tobias@vyos# show protocols static route 
 route 0.0.0.0/0 {
     next-hop 192.168.2.1 {
     }
 }

I don’t see anything clearly related in /var/log/messages, but it’s always possible I’m not looking for the right things (commits, references to ipsec or vpn, etc.).

Thanks in advance for the help.

I tried rolling back to the previous config, and again that entire block was wiped.

# rollback 1
Proceed with reboot? [confirm]

… wait for reboot …

tobias@vyos:~$ show system commit|head -n 4
0   2022-01-13 18:07:33 by root via vyos-boot-config-loader
1   2022-01-13 18:03:02 by tobias via other
2   2022-01-13 17:40:58 by root via vyos-boot-config-loader
3   2022-01-13 17:12:55 by tobias via cli
tobias@vyos:~$ show system commit diff 3|head -n 2
[edit protocols static]
+route 0.0.0.0/0 {
tobias@vyos:~$ show system commit diff 2|head -n 2
-vpn {
-    ipsec {
tobias@vyos:~$ show system commit diff 1|head -n 2
+vpn {
+    ipsec {
tobias@vyos:~$ show system commit diff 0|head -n 2
-vpn {
-    ipsec {

It sounds like you’ve hit a bug. Your config was there, saved, but when it’s been parsed on reboot, it’s been ignored due to a problem.

Do you have a copy of the config file on the device? Look in /config/archive and examine those files.

If you can find your config saved in one of those, it would be worth logging a Phabricator ticket and uploading your config there (sanitized) and explaining in detail what happened.

Thanks for the feedback.

I worked backwards by recreating the config manually and discovered that this is the problematic line:

set vpn ipsec site-to-site peer w.x.w.z dhcp-interface 'eth0'

When attempting to commit this change manually, VyOS says:

VPN configuration error: The specified interface is not configured for dhcp.


[[vpn]] failed
Commit failed
[edit]

The problem appears to be that VyOS allowed me to switch eth0 from DHCP to static (in a prior commit), but it did not also require me to delete this setting at that time.

I will create a ticket and post the link here.
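
A pre-reboot check for the condition found above, as an added example that is not part of the original thread and not VyOS's own code: it scans `show configuration commands` output for site-to-site peers whose dhcp-interface no longer has `address dhcp`. The sample config, peer addresses and function names are constructed, and the `eth0.10` naming for a vif is an assumption.

```python
# Constructed sample in the format of `show configuration commands`.
# Peer addresses are documentation placeholders, not values from the thread.
SAMPLE = """\
set interfaces ethernet eth0 address '192.168.2.2/24'
set interfaces ethernet eth1 address 'dhcp'
set protocols static route 0.0.0.0/0 next-hop 192.168.2.1
set vpn ipsec site-to-site peer 192.0.2.10 dhcp-interface 'eth0'
set vpn ipsec site-to-site peer 192.0.2.20 dhcp-interface 'eth1'
"""

def tokens(line):
    """Split one `set` command and drop the single quotes around values."""
    return [t.strip("'") for t in line.split()]

def dhcp_interfaces(commands):
    """Return the names of interfaces configured with `address dhcp`."""
    found = set()
    for line in commands.splitlines():
        tok = tokens(line)
        # set interfaces <type> <name> [vif <id>] address dhcp
        if tok[:2] != ["set", "interfaces"] or tok[-2:] != ["address", "dhcp"]:
            continue
        if len(tok) == 6:
            found.add(tok[3])
        elif len(tok) == 8 and tok[4] == "vif":
            found.add(f"{tok[3]}.{tok[5]}")  # assumed sub-interface naming
    return found

def stale_dhcp_peers(commands):
    """Return (peer, interface) pairs whose dhcp-interface is not a DHCP client."""
    dhcp = dhcp_interfaces(commands)
    prefix = ["set", "vpn", "ipsec", "site-to-site", "peer"]
    stale = []
    for line in commands.splitlines():
        tok = tokens(line)
        # set vpn ipsec site-to-site peer <peer> dhcp-interface <ifname>
        if tok[:5] == prefix and len(tok) == 8 and tok[6] == "dhcp-interface":
            if tok[7] not in dhcp:
                stale.append((tok[5], tok[7]))
    return stale

if __name__ == "__main__":
    for peer, ifname in stale_dhcp_peers(SAMPLE):
        print(f"peer {peer}: dhcp-interface {ifname} has no 'address dhcp'")
```

Any pair it reports marks a `vpn` block that would fail validation when the config is loaded at boot, as happened in this thread.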

Hi tobias!

It’ll be great! Could you share your current configuration? If you don’t have access to Phabricator we can create this case.

thanks

Hi tobias!

I was able to reproduce this bug; it was documented in this task:
https://phabricator.vyos.net/T4185

You are free to add any comment.
re

Hi @fernando, thanks for reproducing this and making the bug! I tried to create the bug myself, but I’m afraid I am stuck on this screen for a couple days. Do you happen to have permission to approve my account?

Hi

Sorry! But I couldn’t give permission on this platform (because I don’t); I’ll ask the admin if he can allow his user.

regards