<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/data/templates/ipsec, branch fix/T8955-http-api-verify-tls</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=fix%2FT8955-http-api-verify-tls</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=fix%2FT8955-http-api-verify-tls'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-05-27T14:04:17+00:00</updated>
<entry>
<title>ipsec: T8912: Fix log level not respected in system journal</title>
<updated>2026-05-27T14:04:17+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2026-05-27T13:31:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=3b22850f4fe4163fea73f907ba8fe72777ba8d80'/>
<id>urn:sha1:3b22850f4fe4163fea73f907ba8fe72777ba8d80</id>
<content type='text'>
When setting 'vpn ipsec logging log-level 0', DPD informational
messages (log level 1) were still appearing in the system journal.

The root cause is that charon-systemd reads both `charon-systemd.conf`
and `charon-logging.conf` and applies the higher of the two log levels
to the journal. The VyOS only managed `charon-systemd.conf`, leaving
`charon-logging.conf` at its default level of 1, which silently overrode
the user-configured level.

Fix this by rendering `charon-logging.conf` on every commit with
syslog backend set to -1 (silent), making `charon-systemd.conf`
the sole authoritative source for journal log verbosity.

This also eliminates duplicate log entries in the journal that occurred
when both backends were active and writing to the same destination.
</content>
</entry>
<entry>
<title>ipsec: T7555: Implement `ikev2-reauth` for site-to-site peers</title>
<updated>2026-05-20T09:22:21+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2026-05-14T09:42:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=b6d24956bd4c7a5e4cb89c0b4331264a96667184'/>
<id>urn:sha1:b6d24956bd4c7a5e4cb89c0b4331264a96667184</id>
<content type='text'>
IKEv2 reauthentication was configurable via CLI but never translated
into `swanctl.conf`. Add `reauth_time` to the peer connection template,
driven by the `ikev2-reauth` flag on the ike-group and the per-peer
override (yes/no/inherit).
</content>
</entry>
<entry>
<title>T8410: Fix typos and mistakes for comments and messages</title>
<updated>2026-03-27T15:00:17+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2026-03-27T14:43:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=139b0841f8242a5c6ebdafb37380c1fb78342aae'/>
<id>urn:sha1:139b0841f8242a5c6ebdafb37380c1fb78342aae</id>
<content type='text'>
Fix typos and mistakes
No functional changes
</content>
</entry>
<entry>
<title>T8386: fix locat_ts rendering in remote_access.j2</title>
<updated>2026-03-17T07:02:03+00:00</updated>
<author>
<name>Alex Kudentsov</name>
<email>43482574+alexk37@users.noreply.github.com</email>
</author>
<published>2026-03-16T04:06:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=8714825922af321942975d231e6065fb752abb1d'/>
<id>urn:sha1:8714825922af321942975d231e6065fb752abb1d</id>
<content type='text'>
</content>
</entry>
<entry>
<title>T8136: IPSEC PPK Support</title>
<updated>2026-03-04T04:48:18+00:00</updated>
<author>
<name>Giga Murphy</name>
<email>giga1699@gmail.com</email>
</author>
<published>2026-01-02T01:04:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=673ec335b885ae1de8391dd8c48a5fe16b282db5'/>
<id>urn:sha1:673ec335b885ae1de8391dd8c48a5fe16b282db5</id>
<content type='text'>
</content>
</entry>
<entry>
<title>ipsec: T7594: Rename `respond` connection-type in IPSec peer settings to `trap`</title>
<updated>2025-12-04T15:03:54+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2025-11-28T14:52:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=2dc91c0a96c3d3212387be02b80c58fce7c68bd8'/>
<id>urn:sha1:2dc91c0a96c3d3212387be02b80c58fce7c68bd8</id>
<content type='text'>
The previous 'connection-type respond' option in IPsec site-to-site peers
was misleading - instead of passively waiting for peer initiation, it would
initiate negotiation when matching traffic appeared, potentially causing
SA duplication and renegotiation loops.
</content>
</entry>
<entry>
<title>T8027: vpn: adding config for swanctl "send-cert always"</title>
<updated>2025-11-22T02:22:43+00:00</updated>
<author>
<name>Chris Cowart</name>
<email>ccowart@timesinks.net</email>
</author>
<published>2025-11-16T06:39:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=090c4afe8dce25f772c24fc9bb6e3b96d23fcc2b'/>
<id>urn:sha1:090c4afe8dce25f772c24fc9bb6e3b96d23fcc2b</id>
<content type='text'>
This setting seems to be required for various Apple clients to
connect to the IKEv2 IPSec VPN.
</content>
</entry>
<entry>
<title>ipsec: T7562: Add support for `disable-uniqreqids` option in IPsec configs</title>
<updated>2025-08-12T09:11:05+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2025-07-31T10:41:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=c84c7cf16bf4a0222690f4ac2d93dafc88a7a0f7'/>
<id>urn:sha1:c84c7cf16bf4a0222690f4ac2d93dafc88a7a0f7</id>
<content type='text'>
This commit makes `set vpn ipsec disable-uniqreqids` work with the modern
StrongSwan backend by setting `unique=never` in swanctl.conf for connections.
This restores legacy behavior about multiple connections with the same identity.
</content>
</entry>
<entry>
<title>ipsec: T7581: Fix unsupported 'all' protocol in site-to-site tunnels after upgrade to 1.4.x</title>
<updated>2025-07-28T08:43:42+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2025-07-25T13:44:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=46a0e2cfc99a41a43fbcede2f02d8ad8f98daffb'/>
<id>urn:sha1:46a0e2cfc99a41a43fbcede2f02d8ad8f98daffb</id>
<content type='text'>
Upgrading from VyOS 1.3.8 (strongSwan 5.7.2) to 1.4.x (strongSwan 5.9.11) caused
the IPsec service to fail if the configuration contained:

```
  set vpn ipsec site-to-site peer &lt;peer&gt; tunnel &lt;id&gt; protocol 'all'
```

In 1.3.8, 'all' was supported in the CLI for protocol and converted internally to '%any'
in ipsec.conf traffic selectors, allowing the tunnel to match all protocols. However, in
1.4.x and strongSwan 5.9.11+, the '[all/]' syntax is no longer supported, and use of
'protocol all' produces an invalid traffic selector (e.g., 'x.x.x.0/24[all/]'), causing
the strongSwan service to fail on reload.

This fix ensures that 'protocol all' is converted to just the subnet notation (e.g.,
'x.x.x.0/24') in the generated traffic selector, restoring previous behavior and allowing
seamless service startup after upgrade.
</content>
</entry>
<entry>
<title>ipsec: T7504: Added IKEv2 retransmission options</title>
<updated>2025-07-18T10:08:10+00:00</updated>
<author>
<name>aapostoliuk</name>
<email>aapostoliuk@vyos.io</email>
</author>
<published>2025-07-09T15:06:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=f0ac13f3683d593e7700c46fc227cf223e0c79d5'/>
<id>urn:sha1:f0ac13f3683d593e7700c46fc227cf223e0c79d5</id>
<content type='text'>
Added IKEv2 retransmission options (base, tries, timeout).
</content>
</entry>
</feed>
