<feed xmlns='http://www.w3.org/2005/Atom'>
<title>vyos-1x.git/src/conf_mode/vpn_ipsec.py, branch feature/T9082-codeql-cpp</title>
<subtitle>VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git)
</subtitle>
<id>https://git.amelek.net/vyos/vyos-1x.git/atom?h=feature%2FT9082-codeql-cpp</id>
<link rel='self' href='https://git.amelek.net/vyos/vyos-1x.git/atom?h=feature%2FT9082-codeql-cpp'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/'/>
<updated>2026-06-24T04:49:41+00:00</updated>
<entry>
<title>ipsec: T8975: lock vti-up-down state DB to prevent lost updates under concurrent rekey</title>
<updated>2026-06-24T04:49:41+00:00</updated>
<author>
<name>Robert Navarro</name>
<email>crshman@gmail.com</email>
</author>
<published>2026-06-19T02:13:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=368b0468bf4f1eaac8e0b61d0790206048eeb79a'/>
<id>urn:sha1:368b0468bf4f1eaac8e0b61d0790206048eeb79a</id>
<content type='text'>
The vti-up-down hook and vpn_ipsec.py modify a flat-file DB
(/tmp/ipsec_vti_interfaces) through three context managers that do an
unlocked read-modify-write. During a coordinated rekey, strongSwan fires
the hook for many VTIs concurrently, so the writers lost-update each
other: an interface whose up-client add is overwritten is left admin-down
while its CHILD_SA stays installed.

Serialise all DB access by reusing vyos.utils.locking.Lock. A new
_vti_updown_db_lock() context manager wraps the three public context
managers, and remove_vti_updown_db() holds the lock across both the DB
processing and the os.unlink() to close the create/delete race.

Make the helpers absence-safe under the lock so callers no longer compose
a separate existence check with a locked operation:
open_vti_updown_db_readonly() yields None when the DB does not exist and
remove_vti_updown_db() is a no-op when it is absent. Drop the
now-redundant unlocked vti_updown_db_exists() pre-checks in vti.py and
vpn_ipsec.py and handle the None yield.
</content>
</entry>
<entry>
<title>T8923: normalize "can not" to "cannot"</title>
<updated>2026-06-16T18:24:44+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2026-06-16T18:24:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=fa853ed8f25b5b9bf396d6e819b2c6259e7f5f42'/>
<id>urn:sha1:fa853ed8f25b5b9bf396d6e819b2c6259e7f5f42</id>
<content type='text'>
Replace two-word "can not" / "Can not" with "cannot" across comments,
ConfigError messages, CLI help text, and op-mode output.

Standard SNMP MIB files under mibs/ are left unchanged.
</content>
</entry>
<entry>
<title>ipsec: T8912: Fix log level not respected in system journal</title>
<updated>2026-05-27T14:04:17+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2026-05-27T13:31:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=3b22850f4fe4163fea73f907ba8fe72777ba8d80'/>
<id>urn:sha1:3b22850f4fe4163fea73f907ba8fe72777ba8d80</id>
<content type='text'>
When setting 'vpn ipsec logging log-level 0', DPD informational
messages (log level 1) were still appearing in the system journal.

The root cause is that charon-systemd reads both `charon-systemd.conf`
and `charon-logging.conf` and applies the higher of the two log levels
to the journal. The VyOS only managed `charon-systemd.conf`, leaving
`charon-logging.conf` at its default level of 1, which silently overrode
the user-configured level.

Fix this by rendering `charon-logging.conf` on every commit with
syslog backend set to -1 (silent), making `charon-systemd.conf`
the sole authoritative source for journal log verbosity.

This also eliminates duplicate log entries in the journal that occurred
when both backends were active and writing to the same destination.
</content>
</entry>
<entry>
<title>ipsec: T7555: Implement `ikev2-reauth` for site-to-site peers</title>
<updated>2026-05-20T09:22:21+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2026-05-14T09:42:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=b6d24956bd4c7a5e4cb89c0b4331264a96667184'/>
<id>urn:sha1:b6d24956bd4c7a5e4cb89c0b4331264a96667184</id>
<content type='text'>
IKEv2 reauthentication was configurable via CLI but never translated
into `swanctl.conf`. Add `reauth_time` to the peer connection template,
driven by the `ikev2-reauth` flag on the ike-group and the per-peer
override (yes/no/inherit).
</content>
</entry>
<entry>
<title>T8410: Fix typos and mistakes for operational and configuration commands</title>
<updated>2026-03-24T17:02:56+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2026-03-20T16:41:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=bb2aee1e58c1cd30087b935798060e6bf3c698c8'/>
<id>urn:sha1:bb2aee1e58c1cd30087b935798060e6bf3c698c8</id>
<content type='text'>
Fix typos and mistakes in the commands and comments
No functional changes
</content>
</entry>
<entry>
<title>T8136: IPSEC PPK Support</title>
<updated>2026-03-04T04:48:18+00:00</updated>
<author>
<name>Giga Murphy</name>
<email>giga1699@gmail.com</email>
</author>
<published>2026-01-02T01:04:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=673ec335b885ae1de8391dd8c48a5fe16b282db5'/>
<id>urn:sha1:673ec335b885ae1de8391dd8c48a5fe16b282db5</id>
<content type='text'>
</content>
</entry>
<entry>
<title>ipsec: T8022: Fix invalid automatic `dynamic` prefix assignment for transport mode tunnels</title>
<updated>2026-01-05T13:01:38+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2025-12-04T12:32:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=875cdbe042aa3c178f033b5699763ebcaf5261cd'/>
<id>urn:sha1:875cdbe042aa3c178f033b5699763ebcaf5261cd</id>
<content type='text'>
When ESP was configured in transport mode for GRE-based site-to-site tunnels,
the default value `dynamic` was automatically injected into the configuration,
even though prefixes must not be set in transport mode. This led to error
"Local/remote prefix cannot be used with ESP transport mode" and commit failures.

This fix updates configuration logic to skip default prefix assignment
for site-to-site peers using ESP transport mode tunnels.
</content>
</entry>
<entry>
<title>ipsec: T7593: Add dynamic prefix for local and remote traffic selectors</title>
<updated>2025-07-28T10:23:13+00:00</updated>
<author>
<name>Oleksandr Kuchmystyi</name>
<email>o.kuchmystyi@vyos.io</email>
</author>
<published>2025-07-15T09:31:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=cdb97173c8ba251c577e30bb324555a418c32828'/>
<id>urn:sha1:cdb97173c8ba251c577e30bb324555a418c32828</id>
<content type='text'>
In case when there is no local/remote prefix configured in a tunnel settings,
a protocol configured for such tunnel is ignored.

The correct way to generate the configuration is to set the prefix
to `dynamic` if it was not set. The correct config for the described case is:

```
local_ts = dynamic[gre/]
remote_ts = dynamic[gre/]
```
</content>
</entry>
<entry>
<title>T7591: remove copyright years from source files</title>
<updated>2025-06-28T21:16:52+00:00</updated>
<author>
<name>Christian Breunig</name>
<email>christian@breunig.cc</email>
</author>
<published>2025-06-28T18:51:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=1478516ae437f19ebeb7d6ff9b83dd74f8e76758'/>
<id>urn:sha1:1478516ae437f19ebeb7d6ff9b83dd74f8e76758</id>
<content type='text'>
The legal team says years are not necessary so we can go ahead with it, since
it will simplify backporting.

Automatically removed using: git ls-files | grep -v libvyosconfig | xargs sed -i -E \
's/^# Copyright (19|20)[0-9]{2}(-[0-9]{4})? VyOS maintainers.*/# Copyright VyOS maintainers and contributors &lt;maintainers@vyos.io&gt;/g'

In addition we will error-out during "make" if someone re-adds a legacy
copyright notice
</content>
</entry>
<entry>
<title>T7458: Fix VPN IPsec unexpected passthrough logic bug</title>
<updated>2025-05-16T09:02:12+00:00</updated>
<author>
<name>Viacheslav Hletenko</name>
<email>v.gletenko@vyos.io</email>
</author>
<published>2025-05-16T09:02:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/vyos-1x.git/commit/?id=2f8c013b537b6eed12b95c81e9098b240ce1eaa5'/>
<id>urn:sha1:2f8c013b537b6eed12b95c81e9098b240ce1eaa5</id>
<content type='text'>
VPN IPsec unexpected passthrough logic bug was introduced in this
commit https://github.com/vyos/vyos-1x/commit/f480346bb8e934b1ce2e0fc3be23f7168273bba1
The correct behaviour of the `cidr_fit` was replaced with the
incorrect `overlap`

This way, the passthrough option is used every time when networks overlap.

```
&gt;&gt;&gt; from ipaddress import ip_network
&gt;&gt;&gt;
&gt;&gt;&gt; a = ip_network('192.0.2.0/24')
&gt;&gt;&gt; b = ip_network('192.0.2.100/30')
&gt;&gt;&gt;
&gt;&gt;&gt; a.overlaps(b)
True
&gt;&gt;&gt;
&gt;&gt;&gt; b.overlaps(a)
True
&gt;&gt;&gt;
```

But there should be `subnet_of`:
```
&gt;&gt;&gt; a.subnet_of(b)
False
&gt;&gt;&gt;
&gt;&gt;&gt; b.subnet_of(a)
True
&gt;&gt;&gt;
```

In configuration it looks like
```
set vpn ipsec site-to-site peer RIGHT tunnel 0 local prefix '192.0.2.0/24'
set vpn ipsec site-to-site peer RIGHT tunnel 0 remote prefix '192.0.2.100/30'
```
The StrongSwan unexpected configuration:
```
            RIGHT-tunnel-0-passthrough {
                local_ts = 192.0.2.0/24
                remote_ts = 192.0.2.0/24
                start_action = trap
                mode = pass
            }
```

So all outcoming traffic to the 192.0.2.0/24 pass through the main routing
table instead of out SA

Use `subnet_of` to fix this
</content>
</entry>
</feed>
