9 files changed, 48 insertions, 16 deletions
diff --git a/.gitmodules b/.gitmodules
index 4e9a691c0..05eaf619f 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,4 +1,4 @@
 [submodule "libvyosconfig"]
 	path = libvyosconfig
-	url = ../libvyosconfig.git
+	url = ../../vyos/libvyosconfig
 	branch = current
diff --git a/Makefile b/Makefile
index aa113d9ce..763f44952 100644
--- a/Makefile
+++ b/Makefile
@@ -25,7 +25,7 @@ op_xml_obj = $(op_xml_src:.xml.in=.xml)
 .ONESHELL:
 libvyosconfig:
 	if test ! -f $(LIBVYOSCONFIG_BUILD_PATH); then
-		if ! echo $(firstword $(LIBVYOSCONFIG_STATUS))|grep -Eq '^[0-9]'; then
+		if ! echo $(firstword $(LIBVYOSCONFIG_STATUS))|grep -Eq '^[a-z0-9]'; then
 			git submodule sync; git submodule update --init --remote
 		fi
 		rm -rf /tmp/libvyosconfig && mkdir /tmp/libvyosconfig
diff --git a/data/templates/ipsec/charon_systemd.conf.j2 b/data/templates/ipsec/charon_systemd.conf.j2
new file mode 100644
index 000000000..368aa1ae3
--- /dev/null
+++ b/data/templates/ipsec/charon_systemd.conf.j2
@@ -0,0 +1,18 @@
+# Generated by ${vyos_conf_scripts_dir}/vpn_ipsec.py
+
+charon-systemd {
+
+    # Section to configure native systemd journal logger, very similar to the
+    # syslog logger as described in LOGGER CONFIGURATION in strongswan.conf(5).
+    journal {
+
+        # Loglevel for a specific subsystem.
+        # <subsystem> = <default>
+
+{% if log.level is vyos_defined %}
+        # Default loglevel.
+        default = {{ log.level }}
+{% endif %}
+    }
+
+}
diff --git a/interface-definitions/interfaces_virtual-ethernet.xml.in b/interface-definitions/interfaces_virtual-ethernet.xml.in
index c4610feec..2dfbd50b8 100644
--- a/interface-definitions/interfaces_virtual-ethernet.xml.in
+++ b/interface-definitions/interfaces_virtual-ethernet.xml.in
@@ -21,6 +21,10 @@
           #include <include/interface/dhcp-options.xml.i>
           #include <include/interface/dhcpv6-options.xml.i>
           #include <include/interface/disable.xml.i>
+          #include <include/interface/mtu-68-16000.xml.i>
+          <leafNode name="mtu">
+            <defaultValue>1500</defaultValue>
+          </leafNode>
           #include <include/interface/netns.xml.i>
           #include <include/interface/vif-s.xml.i>
           #include <include/interface/vif.xml.i>
diff --git a/libvyosconfig b/libvyosconfig
-Subproject 27e4b0a5eaf77d9a1f5e1f6dcaa109e5d73c51d
+Subproject 74d884d7f383aa570fa00b7f3b222ea8b18bb45
diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py
index 80d200e97..a9b758802 100644
--- a/smoketest/scripts/cli/base_interfaces_test.py
+++ b/smoketest/scripts/cli/base_interfaces_test.py
@@ -613,7 +613,7 @@ class BasicInterfaceTest:
         def test_mtu_1200_no_ipv6_interface(self):
             # Testcase if MTU can be changed to 1200 on non IPv6
             # enabled interfaces
-            if not self._test_mtu:
+            if not self._test_mtu or not self._test_ipv6:
                 self.skipTest('not supported')
 
             old_mtu = self._mtu
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py
index acea2c9be..724f97555 100755
--- a/src/conf_mode/pki.py
+++ b/src/conf_mode/pki.py
@@ -440,13 +440,21 @@ def generate(pki):
         for name, cert_conf in pki['certificate'].items():
             if 'acme' in cert_conf:
                 certbot_list.append(name)
-                # generate certificate if not found on disk
+                # There is no ACME/certbot managed certificate presend on the
+                # system, generate it
                 if name not in certbot_list_on_disk:
                     certbot_request(name, cert_conf['acme'], dry_run=False)
+                    # Now that the certificate was properly generated we have
+                    # the PEM files on disk. We need to add the certificate to
+                    # certbot_list_on_disk to automatically import the CA chain
+                    certbot_list_on_disk.append(name)
+                # We alredy had an ACME managed certificate on the system, but
+                # something changed in the configuration
                 elif changed_certificates != None and name in changed_certificates:
-                    # when something for the certificate changed, we should delete it
+                    # Delete old ACME certificate first
                     if name in certbot_list_on_disk:
                         certbot_delete(name)
+                    # Request new certificate via certbot
                     certbot_request(name, cert_conf['acme'], dry_run=False)
 
     # Cleanup certbot configuration and certificates if no longer in use by CLI
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 71a503e61..2754314f7 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -64,6 +64,7 @@ swanctl_dir        = '/etc/swanctl'
 charon_conf        = '/etc/strongswan.d/charon.conf'
 charon_dhcp_conf   = '/etc/strongswan.d/charon/dhcp.conf'
 charon_radius_conf = '/etc/strongswan.d/charon/eap-radius.conf'
+charon_systemd_conf = '/etc/strongswan.d/charon-systemd.conf'
 interface_conf     = '/etc/strongswan.d/interfaces_use.conf'
 swanctl_conf       = f'{swanctl_dir}/swanctl.conf'
 
@@ -745,6 +746,7 @@ def generate(ipsec):
     render(charon_conf, 'ipsec/charon.j2', ipsec)
     render(charon_dhcp_conf, 'ipsec/charon/dhcp.conf.j2', ipsec)
     render(charon_radius_conf, 'ipsec/charon/eap-radius.conf.j2', ipsec)
+    render(charon_systemd_conf, 'ipsec/charon_systemd.conf.j2', ipsec)
     render(interface_conf, 'ipsec/interfaces_use.conf.j2', ipsec)
     render(swanctl_conf, 'ipsec/swanctl.conf.j2', ipsec)
 
diff --git a/src/op_mode/image_installer.py b/src/op_mode/image_installer.py
index 3fe9737da..9c17d0229 100755
--- a/src/op_mode/image_installer.py
+++ b/src/op_mode/image_installer.py
@@ -58,6 +58,7 @@ MSG_ERR_FLAVOR_MISMATCH: str = 'The current image flavor is "{0}", the new image
 MSG_ERR_MISSING_ARCHITECTURE: str = 'The new image version data does not specify architecture, cannot check compatibility (is it a legacy release image?)'
 MSG_ERR_MISSING_FLAVOR: str = 'The new image version data does not specify flavor, cannot check compatibility (is it a legacy release image?)'
 MSG_ERR_CORRUPT_CURRENT_IMAGE: str = 'Version data in the current image is malformed: missing flavor and/or architecture fields. Upgrade compatibility cannot be checked.'
+MSG_ERR_UNSUPPORTED_SIGNATURE_TYPE: str = 'Unsupported signature type, signature cannot be verified.'
 MSG_INFO_INSTALL_WELCOME: str = 'Welcome to VyOS installation!\nThis command will install VyOS to your permanent storage.'
 MSG_INFO_INSTALL_EXIT: str = 'Exiting from VyOS installation'
 MSG_INFO_INSTALL_SUCCESS: str = 'The image installed successfully; please reboot now.'
@@ -514,7 +515,6 @@ def validate_signature(file_path: str, sign_type: str) -> None:
     """
     print('Validating signature')
     signature_valid: bool = False
-    # validate with minisig
     if sign_type == 'minisig':
         pub_key_list = glob('/usr/share/vyos/keys/*.minisign.pub')
         for pubkey in pub_key_list:
@@ -523,11 +523,8 @@ def validate_signature(file_path: str, sign_type: str) -> None:
                 signature_valid = True
                 break
         Path(f'{file_path}.minisig').unlink()
-    # validate with GPG
-    if sign_type == 'asc':
-        if run(f'gpg --verify ${file_path}.asc ${file_path}') == 0:
-            signature_valid = True
-        Path(f'{file_path}.asc').unlink()
+    else:
+        exit(MSG_ERR_UNSUPPORTED_SIGNATURE_TYPE)
 
     # warn or pass
     if not signature_valid:
@@ -581,15 +578,18 @@ def image_fetch(image_path: str, vrf: str = None,
     try:
         # check a type of path
         if urlparse(image_path).scheme:
-            # download an image
+            # Download the image file
             ISO_DOWNLOAD_PATH = os.path.join(os.path.expanduser("~"), '{0}.iso'.format(uuid4()))
             download_file(ISO_DOWNLOAD_PATH, image_path, vrf,
                           username, password,
                           progressbar=True, check_space=True)
 
-            # download a signature
+            # Download the image signature
+            # VyOS only supports minisign signatures at the moment,
+            # but we keep the logic for multiple signatures
+            # in case we add something new in the future
             sign_file = (False, '')
-            for sign_type in ['minisig', 'asc']:
+            for sign_type in ['minisig']:
                 try:
                     download_file(f'{ISO_DOWNLOAD_PATH}.{sign_type}',
                                   f'{image_path}.{sign_type}', vrf,
@@ -597,8 +597,8 @@ def image_fetch(image_path: str, vrf: str = None,
                     sign_file = (True, sign_type)
                     break
                 except Exception:
-                    print(f'{sign_type} signature is not available')
-            # validate a signature if it is available
+                    print(f'Could not download {sign_type} signature')
+            # Validate the signature if it is available
             if sign_file[0]:
                 validate_signature(ISO_DOWNLOAD_PATH, sign_file[1])
             else: