ipsec: T8001: Commit fails removing VTI interface in IPsec config #4878

alexandr-san4ez · 2025-11-28T12:36:57Z

Change summary

Fix cases where commit or IPsec up/down hooks fail if the VTI interface has already been deleted or the /tmp/ipsec_vti_interfaces file does not exist.

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Code style update (formatting, renaming)
Refactoring (no functional changes)
Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
Other (please describe):

Related Task(s)

https://vyos.dev/T8001

How to test / Smoketest result

Step 1. To reproduce and verify the issues necessary configure Peer B:

conf
set vpn ipsec authentication psk psk1 id 'A'
set vpn ipsec authentication psk psk1 id 'B'
set vpn ipsec authentication psk psk1 secret 'AB'
set vpn ipsec esp-group esp1 mode 'tunnel'
set vpn ipsec esp-group esp1 pfs 'disable'
set vpn ipsec esp-group esp1 proposal 10 encryption 'aes256'
set vpn ipsec esp-group esp1 proposal 10 hash 'sha256'
set vpn ipsec ike-group ike1 close-action 'none'
set vpn ipsec ike-group ike1 dead-peer-detection action 'clear'
set vpn ipsec ike-group ike1 proposal 10 encryption 'camellia256ccm96'
set vpn ipsec ike-group ike1 proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer A authentication local-id 'B'
set vpn ipsec site-to-site peer A authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer A authentication remote-id 'A'
set vpn ipsec site-to-site peer A connection-type 'respond'
set vpn ipsec site-to-site peer A default-esp-group 'esp1'
set vpn ipsec site-to-site peer A ike-group 'ike1'
set vpn ipsec site-to-site peer A local-address '172.168.99.3'
set vpn ipsec site-to-site peer A remote-address '172.168.99.2'
set vpn ipsec site-to-site peer A vti bind 'vti1'
set interfaces vti vti1
set protocols static route 172.168.102.0/24 interface vti1
commit

Step 2. Reproduce Issue 1: Commit failure when deleting VTI (Peer A)

conf
set interfaces vti vti1
set protocols static route 172.168.202.0/24 interface vti1
set vpn ipsec site-to-site peer B vti bind 'vti1'
set vpn ipsec authentication psk psk1 id 'A'
set vpn ipsec authentication psk psk1 id 'B'
set vpn ipsec authentication psk psk1 secret 'AB'
set vpn ipsec esp-group esp1 mode 'tunnel'
set vpn ipsec esp-group esp1 pfs 'disable'
set vpn ipsec esp-group esp1 proposal 10 encryption 'aes256'
set vpn ipsec esp-group esp1 proposal 10 hash 'sha256'
set vpn ipsec ike-group ike1 close-action 'none'
set vpn ipsec ike-group ike1 dead-peer-detection action 'clear'
set vpn ipsec ike-group ike1 proposal 10 encryption 'camellia256ccm96'
set vpn ipsec ike-group ike1 proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer B authentication local-id 'A'
set vpn ipsec site-to-site peer B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer B authentication remote-id 'B'
set vpn ipsec site-to-site peer B connection-type 'initiate'
set vpn ipsec site-to-site peer B default-esp-group 'esp1'
set vpn ipsec site-to-site peer B ike-group 'ike1'
set vpn ipsec site-to-site peer B local-address '172.168.99.2'
set vpn ipsec site-to-site peer B remote-address '172.168.99.3'
set vpn ipsec site-to-site peer B vti bind 'vti1'
commit

del interfaces vti vti1
del protocols static route 172.168.202.0/24
del vpn ipsec site-to-site peer B vti
set vpn ipsec site-to-site peer B tunnel 0 local prefix '172.168.102.0/24'
set vpn ipsec site-to-site peer B tunnel 0 remote prefix '172.168.202.0/24'
commit

Step 3. Reproduce Issue 2: Missing `/tmp/ipsec_vti_interfaces` file (Peer A)

conf
set interfaces vti vti1
set protocols static route 172.168.202.0/24 interface vti1
set vpn ipsec site-to-site peer B vti bind 'vti1'
set vpn ipsec authentication psk psk1 id 'A'
set vpn ipsec authentication psk psk1 id 'B'
set vpn ipsec authentication psk psk1 secret 'AB'
set vpn ipsec esp-group esp1 mode 'tunnel'
set vpn ipsec esp-group esp1 pfs 'disable'
set vpn ipsec esp-group esp1 proposal 10 encryption 'aes256'
set vpn ipsec esp-group esp1 proposal 10 hash 'sha256'
set vpn ipsec ike-group ike1 close-action 'none'
set vpn ipsec ike-group ike1 dead-peer-detection action 'clear'
set vpn ipsec ike-group ike1 proposal 10 encryption 'camellia256ccm96'
set vpn ipsec ike-group ike1 proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer B authentication local-id 'A'
set vpn ipsec site-to-site peer B authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer B authentication remote-id 'B'
set vpn ipsec site-to-site peer B connection-type 'initiate'
set vpn ipsec site-to-site peer B default-esp-group 'esp1'
set vpn ipsec site-to-site peer B ike-group 'ike1'
set vpn ipsec site-to-site peer B local-address '172.168.99.2'
set vpn ipsec site-to-site peer B remote-address '172.168.99.3'
set vpn ipsec site-to-site peer B vti bind 'vti1'
commit

del vpn ipsec site-to-site peer B vti
set vpn ipsec site-to-site peer B tunnel 0 local prefix '172.168.102.0/24'
set vpn ipsec site-to-site peer B tunnel 0 remote prefix '172.168.202.0/24'
commit

Checklist:

I have read the CONTRIBUTING document
I have linked this PR to one or more Phabricator Task(s)
I have run the components SMOKETESTS if applicable
My commit headlines contain a valid Task id
My change requires a change to the documentation
I have updated the documentation accordingly

Fix cases where commit or IPsec up/down hooks fail if the VTI interface has already been deleted or the `/tmp/ipsec_vti_interfaces` file does not exist. Changes: - Return empty dict from `get_interface_config()` if it returns None to avoid TypeError when accessing 'operstate' (vti_updown_db.py). - Use `open_vti_updown_db_for_create_or_update()` in `vti‑up‑down` script so the temporary interface tracking file is created automatically when missing.

github-actions · 2025-11-28T12:37:09Z

👍
No issues in PR Title / Commit Title

github-actions · 2025-11-28T14:13:18Z

CI integration 👍 passed!

Details

CI logs

CLI Smoketests (no interfaces) 👍 passed
CLI Smoketests VPP 👍 passed
CLI Smoketests (interfaces only) 👍 passed
Config tests 👍 passed
Config tests VPP 👍 passed
RAID1 tests 👍 passed
TPM tests 👍 passed

alexk37 · 2025-11-29T17:32:13Z

Fix verified, both the issues don't reproduce anymore.

sarthurdev

Fixes commit error on VTI change. Tested locally and by QA.

github-actions bot added the current label Nov 28, 2025

github-actions bot assigned alexandr-san4ez Nov 28, 2025

sever-sever requested review from sarthurdev, sever-sever and zdc November 28, 2025 12:46

sever-sever requested a review from dmbaturin November 28, 2025 14:24

sarthurdev approved these changes Dec 2, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ipsec: T8001: Commit fails removing VTI interface in IPsec config #4878

ipsec: T8001: Commit fails removing VTI interface in IPsec config #4878

alexandr-san4ez commented Nov 28, 2025

Uh oh!

github-actions bot commented Nov 28, 2025

Uh oh!

github-actions bot commented Nov 28, 2025

Uh oh!

alexk37 commented Nov 29, 2025

Uh oh!

sarthurdev left a comment

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

3 participants

ipsec: T8001: Commit fails removing VTI interface in IPsec config #4878

Are you sure you want to change the base?

ipsec: T8001: Commit fails removing VTI interface in IPsec config #4878

Conversation

alexandr-san4ez commented Nov 28, 2025

Change summary

Types of changes

Related Task(s)

How to test / Smoketest result

Step 1. To reproduce and verify the issues necessary configure Peer B:

Step 2. Reproduce Issue 1: Commit failure when deleting VTI (Peer A)

Step 3. Reproduce Issue 2: Missing /tmp/ipsec_vti_interfaces file (Peer A)

Checklist:

Uh oh!

github-actions bot commented Nov 28, 2025

Uh oh!

github-actions bot commented Nov 28, 2025

Details

Uh oh!

alexk37 commented Nov 29, 2025

Uh oh!

sarthurdev left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

3 participants

Step 2. Reproduce Issue 1: Commit failure when deleting VTI (Peer A)

Step 3. Reproduce Issue 2: Missing `/tmp/ipsec_vti_interfaces` file (Peer A)