[Vyatta-users] Impressions on Glendale

2008-02-27 Thread Brandon Bennett
I have been following the development of Vyatta over the course of
about the past year and have been really excited to see it progress.
As a Network Engineer for the last 7 years I have been brought up on
IOS and over the past 2 years or so I have been learning JunOS.

Initially with previous Vyatta releases I was very excited to see the
JunOS-like XORP engine being used along with its powerful policies,
elegant configuration solutions, and overall ease of use.

After reading the release notes for Glendale (VC4 Alpha 2) I was very
excited about the new features and loaded it up in VMWare as soon as
I could. Let's just say I was more than disappointed once it loaded
up.

1) The new vbash interface. I love the fact that there is a UNIX
interface to my routers (even newer versions of IOS can do this and
JunOS has it out of the box). Being able to do some lower level
troubleshooting via a csh/bash/sh/etc CLI is invaluable. That being
said, there is no reason I need to combine my Unix CLI with my
Router/Configuration CLI. I see this as a very, very poor design
decision and it will only attract Unix admins turned Network
admins. Vyatta will have a hard time being a serious competitor to
Juniper, Cisco and the others.

Going forward I would like to see both vbash and a traditional
interface be supported, although as stated in my next point this may
no longer be possible with the move to Quagga and away from xorpsh.

2) Quagga?!? What happened to my elegant OSPF configuration? What
happened to my wonderful and simplistic BGP configuration? Now I have
a rehash of IOS (via Quagga) for configuring my routing protocols.
JunOS/XORP routing policy was so elegant and now I am stuck with
1980's route-maps, community-lists and access-lists. Cisco still
uses these for one reason: it's legacy code. Vyatta is a brand new
router from the ground up. There is no need to go backwards.

Also from an architectural standpoint XORP has a great design base. I
am very sad to see it go. I would like to know if there was any
other reason for going away from a XORP base to Quagga besides quick
turnaround on features (and losing some great features in the
process).

I also don't know if completely switching gears at this point in the
game is wise. If you want an IOS-like router you should have started
there.

There are some great things I have to say about Glendale as well:

The RBAC is great for a team supporting the routers.
The other OSS projects you are able to incorporate into the system
(Remote VPN, wanpipe, etc).

Although I know you will take this email seriously, I know you have
already gone down a path I don't 100% approve of. So now I am going
back to my proprietary Juniper and Cisco routers and wait for the day
for another FOSS router to come out again.


~Brandon
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users


Re: [Vyatta-users] Impressions on Glendale

2008-02-27 Thread darentay
Hi there,

Thank you for your email. I am currently away on reservist and will only be 
back on the 3rd March 2008.
My access to email during this period will be limited.

If there is any urgent matter that require attention, please contact Choon Kiat 
([EMAIL PROTECTED]) during this period and cc me in the email.  


Warmest regards, 
Daren Tay
Senior MIS
Hardware Zone Pte Ltd




Re: [Vyatta-users] Vyatta Wan capacities

2008-02-27 Thread Robert Bays
Hi Venkat,

In my experience the handoff depends largely on your carrier, the
facilities in your building, and where you are in the world.  I would
start out by finding out what the facilities look like at your site and
that will go a long way towards answering what your options are.  A
quick walk through the building's telco closet can tell you a lot.  Some
carriers do provide an onsite device that will terminate serial/optical
lines and handoff as ethernet so that may be an option for you.  If not,
Vyatta only supports a T3 wan interface right now.  We don't have
support for an OC3 card yet.

But I think I just rephrased what you originally said.  Did that answer
the question?

Cheers,
Robert.

Venketesan wrote:
 Hi,
 We are trying to determine what sized deployment we can use a Vyatta
 router for. Our concern is that Vyatta can support a max of T3 WAN lines
 and not beyond, like OC-12 etc. We had a few questions if someone could
 answer:
 1. The link from the ISP to an enterprise site, is it usual for the ISP
 to drop a T3\OC-12 line at the site in a layer 1 transmission equipment
 and the enterprise is expected to take up the T3\OC-12 line into the
 router? If this is the case can we use Vyatta only up to T3 speeds?
 OR
 2. Is it a common network deployment method for an ISP to drop an
 Ethernet line at the enterprise site via a layer 2 switch capable of
 receiving T3 and OC12 lines? The enterprise then takes the 802.3
 ethernet out of the switch into the router. If this is the case we are
 good in using Vyatta routers up to Gb speeds.
 
 Thanks,
 Venkat


[Vyatta-users] Vyatta Wan capacities

2008-02-27 Thread Ken Felix (C)
That depends on your provider. You will have to contact your provider
to see how they can deliver and what they can deliver. But basically you
get a demarc and you are required to extend or have them extend it to
the network interface.

I personally would not look at a legacy T3 or OC12 as far as that
goes. You can get more with a FE or GIGE access. I would suggest you
look around for a provider that provides or resells MetroE deliveries
or provides native Ethernet handoffs.

Here in BellSouth for example, I can get either copper access
100baseT or optical (up to 1GIGE). I would also suspect in the near
future once they receive the demands for 10GIGE, 10GIGE optical will
be common.

To give you some comparison:

A 100meg FE is like 2.1 times more than a DS3.

A 1000baseT is nearly 1.6 times more than an OC12.

Also keep in mind why Ethernet is more advantageous; you don't need
any expensive WAN cards and it is way easier to troubleshoot.

Hope this helps.



Re: [Vyatta-users] Impressions on Glendale

2008-02-27 Thread Brandon Bennett
Thank you for the very detailed response; you have made some of my
first-impression fears fade away.

Great to hear that you are planning on providing customization to
vbash. It is not a bad shell, it just seems odd to combine bash with
my router configuration. I was afraid of tab-completion issues and
accidental commands being run (or overlapping).

I can understand about XORP, but my understanding was that Vyatta was
going to help groom XORP and submit patches back upstream like many
commercial-to-OSS projects do. I too am looking for a router to
handle large BGP configs so this is a good step in the right
direction.

I am just going to miss the JunOS-type policies and am not looking
forward to route-maps, OSPF/BGP network statements, etc. I thought
XORP had done that part right. It seems like an ugly pig (IOS/Quagga)
with lipstick on (JunOS-type stanzas).

Again I really appreciate the quick and detailed response and will be
following the development closely.


Thanks again,

Brandon



On Wed, Feb 27, 2008 at 12:50 PM, Robert Bays [EMAIL PROTECTED] wrote:
 Hi Brandon,

  Sorry to hear your first impression of Glendale was not up to
  expectations.  Could you help us to understand your reactions a little
  better so we can improve on the next milestone?  Specifically, which
  parts of the vbash shell didn't you care for?  Was it a look and feel
  issue or was it more of an issue with the configuration syntax or
  something else entirely?  The goal of vbash was to have the user
  interface be configurable to have either a bash look and feel or a
  Juniper like look and feel based on user preference.  We accomplish this
  by allowing the user to set an environment variable in the shell that
  changes the help and auto completion to limit their output and set a
  user level that limits execution privileges to router commands only.
  There are a few areas we need to work on, such as space auto completion,
  but we hope to get it to the point where there is no visual difference
  between a Juniper like shell and the vbash shell if you choose to setup
  your user that way.  Could you let us know, in your opinion, what else
  we need to do to reach that goal?

  As related to the routing protocol stack, the decision was made to
  change after extensive analysis of the potential to scale XORP in large
  routing topologies.  Many of our users are running big, complicated BGP
  networks and we ran into some fundamental limits with the existing code
  base.  We did spend a significant amount of time optimizing that code
  with some success before hitting a fundamental performance limit.  It
  was at that time that we had to weigh options.  The decision to switch
  was not taken lightly and was based on testing results looking into a
  combination of factors; primarily stability and scale and only
  secondarily feature differences.  It would help us if you give a
  configuration example of what you liked in the previous release that the
  current release falls short on or a feature comparison where there are
  deficiencies.  Maybe we can craft the next release more in line with
  those expectations.  IMHO, in the end it shouldn't matter what routing
  protocol stack is being used as the underlying technology as long as it
  is fast, scalable, stable, easy to use, and has the features that
  satisfy the topology requirements of the installation.  We made the
  switch after extensive analysis of the fast, scalable, stable,
  features requirements.  Maybe we can change the presentation to better
  help with the easy to use requirement.

  Cheers,
  Robert.




[Vyatta-users] Move to Vyatta.org

2008-02-27 Thread Tom McCafferty

Reminder: Vyatta is closing this community mailing list and moving it to a 
forum and mailing list that is available through the Vyatta community website 
at http://www.vyatta.org.  

Please move all active discussions over there as soon as possible.

Note: For those of you who prefer the mailing list style, we have maintained 
that exact same functionality.  You will have to first register at 
http://www.vyatta.org, then subscribe to the forums 
http://www.vyatta.org/forum/m2f_usercp.php and you will be able to post and 
reply to threaded e-mail discussions from your e-mail client the same way you 
do today.  Instead of [EMAIL PROTECTED] the new e-mail address will be [EMAIL 
PROTECTED] You must register before posting.

If you have any questions let me know,
-Tom

Tom McCafferty
Director of Marketing
Vyatta Inc.
http://www.vyatta.com
[EMAIL PROTECTED]



[Vyatta-users] VC4 Alpha 2 Bug Hunt

2008-02-27 Thread Dave Roberts
Okay, with VC4 Alpha 2 just out the door earlier this week, it's time to 
turn up the heat on testing. From the feedback we have been receiving, it's 
clear that some people are actively working with VC4 Alpha 1, and hopefully 
now Alpha 2.

To thank you for the help you're providing by exposing VC4 Alpha 2 to a more 
diverse set of environments than we can recreate in the lab, we're going to 
provide a little bounty on filed bugs, a Vyatta Deluxe Schwag Kit(tm):
  * Exclusive Vyatta blue logo polo shirt
  * High capacity Vyatta logo bistro coffee mug
  * Sporty Vyatta logo baseball cap

Here are the T's and C's:

1. Anybody who is able to find a crash or hang of a subsystem in Vyatta will 
be awarded a Vyatta Deluxe Schwag Kit(tm). A crash is defined as an abnormal 
exit of a process. A hang is defined as a subsystem that becomes 
unresponsive to normal activity. Ultimately, the Vyatta engineering team 
will judge whether your bug qualifies as a crash or hang.

2. The top 10 filers by quantity of other bugs of substance will be awarded 
a Vyatta Deluxe Schwag Kit(tm). A bug of substance is something that 
honestly doesn't work. We'd love to hear about misspellings and such in the 
help strings, but that doesn't count toward your total. We're looking for 
things that don't work here. A good example would be a valid configuration 
that would fail upon commit, or might pass commit but then fail to do what 
it was configured to do. Validity of bugs counting toward your total is at 
the complete discretion of the engineering team.

3. One lucky winner will receive the Engineer's Choice award for filing 
the most obtuse, interesting, or otherwise strange bug, and will receive a 
Vyatta Deluxe Schwag Kit(tm). This one will be voted on by the engineering 
crew here at Vyatta, so make friends with them now.

4. All bugs must be *reproducible* and previously unknown to Vyatta (not in 
the Vyatta Bugzilla or the bug database of another subproject). In other 
words, if you see something unreproducible, please file it, but it's hard to 
award you a prize if we can't verify that the problem is real. In terms of 
being unknown, you need to come up with something that isn't already in the 
Vyatta database. You also need to come up with something that isn't a known 
bug in one of the subprojects we use. Put another way, while they may not be 
in the Vyatta Bugzilla, suffice it to say that we already know about the 
known bugs in OpenSwan, Quagga, ISC dhcpd, etc. That said, if you find a bug 
that was previously unknown in a subsystem, we'd love to hear about that and 
it will definitely count.

5. In the case of multiple people filing the same bug or questions of 
whether the bug is new, priority will be given based on the timestamp of 
the bug filing at http://bugzilla.vyatta.com/.

6. We'll use the email address in your Bugzilla account to contact you, so 
please make sure it's correct. Unique email addresses will be used to 
compute the quantity totals, so don't file your bugs across multiple 
Bugzilla accounts.

7. The contest starts at 2:30 PM USA Pacific Standard Time on Feb 27 and 
runs through 11:59 PM USA Pacific Standard Time on March 22.

8. Contestants from all over the world are welcome to play, but 
unfortunately, we can only award schwag prizes to those in the USA. We would 
love our international community members, but the economics of shipping 
schwag outside the USA just don't add up. (Honestly, I tried sending a 
European Vyatta community member a t-shirt a couple years ago and it cost me 
upwards of $200 to ship a $20 shirt.) If you're content with 
recognition/honor/fame but not schwag, we'd be happy to give you all that. 
;-)

If you have any questions, just let me know.

-- Dave




Re: [Vyatta-users] VC4 Alpha 2 Bug Hunt

2008-02-27 Thread Dave Roberts

 7. The contest starts at 2:30 PM USA Pacific Standard Time on 
 Feb 27 and runs through 11:59 PM USA Pacific Standard Time on 
 March 22.

I clarified this when I posted it to vyatta.org, but sent this out too
quickly...

All dates/times are in 2008. I figured that was obvious, but I'm sure
somebody would have taken me to task if I had left a loophole. ;-)

-- Dave



Re: [Vyatta-users] Clustering causes Reboot

2008-02-27 Thread Ben Speckien
Robyn-

It worked like a charm.  Thanks a lot.  I was unable, however, to get 
the rc.local to work correctly but I'll talk to my system admin about that.

Ben


Re: [Vyatta-users] Impressions on Glendale

2008-02-27 Thread An-Cheng Huang
Brandon Bennett wrote:
 Great to hear that you are planning on providing customization to
 vbash.  It is not a bad shell, it just seems odd to combine bash with
 my router configuration.  I was afraid of tab-completion issues and
 accedental commands being ran (or overlapping)

Hi Brandon,

If your concern is that the Unix commands will get in the way of the Vyatta 
commands when you are in the shell, you can try logging in as an admin-level 
non-root user (e.g., the default vyatta user). The auto-completion and help 
text for admin-level users are limited to the Vyatta commands only, so you don't 
need to worry about accidentally tab-completing a Unix command. Of course, an 
admin-level user still has the flexibility to enter a Unix command directly on 
the command line and run it.

On the other hand, if you log in as an operator-level user, you'll see that 
only the Vyatta commands are available, i.e., the user can only see and run 
Vyatta operational commands on the command line. Therefore, operator-level 
users don't need to worry about accidentally running Unix commands, either.

Going forward, we plan to provide more flexibility. For example, it's probably 
useful to have another level that can run all Vyatta commands (like admin) 
but cannot see/run Unix commands on the command line (like operator). 
Eventually, we will probably want to allow customizable levels such that, for 
example, you can set up a user level that can configure all routing protocols 
but not the VPN features.

An-Cheng


[Vyatta-users] Booting from Live-CD

2008-02-27 Thread Ken Felix (C)
Not hearing you too well or understanding the question.

But Vyatta, upon save, writes the config down to the config directory
and the file named config.boot. You can also save it to any mounted
device with the save command followed by that full path, as long as that
user has write access/permissions.

i.e.

[EMAIL PROTECTED] save /mnt/mynewfile

ERROR: Save failed.
Error creating temporary file: /mnt/mynewfile#
Permission denied

vs.

[EMAIL PROTECTED] save /opt/vyatta/etc/config/mynewfile
[edit]
Save done.

You can also transfer configs around and reload them via scp or mounted
media (cdrom/floppy/thumb drives).



[Vyatta-users] Problems with Glendale Alpha 2

2008-02-27 Thread Paco Alcantara
Some problems when trying Alpha 2:

1.- Error when trying install-system to install Alpha2 on a hard disk (I
am using a VMWare environment).

2.- I am looking for PPPoE commands but I cannot find them. Any help??

Regards.
Paco.


Re: [Vyatta-users] Problems with Glendale Alpha 2

2008-02-27 Thread Dave Roberts
1. What error are you seeing?
 
2. Have you looked at the PPPoE documentation on Vyatta.org?
http://www.vyatta.org/documentation/glendale-alpha2
 
-- Dave




Re: [Vyatta-users] Problems with Glendale Alpha 2

2008-02-27 Thread Stig Thormodsrud
What error did you get with install-system?  We have seen some issues with
vmware's scsi hard drive not being recognized, so if that's the issue then
you might try editing the virtual machine to use an IDE hard drive
instead.

stig


[Vyatta-users] No password from the Vyatta.Org website

2008-02-27 Thread Keith Steensma
I have tried to register at the new web site, but the site seems to have 
a problem with a username of 'keith.steensma' (with a period in the 
username).  And the site seems to refuse to send a password to the 
registered email address. I have tried (but the web site refuses) to 
re-register as 'keithsteensma' (without the period).  The email address 
is a 'very valid' email but I don't get anything from the web site.

Keith Steensma
[EMAIL PROTECTED]



Re: [Vyatta-users] No password from the Vyatta.Org website

2008-02-27 Thread Brandon Bennett
Try looking in your Spam filter folder.  It was there for me.

~Brandon



Re: [Vyatta-users] Impressions on Glendale

2008-02-27 Thread Robert Bays
Hi Brandon,

Thanks again for the response.  I just wanted to make one quick comment.
We do try to submit all of our changes and patches back to the
upstreams.  It makes our lives much easier on the integration side.  If
we don't submit something it's through an oversight as opposed to
anything else.  Like all open source developers, sometimes our patches
are accepted and sometimes they aren't.  OSS is an amazing, wonderful,
and often painful process...

Cheers,
Robert.


[Vyatta-users] newbie query - issue in site-to-site VPN

2008-02-27 Thread Biswajit Banerjee
Hi All,

I am a newbie to Vyatta IPsec VPN and have set up a site-to-site VPN as per
the Vyatta config document between 2 Vyatta routers. I am not able to
establish the VPN and /var/log/messages says:

site 1
Feb 28 02:39:44 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #691:
initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP to replace #690
{using isakmp#687}
Feb 28 02:39:44 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
Feb 28 02:39:44 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687:
received and ignored informational message
Feb 28 02:39:54 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687:
ignoring informational payload, type INVALID_MESSAGE_ID
Feb 28 02:39:54 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687:
received and ignored informational message
Feb 28 02:40:14 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687:
ignoring informational payload, type INVALID_MESSAGE_ID
Feb 28 02:40:14 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687:
received and ignored informational message




Site 2

IPsec Transform [ESP_AES (256), AUTH_ALGORITHM_HMAC_SHA1] refused due to
strict flag
Feb 28 02:31:33 localhost pluto[3983]: peer-X.X.X.X-tunnel-1 #751: no
acceptable Proposal in IPsec SA
Feb 28 02:31:33 localhost pluto[3983]: peer-X.X.X.X-tunnel-1 #751:
sending encrypted notification NO_PROPOSAL_CHOSEN to 202.91.74.130:500
Feb 28 02:31:40 localhost pluto[3983]: peer-X.X.X.X-tunnel-1 #746:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x211f93c1 (perhaps this is a duplicated packet)
Feb 28 02:31:40 localhost pluto[3983]: peer-X.X.X.X-tunnel-1 #746:
sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:500


Site 1 config:

vpn {
    ipsec {
        ipsec-interfaces {
            interface eth0
        }
        ike-group IKE-1W {
            proposal 1 {
                encryption: aes256
            }
            proposal 2 {
            }
            lifetime: 3600
        }
        esp-group ESP-1W {
            proposal 1 {
                encryption: aes256
            }
            proposal 2 {
                encryption: 3des
                hash: md5
            }
            lifetime: 1800
        }
        site-to-site {
            peer X.X.X.X {
                authentication {
                    mode: rsa
                    pre-shared-secret: test_key_1
                    rsa-key-name: CO-key
                }
                ike-group: IKE-1W
                local-ip: Y.Y.Y.Y
                tunnel 1 {
                    local-subnet: 192.168.1.0/24
                    remote-subnet: 192.168.0.0/24
                    esp-group: ESP-1W
                }
            }
        }
    }
    rsa-keys {
        rsa-key-name CO-key {
            rsa-key:
            0sAQOBguI8jQvYGCKf3KFP3sQHTTwP3AVokIXnoEyaNOEgqxPtITCEV4SJYkBk7//ZnBovZJJ8s0/qDGOPkjK4rAjTNEXCoGZBoHR3W6Sus40RU+33Cc/qwBzl5xHgU2iDdlESMWV8PVa1keVqU19KELpc3zLS0GdFaJKoJIeDSyyWoicAp9AQ8GG2OaaYDI+GvLKpf5V1DK6Rqfz5dLab+UIXcqLsqQ2a+VrL9Bbul/p8Z5vc7RgqS8GRjwzoPqUr+5HDw2HUxTXAhUek3HBu96lJ+H1LO63d28OV+B2cc0kWMuiEke1MGJtcWbyYtr6vKCQbGjOJjZqB+sq8ma9Zg8kAOIrPLIpQsXe/TjS4Cp0xbMgX
        }
    }
}


Site 2 config is 

vpn {
  ipsec {
    ipsec-interfaces {
      interface eth0
    }
    ike-group IKE-1E {
      proposal 1 {
        encryption: aes256
      }
    }
    esp-group ESP-1E {
      proposal 2 {
        encryption: 3des
        hash: md5
      }
      lifetime: 1800
    }
    site-to-site {
      peer 202.91.74.130 {
        authentication {
          mode: rsa
          pre-shared-secret: test_key_1
          rsa-key-name: NLD-key
        }
        ike-group: IKE-1E
        local-ip: 202.91.67.162
        tunnel 1 {
          local-subnet: 192.168.0.0/24
          remote-subnet: 192.168.1.0/24
          esp-group: ESP-1E
        }
      }
    }
  }
  rsa-keys {
    rsa-key-name NLD-key {
rsa-key: 
0sAQOOVx2lEQNsCqFU9M4bhovvC28mf7e1sYNaBC1FAaG5qyO2PnGic+anlVJYvjvHBj3wBYV+L6pMRsTv28Qn9wFGCXUR/aSM4+RdnHSTBy8sgWKpw9vCVMJ/J60x6/B7uc6a0e8+2jJ8PnfFDoPG7C9UHDUM1r+d2vSno8bb5MlzQ81ib1Gczfp/nnvvMqUi99DWnUqGcPOcPrS7hctCP0Za6YIvDd3/l9xRPC+a1I1ouEW8+8HcrhFEOLHL/SUc2Qoq+BPO0vxLRkuZZhhCvmOk3BvTRGh43E39ttyO2YHE3LqxbBTZvmYYZcWE9899iZkne0ffhSW6M4BzKL1WIhw8tupImP1+QTekmwglodAW72Bv
    }
  }
}


Please help..
TIA
Regards
Ben
___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com

Re: [Vyatta-users] newbie query - issue in site-to-site VPN

2008-02-27 Thread Stig Thormodsrud
Have you tried adding a proposal 1 with aes256 under  esp-group ESP-1E for
site 2 so that the proposals match up?

stig

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Biswajit
Banerjee
Sent: Wednesday, February 27, 2008 7:08 PM
To: vyatta-users
Subject: [Vyatta-users] newbie query - issue in site-to-site VPN
Hi All,

I am a newbie to Vyatta IPsec VPN and have set up a site-to-site VPN as per
the Vyatta config document between 2 Vyatta routers. I am not able to establish
the VPN, and /var/log/messages says

Site 1
Feb 28 02:39:44 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #691:
initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP to replace #690 {using
isakmp#687}
Feb 28 02:39:44 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
Feb 28 02:39:44 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687:
received and ignored informational message
Feb 28 02:39:54 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687:
ignoring informational payload, type INVALID_MESSAGE_ID
Feb 28 02:39:54 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687:
received and ignored informational message
Feb 28 02:40:14 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687:
ignoring informational payload, type INVALID_MESSAGE_ID
Feb 28 02:40:14 localhost pluto[3973]: peer-Y.Y.Y.Y-tunnel-1 #687:
received and ignored informational message
Site 2

IPsec Transform [ESP_AES (256), AUTH_ALGORITHM_HMAC_SHA1] refused due to
strict flag
Feb 28 02:31:33 localhost pluto[3983]: peer-X.X.X.X-tunnel-1 #751: no
acceptable Proposal in IPsec SA
Feb 28 02:31:33 localhost pluto[3983]: peer-X.X.X.X-tunnel-1 #751:
sending encrypted notification NO_PROPOSAL_CHOSEN to 202.91.74.130:500
Feb 28 02:31:40 localhost pluto[3983]: peer-X.X.X.X-tunnel-1 #746: Quick
Mode I1 message is unacceptable because it uses a previously used Message
ID 0x211f93c1 (perhaps this is a duplicated packet)
Feb 28 02:31:40 localhost pluto[3983]: peer-X.X.X.X-tunnel-1 #746:
sending encrypted notification INVALID_MESSAGE_ID to Y.Y.Y.Y:500


Site 1 config 

vpn {
  ipsec {
    ipsec-interfaces {
      interface eth0
    }
    ike-group IKE-1W {
      proposal 1 {
        encryption: aes256
      }
      proposal 2 {
      }
      lifetime: 3600
    }
    esp-group ESP-1W {
      proposal 1 {
        encryption: aes256
      }
      proposal 2 {
        encryption: 3des
        hash: md5
      }
      lifetime: 1800
    }
    site-to-site {
      peer X.X.X.X {
        authentication {
          mode: rsa
          pre-shared-secret: test_key_1
          rsa-key-name: CO-key
        }
        ike-group: IKE-1W
        local-ip: Y.Y.Y.Y
        tunnel 1 {
          local-subnet: 192.168.1.0/24
          remote-subnet: 192.168.0.0/24
          esp-group: ESP-1W
        }
      }
    }
  }
  rsa-keys {
    rsa-key-name CO-key {
rsa-key:
0sAQOBguI8jQvYGCKf3KFP3sQHTTwP3AVokIXnoEyaNOEgqxPtITCEV4SJYkBk7//ZnBovZJJ
8s0/qDGOPkjK4rAjTNEXCoGZBoHR3W6Sus40RU+33Cc/qwBzl5xHgU2iDdlESMWV8PVa1keVqU
19KELpc3zLS0GdFaJKoJIeDSyyWoicAp9AQ8GG2OaaYDI+GvLKpf5V1DK6Rqfz5dLab+UIXcqL
sqQ2a+VrL9Bbul/p8Z5vc7RgqS8GRjwzoPqUr+5HDw2HUxTXAhUek3HBu96lJ+H1LO63d28OV+
B2cc0kWMuiEke1MGJtcWbyYtr6vKCQbGjOJjZqB+sq8ma9Zg8kAOIrPLIpQsXe/TjS4Cp0xbMg
X
    }
  }
}


Site 2 config is 

vpn {
  ipsec {
    ipsec-interfaces {
      interface eth0
    }
    ike-group IKE-1E {
      proposal 1 {
        encryption: aes256
      }
    }
    esp-group ESP-1E {
      proposal 2 {
        encryption: 3des
        hash: md5
      }
      lifetime: 1800
    }
    site-to-site {
      peer 202.91.74.130 {
        authentication {
          mode: rsa
          pre-shared-secret: test_key_1
          rsa-key-name: NLD-key
        }
        ike-group: IKE-1E
        local-ip: 202.91.67.162
        tunnel 1 {
          local-subnet: 192.168.0.0/24
          remote-subnet: 192.168.1.0/24
          esp-group: ESP-1E
        }
      }
    }
  }
  rsa-keys {
    rsa-key-name NLD-key {
rsa-key:
0sAQOOVx2lEQNsCqFU9M4bhovvC28mf7e1sYNaBC1FAaG5qyO2PnGic+anlVJYvjvHBj3wBYV
+L6pMRsTv28Qn9wFGCXUR/aSM4+RdnHSTBy8sgWKpw9vCVMJ/J60x6/B7uc6a0e8+2jJ8PnfFD
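Stig's suggestion as an added check (example code written for this thread, not Vyatta's own tooling): it parses the two esp-group blocks posted above and encodes the reading of the pluto log that site 2, with the strict flag, refused site 1's preferred aes256/sha1 proposal, reporting whether the responder's list covers that proposal and whether the two lists line up exactly. Treating a proposal that omits `hash:` as sha1 is an assumption drawn from the "ESP_AES (256), AUTH_ALGORITHM_HMAC_SHA1" log line.

```python
"""Added example, not Vyatta's own tooling: compare the ESP proposals two VC3-style
esp-groups offer. In the thread, site 2 refused site 1's first proposal (aes256/sha1)
under the strict flag and answered NO_PROPOSAL_CHOSEN; Stig's fix makes the lists match."""
import re
# Site 1's proposal 1 omits 'hash:' yet the log shows ESP_AES (256) + HMAC_SHA1,
# so a missing hash is treated as sha1 (assumption drawn from that log line).
DEFAULT_HASH = "sha1"
# Constructed from the esp-groups posted in the thread (ESP-1W and ESP-1E).
SITE1_ESP = """esp-group ESP-1W {
proposal 1 {
encryption: aes256
}
proposal 2 {
encryption: 3des
hash: md5
}
lifetime: 1800
}"""
SITE2_ESP = """esp-group ESP-1E {
proposal 2 {
encryption: 3des
hash: md5
}
lifetime: 1800
}"""
# Site 2 with the 'proposal 1 { encryption: aes256 }' that Stig suggested adding.
SITE2_ESP_FIXED = SITE2_ESP.replace(
    "proposal 2 {", "proposal 1 {\nencryption: aes256\n}\nproposal 2 {", 1)
PROPOSAL_RE = re.compile(r"proposal\s+\d+\s*\{([^}]*)\}")

def esp_proposals(esp_group):
    """(encryption, hash) pairs in the order the esp-group block lists them."""
    pairs = []
    for body in PROPOSAL_RE.findall(esp_group):
        enc = re.search(r"encryption:\s*(\S+)", body)
        if enc is None:  # an empty 'proposal N { }' block offers nothing
            continue
        h = re.search(r"hash:\s*(\S+)", body)
        pairs.append((enc.group(1), h.group(1) if h else DEFAULT_HASH))
    return pairs

def check_match(initiator_esp, responder_esp):
    """Whether a strict responder lists the initiator's preferred proposal,
    and whether the two lists line up exactly (what Stig's fix achieves)."""
    ours, theirs = esp_proposals(initiator_esp), esp_proposals(responder_esp)
    preferred = ours[0] if ours else None
    return {"preferred": preferred,
            "preferred_accepted": preferred in theirs,  # False reproduces the thread
            "identical": ours == theirs}                # True after the fix
```

The 3des/md5 pair that remains in both lists is the legacy fallback; once both sides agree on aes256/sha1 there is no reason to keep offering it.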

Re: [Vyatta-users] Path MTU discovery support

2008-02-27 Thread piyush sharma
Thanks Steve.
Saw this mail quite late.
I had checked /proc/sys/net/ipv4/ip_no_pmtu_disc earlier, and the value is 0
in that, but I am not sure if it works properly.
I am using a commercial conformance test suite for IPv4 which has certain
PMTU cases.
Running it with a Windows OS, I can see Windows clearing the DF bit and
sending a fragmented packet, but it doesn't seem to work with the Linux OSs.
I tried Vyatta as well as Redhat FC4.

Warm Regards,
Piyush

On Wed, Feb 13, 2008 at 11:44 PM, Steven Kath [EMAIL PROTECTED]
wrote:


 Piyush,

 If I'm not mistaken, the Vyatta system supports Path MTU discovery and
 has it enabled by default.

 You should be able to check the current setting with this command at the
 bash prompt:

 # cat /proc/sys/net/ipv4/ip_no_pmtu_disc
 0

 When the output is 0, Path MTU discovery should be functioning.

 To disable it,
 # echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc

 And to enable it if it's disabled,
 # echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc


 - Steve

 piyush sharma wrote:
 
  Hi,
  Does Vyatta support Path MTU discovery.
  If yes, is there any configuration required for it and how can we
  reset the related parameters to default?
 
  Thanks,
  Piyush



Re: [Vyatta-users] Going to shell on Vyatta

2008-02-27 Thread piyush sharma
Thanks Dave.
That's a nice idea, it would give more flexibility in using Vyatta.


-Piyush



On Tue, Feb 12, 2008 at 1:14 AM, Dave Roberts [EMAIL PROTECTED] wrote:

  Piyush,

 The answer to this varies by the particular release. Assuming you're
 running something VC3 or earlier, then you login as 'root' with password
 'vyatta' and you'll be at the bash prompt, as others have said. As Stig
 pointed out, in Glendale, the model is slightly different. In Glendale,
 you're always 'at the shell' but with both router and Linux commands
 available (something we call FusionCLI). Depending on who you login as
 (root, vyatta, etc.), you'll have a different set of commands that you'll be
 able to see/execute, but essentially both worlds are always available to you
 from the same prompt. This is nice because Vyatta commands are peers with
 any other Linux command and it eliminates the dual-mode model of previous
 releases.

 For instance, you can immediately type something like

 show version

 and then do

 cat /proc/stat

 or whatever else you want.

 -- Dave

  --
 *From:* [EMAIL PROTECTED] [mailto:
 [EMAIL PROTECTED] *On Behalf Of *piyush sharma
 *Sent:* Sunday, February 10, 2008 9:10 PM
 *To:* Stig Thormodsrud
 *Cc:* vyatta-users@mailman.vyatta.com
 *Subject:* [Vyatta-users] Going to shell on Vyatta



 Sorry Stig, my question was meant for Vyatta in general.
 I didn't edit the subject line earlier.
 I have to run an application on the Linux on the Vyatta machine.
 For that I need to get to the shell prompt.
 I wanted to know how I can do that.
 I have logged in as user vyatta on the router.
 Please help me.

 Thanks,
 Piyush


