VyOS Networks Blog

Building an open source network OS for the people, together.

VyOS Stream 2026.03 is available for download

Daniil Baturin
Posted 20 Mar, 2026

Hello, Community!

VyOS Stream 2026.03 is available for download now. It features multiple backports from the rolling release, including restored ability to directly upgrade from VyOS 1.3.x, a big rework of the VPP CLI, post-quantum pre-shared key support for IPsec, and multiple bug fixes.

Configuration syntax changes (automatically migrated)

VPP CLI rework

This VyOS Stream image incorporates the improvements to VPP CLI that we already mentioned in the development update for March earlier.

In particular:

  • The multitude of TCP flag commands in ACLs is now consolidated under two multi-value nodes: set vpp acl ip tag-name <txt> rule <u32> tcp-flags is-set <flag> (T8250).
  • set vpp acl macip is now set vpp acl mac (T8252).
  • The commands from nat44 and settings nat44 are now all under set vpp nat nat44 (T8254).
  • Manual tweaking of settings under set vpp settings ipsec netlink is now replaced with a new set vpp settings ipsec-acceleration command that automatically enables settings that should be optimal in most cases (T8262).
  • set vpp settings unix poll-sleep-usec is now simply set vpp settings poll-sleep-usec (T8258).
  • Options from set vpp settings cpu are now consolidated under set vpp settings resource-allocation cpu-cores <N>, core allocation is automatic (T8268).
  • Per-interface commands for RX mode are replaced with a single command for all interfaces: set vpp settings interface-rx-mode <polling|interrupt|adaptive> (T8266).
  • Multiple configuration options are now consolidated under set vpp settings resource-allocation (T8261).

Full list

  • VPP: Rewrite the CLI for ACL tcp-flags (T8250).
  • VPP: Change ACL node 'macip' to 'mac' (T8252).
  • VPP: Move 'nat44' and 'settings nat44' sections to 'nat nat44' (T8254).
  • VPP: Rename "logging default-log-level" to "logging default-level" (T8255).
  • VPP: Migrate 'poll-sleep-usec' setting path (T8258).
  • VPP: Refactor resource settings into 'resource-allocation' section (T8261).
  • VPP: Refactor IPsec settings to use only 'ipsec-acceleration' flag (T8262).
  • VPP: Implement global 'interface-rx-mode' setting (T8266).
  • VPP: Unify CPU settings into a single 'cpu-cores' node under 'resource-allocation' (T8268).
  • VPP: Get rid of 'dpdk-options' section for 'num-*' parameters (T8274).
  • VPP: Move bonding interface from 'vpp' to 'interfaces vpp bonding' (T8283).
  • VPP: Move vxlan interface from 'vpp' to 'interfaces vpp vxlan' (T8296).
  • VPP: Migrate ipip interface to 'interfaces vpp ipip' (T8314).
  • VPP: Migrate loopback interface to 'interfaces vpp loopback' (T8324).
  • VPP: Migrate gre interface to 'interfaces vpp gre' (T8325).
  • VPP: Migrate bridge interface to 'interfaces vpp bridge' (T8327).
  • VPP: Migrate xconnect interface to 'interfaces vpp xconnect' (T8328).
  • VPP: Move 'ignore-kernel-routes' option out of resource-allocation section (T8354).
  • VPP: Remove xconnect interfaces with bonding member interface (T8393).

New features and improvements

  • Add VRF support for "update geoip" (T5405).
  • Service dns forwarding add the ability to configure ZonetoCache (T6294).
  • Add a warning when the user tries to set a password too simple (T6353).
  • Raise an error when trying to get information about network interfaces that don't exist (T6587).
  • Return a dict when querying information about a single interface (T6589).
  • Add SRv6 encapsulation source address option (T6977).
  • Add SRv6 configuration support to IS-IS (T6978).
  • bgp: Implement neighbor X remote-as auto (T7984).
  • IPSec support for post-quantum pre-shared keys (T8136).
  • Improve LCD support (T8213).
  • Update tech-support archive and output content (T8215).
  • VPP: Add support for PPPoE on bonding interfaces (T8230).
  • Add IPv4 SRv6 route commands (T8238).
  • VPP: Rewrite the CLI for ACL tcp-flags (T8250).
  • VPP: Change ACL node 'macip' to 'mac' (T8252).
  • VPP: Move 'nat44' and 'settings nat44' sections to 'nat nat44' (T8254).
  • VPP: Rename "logging default-log-level" to "logging default-level" (T8255).
  • VPP: Refactor resource settings into 'resource-allocation' section (T8261).
  • VPP: Refactor IPsec settings to use only 'ipsec-acceleration' flag (T8262).
  • VPP: Unify CPU settings into a single 'cpu-cores' node under 'resource-allocation' (T8268).
  • VPP: Move bonding interface from 'vpp' to 'interfaces vpp bonding' (T8283).
  • VPP: Move vxlan interface from 'vpp' to 'interfaces vpp vxlan' (T8296).
  • Add Router Advertisement (RA) base-interface support for IPv6 wildcard prefix derivation and includes validation and smoketests. (T8302).
  • Re-enable service monitoring telegraf for ARM64 builds (T8310).
  • VPP: Migrate ipip interface to 'interfaces vpp ipip' (T8314).
  • VPP: limit VPP to validated NICs unless allow-unsupported-nics is set (T8315).
  • VPP: Migrate loopback interface to 'interfaces vpp loopback' (T8324).
  • VPP: Migrate gre interface to 'interfaces vpp gre' (T8325).
  • VPP: Migrate bridge interface to 'interfaces vpp bridge' (T8327).
  • VPP: Migrate xconnect interface to 'interfaces vpp xconnect' (T8328).
  • Move VPP operational mode 'show vpp interfaces' to 'show interfaces vpp' (T8350).
  • VPP add the ability to set key for GRE tunnels (T8351).
  • VPP: Move 'ignore-kernel-routes' option out of resource-allocation section (T8354).
  • VPP: Move op mode command 'show vpp lacp/bridge' to 'show interfaces vpp' (T8394).

Bug fixes

  • GeoIP database update fails without a clear error when a system name server is not configured (T6768).
  • Loki authentication token length restriction of 128 characters is too short for many cloud providers (T6868).
  • Add a check for unsupported encryption algorithms to VPP IPsec (T7242).
  • Cracklib data is missing from the image which makes it impossible to run password complexity checks (T7278).
  • Custom conntrack timeouts not working (T7482).
  • VPP after configuring CGNAT the host does not respond on SSH and cannot initiate DNS request (T7513).
  • Unable to set OSPF plaintext authentication on specific interface in one area (T7679).
  • syslog freezes when file size reaches 512KB (T7756).
  • VPP: 'delete vpp' commit fails on GCP (T7811).
  • dns-dynamic 0-to-1 probably missing migration of rfc2136 -> nsupdate (T7924).
  • The motd for system update-check is removed after reboot (T7945).
  • Disallow configuration of IPoE server on VPP interface (T8182).
  • NetFlow commit fails due to ip6tables hook when version 5 is configured (T8186).
  • VyOS HTTPS API becomes unresponsive during concurrent config-file load operations (T8235).
  • Image installer copies wrong config from previous installations created with legacy config bind construction (T8257).
  • VPP: Implement global 'interface-rx-mode' setting (T8266).
  • Update from 1.3.8 to 1.5 results in missing configuration (T8279).
  • igmp-proxy: missing service restart possibility (T8295).
  • VPP: enabling VPP twice results in FileExistsError exception (T8297).
  • openvpn: service restart loop if no cipher specified (T8304).
  • ospf: virtual-link takes invalid input data (T8319).
  • Disallow non alpha-numeric characters in VRF names (T8320).
  • GeoIP database update is broken due to permissions issues (T8326).
  • VPP mistakenly allows interfaces to be members of more one than one bridge or bonding interface (T8342).
  • VPP: unexpected headers in the op mode output if LACP is not configured (T8353).
  • VPP add a bridge without members leads Traceback error (T8356).
  • SPAN port mirroring continues after configuration is removed (T8358).
  • compare: missing handler for KeyboardInterrupt (T8362).
  • VPP: nat44 and cgnat should not use the same interfaces (T8368).
  • VPP verify helper for buffers has mistake config path (T8370).
  • arm64: system packages are missing for TACACS+ auth (T8378).
  • firewall ipv6: nftables syntax error if 'recent' match option is set (T8383).
  • Accel-PPP: disabled users can still authenticate (T8385).
  • ipsec: remote-access commit fails when local port is configured (T8386).
  • firewall: add-address-to-group destination-address uses saddr instead of daddr (T8387).
  • bridge STP: port priority value is written to path cost instead (T8388).

Internal changes

  • Make node path completion read directly from the active config directory tree (T6580).
  • VPP: Migrate 'poll-sleep-usec' setting path (T8258).
  • policy-route: cleanup nested XML include structure (T8271).
  • VPP: Consolidate recent migrations into a single downgrade migration (target version 6) (T8318).
  • VPP: Cleanup vpp interfaces and kernel-interfaces after migration (T8339).
  • Move opmode.vpp._verify to common vyos.opmode._verify() helper (T8343).
  • Add all Python files under vyos-1x/python/* to the Pylint check (T8347).
  • Use vyos1x-config HEAD for vyos-1x 1.5 (T8402).

Download

 
The post categories: ipsec vpp 1.5 vyos-stream

Comments

Blog Categories

RSS Feed arrow
See All Categories