Details
Hello,
I use VyOS 1.1.7 to connect the office to AWS and a data centre.
We noticed that the VyOS uses its local address of the vti tunnel when it tries to access the data centre:
$ ip -o -4 a
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0  inet 192.168.2.254/24 brd 192.168.2.255 scope global eth0\       valid_lft forever preferred_lft forever
...
10: vti1 inet 169.254.33.118/30 scope global vti1\       valid_lft forever preferred_lft forever
11: vti2 inet 169.254.32.106/30 scope global vti2\       valid_lft forever preferred_lft forever
$ ip route get 172.17.70.50
172.17.70.50 via 169.254.32.105 dev vti2 src 169.254.32.106
    cache
I can't reach any server on network 172.17.70.0 from the VyOS server itself unless I force bind the address (e.g. with ssh -b...).
Other hosts behind the VyOS do manage to connect to network 172.17.70.0/24.
The problem with this is that the VyOS also doubles as a local DNS cache, so it has to be able to talk over the IPsec tunnel.
My question - is there a way for me to make the VyOS know that it shouldn't use the vti local address to try to connect anywhere?
Answers
Hi Amos
I seem to recall this when I did the same thing on VyOS to a VPC,
Have you got a BGP session running on that VyOS? It seems that there are two ways to set up a local-to-remote gateway to the VPC, because the AWS end is expecting to negotiate a BGP session - your diag seems to imply not..
Have you seen this page ? http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
When I set up IPSec between a DC with VyOS and the AWS VPC/VPG I had to use BGP.
VTi config is really only used between two hosts where you don't want to automatically bind any routing mechanism, and enable BGP/OSPF to do the dynamic routing instead..
Have you tried doing a tcpdump on vti[n] to see if you're seeing any BGP negotiation data on ipsec startup ?
If you have got BGP set up, I would check the VPC/VPG end to see if it can see your local office/VyOS side LAN IP.
In linux you would type :
ip route change 172.17.70.0/24 via 169.254.32.105 dev vti2 src 1.2.3.4
(replace 1.2.3.4 with whatever IP you want it to use as source ...)
Unfortunately there doesn't seem to be a way to get VyOS to do that. The route configs are done by quagga, and I can't find any way to get quagga to set the "src" parameter. There is a patch from 2006 that adds that function to quagga:
https://lists.quagga.net/pipermail/quagga-dev/attachments/20060629/9fac0e19/sVIPAZ3-0001.obj
But it doesn't seem to have been merged :(
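The `ip route change ... src` approach above is easy to get wrong by hand, and the symptom (a route whose preferred source is a 169.254/16 link-local address) is worth detecting before anything breaks. The script below is an added example, not code from the thread or from VyOS: it parses one line of `ip route get` output and one line of `ip -o -4 a` output (both constructed here from the figures in the question), flags a link-local source, and prints the `ip route change` command that would pin the LAN address instead. It only prints the command; it does not run it.

```shell
#!/bin/sh
# Added example (not from the thread): detect a link-local preferred source on a
# route and print the `ip route change ... src` command that would fix it.
# The two sample lines are constructed from the output shown in the question.
ROUTE_GET_SAMPLE='172.17.70.50 via 169.254.32.105 dev vti2 src 169.254.32.106 cache'
ADDR_SAMPLE='2: eth0 inet 192.168.2.254/24 brd 192.168.2.255 scope global eth0'

# Print the word that follows a keyword in one-line `ip` output (e.g. "src", "via").
ip_field() {  # usage: ip_field <keyword> "<line>"
    printf '%s\n' "$2" | awk -v k="$1" '{ for (i = 1; i < NF; i++) if ($i == k) { print $(i+1); exit } }'
}

# True when an IPv4 address lies in 169.254.0.0/16 (RFC 3927 link-local).
is_link_local() {
    case "$1" in
        169.254.*) return 0 ;;
        *)         return 1 ;;
    esac
}

# LAN address of an `ip -o -4 a` line, with the prefix length stripped.
lan_addr() {
    ip_field inet "$1" | sed 's#/.*##'
}

# Print the replacement command when the chosen source is link-local;
# print nothing when the kernel already picked a routable source.
suggest_src_fix() {  # usage: suggest_src_fix <prefix> "<ip route get line>" "<ip -o -4 a line>"
    prefix=$1; route=$2; addr=$3
    src=$(ip_field src "$route")
    gw=$(ip_field via "$route")
    dev=$(ip_field dev "$route")
    if is_link_local "$src"; then
        printf 'ip route change %s via %s dev %s src %s\n' \
            "$prefix" "$gw" "$dev" "$(lan_addr "$addr")"
    fi
}

# On a live box you would feed it `ip route get 172.17.70.50` and `ip -o -4 a show eth0`.
suggest_src_fix 172.17.70.0/24 "$ROUTE_GET_SAMPLE" "$ADDR_SAMPLE"
```

With the sample input it prints `ip route change 172.17.70.0/24 via 169.254.32.105 dev vti2 src 192.168.2.254`. As the reply above notes, a route changed this way on VyOS 1.1 is not part of the committed configuration, so quagga may overwrite it on the next routing change or reboot; treat it as a diagnostic, not a fix that persists.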
The simple answer is to make your VPN tunnel a routable address.
Make the AWS tunnel address 192.168.254.1.
Make the VyOS tunnel address 192.168.254.2.
Then in AWS, route your 192.168.254.0/30 subnet to your VyOS box.
Thus, VyOS will by default source from the vti interface, which is routable back to the VyOS box.
Alternatively, you could add routes for the 169.254.32 subnet. But that's not necessarily good practice, and could be confusing down the line.