Page MenuHomeVyOS Platform

How to force source address over IPsec site-to-site VPN?
Closed, ObsoletePublic

Asked by amos.shapira on Jul 20 2016, 8:13 AM.

Details

Hello,

I use VyOS 1.1.7 to connect the office to AWS and a data centre.
We noticed that the VyOS uses its local address of the vti tunnel when it tries to access the data centre:

$ ip -o -4 a
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.2.254/24 brd 192.168.2.255 scope global eth0\       valid_lft forever preferred_lft forever
...
10: vti1    inet 169.254.33.118/30 scope global vti1\       valid_lft forever preferred_lft forever
11: vti2    inet 169.254.32.106/30 scope global vti2\       valid_lft forever preferred_lft forever
$ ip route get 172.17.70.50
172.17.70.50 via 169.254.32.105 dev vti2  src 169.254.32.106
    cache

I can't reach any server on network 172.17.70.0 from the VyOS server itself unless I force bind the address (e.g. with ssh -b...).
Other hosts behind the VyOS do manage to connect to network 172.17.70.0/24.

The problem with this is that the VyOS also doubles as a local DNS cache, so it has to be able to talk over the IPsec tunnel.

My question - is there a way for me to make the VyOS know that it shouldn't use the vti local address to try to connect anywhere?

Answers

dan.cave
Updated 1,928 Days Ago

Hi Amos

I seem to recall this when I did the same thing on VyOS to a VPC,

Have you got a BGP session running on that vyos, it seems that there are two ways to setup a local -to-remote gateway to the vpc, because the AWS end is exdpecting to negotiate a BGP session - your diag seems to imply not..

Have you seen this page ? http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html

When I setup IPSec between a DC with vyos and the AWS VPC/VPG i had to use BGP.

VTi config is really only used between two hosts where you don't want to automatically bind any routing mechanism, and enable BGP/OSPF to do the dynamic routing instead..

Have you tried doing a tcpdump on vti[n] to see if you're seeing any BGP negotiation data on ipsec startup ?

If you have got BPG setup, I would check the VPC/VPG end to see if it can see your local office/vyOS side lan IP

246tnt
Updated 1,927 Days Ago

In linux you would type :

ip route change 172.17.70.0/24 via 169.254.32.105 dev vti2 src 1.2.3.4

(replace 1.2.3.4 with whatever IP you want it to use as source ...)

Unfortuately there doesn't seem to be a way to get VyOS to do that. The route configs are done by quagga, and I can't find any way to get quagga to set the "src" parameter. There is a patch from 2006 that adds that function to quagga :

https://lists.quagga.net/pipermail/quagga-dev/attachments/20060629/9fac0e19/sVIPAZ3-0001.obj

But it doesn't seem to have been merged :(

xrpixer
Updated 1,906 Days Ago

The simple answer is to make your VPN tunnel a routable address.
Make the AWS tunnel address -
192.168.254.1
Make the VYoS tunnel address -
192.168.254.2

Then in AWS, route your 192.168.254.0/30 subnet to your VYoS box.
Thus, VYoS will default source the vti interface which is routable back to the VYoS box.

Alternatively, you could add routes for the 169.254.32 subnet. But that's not necessarily good practice, could be confusing down the line.

New Answer

Answer

This question has been marked as closed, but you can still leave a new answer.