
How to force source address over IPsec site-to-site VPN?
Closed, Obsolete, Public

Asked by amos.shapira on Jul 20 2016, 8:13 AM.



I use VyOS 1.1.7 to connect the office to AWS and a data centre.
We noticed that the VyOS uses its local address of the vti tunnel when it tries to access the data centre:

$ ip -o -4 a
1: lo    inet scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet brd scope global eth0\       valid_lft forever preferred_lft forever
10: vti1    inet scope global vti1\       valid_lft forever preferred_lft forever
11: vti2    inet scope global vti2\       valid_lft forever preferred_lft forever
$ ip route get via dev vti2  src

I can't reach any server on network from the VyOS server itself unless I force bind the address (e.g. with ssh -b...).
Other hosts behind the VyOS do manage to connect to network

The problem with this is that the VyOS also doubles as a local DNS cache, so it has to be able to talk over the IPsec tunnel.

My question - is there a way for me to make the VyOS know that it shouldn't use the vti local address to try to connect anywhere?


Updated 2,294 Days Ago

Hi Amos

I seem to recall this when I did the same thing on VyOS to a VPC,

Have you got a BGP session running on that vyos? It seems that there are two ways to set up a local-to-remote gateway to the VPC, because the AWS end is expecting to negotiate a BGP session - your diag seems to imply not..

Have you seen this page ?

When I set up IPsec between a DC with vyos and the AWS VPC/VPG I had to use BGP.

VTI config is really only used between two hosts where you don't want to automatically bind any routing mechanism, and enable BGP/OSPF to do the dynamic routing instead..

Have you tried doing a tcpdump on vti[n] to see if you're seeing any BGP negotiation data on IPsec startup?

If you have got BGP set up, I would check the VPC/VPG end to see if it can see your local office/VyOS side LAN IP.

Updated 2,293 Days Ago

In Linux you would type:

ip route change via dev vti2 src

(replace with whatever IP you want it to use as source ...)

Unfortunately there doesn't seem to be a way to get VyOS to do that. The route configs are done by quagga, and I can't find any way to get quagga to set the "src" parameter. There is a patch from 2006 that adds that function to quagga:

But it doesn't seem to have been merged :(

Updated 2,272 Days Ago

The simple answer is to make your VPN tunnel a routable address.
Make the AWS tunnel address -
Make the VyOS tunnel address -

Then in AWS, route your subnet to your VyOS box.
Thus, VyOS will default source the vti interface address, which is routable back to the VyOS box.

Alternatively, you could add routes for the 169.254.32 subnet. But that's not necessarily good practice, could be confusing down the line.
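The situation described in the question and the two fixes proposed in the answers (set an explicit `src` on the route with `ip route change`, or give the tunnel routable addresses) can be checked mechanically before touching anything. The following script is an added example, not code from the thread or from VyOS: it parses the output formats of `ip -o -4 addr` and `ip -4 route show`, works out which address the kernel would pick as source for each route through a vti device (the route's `src` hint if present, otherwise the interface's first address), and flags routes that would source from the 169.254.0.0/16 link-local tunnel address that the far side cannot route back to. For each finding it prints the Linux `ip route change ... src <LAN address>` command from the second answer. The sample `ip` output, the interface names and the documentation-range addresses are constructed for the example; `eth0` is assumed to be the LAN interface. If the tunnel addresses are made routable as the last answer suggests, the check reports nothing.

```python
"""Audit routes through vti interfaces whose locally originated traffic would be
sourced from a 169.254/16 tunnel address, and print the `ip route change` fix.
Added example; the sample output below is constructed, not captured from a router."""
import ipaddress
import re

# Constructed sample in the format of `ip -o -4 addr` (one line per address).
SAMPLE_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
10: vti1    inet 169.254.32.5/30 scope global vti1\\       valid_lft forever preferred_lft forever
11: vti2    inet 169.254.32.9/30 scope global vti2\\       valid_lft forever preferred_lft forever
"""

# Constructed sample in the format of `ip -4 route show`.
SAMPLE_ROUTE_OUTPUT = """\
default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.0/24 via 169.254.32.6 dev vti1 proto zebra
203.0.113.0/24 via 169.254.32.10 dev vti2 proto zebra
169.254.32.4/30 dev vti1 proto kernel scope link src 169.254.32.5
169.254.32.8/30 dev vti2 proto kernel scope link src 169.254.32.9
"""

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)/\d+")


def parse_addrs(text):
    """Map interface name -> list of IPv4 addresses from `ip -o -4 addr` output."""
    addrs = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group(1), []).append(ipaddress.ip_address(m.group(2)))
    return addrs


def parse_routes(text):
    """Parse `ip -4 route show` lines into dicts with dst, via, dev and src."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        route = {"dst": dst, "via": None, "dev": None, "src": None}
        for i, f in enumerate(fields):
            if f in ("via", "dev") and i + 1 < len(fields):
                route[f] = fields[i + 1]
            elif f == "src" and i + 1 < len(fields):
                route["src"] = ipaddress.ip_address(fields[i + 1])
        routes.append(route)
    return routes


def effective_source(route, addrs):
    """Address the kernel picks for locally originated traffic on this route:
    the explicit `src` hint if set, otherwise the outgoing interface's first address."""
    if route["src"] is not None:
        return route["src"]
    iface_addrs = addrs.get(route["dev"], [])
    return iface_addrs[0] if iface_addrs else None


def find_unroutable_sources(addr_output, route_output, lan_iface="eth0"):
    """Return (destination, bad_source, fix_command) for every route through a vti
    device whose effective source is a 169.254/16 address. The fix command is the
    `ip route change ... src` form from the thread, using the LAN interface address."""
    addrs = parse_addrs(addr_output)
    lan_addrs = addrs.get(lan_iface, [])
    if not lan_addrs:
        raise ValueError(f"no IPv4 address on LAN interface {lan_iface}")
    lan_src = lan_addrs[0]
    findings = []
    for route in parse_routes(route_output):
        dev = route["dev"] or ""
        if not dev.startswith("vti"):
            continue
        src = effective_source(route, addrs)
        if src is None or src not in LINK_LOCAL:
            continue
        # The tunnel's own /30 is legitimately reached from the link-local address.
        if ipaddress.ip_network(route["dst"], strict=False).subnet_of(LINK_LOCAL):
            continue
        via = f" via {route['via']}" if route["via"] else ""
        fix = f"ip route change {route['dst']}{via} dev {dev} src {lan_src}"
        findings.append((route["dst"], str(src), fix))
    return findings


if __name__ == "__main__":
    for dst, src, fix in find_unroutable_sources(SAMPLE_ADDR_OUTPUT, SAMPLE_ROUTE_OUTPUT):
        print(f"{dst}: would source from {src}; fix: {fix}")
```

Run it against live output by piping `ip -o -4 addr` and `ip -4 route show` into the two functions; the command it prints is the same per-route `src` hint the second answer describes, which on VyOS 1.1.x is overwritten whenever quagga rewrites the route, so treat it as a diagnostic rather than a persistent fix.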
