
IPsec VTI issue
Closed, Resolved | Public | BUG

Description

We have a VPN infrastructure with one central VyOS and several VyOS per site.
The first sites are connected to Central over a MAN network (private addresses).
The last sites are connected to Central over a WAN network (public addresses).

Central VyOS has only one network interface with two IP addresses:

  • 1 on LAN with /24
  • 1 public address /32

Since we added the WAN site and configured WAN on Central VyOS, we have had some issues with the IPsec VTI tunnel.
When we restart the VPN service on one site, the VPN service on Central VyOS falls down and we have to restart it to resolve the issue.
If we don't restart it, the site can't ping the Central VyOS public address, but after the VPN service is restarted on it, ping is OK.

We have applied upgrade 1.2.2 on all of our sites and on VyOS Central.
We tried downgrading VyOS Central to 1.2.0, to know whether the issue came from the update, but the behaviour is the same.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.2
Why did the issue appear?
Will be filled on close

Event Timeline

MarcSim created this task. Jul 26 2019, 1:40 PM
This comment was removed by MarcSim.

All of the VyOS instances are VMs hosted on ESXi.

pasik added a subscriber: pasik. Jul 30 2019, 9:40 AM

We have changed the VyOS configuration.
Now our VyOS still has one interface but no longer has two IP addresses.
It has only one private IP.
VPNs coming from the WAN connect to it via a public IP managed by the company firewall, and VPNs coming from the local network connect to it via the private IP address.

It works fine.

But if we restart a VPN from the client side, all VPNs stop working, even though we can see "Up" on our VyOS.
We need to restart the VPN service on our side to resolve the issue.
During this issue, clients from the local network can't ping our VyOS.

syncer assigned this task to Dmitry. Aug 30 2019, 11:50 PM
syncer triaged this task as Normal priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
Dmitry added a comment. Edited Sep 11 2019, 4:09 PM

Hello @MarcSim. I want to reproduce your issue in the lab; can you provide your IPsec configuration from Central VyOS and from one of the sites?

show configuration commands | match ipsec | strip-private
MarcSim closed this task as Resolved. Sep 12 2019, 5:37 AM

Hello @Dmitry,

We opened a ticket with VyOS support, and they found the solution.
We had to add this configuration:

set vpn ipsec options disable-route-autoinstall

We have done several tests and it works.
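
For readers landing on this task from a search, the following is an added example of where that option sits in a complete VyOS 1.2 VTI site-to-site configuration. It is not the reporter's configuration and not taken from VyOS support; the addresses are RFC 5737 documentation placeholders, the group and interface names are assumptions, and the pre-shared secret must be replaced. The reason the option matters with VTI: a VTI peer negotiates 0.0.0.0/0 traffic selectors on both sides, and strongSwan's default behaviour is to install a route for the negotiated selectors into its own routing table (table 220), so a route-autoinstall on a VTI peer can hijack all traffic, including the path to the peer itself, which matches the "can't ping Central until the service is restarted" symptom. With autoinstall disabled, the remote subnets are routed explicitly over the vti interface instead.

```vyos
# Central VyOS, VyOS 1.2 CLI (added example; all values are placeholders)
# 203.0.113.10 = Central public address, 203.0.113.20 = remote site public address
# 192.168.20.0/24 = remote site LAN, 10.255.0.0/30 = point-to-point VTI subnet

# Tunnel interface that carries the routed traffic
set interfaces vti vti0 address '10.255.0.1/30'
set interfaces vti vti0 description 'VTI to remote site'

# IPsec listens on the interface that holds the public/peer-facing address
set vpn ipsec ipsec-interfaces interface 'eth0'

# The fix from this task: do not let strongSwan install routes for the
# negotiated selectors (0.0.0.0/0 on a VTI peer) into routing table 220
set vpn ipsec options disable-route-autoinstall

# IKE parameters; DPD with action restart lets Central re-establish the
# tunnel on its own after a site restarts its VPN service
set vpn ipsec ike-group IKE-SITE key-exchange 'ikev2'
set vpn ipsec ike-group IKE-SITE lifetime '28800'
set vpn ipsec ike-group IKE-SITE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-SITE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-SITE proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-SITE dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-SITE dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-SITE dead-peer-detection timeout '120'

# ESP parameters
set vpn ipsec esp-group ESP-SITE lifetime '3600'
set vpn ipsec esp-group ESP-SITE pfs 'dh-group14'
set vpn ipsec esp-group ESP-SITE proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-SITE proposal 1 hash 'sha256'

# Peer definition bound to the VTI; no tunnel/traffic-selector stanzas are
# needed because the VTI binding implies 0.0.0.0/0 <-> 0.0.0.0/0
set vpn ipsec site-to-site peer 203.0.113.20 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.20 authentication pre-shared-secret 'REPLACE-WITH-A-LONG-RANDOM-SECRET'
set vpn ipsec site-to-site peer 203.0.113.20 ike-group 'IKE-SITE'
set vpn ipsec site-to-site peer 203.0.113.20 default-esp-group 'ESP-SITE'
set vpn ipsec site-to-site peer 203.0.113.20 local-address '203.0.113.10'
set vpn ipsec site-to-site peer 203.0.113.20 vti bind 'vti0'
set vpn ipsec site-to-site peer 203.0.113.20 vti esp-group 'ESP-SITE'

# Explicit routing over the tunnel interface replaces the auto-installed route
set protocols static interface-route 192.168.20.0/24 next-hop-interface vti0
```

The site side mirrors this with the public addresses and the VTI address swapped (10.255.0.2/30 on its vti0, and an interface-route for Central's LAN). After commit, check the tunnel with `show vpn ipsec sa` and `show interfaces vti vti0`, and confirm the route to the remote LAN in `show ip route` points at vti0; if `sudo ip route show table 220` still lists routes, autoinstall is still active somewhere and a VPN restart on a site can again break the peer path.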

c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Sun, Oct 13, 3:05 PM