
In a load-balanced multi-wan configuration with DHCP assigned addresses, IPsec "dhcp-interface" does not work
Open, Requires assessment | Public | BUG

Description

Connections go out the interface specified by dhcp-interface but fail to connect. Likely the return packets are not matched.

load-balancing {
    wan {
        enable-local-traffic
        flush-connections
        interface-health eth0 {
            nexthop dhcp
            test 0 {
                resp-time 5
                target 8.8.8.8
                ttl-limit 1
                type ping
            }
            test 1 {
                resp-time 5
                target 8.8.4.4
                ttl-limit 1
                type ping
            }
        }
        interface-health eth1 {
            nexthop dhcp
            test 0 {
                resp-time 5
                target 1.1.1.1
                ttl-limit 1
                type ping
            }
            test 1 {
                resp-time 5
                target 1.0.0.1
                ttl-limit 1
            }
        }
        interface-health eth2 {
            nexthop dhcp
            test 0 {
                resp-time 5
                target 4.2.2.2
                ttl-limit 1
                type ping
            }
            test 1 {
                resp-time 5
                target 4.2.2.1
                ttl-limit 1
            }
        }
        rule 5 {
            destination {
                address 0.0.0.0/0
            }
            inbound-interface !eth7
            failover
            interface eth0 {
                weight 10
            }
            interface eth1 {
                weight 20
            }
            interface eth2 {
                weight 30
            }
            protocol all
        }
        rule 10 {
            destination {
                address 0.0.0.0/0
            }
            inbound-interface eth7
            interface eth0 {
                weight 10
            }
            interface eth1 {
                weight 10
            }
            interface eth2 {
                weight 10
            }
            protocol all
            source {
                address 10.0.0.0/16
            }
        }
        sticky-connections {
            inbound
        }
    }
}

Details

Difficulty level
Normal (likely a few hours)
Version
1.3-rolling-202008040823
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

ajgnet created this task. Aug 4 2020, 10:14 AM
pasik added a subscriber: pasik. Aug 5 2020, 1:12 PM
zsdc assigned this task to SrividyaA. Aug 6 2020, 9:00 PM

In addition to the workaround provided in the task T2747, the following configuration could also be added to the existing configuration:

Upon reception of an incoming packet, when a response is sent, it might be desired to ensure that it leaves from the same interface as the inbound one. This can be achieved by enabling sticky connections in the load balancing:

set load-balancing wan sticky-connections inbound

Ref document:
https://docs.vyos.io/en/latest/load-balancing.html

Enabling sticky connections had no effect in my testing. The only temporary solution was T2747. Unfortunately, this solution no longer works once the IP address changes on a DHCP-assigned interface.
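The reply above says the T2747 workaround stops working once the DHCP lease on the dhcp-interface changes. The following check, added here as an example and not part of this task or of VyOS, compares the address an IKE SA is actually bound to against the address the interface currently holds, so a stale binding can be spotted (for instance from a dhclient exit hook or a cron job) before traffic silently breaks. The output formats of `ip -4 -o addr show` and `swanctl --list-sas` that it parses, the peer names peer-A/peer-B and all addresses are assumed, constructed samples.

```shell
#!/bin/sh
# Added example, not VyOS project code. Detects an IPsec peer whose IKE SA is
# still bound to an address that its dhcp-interface no longer holds (the
# failure mode reported after a lease change). Sample inputs are constructed
# and the tool output formats are assumed, not taken from the task.

# Constructed sample of `ip -4 -o addr show` (assumed format: "idx: dev inet a/b ...").
SAMPLE_IP_ADDR='2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global dynamic eth0
3: eth1    inet 198.51.100.7/24 brd 198.51.100.255 scope global dynamic eth1'

# Constructed sample of `swanctl --list-sas` (assumed format). peer-A on eth0 is
# stale: the lease moved from .9 to .10 but the SA still uses .9. peer-B is fine.
SAMPLE_SAS="peer-A: #1, ESTABLISHED, IKEv2, a1b2c3d4_i* e5f6a7b8_r
  local  '203.0.113.9' @ 203.0.113.9[4500]
  remote '192.0.2.1' @ 192.0.2.1[4500]
peer-B: #2, ESTABLISHED, IKEv2, c9d0e1f2_i* a3b4c5d6_r
  local  '198.51.100.7' @ 198.51.100.7[4500]
  remote '192.0.2.2' @ 192.0.2.2[4500]"

# On a live router run with:
#   IP_OUT=$(ip -4 -o addr show) SAS_OUT=$(sudo swanctl --list-sas) sh thisfile.sh
# Without those variables the constructed samples above are used.
IP_OUT=${IP_OUT:-$SAMPLE_IP_ADDR}
SAS_OUT=${SAS_OUT:-$SAMPLE_SAS}

# iface_addr DEV: print the first IPv4 address of DEV, reading `ip -4 -o addr` output on stdin.
iface_addr() {
    awk -v dev="$1" '$2 == dev && $3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# sa_local_addr CONN: print the local address the IKE SA named CONN is bound to,
# reading `swanctl --list-sas` output on stdin (the "local ... @ ADDR[port]" line).
sa_local_addr() {
    awk -v conn="$1:" '
        $1 == conn { found = 1; next }
        found && $1 == "local" { sub(/^.* @ /, ""); sub(/\[.*$/, ""); print; exit }'
}

# check_peer CONN DEV: 0 = SA local address matches DEV's current address,
# 1 = stale binding (message on stderr), 2 = no SA or no address found.
check_peer() {
    conn=$1
    dev=$2
    have=$(printf '%s\n' "$IP_OUT" | iface_addr "$dev")
    using=$(printf '%s\n' "$SAS_OUT" | sa_local_addr "$conn")
    [ -n "$have" ] && [ -n "$using" ] || return 2
    [ "$have" = "$using" ] && return 0
    echo "$conn: IKE SA bound to $using but $dev now has $have" >&2
    return 1
}

# Stand-alone run over the samples: peer-A is reported as stale, peer-B passes.
rc=0
check_peer peer-A eth0 || rc=$?
check_peer peer-B eth1 || rc=$?
```

A non-zero result is the point at which the peer has to be re-initiated with the new address; on the configuration in this task that is exactly the case the dhcp-interface option is meant to handle, so a mismatch here is a reproducible signal for the bug rather than a guess from failed pings.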