Site-to-site configuration. The local prefix is sourced from the loopback interface.
set vpn ipsec site-to-site peer @remote_cpe authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer @remote_cpe authentication pre-shared-secret 'xxx'
set vpn ipsec site-to-site peer @remote_cpe authentication remote-id 'remote_cpe'
set vpn ipsec site-to-site peer @remote_cpe connection-type 'respond'
set vpn ipsec site-to-site peer @remote_cpe default-esp-group 'remote_esp'
set vpn ipsec site-to-site peer @remote_cpe ike-group 'home_IKE'
set vpn ipsec site-to-site peer @remote_cpe ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer @remote_cpe local-address '111.11.111.47'
set vpn ipsec site-to-site peer @remote_cpe tunnel 1 local prefix '172.18.255.26/32'
set vpn ipsec site-to-site peer @remote_cpe tunnel 1 remote prefix '172.24.32.54/32'
vyos@vyos# run show int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             -                                 u/u
eth0.42          111.11.111.47/27                  u/u
eth1             172.16.179.1/24                   u/u
eth2             192.168.122.69/24                 u/u
lo               127.0.0.1/8                       u/u
                 172.18.255.26/32
                 ::1/128
...
vyos@vyos# set vpn ipsec site-to-site peer @remote_cpe tunnel 1 local prefix '172.18.255.26/32'
...
vyos@vyos# commit
[ vpn ]
Warning: local prefix 172.18.255.26/32 specified for peer "@remote_cpe" is not configured on any interfaces
If I source the prefix from eth1 (172.16.179.0/24), I do not get any warnings.
It seems like this line is the problem:
https://github.com/vyos/vyatta-cfg-vpn/blob/ce56258f8dd52c5a14482a1055e4f23b89e462f6/scripts/vpn-config.pl#L673
from this commit
https://github.com/vyos/vyatta-cfg-vpn/commit/600e35bbae36ed5482c0816d077c86ab1a84c2ec#diff-5fb21a764744171f7a59a73133e0b844
It checks for routes in the output of "ip route show table 254" (the main table), which doesn't show loopback routes.
To see loopback routes, one must check "ip route show table local".
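The following is an added example (not code from the VyOS bug report or from vpn-config.pl) that reproduces the two ways of running the local-prefix check described above: against the main table (254) only, as the report says the script does, and against the main table plus the local table. The exact matching logic of vpn-config.pl is not quoted on this page, so the prefix-matching rule here is an assumption; both routing-table listings are constructed from the "show int" output above so the script runs offline. The live_check function shows the same logic over real ip output and is defined but not called.

```shell
#!/bin/sh
# Added example, not VyOS code. Demonstrates why a loopback /32 fails a check
# that only consults "ip route show table 254" (the main table), while it is
# found in "ip route show table local".

# Constructed sample of "ip route show table 254" for the router shown above.
MAIN_TABLE='default via 111.11.111.33 dev eth0.42
111.11.111.32/27 dev eth0.42 proto kernel scope link src 111.11.111.47
172.16.179.0/24 dev eth1 proto kernel scope link src 172.16.179.1
192.168.122.0/24 dev eth2 proto kernel scope link src 192.168.122.69'

# Constructed sample of "ip route show table local" for the same router.
# Interface addresses, including those on lo, live here as "local" entries.
LOCAL_TABLE='local 111.11.111.47 dev eth0.42 proto kernel scope host src 111.11.111.47
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 172.16.179.1 dev eth1 proto kernel scope host src 172.16.179.1
local 172.18.255.26 dev lo proto kernel scope host src 172.18.255.26
local 192.168.122.69 dev eth2 proto kernel scope host src 192.168.122.69'

# prefix_in_table PREFIX TABLE_TEXT
# Succeeds (exit 0) if PREFIX appears as a destination in TABLE_TEXT.
# Assumed matching rule: a /32 is compared as a bare host address, because
# that is how the kernel prints host routes and local entries.
prefix_in_table() {
  prefix=$1
  table=$2
  addr=${prefix%/*}
  mask=${prefix#*/}
  if [ "$mask" = "32" ]; then
    pattern=$addr
  else
    pattern=$prefix
  fi
  printf '%s\n' "$table" | awk -v p="$pattern" '
    # "local"/"broadcast"/"unicast" entries carry the destination in $2.
    { dst = ($1 == "local" || $1 == "broadcast" || $1 == "unicast") ? $2 : $1 }
    dst == p { found = 1 }
    END { exit(found ? 0 : 1) }'
}

# The check as the report describes it: main table (254) only.
check_main_only() {
  prefix_in_table "$1" "$MAIN_TABLE"
}

# The check with the local table consulted as well.
check_main_and_local() {
  prefix_in_table "$1" "$MAIN_TABLE" || prefix_in_table "$1" "$LOCAL_TABLE"
}

# Same logic over real ip(8) output on a router; defined here, not called.
live_check() {
  prefix_in_table "$1" "$(ip route show table 254)" ||
    prefix_in_table "$1" "$(ip route show table local)"
}

for p in 172.16.179.0/24 172.18.255.26/32; do
  if check_main_only "$p"; then
    echo "$p: found in table 254, no warning"
  else
    echo "$p: not in table 254, warning would fire"
  fi
  if check_main_and_local "$p"; then
    echo "$p: found once table local is consulted"
  fi
done
```

The eth1 prefix is found in the main table, so the warning stays quiet; the loopback /32 only shows up once the local table is consulted, which is exactly the discrepancy the report describes.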