
External traffic stops routing when IPSEC tunnel comes up with interface vti0
Status: Closed, Resolved (Public, BUG)

Description

If a site-to-site IPsec VPN tunnel is created using the vti0 interface, VyOS stops routing external traffic (even through interfaces not related to the tunnel).

There is a corresponding question in the forum with discussion, routing tables and config examples:
External traffic stops routing when IPSEC tunnel comes up
Version: VyOS 1.4-rolling-202109130217. Not detected in version 1.3.

Workaround:
change the VTI number from 0 to 10 (vti0 -> vti10)

Router1 config:

set system host-name 'Vy-1'
set interfaces ethernet eth0 address '10.10.100.41/24'
set interfaces ethernet eth1 address '172.16.254.1/24'
set interfaces ethernet eth2 address '172.16.252.1/24'

set interfaces vti vti0 address '172.16.250.1/24'

set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer 172.16.254.2 authentication id '172.16.254.1'
set vpn ipsec site-to-site peer 172.16.254.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 172.16.254.2 authentication pre-shared-secret 'secretkey'
set vpn ipsec site-to-site peer 172.16.254.2 authentication remote-id '172.16.254.2'
set vpn ipsec site-to-site peer 172.16.254.2 connection-type 'respond'
set vpn ipsec site-to-site peer 172.16.254.2 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer 172.16.254.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.16.254.2 local-address '172.16.254.1'
set vpn ipsec site-to-site peer 172.16.254.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 172.16.254.2 vti esp-group 'ESP_DEFAULT'

Router2 config:

set system host-name 'Vy-2'
set interfaces ethernet eth0 address '10.10.200.41/24'
set interfaces ethernet eth1 address '172.16.254.2/24'
set interfaces ethernet eth2 address '172.16.253.1/24'

set interfaces vti vti0 address '172.16.250.2/24'

set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 172.16.254.1 authentication id '172.16.254.2'
set vpn ipsec site-to-site peer 172.16.254.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 172.16.254.1 authentication pre-shared-secret 'secretkey'
set vpn ipsec site-to-site peer 172.16.254.1 authentication remote-id '172.16.254.1'
set vpn ipsec site-to-site peer 172.16.254.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 172.16.254.1 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer 172.16.254.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.16.254.1 local-address '172.16.254.2'
set vpn ipsec site-to-site peer 172.16.254.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 172.16.254.1 vti esp-group 'ESP_DEFAULT'

Details

Difficulty level
Easy (less than an hour)
Version
VyOS 1.4-rolling-202109130217
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

NikolayP updated the task description.
Viacheslav changed the task status from Open to Confirmed. (Edited Thu, Sep 16, 1:17 PM)
Viacheslav added a subscriber: Viacheslav.

xfrm if_id should not be 0

"the key defaults to 0 and will match any policies which similarly do not have a lookup key configuration."
vyos@r1-roll:~$ sudo ip -d link show dev vti0
9: vti0@NONE: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none  promiscuity 0 minmtu 68 maxmtu 65535 
    xfrm if_id 0 addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 
vyos@r1-roll:~$

https://github.com/vyos/vyos-1x/blob/3e85333ae7c53fc8b2ceae1d1788e795fd92c939/python/vyos/ifconfig/vti.py#L39-L40

In that case, it tried to encrypt all traffic.
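The condition described in this comment (an xfrm interface whose if_id is 0 and therefore matches every IPsec policy that carries no lookup key) can be checked from the output of `ip -d link show`. The following is an added example, not code from the page or from VyOS: it parses that output and lists the xfrm interfaces whose if_id is 0. The sample output is constructed; the `vti0` lines reproduce the shape shown above, and `vti10` stands in for the workaround interface.

```python
import re
from typing import Dict, List

# Constructed sample in the format of `ip -d link show`.  vti0 shows the
# if_id 0 condition from the report; vti10 is the renumbered workaround
# interface; eth1 is a plain Ethernet device with no xfrm line.
SAMPLE_IP_LINK = """\
9: vti0@NONE: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none  promiscuity 0 minmtu 68 maxmtu 65535 
    xfrm if_id 0 addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 
10: vti10@NONE: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none  promiscuity 0 minmtu 68 maxmtu 65535 
    xfrm if_id 10 addrgenmode none numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 
"""

# "9: vti0@NONE: <..." -> interface name without the "@NONE" suffix.
HEADER_RE = re.compile(r"^(\d+): ([^:@]+)(?:@\S+)?: <")
# Detail line of an xfrm interface: "xfrm if_id 0 addrgenmode ..."
IFID_RE = re.compile(r"\bxfrm if_id (\d+)\b")


def parse_xfrm_if_ids(text: str) -> Dict[str, int]:
    """Map each xfrm interface name in `ip -d link show` output to its if_id.

    Interfaces without an "xfrm if_id" detail line (e.g. Ethernet) are skipped.
    """
    result: Dict[str, int] = {}
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(2)
            continue
        detail = IFID_RE.search(line)
        if detail and current is not None:
            result[current] = int(detail.group(1))
    return result


def zero_if_id_interfaces(text: str) -> List[str]:
    """Return the xfrm interfaces whose if_id is 0, sorted by name.

    Such an interface matches any IPsec policy that has no lookup key, which is
    the behaviour behind the lost external routing in this task.
    """
    return sorted(name for name, if_id in parse_xfrm_if_ids(text).items() if if_id == 0)


if __name__ == "__main__":
    # On a live router, replace SAMPLE_IP_LINK with the output of:
    #   sudo ip -d link show
    for name in zero_if_id_interfaces(SAMPLE_IP_LINK):
        print(f"{name}: xfrm if_id is 0 (matches policies without a lookup key)")
```

Run it against the real output of `sudo ip -d link show` after the tunnel comes up; an empty result means every xfrm interface on the box has a non-zero if_id.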

c-po triaged this task as High priority.
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.

Tested in vyos-1.4-rolling-202109190558, works.