If we use a vti interface with IPsec, it automatically adds a default route to table 220.
In that case, after the tunnel is established, we lose access to the VyOS instance.
Interfaces
vyos@r4-epa2:~$ show int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.122.14/24                 u/u  Wan
eth1             100.64.0.2/30                     u/u  Lan
                 192.0.2.1/30
eth2             -                                 u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
vti1             10.0.102.2/30                     A/D  Tunnel to 100.64.0.1
The default route should be via 192.168.122.1 on eth0, and that is the entry we see:
vyos@r4-epa2:~$ show ip route 0.0.0.0
Routing entry for 0.0.0.0/0
  Known via "static", distance 1, metric 0, best
  Last update 00:11:43 ago
  * 192.168.122.1, via eth0, weight 1

vyos@r4-epa2:~$
But IPsec adds a higher-priority route via table 220 on the VPN listening interface eth1, so the gateway itself is now reached through the tunnel peer:
vyos@r4-epa2:~$ sudo ip route get 192.168.122.1
192.168.122.1 via 100.64.0.1 dev eth1 table 220 src 100.64.0.2 uid 0
    cache
vyos@r4-epa2:~$
To prevent this, we must set the following command and then reset the VPN peer or reboot the router:
set vpn ipsec options disable-route-autoinstall
The routes will be correct:
vyos@r4-epa2# sudo ip route get 192.168.122.1
192.168.122.1 dev eth0 src 192.168.122.14 uid 0
    cache
[edit]
vyos@r4-epa2#
Adding this option by default seems like a smart decision.
The corresponding strongSwan setting is located in /etc/strongswan.d/charon.conf:
# Install routes into a separate routing table for established IPsec
# tunnels.
install_routes = no
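As an added example (not part of this report or of VyOS), a small POSIX shell check that parses an `ip route get` line for the management gateway, flags the case where the path has been hijacked into table 220 instead of leaving via the expected WAN interface, and verifies that charon.conf carries `install_routes = no`. The sample lines are constructed from the outputs shown above; the interface name eth0 and the gateway 192.168.122.1 are assumptions taken from this report.

```shell
#!/bin/sh
# Constructed sample lines, shaped like the "ip route get" output above (not live).
BAD_ROUTE='192.168.122.1 via 100.64.0.1 dev eth1 table 220 src 100.64.0.2 uid 0'
GOOD_ROUTE='192.168.122.1 dev eth0 src 192.168.122.14 uid 0'

# Print the value that follows a keyword ("dev", "table", "src", "via") in an
# "ip route get" line; prints nothing when the keyword is absent.
route_field() {
  printf '%s\n' "$1" | awk -v key="$2" \
    '{ for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# Succeed (exit 0) only when the gateway route leaves via the expected WAN
# interface and was not taken from a policy table such as the IPsec table 220.
check_gateway_route() {
  line="$1"; want_dev="$2"
  dev=$(route_field "$line" dev)
  table=$(route_field "$line" table)
  [ "$dev" = "$want_dev" ] && [ -z "$table" ]
}

# Succeed only when the charon.conf text (passed as one string) disables
# strongSwan's automatic route installation; commented-out lines do not count.
charon_disables_autoinstall() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*install_routes[[:space:]]*=[[:space:]]*no'
}

# Live use on the router (assumption: run with sudo; the gateway is 192.168.122.1):
#   check_gateway_route "$(sudo ip route get 192.168.122.1 | head -n 1)" eth0
#   charon_disables_autoinstall "$(cat /etc/strongswan.d/charon.conf)"
```

If the first check fails while the second passes, charon has not been restarted since the option was set, which matches the "reset the VPN peer or reboot" step above.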
There was also some discussion of this in T628.