
IPSec with vti interfaces by default add default route to table 220
Open, Normal, Public, Feature Request

Description

If we use a vti interface with IPsec, strongSwan automatically adds a default route to table 220.
Once the tunnel is established we lose access to the VyOS instance.

Interfaces

vyos@r4-epa2:~$ show int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             192.168.122.14/24                 u/u  Wan
eth1             100.64.0.2/30                     u/u  Lan
                 192.0.2.1/30                           
eth2             -                                 u/u  
lo               127.0.0.1/8                       u/u  
                 ::1/128                                
vti1             10.0.102.2/30                     A/D  Tunnel to 100.64.0.1

The default route should be via 192.168.122.1 on eth0, and that is what the routing table shows:

vyos@r4-epa2:~$ show ip route 0.0.0.0
Routing entry for 0.0.0.0/0
  Known via "static", distance 1, metric 0, best
  Last update 00:11:43 ago
  * 192.168.122.1, via eth0, weight 1

vyos@r4-epa2:~$

But IPsec installs a higher-priority route in table 220 via eth1, the interface the VPN listens on:

vyos@r4-epa2:~$ sudo ip route get 192.168.122.1
192.168.122.1 via 100.64.0.1 dev eth1 table 220 src 100.64.0.2 uid 0 
    cache 
vyos@r4-epa2:~$

To prevent this we must set the following option and then reset the VPN peer or reboot the router:

set vpn ipsec options disable-route-autoinstall

After that the routes are correct:

vyos@r4-epa2# sudo ip route get 192.168.122.1
192.168.122.1 dev eth0 src 192.168.122.14 uid 0 
    cache 
[edit]
vyos@r4-epa2#
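
As an added check (not part of this task or of VyOS), the following Python script parses output of the form shown above from "ip route get" and reports whether the path to the management gateway has been captured by strongSwan's table 220 instead of the expected interface. The two sample lines are the ones quoted in this task; the expected interface name and the table number are parameters.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Sample lines quoted in the task: before and after disable-route-autoinstall.
HIJACKED_SAMPLE = "192.168.122.1 via 100.64.0.1 dev eth1 table 220 src 100.64.0.2 uid 0 \n    cache \n"
CLEAN_SAMPLE = "192.168.122.1 dev eth0 src 192.168.122.14 uid 0 \n    cache \n"

# Fields printed by `ip route get`; "via" and "table" only appear when present,
# and a missing "table" means the main table was used.
ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)"
    r"(?:\s+via\s+(?P<via>\S+))?"
    r"\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+table\s+(?P<table>\S+))?"
    r"(?:\s+src\s+(?P<src>\S+))?"
)


@dataclass
class RouteLookup:
    dst: str
    via: Optional[str]
    dev: str
    table: str
    src: Optional[str]


def parse_route_get(output: str) -> RouteLookup:
    """Parse the first line of `ip route get <addr>` output into its fields."""
    first = output.strip().splitlines()[0]
    m = ROUTE_RE.match(first)
    if not m:
        raise ValueError(f"unrecognised ip route get output: {first!r}")
    return RouteLookup(dst=m["dst"], via=m["via"], dev=m["dev"],
                       table=m["table"] or "main", src=m["src"])


def management_path_hijacked(output: str, expected_dev: str, ipsec_table: str = "220") -> bool:
    """True if the gateway is reached through the IPsec table or the wrong interface."""
    route = parse_route_get(output)
    return route.table == ipsec_table or route.dev != expected_dev


def check_live(gateway: str, expected_dev: str) -> bool:
    """Run the lookup on the local router (Linux with iproute2; needs no root)."""
    out = subprocess.run(["ip", "route", "get", gateway],
                         capture_output=True, text=True, check=True).stdout
    return management_path_hijacked(out, expected_dev)


if __name__ == "__main__":
    for name, sample in (("before", HIJACKED_SAMPLE), ("after", CLEAN_SAMPLE)):
        print(name, "hijacked" if management_path_hijacked(sample, "eth0") else "ok")
```

Running the script against a router before the tunnel comes up (check_live on the WAN gateway) gives an early warning that the management path will be lost once strongSwan populates table 220.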

Enabling this option by default seems like a sensible decision.
The corresponding strongSwan setting lives in /etc/strongswan.d/charon.conf:

# Install routes into a separate routing table for established IPsec
# tunnels.
install_routes = no

There was also some discussion of this in T628.

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.3-beta-202110290638
Why did the issue appear?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Viacheslav changed the subtype of this task from "Bug" to "Feature Request".

Requires a migration script to check for the option "set vpn ipsec options disable-route-autoinstall" in the configuration.

syncer triaged this task as Normal priority.