Page MenuHomeVyOS Platform
New Question
Ponder Q39 History

How to force source address over IPsec site-to-site VPN?

Event Timeline

amos.shapira updated the question from to How to force source address over IPsec site-to-site VPN?.Jul 20 2016, 8:13 AM
amos.shapira updated the question details. (Show Details)
syncer changed the visibility from "All Users" to "Public (No Login Required)".Jul 20 2016, 11:51 AM
syncer added a project: VyOS 1.1.x.
jhendryUK added a subscriber: jhendryUK.Aug 5 2016, 8:46 AM
syncer added subscribers: Unknown Object (User), EwaldvanGeffen, syncer.Aug 6 2016, 11:06 AM

I personally observed mixed reports regarding VTI in general, so just guessing that this should be polished still.
Expecting to see this on 1.2.x releases
Anyway, you can try GRE or even OVPN if it's possible

@EwaldvanGeffen @afics maybe you guys can give some advice on this matter

amos.shapira added a comment.EditedAug 6 2016, 11:18 AM

Thanks but I can't use GRE or OVPN since the other side is AWS virtual gateway (more specifically, I use it as a Virtual CloudHub connecting offices and multiple VPC's).

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPN_CloudHub.html

syncer added a comment.EditedAug 6 2016, 12:02 PM

Got it, I'm pretty sure that solution exist, Just need to spend more time on this.

jeffbearer added a subscriber: jeffbearer.Aug 12 2016, 8:53 PM

I was curious about this so I added the 169.254 addresses of my vyos bgp link to my vpc route tables and security groups but I still could not get the traffic to pass. I'm guessing AWS is not allowing traffic from the BGP interface to route. Ideally you would want a way to source all traffic from a dummy interface. IMO

amos.shapira added a comment.Aug 12 2016, 10:09 PM

I'm not an expert but my understanding of the definition of 169.254/16 is that it's a "link local" address and shouldn't be used for "real traffic", e.g. AWS uses it to pass EC2 metadata through 169.254.169.254, or see https://tools.ietf.org/html/rfc3927 for how this network is defined.
So I think that the solution should more in the direction of somehow telling VyOS to prefer the local interface address over the 169.254 address.

dan.cave added an answer.Aug 16 2016, 6:14 AM
jeffbearer added a comment.Aug 16 2016, 1:46 PM

Linux is going to source traffic for an arbitrary service to the outgoing interface of the selected route. I don't know what facilities might be available to plumb into vyos the notion of binding specific services to a specific interface, (I'd suggest a loopback/dummy interface) and route internally. But the problem is that you wouldn't want this for every service, ie vpn etc. and this is where it gets hairy.

I'm guessing that this will fall into the "Don't run network services on your router" mantra, since it will be so hairy.

Perhaps you can launch the service in /config/scripts/vyatta-postconfig-bootup.script where you have the control to bind it to your desired interface?

amos.shapira added a comment.Aug 16 2016, 10:01 PM

@jeffbearer how about policy routing and telling Linux that traffic should only use local 169.254/16 source address if its destination is also on 169.254?

Here is a quick StackExchange answer which might be relevant: http://unix.stackexchange.com/a/188590/12394

246tnt added an answer.Aug 17 2016, 1:04 PM
xrpixer added an answer.Sep 6 2016, 2:59 PM
syncer closed this question as obsolete.May 27 2018, 11:19 AM
Herald added subscribers: Active contributors, Maintainers, Sentrium. · View Herald TranscriptMay 27 2018, 11:19 AM