How to force source address over IPsec site-to-site VPN?
Event Timeline
I personally observed mixed reports regarding VTI in general, so just guessing that this should be polished still.
Expecting to see this on 1.2.x releases
Anyway, you can try GRE or even OVPN if it's possible.
@EwaldvanGeffen @afics maybe you guys can give some advice on this matter
Thanks, but I can't use GRE or OVPN since the other side is an AWS virtual gateway (more specifically, I use it as a Virtual CloudHub connecting offices and multiple VPCs).
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPN_CloudHub.html
I was curious about this so I added the 169.254 addresses of my VyOS BGP link to my VPC route tables and security groups, but I still could not get the traffic to pass. I'm guessing AWS is not allowing traffic from the BGP interface to route. Ideally you would want a way to source all traffic from a dummy interface, IMO.
I'm not an expert but my understanding of the definition of 169.254/16 is that it's a "link local" address and shouldn't be used for "real traffic", e.g. AWS uses it to pass EC2 metadata through 169.254.169.254, or see https://tools.ietf.org/html/rfc3927 for how this network is defined.
So I think that the solution should be more in the direction of somehow telling VyOS to prefer the local interface address over the 169.254 address.
Linux is going to source traffic for an arbitrary service to the outgoing interface of the selected route. I don't know what facilities might be available to plumb into VyOS the notion of binding specific services to a specific interface (I'd suggest a loopback/dummy interface) and route internally. But the problem is that you wouldn't want this for every service, i.e. VPN etc., and this is where it gets hairy.
I'm guessing that this will fall into the "Don't run network services on your router" mantra, since it will be so hairy.
Perhaps you can launch the service in /config/scripts/vyatta-postconfig-bootup.script where you have the control to bind it to your desired interface?
@jeffbearer how about policy routing and telling Linux that traffic should only use local 169.254/16 source address if its destination is also on 169.254?
Here is a quick StackExchange answer which might be relevant: http://unix.stackexchange.com/a/188590/12394