Change Details

If a site-to-site IPsec VPN tunnel is created using the vti0 interface, VyOS stops routing external traffic (even through interfaces not related to the tunnel). There is a corresponding question in the forum with discussion, routing tables and config examples: [[ https://forum.vyos.io/t/external-traffic-stops-routing-when-ipsec-tunnel-comes-up/7673/39 | External traffic stops routing when IPSEC tunnel comes up ]] version VyOS 1.4-rolling-202109130217. Not detected in version 1.3 Workaround: change VTI number from 0 to 10 (vti0->vti10) R1 config: ``` set system host-name 'Vy-1' set interf ether eth0 addr 10.10.100.41/24 set interf ether eth1 addr 172.16.254.1/24 set interf ether eth2 addr 172.16.252.1/24 set interfaces vti vti0 address '172.16.250.1/24' set vpn ipsec esp-group ESP_DEFAULT compression 'disable' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no' set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' set vpn ipsec interface 'eth1' set vpn ipsec site-to-site peer 172.16.254.2 authentication id '172.16.254.1' set vpn ipsec site-to-site peer 172.16.254.2 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 172.16.254.2 authentication pre-shared-secret 'secretkey' set vpn ipsec site-to-site peer 172.16.254.2 authentication remote-id '172.16.254.2' set vpn ipsec site-to-site peer 172.16.254.2 connection-type 'respond' set vpn ipsec site-to-site peer 172.16.254.2 ike-group 'IKEv2_DEFAULT' set vpn ipsec site-to-site peer 172.16.254.2 ikev2-reauth 'inherit' set vpn ipsec site-to-site peer 172.16.254.2 local-address '172.16.254.1' set vpn ipsec site-to-site peer 172.16.254.2 vti bind 'vti0' set vpn ipsec site-to-site peer 172.16.254.2 vti esp-group 'ESP_DEFAULT' ``` R2 config: ``` set system host-name 'Vy-2' set interf ether eth0 addr 10.10.200.41/24 set interf ether eth1 addr 172.16.254.2/24 set interf ether eth2 addr 172.16.253.1/24 set interfaces vti vti0 address '172.16.250.2/24' set vpn ipsec esp-group ESP_DEFAULT compression 'disable' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no' set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ipsec-interfaces interface 'eth1' set vpn ipsec site-to-site peer 172.16.254.1 authentication id '172.16.254.2' set vpn ipsec site-to-site peer 172.16.254.1 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 172.16.254.1 authentication pre-shared-secret 'secretkey' set vpn ipsec site-to-site peer 172.16.254.1 authentication remote-id '172.16.254.1' set vpn ipsec site-to-site peer 172.16.254.1 connection-type 'initiate' set vpn ipsec site-to-site peer 172.16.254.1 ike-group 'IKEv2_DEFAULT' set vpn ipsec site-to-site peer 172.16.254.1 ikev2-reauth 'inherit' set vpn ipsec site-to-site peer 172.16.254.1 local-address '172.16.254.2' set vpn ipsec site-to-site peer 172.16.254.1 vti bind 'vti0' set vpn ipsec site-to-site peer 172.16.254.1 vti esp-group 'ESP_DEFAULT' ```

If a site-to-site IPsec VPN tunnel is created using the vti0 interface, VyOS stops routing external traffic (even through interfaces not related to the tunnel). There is a corresponding question in the forum with discussion, routing tables and config examples: [[ https://forum.vyos.io/t/external-traffic-stops-routing-when-ipsec-tunnel-comes-up/7673/39 | External traffic stops routing when IPSEC tunnel comes up ]] version VyOS 1.4-rolling-202109130217. Not detected in version 1.3 Workaround: change VTI number from 0 to 10 (vti0->vti10) Router1 config: ``` set system host-name 'Vy-1' set interf ether eth0 addr 10.10.100.41/24 set interf ether eth1 addr 172.16.254.1/24 set interf ether eth2 addr 172.16.252.1/24 set interfaces vti vti0 address '172.16.250.1/24' set vpn ipsec esp-group ESP_DEFAULT compression 'disable' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no' set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' set vpn ipsec interface 'eth1' set vpn ipsec site-to-site peer 172.16.254.2 authentication id '172.16.254.1' set vpn ipsec site-to-site peer 172.16.254.2 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 172.16.254.2 authentication pre-shared-secret 'secretkey' set vpn ipsec site-to-site peer 172.16.254.2 authentication remote-id '172.16.254.2' set vpn ipsec site-to-site peer 172.16.254.2 connection-type 'respond' set vpn ipsec site-to-site peer 172.16.254.2 ike-group 'IKEv2_DEFAULT' set vpn ipsec site-to-site peer 172.16.254.2 ikev2-reauth 'inherit' set vpn ipsec site-to-site peer 172.16.254.2 local-address '172.16.254.1' set vpn ipsec site-to-site peer 172.16.254.2 vti bind 'vti0' set vpn ipsec site-to-site peer 172.16.254.2 vti esp-group 'ESP_DEFAULT' ``` Router2 config: ``` set system host-name 'Vy-2' set interf ether eth0 addr 10.10.200.41/24 set interf ether eth1 addr 172.16.254.2/24 set interf ether eth2 addr 172.16.253.1/24 set interfaces vti vti0 address '172.16.250.2/24' set vpn ipsec esp-group ESP_DEFAULT compression 'disable' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no' set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ipsec-interfaces interface 'eth1' set vpn ipsec site-to-site peer 172.16.254.1 authentication id '172.16.254.2' set vpn ipsec site-to-site peer 172.16.254.1 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 172.16.254.1 authentication pre-shared-secret 'secretkey' set vpn ipsec site-to-site peer 172.16.254.1 authentication remote-id '172.16.254.1' set vpn ipsec site-to-site peer 172.16.254.1 connection-type 'initiate' set vpn ipsec site-to-site peer 172.16.254.1 ike-group 'IKEv2_DEFAULT' set vpn ipsec site-to-site peer 172.16.254.1 ikev2-reauth 'inherit' set vpn ipsec site-to-site peer 172.16.254.1 local-address '172.16.254.2' set vpn ipsec site-to-site peer 172.16.254.1 vti bind 'vti0' set vpn ipsec site-to-site peer 172.16.254.1 vti esp-group 'ESP_DEFAULT' ```

If a site-to-site IPsec VPN tunnel is created using the vti0 interface, VyOS stops routing external traffic (even through interfaces not related to the tunnel). There is a corresponding question in the forum with discussion, routing tables and config examples: [[ https://forum.vyos.io/t/external-traffic-stops-routing-when-ipsec-tunnel-comes-up/7673/39 | External traffic stops routing when IPSEC tunnel comes up ]] version VyOS 1.4-rolling-202109130217. Not detected in version 1.3 Workaround: change VTI number from 0 to 10 (vti0->vti10) Router1 config: ``` set system host-name 'Vy-1' set interf ether eth0 addr 10.10.100.41/24 set interf ether eth1 addr 172.16.254.1/24 set interf ether eth2 addr 172.16.252.1/24 set interfaces vti vti0 address '172.16.250.1/24' set vpn ipsec esp-group ESP_DEFAULT compression 'disable' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no' set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' set vpn ipsec interface 'eth1' set vpn ipsec site-to-site peer 172.16.254.2 authentication id '172.16.254.1' set vpn ipsec site-to-site peer 172.16.254.2 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 172.16.254.2 authentication pre-shared-secret 'secretkey' set vpn ipsec site-to-site peer 172.16.254.2 authentication remote-id '172.16.254.2' set vpn ipsec site-to-site peer 172.16.254.2 connection-type 'respond' set vpn ipsec site-to-site peer 172.16.254.2 ike-group 'IKEv2_DEFAULT' set vpn ipsec site-to-site peer 172.16.254.2 ikev2-reauth 'inherit' set vpn ipsec site-to-site peer 172.16.254.2 local-address '172.16.254.1' set vpn ipsec site-to-site peer 172.16.254.2 vti bind 'vti0' set vpn ipsec site-to-site peer 172.16.254.2 vti esp-group 'ESP_DEFAULT' ``` Router2 config: ``` set system host-name 'Vy-2' set interf ether eth0 addr 10.10.200.41/24 set interf ether eth1 addr 172.16.254.2/24 set interf ether eth2 addr 172.16.253.1/24 set interfaces vti vti0 address '172.16.250.2/24' set vpn ipsec esp-group ESP_DEFAULT compression 'disable' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no' set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' set vpn ipsec ipsec-interfaces interface 'eth1' set vpn ipsec site-to-site peer 172.16.254.1 authentication id '172.16.254.2' set vpn ipsec site-to-site peer 172.16.254.1 authentication mode 'pre-shared-secret' set vpn ipsec site-to-site peer 172.16.254.1 authentication pre-shared-secret 'secretkey' set vpn ipsec site-to-site peer 172.16.254.1 authentication remote-id '172.16.254.1' set vpn ipsec site-to-site peer 172.16.254.1 connection-type 'initiate' set vpn ipsec site-to-site peer 172.16.254.1 ike-group 'IKEv2_DEFAULT' set vpn ipsec site-to-site peer 172.16.254.1 ikev2-reauth 'inherit' set vpn ipsec site-to-site peer 172.16.254.1 local-address '172.16.254.2' set vpn ipsec site-to-site peer 172.16.254.1 vti bind 'vti0' set vpn ipsec site-to-site peer 172.16.254.1 vti esp-group 'ESP_DEFAULT' ```