If a site-to-site IPsec VPN tunnel is created using the vti0 interface, VyOS stops routing external traffic (even through interfaces not related to the tunnel).
There is a corresponding forum thread with discussion, routing tables and config examples:
[[ https://forum.vyos.io/t/external-traffic-stops-routing-when-ipsec-tunnel-comes-up/7673/39 | External traffic stops routing when IPSEC tunnel comes up ]]
Affected version: VyOS 1.4-rolling-202109130217. Not observed in version 1.3.
Workaround:
change the VTI interface number from 0 to 10 (vti0 -> vti10)
R1 config:
```
set system host-name 'Vy-1'
set interf ether eth0 addr 10.10.100.41/24
set interf ether eth1 addr 172.16.254.1/24
set interf ether eth2 addr 172.16.252.1/24
set interfaces vti vti0 address '172.16.250.1/24'
set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec interface 'eth1'
set vpn ipsec site-to-site peer 172.16.254.2 authentication id '172.16.254.1'
set vpn ipsec site-to-site peer 172.16.254.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 172.16.254.2 authentication pre-shared-secret 'secretkey'
set vpn ipsec site-to-site peer 172.16.254.2 authentication remote-id '172.16.254.2'
set vpn ipsec site-to-site peer 172.16.254.2 connection-type 'respond'
set vpn ipsec site-to-site peer 172.16.254.2 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer 172.16.254.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.16.254.2 local-address '172.16.254.1'
set vpn ipsec site-to-site peer 172.16.254.2 vti bind 'vti0'
set vpn ipsec site-to-site peer 172.16.254.2 vti esp-group 'ESP_DEFAULT'
```
R2 config:
```
set system host-name 'Vy-2'
set interf ether eth0 addr 10.10.200.41/24
set interf ether eth1 addr 172.16.254.2/24
set interf ether eth2 addr 172.16.253.1/24
set interfaces vti vti0 address '172.16.250.2/24'
set vpn ipsec esp-group ESP_DEFAULT compression 'disable'
set vpn ipsec esp-group ESP_DEFAULT lifetime '3600'
set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel'
set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30'
set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120'
set vpn ipsec ike-group IKEv2_DEFAULT ikev2-reauth 'no'
set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2'
set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800'
set vpn ipsec ike-group IKEv2_DEFAULT mobike 'disable'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128'
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec site-to-site peer 172.16.254.1 authentication id '172.16.254.2'
set vpn ipsec site-to-site peer 172.16.254.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 172.16.254.1 authentication pre-shared-secret 'secretkey'
set vpn ipsec site-to-site peer 172.16.254.1 authentication remote-id '172.16.254.1'
set vpn ipsec site-to-site peer 172.16.254.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 172.16.254.1 ike-group 'IKEv2_DEFAULT'
set vpn ipsec site-to-site peer 172.16.254.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 172.16.254.1 local-address '172.16.254.2'
set vpn ipsec site-to-site peer 172.16.254.1 vti bind 'vti0'
set vpn ipsec site-to-site peer 172.16.254.1 vti esp-group 'ESP_DEFAULT'
```