After VPN is UP routes are missing

Hi,
I’m setting up a VPN ipsec, on vyos 1.2.x build by me from crux repository, and after when ipsec are up vyos does not install kernel route to my remote site. I found a option to disable auto-installation of that routes, but I suppose it’s should be enabled by default. What can I check to find a problem with that auto-installation? At previous version of VyOS 1.1.7 and 1.1.8 auto-installation of that type of routes works fine with almost the same configuration.


Regards
TomekC.

Hi @tcharewicz, can you check table 220?
sudo ip route show table 220
Which mode type are you using tunnel or transport?
Can you confirm that you exactly build 1.2.x? Run command show version and check commit id.
Read more about disable-route-autoinstall https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july

1 Like

Hello @Dmitry thank you for your answer.

Table 220 does not exist and is empty

mycha@svpn-x-1:~$ show ip route table 220 
mycha@svpn-x-1:~$ sudo ip route show table 220

mycha@svpn-x-1:~$ cat /etc/iproute2/rt_tables
#
# reserved values
#
255	local
254	main
253	default
0	unspec
#
# local
#
#1	inr.ruhep

This VPN work at transport mode, without of any VTI interface.

mycha@svpn-x-1:~$ show interfaces  | strip-private
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             xxx.xxx.0.124/22                   u/u  internal
                 xxx.xxx.0.126/22
eth1             xxx.xxx.149.28/26                 u/u  public
                 xxx.xxx.149.30/26
lo               xxx.xxx.0.1/8                       u/u
                 ::1/128

Before I build VyOS I checked double if I used correct branch at github. Please check after me.

mycha@svpn-x-1:~$ show version | strip-private
Version:          VyOS 1.2.5
Built by:         txxxxxx chxxxxxxx [at]ringieraxelspringer.pl
Built on:         Wed 05 Feb 2020 12:32 UTC
Build UUID:       082c6062-0f3c-463f-947e-e4d45c0de29f
Build Commit ID:  66f9a2880dc57f

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     VMware-xx xx xx xx ..
Hardware UUID:    <UUID cuted>

Copyright:        VyOS maintainers and contributors

What can I do more?


Regards
TomekC.

Openswan had a similar bug two years ago, but I don’t know is it related.

Hi @tcharewicz, you build VyOS from master branch instead of crux (1.2.X) https://github.com/vyos/vyos-build/commit/66f9a2880dc57ff566d8d918006562d3d980da0c, this is commit id.
Provide please you configuration for reproducing this issue.
show configuration commands | strip-private | grep vpn

Hello @Dmitry,
Yes, I found the place where I made the mistake of choosing the wrong branch when working with the repository before compilation. Sorry for bothering with this stupid mistake.

IPsec configuration look like this:
set vpn ipsec site-to-site peer xxxxx.tld authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer xxxxx.tld authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer xxxxx.tld connection-type ‘initiate’
set vpn ipsec site-to-site peer xxxxx.tld default-esp-group ‘xxxxx_ESP’
set vpn ipsec site-to-site peer xxxxx.tld description ‘xxxxx-secondary’
set vpn ipsec site-to-site peer xxxxx.tld ike-group ‘xxxxx_IKE’
set vpn ipsec site-to-site peer xxxxx.tld ikev2-reauth ‘no’
set vpn ipsec site-to-site peer xxxxx.tld local-address ‘xxx.xxx.149.30’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 esp-group ‘xxxxx_ESP’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 local prefix ‘xxx.xxx.147.136/32’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 remote prefix ‘xxx.xxx.250.112/32’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 esp-group ‘xxxxx_ESP’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 local prefix ‘xxx.xxx.147.137/32’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 remote prefix ‘xxx.xxx.250.112/32’
set vpn ipsec site-to-site peer xxxxx.tld authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer xxxxx.tld authentication pre-shared-secret xxxxxx
set vpn ipsec site-to-site peer xxxxx.tld connection-type ‘initiate’
set vpn ipsec site-to-site peer xxxxx.tld default-esp-group ‘xxxxx_ESP’
set vpn ipsec site-to-site peer xxxxx.tld description ‘xxxxx-primary’
set vpn ipsec site-to-site peer xxxxx.tld ike-group ‘xxxxx_IKE’
set vpn ipsec site-to-site peer xxxxx.tld ikev2-reauth ‘no’
set vpn ipsec site-to-site peer xxxxx.tld local-address ‘xxx.xxx.149.30’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 esp-group ‘xxxxx_ESP’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 local prefix ‘xxx.xxx.147.136/32’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 1 remote prefix ‘xxx.xxx.249.112/32’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 allow-nat-networks ‘disable’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 allow-public-networks ‘disable’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 esp-group ‘xxxxx_ESP’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 local prefix ‘xxx.xxx.147.137/32’
set vpn ipsec site-to-site peer xxxxx.tld tunnel 2 remote prefix ‘xxx.xxx.249.112/32’


Regards
TomekC.