Hello Folks,
I set up BGP between VyOS 1.4 (VyOS 1.4-rolling-202205161133) and a Juniper vSRX.
This is done via GRE over IPsec; here is the relevant VyOS configuration:
set vpn ipsec esp-group vsrx-aon-esp compression 'disable'
set vpn ipsec esp-group vsrx-aon-esp lifetime '3600'
set vpn ipsec esp-group vsrx-aon-esp mode 'tunnel'
set vpn ipsec esp-group vsrx-aon-esp pfs 'enable'
set vpn ipsec esp-group vsrx-aon-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group vsrx-aon-esp proposal 1 hash 'sha256'
set vpn ipsec ike-group vsrx-aon-ike close-action 'none'
set vpn ipsec ike-group vsrx-aon-ike ikev2-reauth 'no'
set vpn ipsec ike-group vsrx-aon-ike key-exchange 'ikev2'
set vpn ipsec ike-group vsrx-aon-ike lifetime '7200'
set vpn ipsec ike-group vsrx-aon-ike proposal 1 dh-group '14'
set vpn ipsec ike-group vsrx-aon-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group vsrx-aon-ike proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer xxx.yyy.111.37 authentication id 'vyos'
set vpn ipsec site-to-site peer xxx.yyy.111.37 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxx.yyy.111.37 authentication pre-shared-secret 'shhhh'
set vpn ipsec site-to-site peer xxx.yyy.111.37 authentication remote-id 'juniper-vsrx'
set vpn ipsec site-to-site peer xxx.yyy.111.37 connection-type 'initiate'
set vpn ipsec site-to-site peer xxx.yyy.111.37 ike-group 'vsrx-aon-ike'
set vpn ipsec site-to-site peer xxx.yyy.111.37 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxx.yyy.111.37 local-address '172.16.252.224'
set vpn ipsec site-to-site peer xxx.yyy.111.37 tunnel 0 esp-group 'vsrx-aon-esp'
set vpn ipsec site-to-site peer xxx.yyy.111.37 tunnel 0 local prefix '192.168.41.10/32'
set vpn ipsec site-to-site peer xxx.yyy.111.37 tunnel 0 remote prefix '192.168.41.9/32'
set interfaces dummy dum0 address '192.168.41.10/32'
set interfaces tunnel tun0 address '192.168.42.10/30'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 remote '192.168.41.9'
set interfaces tunnel tun0 source-address '192.168.41.10'
set protocols bgp address-family ipv4-unicast network 10.102.103.0/24
set protocols bgp local-as '64888'
set protocols bgp neighbor 192.168.41.9 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 192.168.41.9 ebgp-multihop '2'
set protocols bgp neighbor 192.168.41.9 remote-as 'external'
set protocols bgp neighbor 192.168.41.9 update-source '192.168.41.10'
set protocols bgp parameters router-id '192.168.41.10'
set protocols static route 0.0.0.0/0 next-hop 172.16.255.250
Here are the advertised BGP routes:
vyos@vyos:~$ show ip bgp
BGP table version is 5, local router ID is 192.168.41.10, vrf id 0
Default local pref 100, local AS 64888
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
   Network          Next Hop            Metric LocPrf Weight Path
   10.75.181.64/26  192.168.41.9             0             0 64880 i
   10.75.200.192/26 192.168.41.9             0             0 64880 i
*> 10.102.103.0/24  0.0.0.0                  0         32768 i
Displayed 3 routes and 3 total paths
However, the advertised routes are not inserted into the routing table:
vyos@vyos:~$ show ip route table all
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure
VRF default table 220:
K>* 192.168.41.9/32 [0/0] via 172.16.255.250, eth0, src 192.168.41.10, 04:22:01
VRF default table 254:
S 0.0.0.0/0 [210/0] via 172.16.255.250, eth0, weight 1, 03:51:38
S>* 0.0.0.0/0 [1/0] via 172.16.255.250, eth0, weight 1, 04:22:09
C>* 10.101.103.0/24 is directly connected, vtun10, 04:22:09
C>* 10.102.103.0/24 is directly connected, eth1, 04:22:14
C>* 172.16.0.0/16 is directly connected, eth0, 04:22:12
C>* 192.168.41.10/32 is directly connected, dum0, 04:22:15
C>* 192.168.42.8/30 is directly connected, tun0, 04:22:13
I suspect the problem is the next hop 192.168.41.9; this one is the other side (vSRX) of the IPsec tunnel, but I'm struggling with how to fix this problem.
On the vSRX side, the route advertised by the VyOS is correctly added to the vSRX routing table:
admin@gateway-fra-04-vsrx-vSRX> show route receive-protocol bgp 192.168.41.10
inet.0: 31 destinations, 35 routes (26 active, 0 holddown, 8 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 10.102.103.0/24         192.168.41.10        0                  64888 I
inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
admin@gateway-fra-04-vsrx-vSRX> show route table inet.0
inet.0: 31 destinations, 35 routes (26 active, 0 holddown, 8 hidden)
+ = Active Route, - = Last Active, * = Both
....
....
10.102.103.0/24 *[BGP/170] 04:41:40, MED 0, localpref 100
AS path: 64888 I, validation-state: unverified
> to 192.168.41.10 via st0.3
....
thx
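The following is an added diagnostic example, not code from the poster or from VyOS/FRR. It parses the two FRR outputs shown in the post (`show ip bgp` and `show ip route table all`) and, for every BGP prefix that lacks the `*` valid flag, checks how its next hop resolves in the main routing table (table 254). It encodes two FRR/strongSwan facts: zebra's nexthop tracking ignores the default route when resolving a BGP next hop unless `ip nht resolve-via-default` is enabled, and table 220 is the routing table strongSwan installs its own routes into, which zebra does not consult for next-hop resolution. The sample outputs are constructed copies of the post's data in FRR's column layout; the function and field names are the example's own.

```python
"""Check why BGP-learned prefixes are not installed in the FIB.

Parses FRR 'show ip bgp' and 'show ip route table all' text and, for each
route that is not marked valid, reports how its next hop resolves in the
main table (254) and whether a more specific route for it lives elsewhere
(e.g. strongSwan's table 220). Added example; not VyOS or FRR code.
"""
import ipaddress
import re

MAIN_TABLE = "254"   # Linux main table, the one zebra resolves next hops in

# Constructed sample input mirroring the post's 'show ip bgp' table.
SAMPLE_BGP = """\
   Network          Next Hop            Metric LocPrf Weight Path
   10.75.181.64/26  192.168.41.9             0             0 64880 i
   10.75.200.192/26 192.168.41.9             0             0 64880 i
*> 10.102.103.0/24  0.0.0.0                  0         32768 i
Displayed 3 routes and 3 total paths
"""

# Constructed sample input mirroring the post's 'show ip route table all'.
SAMPLE_RIB = """\
VRF default table 220:
K>* 192.168.41.9/32 [0/0] via 172.16.255.250, eth0, src 192.168.41.10, 04:22:01
VRF default table 254:
S   0.0.0.0/0 [210/0] via 172.16.255.250, eth0, weight 1, 03:51:38
S>* 0.0.0.0/0 [1/0] via 172.16.255.250, eth0, weight 1, 04:22:09
C>* 10.102.103.0/24 is directly connected, eth1, 04:22:14
C>* 172.16.0.0/16 is directly connected, eth0, 04:22:12
C>* 192.168.41.10/32 is directly connected, dum0, 04:22:15
C>* 192.168.42.8/30 is directly connected, tun0, 04:22:13
"""

# Status flags (may be empty), network prefix, next hop.
BGP_ROW = re.compile(r"^(?P<flags>[^\d\s]*)\s*(?P<net>\d+(?:\.\d+){3}/\d+)\s+(?P<nh>\d+(?:\.\d+){3})")
TABLE_HDR = re.compile(r"^VRF \S+ table (?P<table>\d+):")
# Route code letters, optional '>' (selected), optional '*' (in FIB), prefix, rest.
ROUTE_ROW = re.compile(r"^(?P<code>[A-Za-z]+)(?P<sel>>?)(?P<fib>\*?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+(?P<rest>.*)$")


def parse_bgp(text):
    """Map prefix -> {'valid': bool, 'next_hop': str} from 'show ip bgp'."""
    routes = {}
    for line in text.splitlines():
        m = BGP_ROW.match(line)
        if m:
            routes[m["net"]] = {"valid": "*" in m["flags"], "next_hop": m["nh"]}
    return routes


def parse_rib(text):
    """Map table id -> list of route dicts from 'show ip route table all'."""
    tables, current = {}, None
    for line in text.splitlines():
        hdr = TABLE_HDR.match(line)
        if hdr:
            current = hdr["table"]
            tables.setdefault(current, [])
            continue
        m = ROUTE_ROW.match(line)
        if m and current is not None:
            tables[current].append({
                "prefix": ipaddress.ip_network(m["prefix"]),
                "code": m["code"],
                "selected": m["sel"] == ">",
                "via": m["rest"],
            })
    return tables


def resolve(next_hop, tables):
    """Longest-prefix match of next_hop among selected main-table routes,
    plus any covering route found in other tables."""
    nh = ipaddress.ip_address(next_hop)
    best = None
    for r in tables.get(MAIN_TABLE, []):
        if r["selected"] and nh in r["prefix"]:
            if best is None or r["prefix"].prefixlen > best["prefix"].prefixlen:
                best = r
    other = {t: str(r["prefix"]) for t, rs in tables.items() if t != MAIN_TABLE
             for r in rs if nh in r["prefix"]}
    return {"main_match": str(best["prefix"]) if best else None,
            "main_via": best["via"] if best else None,
            "other_tables": other}


def diagnose(bgp_text, rib_text):
    """Return prefix -> diagnosis for every row of 'show ip bgp'."""
    report = {}
    tables = parse_rib(rib_text)
    for net, info in parse_bgp(bgp_text).items():
        entry = dict(info)
        if info["next_hop"] == "0.0.0.0":
            entry["status"] = "local"          # originated here, nothing to resolve
        else:
            res = resolve(info["next_hop"], tables)
            entry.update(res)
            if res["main_match"] is None:
                entry["status"] = "next hop unreachable in main table"
            elif res["main_match"].endswith("/0"):
                # zebra will not use the default route for NHT unless
                # 'ip nht resolve-via-default' is configured
                entry["status"] = "next hop covered only by default route"
            else:
                entry["status"] = "next hop resolvable"
        report[net] = entry
    return report


if __name__ == "__main__":
    for net, d in diagnose(SAMPLE_BGP, SAMPLE_RIB).items():
        print(f"{net:18} valid={d['valid']!s:5} nh={d['next_hop']:14} {d['status']}"
              + (f"  (other tables: {d['other_tables']})" if d.get("other_tables") else ""))
```

Run against the post's outputs, the script reports that both 10.75.x.x prefixes have next hop 192.168.41.9, which the main table covers only with the 0.0.0.0/0 default, while the /32 for it sits in table 220; that matches the missing `*` flag in `show ip bgp`, since zebra does not consider a next hop reachable through the default route alone. A note for anyone reusing the parser: it only recognises the text layout FRR prints for IPv4, and a BGP row's flags are taken from the characters before the prefix, so a row with no flags at all is treated as not valid.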