BGP advertised route not added in routing table

Hello Folks

I set up BGP between VyOS 1.4 (VyOS 1.4-rolling-202205161133) and a Juniper vSRX.
This is done via GRE over IPsec; here is the relevant VyOS configuration:

set vpn ipsec esp-group vsrx-aon-esp compression 'disable'
set vpn ipsec esp-group vsrx-aon-esp lifetime '3600'
set vpn ipsec esp-group vsrx-aon-esp mode 'tunnel'
set vpn ipsec esp-group vsrx-aon-esp pfs 'enable'
set vpn ipsec esp-group vsrx-aon-esp proposal 1 encryption 'aes256'
set vpn ipsec esp-group vsrx-aon-esp proposal 1 hash 'sha256'
set vpn ipsec ike-group vsrx-aon-ike close-action 'none'
set vpn ipsec ike-group vsrx-aon-ike ikev2-reauth 'no'
set vpn ipsec ike-group vsrx-aon-ike key-exchange 'ikev2'
set vpn ipsec ike-group vsrx-aon-ike lifetime '7200'
set vpn ipsec ike-group vsrx-aon-ike proposal 1 dh-group '14'
set vpn ipsec ike-group vsrx-aon-ike proposal 1 encryption 'aes256'
set vpn ipsec ike-group vsrx-aon-ike proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec site-to-site peer xxx.yyy.111.37 authentication id 'vyos'
set vpn ipsec site-to-site peer xxx.yyy.111.37 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxx.yyy.111.37 authentication pre-shared-secret 'shhhh'
set vpn ipsec site-to-site peer xxx.yyy.111.37 authentication remote-id 'juniper-vsrx'
set vpn ipsec site-to-site peer xxx.yyy.111.37 connection-type 'initiate'
set vpn ipsec site-to-site peer xxx.yyy.111.37 ike-group 'vsrx-aon-ike'
set vpn ipsec site-to-site peer xxx.yyy.111.37 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxx.yyy.111.37 local-address '172.16.252.224'
set vpn ipsec site-to-site peer xxx.yyy.111.37 tunnel 0 esp-group 'vsrx-aon-esp'
set vpn ipsec site-to-site peer xxx.yyy.111.37 tunnel 0 local prefix '192.168.41.10/32'
set vpn ipsec site-to-site peer xxx.yyy.111.37 tunnel 0 remote prefix '192.168.41.9/32'

set interfaces dummy dum0 address '192.168.41.10/32'

set interfaces tunnel tun0 address '192.168.42.10/30'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 remote '192.168.41.9'
set interfaces tunnel tun0 source-address '192.168.41.10'

set protocols bgp address-family ipv4-unicast network 10.102.103.0/24
set protocols bgp local-as '64888'
set protocols bgp neighbor 192.168.41.9 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 192.168.41.9 ebgp-multihop '2'
set protocols bgp neighbor 192.168.41.9 remote-as 'external'
set protocols bgp neighbor 192.168.41.9 update-source '192.168.41.10'
set protocols bgp parameters router-id '192.168.41.10'
set protocols static route 0.0.0.0/0 next-hop 172.16.255.250

Here are the advertised BGP routes:

vyos@vyos:~$ show ip bgp
BGP table version is 5, local router ID is 192.168.41.10, vrf id 0
Default local pref 100, local AS 64888
Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

   Network          Next Hop            Metric LocPrf Weight Path
   10.75.181.64/26  192.168.41.9                           0 64880 i
   10.75.200.192/26 192.168.41.9                           0 64880 i
*> 10.102.103.0/24  0.0.0.0                  0         32768 i

Displayed  3 routes and 3 total paths

However, the advertised routes are not inserted into the routing table:

vyos@vyos:~$ show ip route table all
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
       f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup
       t - trapped, o - offload failure

VRF default table 220:
K>* 192.168.41.9/32 [0/0] via 172.16.255.250, eth0, src 192.168.41.10, 04:22:01

VRF default table 254:
S   0.0.0.0/0 [210/0] via 172.16.255.250, eth0, weight 1, 03:51:38
S>* 0.0.0.0/0 [1/0] via 172.16.255.250, eth0, weight 1, 04:22:09
C>* 10.101.103.0/24 is directly connected, vtun10, 04:22:09
C>* 10.102.103.0/24 is directly connected, eth1, 04:22:14
C>* 172.16.0.0/16 is directly connected, eth0, 04:22:12
C>* 192.168.41.10/32 is directly connected, dum0, 04:22:15
C>* 192.168.42.8/30 is directly connected, tun0, 04:22:13

I suspect the problem is the next hop 192.168.41.9, which is the other side (vSRX) of the IPsec tunnel, but I'm struggling with how to fix this problem.

On the vSRX side, the route advertised by the VyOS is correctly added to the vSRX routing table:

admin@gateway-fra-04-vsrx-vSRX> show route receive-protocol bgp 192.168.41.10 

inet.0: 31 destinations, 35 routes (26 active, 0 holddown, 8 hidden)
  Prefix		  Nexthop	       MED     Lclpref    AS path
* 10.102.103.0/24         192.168.41.10        0                  64888 I

inet6.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
admin@gateway-fra-04-vsrx-vSRX> show route table inet.0  

inet.0: 31 destinations, 35 routes (26 active, 0 holddown, 8 hidden)
+ = Active Route, - = Last Active, * = Both
....
....
10.102.103.0/24    *[BGP/170] 04:41:40, MED 0, localpref 100
                      AS path: 64888 I, validation-state: unverified
                    >  to 192.168.41.10 via st0.3
....

thx

show ip bgp 10.75.181.64/26

I'd start by changing the BGP config. Wherever you see 168.41, change it to 168.42, and the remote similarly.
Then BGP uses the GRE tunnel; now it doesn't.

This is correct. Currently you have your BGP set up using the IPsec IP addresses and not the GRE tunnel.

Switch your BGP config to use the 192.168.42.8/30 (local 192.168.42.10, remote 192.168.42.9) instead and it should come up, assuming you can ping both sides of the GRE tunnel already.
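The original post shows the two received paths without the `*` (valid) flag while their next hop, 192.168.41.9, only appears as a kernel route in table 220; the replies above explain that moving the session onto the GRE /30 fixes this. The script below is an added example (not VyOS or FRR code) that models the next-hop check behind that behaviour: it parses the text of `show ip bgp` and `show ip route table all` and asks, for each path, whether the next hop is covered by a selected route in the main table. Two modelling assumptions are labelled in the code: only table 254 is consulted for next-hop resolution, so the IPsec route in table 220 does not count, and a default route does not resolve a next hop. The `BGP_AFTER` table is constructed to show the same peer once the next hop is 192.168.42.9 on the connected tun0 subnet; the RIB text is taken from the post.

```python
"""BGP next-hop validity check modelled on this thread's outputs.

Added example, not VyOS/FRR code. Assumptions (see MAIN_TABLE and
resolve_next_hop): only the main table resolves next hops, and a
default route never does.
"""
import ipaddress
import re

MAIN_TABLE = 254  # assumption: the only table consulted for next-hop resolution

# Constructed from the `show ip bgp` output in the original post.
BGP_BEFORE = """\
   Network          Next Hop            Metric LocPrf Weight Path
   10.75.181.64/26  192.168.41.9                           0 64880 i
   10.75.200.192/26 192.168.41.9                           0 64880 i
*> 10.102.103.0/24  0.0.0.0                  0         32768 i
"""

# Constructed: same peer after the session is moved onto the GRE /30.
BGP_AFTER = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.75.181.64/26  192.168.42.9                           0 64880 i
*> 10.75.200.192/26 192.168.42.9                           0 64880 i
*> 10.102.103.0/24  0.0.0.0                  0         32768 i
"""

# Taken from the `show ip route table all` output in the original post.
RIB = """\
VRF default table 220:
K>* 192.168.41.9/32 [0/0] via 172.16.255.250, eth0, src 192.168.41.10, 04:22:01

VRF default table 254:
S   0.0.0.0/0 [210/0] via 172.16.255.250, eth0, weight 1, 03:51:38
S>* 0.0.0.0/0 [1/0] via 172.16.255.250, eth0, weight 1, 04:22:09
C>* 10.101.103.0/24 is directly connected, vtun10, 04:22:09
C>* 10.102.103.0/24 is directly connected, eth1, 04:22:14
C>* 172.16.0.0/16 is directly connected, eth0, 04:22:12
C>* 192.168.41.10/32 is directly connected, dum0, 04:22:15
C>* 192.168.42.8/30 is directly connected, tun0, 04:22:13
"""

TABLE_HEADER = re.compile(r"^VRF \S+ table (\d+):")
RIB_ENTRY = re.compile(r"^([A-Za-z])([> ])([* ])\s+(\S+)")  # code, selected, FIB, prefix


def parse_bgp_table(text):
    """Return one dict per path: network, next hop, FRR's own valid/best flags."""
    paths = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("Network"):
            continue
        flags, fields = line[:3], line[3:].split()  # first 3 columns are status flags
        paths.append({"network": fields[0], "next_hop": fields[1],
                      "valid": "*" in flags, "best": ">" in flags})
    return paths


def parse_rib(text):
    """Map table id -> list of routes (code, selected flag, prefix)."""
    tables, current = {}, None
    for line in text.splitlines():
        m = TABLE_HEADER.match(line)
        if m:
            current = int(m.group(1))
            tables[current] = []
            continue
        m = RIB_ENTRY.match(line)
        if m and current is not None:
            code, sel, _fib, prefix = m.groups()
            tables[current].append({"code": code, "selected": sel == ">",
                                    "prefix": ipaddress.ip_network(prefix, strict=False)})
    return tables


def resolve_next_hop(next_hop, tables):
    """Longest-prefix match in the main table; default route skipped (assumption)."""
    nh, best = ipaddress.ip_address(next_hop), None
    for route in tables.get(MAIN_TABLE, []):
        if not route["selected"] or route["prefix"].prefixlen == 0:
            continue
        if nh in route["prefix"] and (best is None or
                                      route["prefix"].prefixlen > best["prefix"].prefixlen):
            best = route
    return best


def other_tables_covering(next_hop, tables):
    """Non-main tables that do hold a route for the next hop (e.g. IPsec's 220)."""
    nh = ipaddress.ip_address(next_hop)
    return sorted(t for t, routes in tables.items()
                  if t != MAIN_TABLE and any(nh in r["prefix"] for r in routes))


def check_paths(bgp_text, rib_text):
    """Return (network, status, detail) per path: local, resolved or unresolved."""
    tables, report = parse_rib(rib_text), []
    for p in parse_bgp_table(bgp_text):
        if p["next_hop"] == "0.0.0.0":
            report.append((p["network"], "local", None))
            continue
        route = resolve_next_hop(p["next_hop"], tables)
        if route is not None:
            report.append((p["network"], "resolved", str(route["prefix"])))
        else:
            report.append((p["network"], "unresolved",
                           other_tables_covering(p["next_hop"], tables)))
    return report


def flags_match_model(bgp_text, rib_text):
    """True when FRR's '*' flag agrees with this model for every path."""
    model = {net: status != "unresolved" for net, status, _ in check_paths(bgp_text, rib_text)}
    return all(p["valid"] == model[p["network"]] for p in parse_bgp_table(bgp_text))


if __name__ == "__main__":
    for label, table in (("before (IPsec addresses)", BGP_BEFORE),
                         ("after (GRE /30 addresses)", BGP_AFTER)):
        print(label)
        for net, status, detail in check_paths(table, RIB):
            print(f"  {net:<18} {status:<10} {detail if detail is not None else ''}")
```

Run as-is, the "before" report lists both received prefixes as unresolved and points at table 220 as the only table that knows the next hop, which is exactly the symptom in the post: the address is reachable through the IPsec policy, not through a route BGP can use. The "after" report resolves the next hop to the connected 192.168.42.8/30 on tun0. The same parser can be pointed at live `show` output on a box where a peer's routes stay flagless, to separate "next hop not in the main table" from other causes before touching the peer configuration.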

Hello folks

Thank you so much for the suggestion; that was the right way to go. I had actually already tried to use 42.8/30 without success, but after your suggestion I tried again and again and, after fixing a few problems on the other side, I had it working.
On the Juniper side I used the J-Web console's VPN with Automatic Routing wizard, which also set up a "strange" configuration for BGP: no matter which tunnel (IPsec or GRE) I used, BGP never left the Connected status.

Just for documentation, for others: the Juniper VPN with Automatic Routing wizard added

set routing-options autonomous-system 64880

and
set protocols bgp group csplab-vyos-group neighbor 192.168.42.10

while once I changed the latter to:

set protocols bgp group csplab-vyos-group neighbor 192.168.42.10 local-as 64880

BGP finally went to Established.

My lesson learned is that the Juniper J-Web console wizards are a false time-saving option :frowning:

I'm still solving some minor security policy issues, and then I'll share the "lucky" combination from both sides so that others can take advantage of it.

Thx again

Gianluca