clustering and l2tp/ipsec vpn



i’m running vyos (current stable release) on two servers, for failover, i’m using cluster rather than vrrp.

i have one server with an external ip of
the other server as an external ip of
the service ip for these two is

the internal interfaces are using using vlans, there are several vif’s, all of these are in the same cluster group

the full cluster configuration is:

cluster {
    dead-interval 8000
    group cluster1 {
        auto-failback true
        primary fw1
        secondary fw2
    interface eth0
    interface eth1.11
    interface eth1.5
    interface eth1.40
    keepalive-interval 2000
    monitor-dead-interval 20000
    pre-shared-secret ****************

i have an l2tp/ipsec vpn working, using x509 certificates.
the configuration is:

ipsec {
     ipsec-interfaces {
         interface eth0
     nat-networks {
         allowed-network {
     nat-traversal enable
 l2tp {
     remote-access {
         authentication {
             local-users {
                 username lee {
                     password test
             mode local
         client-ip-pool {
         ipsec-settings {
             authentication {
                 mode x509
                 x509 {
                     ca-cert-file /config/auth/SCL_CA.crt
                     server-cert-file /config/auth/l2tp_vpn.crt
                     server-key-file /config/auth/l2tp_vpn.pem
             ike-lifetime 3600

the ip’s and passwords will be changed for production, it’s just on a private test network at the moment.

as i said, the vpn IS working, but only because the outside address is set to the physical ip of eth0 and the vpn connection is set to connect to the physical ip. which means i need to keep changing the vpn connection depending on which firewall is working. i want to connect to the vip but i can’t get it to connect if i set this as the outside address. how do i fix this?

also, there will only be a few vpn users, who will each get a static ip
(i want to restrict specific users to connections to different sets of servers, so i need to know which ip each one will use)
using the connection as it initially set ups in windows, it’s fine, everything goes through the tunnel, so routing is not a problem. but if the client connection is set as a split tunnel, the vpn connection gets no gateway or routing information, is there any way of automatically getting that?



ok, i’ve not solved this yet, but i have got a bit closer.

starting from the configuration as above, if i adjust the configuration by

set cluster group cluster1 service ipsec


set vpn l2tp remote-access outside-address (vip of cluster service on external interface)

then everything works, i can connect a vpn client using the vip as the connection address, disconnect, reconnect,
everything seems to be fine. this works only if i make both changes above, only making either one of the changes doesn’t work.

the problem now is that this all stops working on a router if it is rebooted for any reason, attempts to reconnect afterwards fail with an error 809.

if i make the changes to both routers as above, i can connect to the 1st router ok. if i disconnect and switch off the first router, i can reconnect ok to the 2nd router, if i bring the first router back online (it takes over the cluster) i can’t reconnect, if i shut down the first router again, i can reconnect to the second router ok still, (the 2nd router hasn’t been stopped at all by this point).
so i know that whatever is happening, it’s not the cluster failover causing any issues, it’s something being done on a restart. but i can’t work out why this would be happening. committed changes become active straightaway and are saved, so the running config after these changes are made should be identical to the configuration it reboots into.

any ideas?



another update, gradually getting closer…

after some experimentation, i’ve narrowed it down to being the vpn l2tp remote access outsite-address,
i can leave service ipsec configured for the cluster group, that needs no further changes.

if the vpn outside-address is set to the vip on boot it doesn’t work, i need to change it, then re-change it again to the vip.
if the vpn outside-address is set to the physical ip on boot, it still doesn’t work, i need to change it to the vip

i’ve not found anything to indicate it in the logs, but it seems to me to be it’s applying the vpn configuration before the vip is active so it doesn’t have an interface to apply the config to.

i’ve found a fudge by adding the following to /config/scripts/vyatta-postconfig-bootup.script

source /opt/vyatta/etc/functions/script-template
sleep 2s
set vpn l2tp remote-access outside-address

although that stops me making any other configuration changes, i just get ‘set failed’ for everything, until i run ‘/etc/init.d/vyatta-router restart’ as the root user.

surely there’s a more elegant solution, isn’t there any way to delay the application of the vpn configuration until all the clustering and vip’s are up and running?



you can set the l2tp failure with the command

set cluster group cluster1 service xl2tpd