config validation failing when net.ipv4.ip_nonlocal_bind = 1


#1

I have been pulling out my hair trying to figure this one out. Any bgp neighbor address I try to define is rejected with a message that it is a local address. None of these addresses are local to the machine.

```
vyos@vyos# set protocols bgp 65001 neighbor 10.233.0.2

Can’t set neighbor address to local system IP.

Value validation failed
Set failed

[edit]
vyos@vyos# set protocols bgp 65001 neighbor 255.255.255.255

Can’t set neighbor address to local system IP.

Value validation failed
Set failed

[edit]
vyos@vyos# set protocols bgp 65001 neighbor 0.0.0.0

Can’t set neighbor address to local system IP.

Value validation failed
Set failed

[edit]
```

I finally figured out that I have the following sysctl setting defined in sysctl.conf

net.ipv4.ip_nonlocal_bind = 1

It seems like the perl sub is_local_address() on line 209 in /opt/vyatta/share/perl5/Vyatta/Misc.pm does not work if the sysctl setting “net.ipv4.ip_nonlocal_bind = 1” is set. As soon as I remove the sysctl setting, the set protocols bgp command starts working.

Any ideas on how to make this work other than hacking Misc.pm?

What’s the proper ‘VyOS’ way of handling sysctl settings?

Any thoughts welcome!


#2

Looks like the test for “is the IP address local” just tries to bind it, which by default only allows local addresses to be bound, but in this case, since I need net.ipv4.ip_nonlocal_bind = 1 set, it succeeds for every address tested. I had to hack Misc.pm; here’s the workaround:
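To make the failure mode concrete, here is an added example (not code from the thread, not VyOS/Vyatta's Misc.pm) of the two ways to answer "is this address local". The bind probe is the approach described above and is fooled once ip_nonlocal_bind=1, because bind() then succeeds for any address; the interface-enumeration check compares the candidate against addresses actually configured, so it keeps working. The combined is_local_address() reads the sysctl and only trusts the probe when it is off. All function names are hypothetical, and the `ip -o addr` sample output is constructed.

```python
import ipaddress
import socket
import subprocess
from typing import Callable, Iterable, Optional

# Linux sysctl that makes bind() accept addresses not configured on the host.
NONLOCAL_BIND_SYSCTL = "/proc/sys/net/ipv4/ip_nonlocal_bind"


def nonlocal_bind_enabled(path: str = NONLOCAL_BIND_SYSCTL) -> Optional[bool]:
    """True if ip_nonlocal_bind=1, False if 0, None if the sysctl is unreadable."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def bind_probe(addr: str) -> bool:
    """The bind-based test from the thread: try to bind a UDP socket to addr.

    With ip_nonlocal_bind=0 this fails for addresses the host does not own.
    With ip_nonlocal_bind=1 it succeeds for (almost) anything, so a validator
    built on it rejects every BGP neighbor as 'local'.
    """
    ip = ipaddress.ip_address(addr)
    family = socket.AF_INET6 if ip.version == 6 else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_DGRAM)
    try:
        sock.bind((addr, 0))
        return True
    except OSError:
        return False
    finally:
        sock.close()


# Constructed sample of `ip -o addr` output, one address per line.
SAMPLE_IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link \\       valid_lft forever preferred_lft forever
"""


def parse_ip_addr_output(text: str) -> set:
    """Extract bare addresses (prefix length stripped) from `ip -o addr` lines."""
    addrs = set()
    for line in text.splitlines():
        fields = line.split()
        for i, tok in enumerate(fields):
            if tok in ("inet", "inet6") and i + 1 < len(fields):
                addrs.add(fields[i + 1].split("/")[0])
                break
    return addrs


def local_addresses_from_ip() -> set:
    """Ask the running system (Linux iproute2) for its configured addresses."""
    out = subprocess.run(["ip", "-o", "addr"], capture_output=True,
                         text=True, check=True).stdout
    return parse_ip_addr_output(out)


def is_local_by_interfaces(addr: str, local_addrs: Iterable[str]) -> bool:
    """Interface-enumeration check: unaffected by ip_nonlocal_bind."""
    ip = ipaddress.ip_address(addr)
    return any(ip == ipaddress.ip_address(a) for a in local_addrs)


def is_local_address(addr: str,
                     local_addrs: Optional[Iterable[str]] = None,
                     sysctl_reader: Callable[[], Optional[bool]] = nonlocal_bind_enabled,
                     probe: Callable[[str], bool] = bind_probe) -> bool:
    """Trust the bind probe only when the sysctl is known to be off.

    If ip_nonlocal_bind is on (or unknown), fall back to the address list,
    which is what a config validator should do to avoid false 'local' hits.
    """
    if sysctl_reader() is False:
        return probe(addr)
    if local_addrs is None:
        local_addrs = local_addresses_from_ip()
    return is_local_by_interfaces(addr, local_addrs)


if __name__ == "__main__":
    # On a real host: bind_probe("10.233.0.2") flips to True once the sysctl is 1,
    # while the interface check keeps saying False.
    for candidate in ("10.233.0.2", "127.0.0.1"):
        print(candidate, "local:", is_local_address(candidate))
```

The injectable `sysctl_reader` and `probe` arguments exist so the decision logic can be exercised without touching the kernel; on a VyOS box the defaults read the real sysctl and run the real bind.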


#3

What is the use case for allowing binds to non local addresses?


#4

I knew I would pique someone’s curiosity 🙂 This setup is for redundant openvpn servers. I have 2 routers both running openvpn. They use vrrp to listen on a virtual address. In order to respond to openvpn clients, the --local setting must be given in openvpn-option, to tell openvpn what IP to use to respond to clients (otherwise it will use its physical primary IP, not the vrrp virtual address, which confuses clients and doesn’t work).

When one router fails, the virtual address is moved to the backup router, the clients reconnect and reauth, and continue operating. Failover takes about 16 seconds. In this case the primary/master router already has the virtual address assigned, so openvpn can start up without the kernel setting, but the backup router doesn’t have the IP on it, so it fails to start openvpn unless I set ip_nonlocal_bind. Once everything is up and operating, any vrrp events are handled and the openvpn daemon is ready and waiting to take whatever client connections come in.


#5

I would probably try leaving the VyOS/vrrp config, and put a cluster (pair) of strongswan 5.x vpn terminators behind them running ikev2/ipsec.

https://wiki.strongswan.org/projects/1/wiki/HighAvailability

I used to use vyatta/vyos as vpn terminators, running l2tp/ipsec. However, the stock Windows 7 vpn client has problems with that when the road warrior client is behind a nat device (which is essentially always). I have now transitioned to a pure strongswan 5.3 vpn solution which works with Windows 7 & 8, Macs, and Linux, but have NOT tried their cluster solution.