Having this really strange issue where my VyOS install will stop routing external traffic once IPSEC tunnel comes up. When the tunnel isnt up, i can ping, ssh etc but when the tunnel comes up I can only access the install via the tunnel. Cannot ping or ssh externally. Traceroute from the install falls flat at first hop, so it seems like it isn’t really trying?
Have tried several different builds of the OS, including today’s latest.
Config is below, I have done a full reinstall and started adding only the required config line by line to see when it breaks and everything is fine until tunnel comes up.
Thanks for your reply, don’t know much about VRFs but here is the entire print out
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
VRF default table 254:
S>* 0.0.0.0/0 [1/0] via 172.20.201.1, eth0, weight 1, 00:02:51
C>* 172.19.1.4/30 is directly connected, vti0, 00:02:53
C>* 172.20.201.0/24 is directly connected, eth0, 00:02:54
default via 119.17.156.1 dev eth0 proto zebra
119.17.156.0/22 dev eth0 proto kernel scope link src 119.17.159.116
172.19.1.4/30 dev vti0 proto kernel scope link src 172.19.1.6
172.20.205.0/24 dev eth1 proto kernel scope link src 172.20.205.254
broadcast 119.17.156.0 dev eth0 table local proto kernel scope link src x.x.x.116
local 119.17.159.116 dev eth0 table local proto kernel scope host src 1x.x.x.116
broadcast 119.17.159.255 dev eth0 table local proto kernel scope link src x.x.x.116
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.19.1.4 dev vti0 table local proto kernel scope link src 172.19.1.6
local 172.19.1.6 dev vti0 table local proto kernel scope host src 172.19.1.6
broadcast 172.19.1.7 dev vti0 table local proto kernel scope link src 172.19.1.6
broadcast 172.20.205.0 dev eth1 table local proto kernel scope link src 172.20.205.254
local 172.20.205.254 dev eth1 table local proto kernel scope host src 172.20.205.254
broadcast 172.20.205.255 dev eth1 table local proto kernel scope link src 172.20.205.254
However the VyOS install becomes uncontactable from all external regardless of site or network
Thank you very much for your time you’re putting into this. I performed the config changes exactly how you have it written above only changing the IKE encryption method because aes256gcm128 is not supported for IKE on the Ubiquiti Edgerouter which is the remote party. I’ve changed it to
set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption aes256
As soon as the tunnel comes up all external connections drop again. super strange!
OK I just found an option to emulate an Intel E1000 NIC on my cloud hosting provider. It’s up and no drop to external connections. I’ll monitor overnight and report back with my findings
Yes, its strange
If changing the adapter type helps, it would be great.
In any case, your answer will help, waiting for the results.
Can you tell the adapter type you were having problems with?
Unfortunately it seems to be a fluke as network traffic has stopped again. Have tried setting the default route with the ip of the router plus the interface in case its going out the wrong interface but no change. Can still ping through the tunnel but can’t ping to and from externally, ssh etc. Connections drop as soon as tunnel comes up
I have also configured the machine to have the external IP on the interface just incase NAT was doing something strange, no change.
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
VRF default table 254:
S>* 0.0.0.0/0 [1/0] via 203.x.x.1, eth0, weight 1, 00:06:22
C>* 172.19.1.4/30 is directly connected, vti0, 00:03:48
C>* 203.x.x.0/24 is directly connected, eth0, 00:07:1
do extra troubleshooting:
use tcpdump, to see if packets arrive and are sent back. And if ARP works.
Add logging to firewall rule, so you’re sure packet hits intended rule
run trceroute from vyos itself to non-working destination. Responses might reveal path chosen