External traffic stops routing when IPSEC tunnel comes up

Nikolay · September 13, 2021, 3:44am

@crazycen , first I see two default routes:
set protocols static route 0.0.0.0/0 next-hop A.B.C.D
set protocols static route 0.0.0.0/0 interface eth0 # - this one is bad practice.

I think they should be replaced with:
set protocols static route 0.0.0.0/0 next-hop A.B.C.D interface eth0

crazycen · September 13, 2021, 3:50am

thks ,i know that ! this is test route !
When the direct network segment can not connected, I manually add!

16again · September 13, 2021, 5:38am

All screen shots focus on main route table. Which should be used, and doesn’t have incorrect routes.
To check if other route table is being used:

sudo ip rule show

Should reveal what packets will use different route table

sudo ip route show xxx

will show table numbered xxx
A VTI VPN shouldn’t use extra route table though
From VyOS , run traceroute to a local connected network. This might reveal path chosen.

crazycen · September 13, 2021, 6:13am

@Nikolay @16again
sudo ip rule show

traceroute to a local connected network 10.10.100.1
route to vti port (172.16.250.2 is remote vti port)!

16again · September 13, 2021, 10:27am

Seems like packet gets routed out on vti interface
Rule 220: matches all packets, and tells: use route table 220
What does route table 220 look like? (command in my previous post lacked “table”
sudo ip route show table 220

This rule/table 220 should be in place for policy based ipsec , afaik not for route based (VTI) ipsec

crazycen · September 13, 2021, 12:04pm

Viacheslav · September 13, 2021, 1:01pm

It is strange that there a no routes in table 220 but with this behavior should be.
Try to delete this rule:

sudo ip rule del from all lookup 220

and check connectivity.

crazycen · September 13, 2021, 4:24pm

Viacheslav · September 13, 2021, 5:03pm

Does it work without bgp configuration?

crazycen · September 14, 2021, 1:01am

disable bgp ,same issue ,use vyos-1.4-rolling-202108250117-amd64.iso now !

i will try vyos-1.3-beta-202109130342-amd64.iso !

crazycen · September 14, 2021, 3:22am

@Nikolay @Viacheslav @16again

hi all ,i install new two Router vyos-1.3-beta-202109130342-amd64.iso

R1&R2

ipsec work well and can ping local connected network 。

*** Does this mean vyos 1.4 ipsec has a bug?**

Nikolay · September 14, 2021, 3:30am

Hi @crazycen,
Good news
I tried the IPsec lab in 1.4. It works as it should.
It might make sense to try configuring the same thing with a clean 1.4 installation.

Version: VyOS 1.4-rolling-202109040217
Release Train: sagitta

crazycen · September 14, 2021, 3:38am

@Nikolay Thanks i will upgrade to lasted 1.4 version and set again !

crazycen · September 15, 2021, 1:28am

@Nikolay
New installed router, new configuration, once ipsec starts, the network will be lost!

vyos 1.4 vyos-1.4-rolling-202109130217-amd64.iso has this problem

vyos 1.3 normal

As shown, once I enable ipsec configuration, the network connection will be lost!

crazycen · September 15, 2021, 2:38am

i use offical doc to config ,issue again
https://docs.vyos.io/en/latest/configuration/vpn/site2site_ipsec.html

R1.txt (1.6 KB)
R2.txt (1.6 KB)

Nikolay · September 15, 2021, 5:00am

Hi @crazycen,

I made exactly the same Lab as your network. With the same interfaces.
And I caught the problem.

Good news!
The problem is easily solved
You need to replace the interface vti0 with vti10 (10): (*edited typo)

Regards,
Nikolay

16again · September 15, 2021, 6:23am

Seems like a workaround, not a solution
vty10 is a typo though , should be vti10

Nikolay · September 15, 2021, 6:28am

Thanks @16again,
Should be vti10, typo

crazycen · September 15, 2021, 7:23am

Thank you very much! @Nikolay
when i change vti0 to vti10 ,issue resolved .
Thank you for your advice! @16again @Viacheslav @mistersock

I updaye my lab , change to vti0 to vti10 resolve this issue !

vti &local connected network work well !

Viacheslav · September 16, 2021, 1:44pm

Task for it T3831