@crazycen , first I see two default routes:
set protocols static route 0.0.0.0/0 next-hop A.B.C.D
set protocols static route 0.0.0.0/0 interface eth0 # - this one is bad practice.
I think they should be replaced with:
set protocols static route 0.0.0.0/0 next-hop A.B.C.D interface eth0
thks ,i know that ! this is test route !
When the direct network segment can not connected, I manually add!
All screen shots focus on main route table. Which should be used, and doesn’t have incorrect routes.
To check if other route table is being used:
sudo ip rule show
Should reveal what packets will use different route table
sudo ip route show xxx
will show table numbered xxx
A VTI VPN shouldn’t use extra route table though
From VyOS , run traceroute to a local connected network. This might reveal path chosen.
@Nikolay @16again
sudo ip rule show
Seems like packet gets routed out on vti interface
Rule 220: matches all packets, and tells: use route table 220
What does route table 220 look like? (command in my previous post lacked “table”
sudo ip route show table 220
This rule/table 220 should be in place for policy based ipsec , afaik not for route based (VTI) ipsec
It is strange that there a no routes in table 220 but with this behavior should be.
Try to delete this rule:
sudo ip rule del from all lookup 220
and check connectivity.
Does it work without bgp configuration?
disable bgp ,same issue ,use vyos-1.4-rolling-202108250117-amd64.iso now !
i will try vyos-1.3-beta-202109130342-amd64.iso !
hi all ,i install new two Router vyos-1.3-beta-202109130342-amd64.iso
R1&R2
ipsec work well and can ping local connected network 。
*** Does this mean vyos 1.4 ipsec has a bug?**
Hi @crazycen,
Good news
I tried the IPsec lab in 1.4. It works as it should.
It might make sense to try configuring the same thing with a clean 1.4 installation.
Version: VyOS 1.4-rolling-202109040217
Release Train: sagitta
@Nikolay Thanks i will upgrade to lasted 1.4 version and set again !
@Nikolay
New installed router, new configuration, once ipsec starts, the network will be lost!
vyos 1.4 vyos-1.4-rolling-202109130217-amd64.iso has this problem
vyos 1.3 normal
As shown, once I enable ipsec configuration, the network connection will be lost!
i use offical doc to config ,issue again
https://docs.vyos.io/en/latest/configuration/vpn/site2site_ipsec.html
Hi @crazycen,
I made exactly the same Lab as your network. With the same interfaces.
And I caught the problem.
Good news!
The problem is easily solved
You need to replace the interface vti0 with vti10 (10): (*edited typo)
Regards,
Nikolay
Seems like a workaround, not a solution
vty10 is a typo though , should be vti10
Thanks @16again,
Should be vti10, typo
Thank you very much! @Nikolay
when i change vti0 to vti10 ,issue resolved . 
Thank you for your advice! @16again @Viacheslav @mistersock
I updaye my lab , change to vti0 to vti10 resolve this issue !
Task for it T3831
