Hello!
I have a redundant VPN connection between
- my on-prem OPNsense, and
- my datacenter VyOS.
There are two tunnels between them:
- 1x IPSec (vti)
- 1x WireGuard
→ controlled by OSPF. The IPsec tunnel is intended to be the primary tunnel, with the WireGuard tunnel as backup.
Almost every two to three days, the IPsec tunnel encounters an issue. It’s not the tunnel itself that fails, but rather the connected route on the VTI interface that disappears!
Oct 15 04:57:56 zebra[1531]: [VYKYC-709DP] default(0:254):10.0.0.32/30: Route install failed
Oct 15 04:57:56 zebra[1531]: [X5XE1-RS0SW][EC 4043309074] Failed to install Nexthop (216[10.0.0.34 if 12 vrfid 0]) into the kernel
Since the tunnel itself remains active, IPsec’s DPD doesn’t engage. The VTI interface gets stuck in a down state, causing OSPF to switch over to the secondary tunnel.
manuel@mvr02# run sho int | match vti
vti0 - n/a default 1500 u/u ocloud-net2
vti1 10.0.0.33/30 n/a default 1400 A/D IPsec fw1int
I can easily resolve this by typing:
manuel@mvr02:~$ restart ipsec
…but I suspect the route will disappear again soon.
Running system image: 1.5-rolling-202409250007
Relevant config parts:
set interfaces vti vti1 address '10.0.0.33/30'
set interfaces vti vti1 mtu '1400'
set interfaces wireguard wg2 address '10.0.0.25/30'
set interfaces wireguard wg2 mtu '1420'
<the usual working wireguard-stuff ...>
set protocols bfd peer 10.0.0.34 profile 'home-ipsec'
set protocols bfd profile home-ipsec
set protocols ospf area 0 network '10.0.0.24/30'
set protocols ospf area 0 network '10.0.0.32/30'
set protocols ospf interface vti1 bfd profile 'home-ipsec'
set protocols ospf interface vti1 cost '60'
set protocols ospf interface wg2 cost '1080'
set vpn ipsec ike-group generic-28800-v2 close-action 'trap'
set vpn ipsec ike-group generic-28800-v2 dead-peer-detection action 'trap'
set vpn ipsec ike-group generic-28800-v2 dead-peer-detection interval '30'
set vpn ipsec ike-group generic-28800-v2 dead-peer-detection timeout '120'
set vpn ipsec ike-group generic-28800-v2 disable-mobike
set vpn ipsec ike-group generic-28800-v2 key-exchange 'ikev2'
set vpn ipsec ike-group generic-28800-v2 lifetime '28800'
<some fitting ike-proposals and esp-groups>
set vpn ipsec site-to-site peer fw1int authentication local-id 'mvr02'
set vpn ipsec site-to-site peer fw1int authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer fw1int authentication remote-id 'fw1int'
set vpn ipsec site-to-site peer fw1int connection-type 'initiate'
set vpn ipsec site-to-site peer fw1int force-udp-encapsulation
set vpn ipsec site-to-site peer fw1int ike-group 'generic-28800-v2'
set vpn ipsec site-to-site peer fw1int ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer fw1int local-address '87.106.230.131'
set vpn ipsec site-to-site peer fw1int remote-address 'any'
set vpn ipsec site-to-site peer fw1int vti bind 'vti1'
set vpn ipsec site-to-site peer fw1int vti esp-group 'generic-3600-dh14'
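The failure mode in the post has two visible signals that DPD never sees: the VTI shows `A/D` (admin up, link down) in `show interfaces`, and zebra logs a "Route install failed" for the VTI subnet. The script below is an added example, not something from the original post or from VyOS itself: it parses those two signals from constructed sample text that mirrors the post, so a small monitor could flag the stuck VTI before OSPF quietly fails over to the WireGuard backup. The function names and the sample input are this example's own assumptions; the column layout and log wording are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post or VyOS): detect a VTI that is
# admin-up/link-down while zebra reports a failed route install for its subnet.
# The sample text below is constructed to mirror the post; function names are
# assumptions of this example.

# Constructed sample of `show interfaces | match vti` output
SAMPLE_INTERFACES='vti0 - n/a default 1500 u/u ocloud-net2
vti1 10.0.0.33/30 n/a default 1400 A/D IPsec fw1int'

# Constructed sample of zebra log lines (wording as quoted in the post)
SAMPLE_LOG='Oct 15 04:57:56 zebra[1531]: [VYKYC-709DP] default(0:254):10.0.0.32/30: Route install failed
Oct 15 04:57:56 zebra[1531]: [X5XE1-RS0SW][EC 4043309074] Failed to install Nexthop (216[10.0.0.34 if 12 vrfid 0]) into the kernel'

# vti_state <ifname> <interfaces-output>
# Prints the state column (u/u, A/D, ...) of the named interface,
# i.e. the sixth whitespace-separated field of the `show interfaces` row.
vti_state() {
    printf '%s\n' "$2" | awk -v ifn="$1" '$1 == ifn { print $6; exit }'
}

# route_install_failed <prefix> <log-text>
# Succeeds when zebra logged a failed route install for that prefix.
route_install_failed() {
    printf '%s\n' "$2" | grep -Fq -- "$1: Route install failed"
}

# vti_stuck <ifname> <prefix> <interfaces-output> <log-text>
# Succeeds only when both signals are present: the interface is A/D and the
# connected route for its subnet failed to install. This is the state the post
# describes, where the IKE SA is still up so DPD does not fire.
vti_stuck() {
    state=$(vti_state "$1" "$3")
    [ "$state" = "A/D" ] && route_install_failed "$2" "$4"
}

# Stand-alone run against the constructed sample
if vti_stuck vti1 10.0.0.32/30 "$SAMPLE_INTERFACES" "$SAMPLE_LOG"; then
    echo "vti1 is A/D and its connected route failed to install: tunnel needs attention"
else
    echo "vti1 looks healthy"
fi
```

On a live router you would replace the two sample variables with the current output of `show interfaces` and the recent zebra log, and alert (or trigger the same `restart ipsec` you already use by hand) only when both conditions hold, so that a normal link flap with a successful route install does not page you.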