How to enable/disable an IPSec tunnel without removing the config?


#1

Hello,

After the initial problems, I got my IPSec tunnel to AWS VPC configured and running.

AWS charges for an active VPN connection to a VPC. How can I switch the vpn connection on or off without removing the configuration?

I tried by disabling the virtual interfaces, but this didn’t seem to switch the connection off.

Ringo


#2

what about set vpn ipsec site-to-site peer x.x.x.x tunnel 1 disable


#3

Doesn’t seem to work.

vyos@vyos# set vpn ipsec site-to-site peer 52.18.245.190 tunnel 1 disable
[edit]
vyos@vyos# set vpn ipsec site-to-site peer 52.30.105.23 tunnel 1 disable
[edit]
vyos@vyos# commit
[ vpn ipsec site-to-site peer 52.18.245.190 vti ]
VPN configuration error: Both Vti and tunnel(s) configured for peer "52.18.245.190
[[vpn]] failed
Commit failed

#4

The “tunnel 1” refers to an actual tunnel that’s configured not in vti mode. It appears that it’s not able to be disabled in that area of the config when using vti, but I think that it should be allowed.

Line 479 in /opt/vyatta/sbin/vpn-config.pl implies that it should allow for disabling vti using “set ipsec site-to-site peer vti disable”.


#5

@jl3128,

There doesn’t seem to be a ‘disable’ option:

vyos@vyos# set vpn ipsec site-to-site peer 52.18.245.190 vti
Possible completions:
   bind         VTI tunnel interface associated with this configuration [REQUIRED]
   esp-group    ESP group name [REQUIRED]


[edit]
vyos@vyos#

Running vyos 1.1.6.


#6

If you are using a vti interface with IPsec, just disable the vti interface :slight_smile:

It works; IPsec still “sees” the vti interface, but the vti is administratively disabled (status A/D).


#7

Yep, this worked! As I use BGP, I have to disable both interfaces, of course. :slight_smile:

R.


#8

For future generations - the command to re-enable a vti which was disabled with

is:
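As an added example that is not part of this thread: the approach from #6 and #7 (administratively disabling the vti interfaces rather than the IPsec peers) can be scripted from a `show configuration commands` dump, so that each peer is mapped to the vti it is bound to and only the interfaces that actually need toggling are touched. The config text, peer addresses and the `delete interfaces vti ... disable` re-enable command are assumptions made for this example; run the emitted commands in VyOS configure mode yourself.

```python
import re

# Constructed sample of `show configuration commands` output for an AWS VPC
# VPN with two tunnels. Addresses are placeholders, not the thread's peers.
# vti1 is already disabled to show that the generator is idempotent.
SAMPLE_CONFIG = """\
set interfaces vti vti0 address '169.254.0.2/30'
set interfaces vti vti0 description 'AWS tunnel 1'
set interfaces vti vti1 address '169.254.0.6/30'
set interfaces vti vti1 disable
set protocols bgp 65000 neighbor 169.254.0.1 remote-as '7224'
set protocols bgp 65000 neighbor 169.254.0.5 remote-as '7224'
set vpn ipsec site-to-site peer 192.0.2.10 vti bind 'vti0'
set vpn ipsec site-to-site peer 192.0.2.10 vti esp-group 'AWS'
set vpn ipsec site-to-site peer 192.0.2.20 vti bind 'vti1'
set vpn ipsec site-to-site peer 192.0.2.20 vti esp-group 'AWS'
"""

BIND_RE = re.compile(r"^set vpn ipsec site-to-site peer (\S+) vti bind (\S+)$")
DISABLED_RE = re.compile(r"^set interfaces vti (\S+) disable$")


def peer_vtis(config):
    """Map each IPsec peer address to the vti interface it is bound to."""
    binds = {}
    for line in config.splitlines():
        m = BIND_RE.match(line.strip())
        if m:
            binds[m.group(1)] = m.group(2).strip("'")
    return binds


def disabled_vtis(config):
    """Set of vti interfaces that already carry the 'disable' node."""
    down = set()
    for line in config.splitlines():
        m = DISABLED_RE.match(line.strip())
        if m:
            down.add(m.group(1))
    return down


def vti_toggle_commands(config, enable):
    """Configure-mode commands to bring every peer's vti up (enable=True)
    or down (enable=False), skipping interfaces already in that state.
    Assumes the VyOS idiom: 'set ... disable' / 'delete ... disable'."""
    down = disabled_vtis(config)
    cmds = []
    for peer, vti in sorted(peer_vtis(config).items()):
        if enable and vti in down:
            cmds.append(f"delete interfaces vti {vti} disable")
        elif not enable and vti not in down:
            cmds.append(f"set interfaces vti {vti} disable")
    if cmds:
        cmds += ["commit", "save"]   # nothing to commit if all are in state
    return cmds
```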