I don't know why I have to send a ping to the VTI interface first

Hello,

I have 3 VyOS routers.
VyOS version: 1.2.7

VYOS1 <-> VYOS3: I must send a ping to the VTI first for network communication.
172.16.10.0/23 <-> 10.31.254.0/24
There is no network communication between the two IP ranges.

However, once VyOS sends a ping to the vti91 interface, from then on
communication between the above CIDR ranges is possible.

This issue also causes all networks to fail if a session with lifetime 28800 is lost.
If I send a ping to the VTI again, I can communicate.
I don't know why I have to send a ping to the VTI first.

VYOS1 <-> VYOS2 does not have this problem at all.
It occurs only between VYOS1 <-> VYOS3.

Here is my configuration.

VYOS1: 9.9.9.9
VYOS2: 1.1.1.1
VYOS3: 2.2.2.2

[VYOS1 - configuration]
set interfaces vti vti91 address '169.254.255.14/30'
set interfaces vti vti91 mtu '1436'
set interfaces vti vti99 address '169.254.255.10/30'
set interfaces vti vti99 mtu '1436'

set protocols static route 10.41.0.0/16 next-hop 169.254.255.9
set protocols static route 172.16.10.0/23 next-hop 169.254.255.13

set vpn ipsec esp-group ESP-ovhCA compression 'disable'
set vpn ipsec esp-group ESP-ovhCA lifetime '3600'
set vpn ipsec esp-group ESP-ovhCA mode 'tunnel'
set vpn ipsec esp-group ESP-ovhCA pfs 'dh-group2'
set vpn ipsec esp-group ESP-ovhCA proposal 10 encryption 'aes128'
set vpn ipsec esp-group ESP-ovhCA proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-ovhCA close-action 'none'
set vpn ipsec ike-group IKE-ovhCA dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-ovhCA dead-peer-detection interval '15'
set vpn ipsec ike-group IKE-ovhCA dead-peer-detection timeout '45'
set vpn ipsec ike-group IKE-ovhCA ikev2-reauth 'no'
set vpn ipsec ike-group IKE-ovhCA key-exchange 'ikev2'
set vpn ipsec ike-group IKE-ovhCA lifetime '28800'
set vpn ipsec ike-group IKE-ovhCA mobike 'disable'
set vpn ipsec ike-group IKE-ovhCA proposal 10 dh-group '2'
set vpn ipsec ike-group IKE-ovhCA proposal 10 encryption 'aes128'
set vpn ipsec ike-group IKE-ovhCA proposal 10 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-level '1'
set vpn ipsec logging log-modes 'any'
set vpn ipsec site-to-site peer 1.1.1.1 authentication id '9.9.9.9'
set vpn ipsec site-to-site peer 1.1.1.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 1.1.1.1 authentication pre-shared-secret ''
set vpn ipsec site-to-site peer 1.1.1.1 authentication remote-id '1.1.1.1'
set vpn ipsec site-to-site peer 1.1.1.1 connection-type 'initiate'
set vpn ipsec site-to-site peer 1.1.1.1 ike-group 'IKE-ovhCA'
set vpn ipsec site-to-site peer 1.1.1.1 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 1.1.1.1 local-address '9.9.9.9'
set vpn ipsec site-to-site peer 1.1.1.1 vti bind 'vti99'
set vpn ipsec site-to-site peer 1.1.1.1 vti esp-group 'ESP-ovhCA'
set vpn ipsec site-to-site peer 2.2.2.2 authentication id '9.9.9.9'
set vpn ipsec site-to-site peer 2.2.2.2 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret ''
set vpn ipsec site-to-site peer 2.2.2.2 authentication remote-id '2.2.2.2'
set vpn ipsec site-to-site peer 2.2.2.2 connection-type 'initiate'
set vpn ipsec site-to-site peer 2.2.2.2 ike-group 'IKE-ovhCA'
set vpn ipsec site-to-site peer 2.2.2.2 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 2.2.2.2 local-address '9.9.9.9'
set vpn ipsec site-to-site peer 2.2.2.2 vti bind 'vti91'
set vpn ipsec site-to-site peer 2.2.2.2 vti esp-group 'ESP-ovhCA'

[VYOS1 - route]
S>* 10.41.0.0/16 [1/0] via 169.254.255.9, vti99, 00:18:52
C>* 169.254.255.8/30 is directly connected, vti99, 00:18:52
C>* 169.254.255.12/30 is directly connected, vti91, 00:18:52
S>* 172.16.10.0/23 [1/0] via 169.254.255.13, vti91, 00:18:52

sh vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
1.1.1.1                                 9.9.9.9

    State  IKEVer  Encrypt  Hash        D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----        ---------      -----  ------  ------
    up     IKEv2   aes128   sha256_128  2(MODP_1024)   no     3600    28800

Peer ID / IP                            Local ID / IP
------------                            -------------
2.2.2.2                                 9.9.9.9

    State  IKEVer  Encrypt  Hash        D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----        ---------      -----  ------  ------
    up     IKEv2   aes128   sha256_128  2(MODP_1024)   no     3600    28800

[VYOS3 - configuration]
set interfaces vti vti91 address '169.254.255.13/30'
set interfaces vti vti91 mtu '1436'

set protocols static route 10.31.254.0/24 next-hop 169.254.255.14

set vpn ipsec disable-uniqreqids
set vpn ipsec esp-group ESP-ConstantCA compression 'disable'
set vpn ipsec esp-group ESP-ConstantCA lifetime '3600'
set vpn ipsec esp-group ESP-ConstantCA mode 'tunnel'
set vpn ipsec esp-group ESP-ConstantCA pfs 'dh-group2'
set vpn ipsec esp-group ESP-ConstantCA proposal 10 encryption 'aes128'
set vpn ipsec esp-group ESP-ConstantCA proposal 10 hash 'sha256'
set vpn ipsec ike-group IKE-ConstantCA close-action 'none'
set vpn ipsec ike-group IKE-ConstantCA dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-ConstantCA dead-peer-detection interval '15'
set vpn ipsec ike-group IKE-ConstantCA dead-peer-detection timeout '45'
set vpn ipsec ike-group IKE-ConstantCA ikev2-reauth 'no'
set vpn ipsec ike-group IKE-ConstantCA key-exchange 'ikev2'
set vpn ipsec ike-group IKE-ConstantCA lifetime '28800'
set vpn ipsec ike-group IKE-ConstantCA mobike 'disable'
set vpn ipsec ike-group IKE-ConstantCA proposal 10 dh-group '2'
set vpn ipsec ike-group IKE-ConstantCA proposal 10 encryption 'aes128'
set vpn ipsec ike-group IKE-ConstantCA proposal 10 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-level '1'
set vpn ipsec logging log-modes 'any'
set vpn ipsec site-to-site peer 9.9.9.9 authentication id '2.2.2.2'
set vpn ipsec site-to-site peer 9.9.9.9 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 9.9.9.9 authentication pre-shared-secret '**********'
set vpn ipsec site-to-site peer 9.9.9.9 authentication remote-id '9.9.9.9'
set vpn ipsec site-to-site peer 9.9.9.9 connection-type 'initiate'
set vpn ipsec site-to-site peer 9.9.9.9 ike-group 'IKE-ConstantCA'
set vpn ipsec site-to-site peer 9.9.9.9 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 9.9.9.9 local-address '2.2.2.2'
set vpn ipsec site-to-site peer 9.9.9.9 vti bind 'vti91'
set vpn ipsec site-to-site peer 9.9.9.9 vti esp-group 'ESP-ConstantCA'

sh ip route
S>* 10.31.254.0/24 [1/0] via 169.254.255.14, vti91, 01:06:06
C>* 169.254.255.12/30 is directly connected, vti91, 01:06:06

Hello.
I apologize for the long answer.
There may be a problem with using a link-local address for the VTI interface. From RFC 3927:

1.4. Application Layer Protocol Considerations

Use of IPv4 Link-Local addresses in off-link communication is likely
to cause application failures. This can occur within any application
that includes embedded addresses, if an IPv4 Link-Local address is
embedded when communicating with a host that is not on the link.
Examples of applications that embed addresses include IPsec, Kerberos
4/5, FTP, RSVP, SMTP, SIP, X-Windows/Xterm/Telnet, Real Audio, H.323,
and SNMP [RFC3027].

Try using private IP address ranges for the VTI interface.

Best regards, Volodymyr Rybak
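As an added example (not code from the thread, the answer above, or VyOS itself), here is a small Python checker for the VTI addressing the answer points at. It parses the `set interfaces vti ... address` and `set protocols static route ... next-hop` lines from two routers, flags any VTI address inside 169.254.0.0/16 (RFC 3927 link-local), checks that both ends of a VTI share one /30 with distinct addresses and that static routes over a VTI point at the far end's address, and rewrites a pair onto an RFC 1918 /30. The sample dumps are constructed from the VYOS1 <-> VYOS3 lines in the thread; the replacement 10.255.91.0/30 and the `audit`/`readdress` names are assumptions for the example.

```python
"""Audit VTI addressing in VyOS 'set' configuration dumps.

Added example, not code from the thread or from VyOS: it parses the
'set interfaces vti ... address' and 'set protocols static route ... next-hop'
lines from two routers, flags link-local VTI addresses (169.254.0.0/16,
RFC 3927), checks that both ends of a VTI share one /30 and that static
routes over a VTI point at the far end, and rewrites a pair onto an
RFC 1918 /30 of your choosing.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 IPv4 link-local
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
VTI_RE = re.compile(r"^set interfaces vti (\S+) address '?([\d./]+)'?$")
ROUTE_RE = re.compile(r"^set protocols static route (\S+) next-hop '?([\d.]+)'?$")

Vtis = Dict[str, ipaddress.IPv4Interface]
Routes = Dict[str, ipaddress.IPv4Address]


def parse(config: str) -> Tuple[Vtis, Routes]:
    """Return {vti name: interface address} and {prefix: next-hop} from 'set' lines."""
    vtis: Vtis = {}
    routes: Routes = {}
    for raw in config.splitlines():
        # Paste tools turn ' into curly quotes, as in the thread; normalise first.
        line = raw.strip().replace("\u2018", "'").replace("\u2019", "'")
        if m := VTI_RE.match(line):
            vtis[m.group(1)] = ipaddress.ip_interface(m.group(2))
        elif m := ROUTE_RE.match(line):
            routes[m.group(1)] = ipaddress.ip_address(m.group(2))
    return vtis, routes


def audit(local_cfg: str, remote_cfg: str) -> List[str]:
    """Findings about the VTI pairing between two routers; empty means it looks sane."""
    findings: List[str] = []
    lv, lr = parse(local_cfg)
    rv, rr = parse(remote_cfg)

    # 1. Link-local addresses on a VTI, the concern raised in the answer above.
    for side, vtis in (("local", lv), ("remote", rv)):
        for name, iface in vtis.items():
            if iface.ip in LINK_LOCAL:
                findings.append(f"{side} {name}: {iface} is RFC 3927 link-local; use an RFC 1918 /30")

    # 2. Both ends of a VTI with the same name must sit in one subnet with distinct addresses.
    for name in sorted(set(lv) & set(rv)):
        a, b = lv[name], rv[name]
        if a.network != b.network:
            findings.append(f"{name}: ends are in different subnets ({a.network} vs {b.network})")
        elif a.ip == b.ip:
            findings.append(f"{name}: both ends use the same address {a.ip}")

    # 3. A static route whose next-hop lies inside a VTI subnet must name the far end's address.
    for side, routes, own, far in (("local", lr, lv, rv), ("remote", rr, rv, lv)):
        for prefix, nh in routes.items():
            for name, iface in own.items():
                if nh in iface.network and name in far and nh != far[name].ip:
                    findings.append(f"{side} route {prefix}: next-hop {nh} is not the far end of {name} ({far[name].ip})")
    return findings


def readdress(config: str, mapping: Dict[str, str]) -> str:
    """Rewrite every IP listed in `mapping` (old -> new) across the dump; prefix lengths are kept."""
    return IP_RE.sub(lambda m: mapping.get(m.group(1), m.group(1)), config)


# Constructed from the VYOS1 <-> VYOS3 lines in the thread (vti91); not live device output.
VYOS1 = """\
set interfaces vti vti91 address '169.254.255.14/30'
set interfaces vti vti91 mtu '1436'
set interfaces vti vti99 address '169.254.255.10/30'
set protocols static route 10.41.0.0/16 next-hop 169.254.255.9
set protocols static route 172.16.10.0/23 next-hop 169.254.255.13
set vpn ipsec site-to-site peer 2.2.2.2 vti bind 'vti91'
"""
VYOS3 = """\
set interfaces vti vti91 address '169.254.255.13/30'
set protocols static route 10.31.254.0/24 next-hop 169.254.255.14
set vpn ipsec site-to-site peer 9.9.9.9 vti bind 'vti91'
"""
# Assumed replacement: an RFC 1918 /30 unused on both sides (10.255.91.0/30 here).
NEW_VTI91 = {"169.254.255.14": "10.255.91.2", "169.254.255.13": "10.255.91.1"}

if __name__ == "__main__":
    print("before:", *audit(VYOS1, VYOS3), sep="\n  ")
    fixed1, fixed3 = readdress(VYOS1, NEW_VTI91), readdress(VYOS3, NEW_VTI91)
    print("after: ", *audit(fixed1, fixed3), sep="\n  ")
    print(fixed1 + fixed3)
```

Run it as-is and the first report lists the three link-local VTI addresses from the thread; after `readdress` only vti99 (the VYOS1 <-> VYOS2 link, which the mapping does not touch) is still flagged, and the rewritten `set` lines can be pasted into `configure` on each router. The route check is there because readdressing one end without the matching `next-hop` change is the easiest way to break the pair.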

Nice. That's what I was thinking too... but I'm not very experienced lol.