I'm trying to configure IPsec on a VyOS 1.2.4 VRRP cluster.
My problem is that the traffic initiating IKEv1 to AWS goes out from the local IP instead of the VRRP VIP. I am setting the local address of the IPsec peer to the VRRP VIP and not the local address, but when I tcpdump it, the traffic is still initiating to AWS from the local IP.
VRRP looks like this:
set high-availability vrrp group VLAN_768 description 'VLAN_768 Currently not VLAN tagging this main public side transit VLAN'
set high-availability vrrp group VLAN_768 hello-source-address '63.199.170.235'
set high-availability vrrp group VLAN_768 interface 'bond1'
set high-availability vrrp group VLAN_768 no-preempt
set high-availability vrrp group VLAN_768 priority '254'
set high-availability vrrp group VLAN_768 virtual-address '63.199.170.237/29'
set high-availability vrrp group VLAN_768 vrid '1'
set high-availability vrrp sync-group MainSyncGroup member 'VLAN_768'
IPsec looks like this:
set vpn ipsec site-to-site peer 99.88.77.66 connection-type 'initiate'
set vpn ipsec site-to-site peer 99.88.77.66 description 'SRS-32846_AWS_slt_main_1'
set vpn ipsec site-to-site peer 99.88.77.66 ike-group 'aws-sr'
set vpn ipsec site-to-site peer 99.88.77.66 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 99.88.77.66 local-address '63.199.170.237'
set vpn ipsec site-to-site peer 99.88.77.66 vti bind 'vti0'
set vpn ipsec site-to-site peer 99.88.77.66 vti esp-group 'aws-sr'
tcpdump looks like this:
22:42:46.925570 IP 63.199.170.235.500 > 99.88.77.66.500: isakmp: phase 1 I ident
Would cluster be a better choice than VRRP, or is there a way to make this work with VRRP?
Any help appreciated. Thanks.
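As an added example (not part of the original post, and not VyOS code), here is a small Python check for the symptom described above. It parses the posted VyOS 'set' lines for each peer's configured local-address and for the VRRP virtual-address, parses tcpdump's isakmp lines, and reports every IKE packet whose source address differs from the local-address the peer is configured with, noting whether the expected address is a VRRP VIP. The config and capture lines embedded in it are constructed from the post's own values; the script only compares what is configured against what is on the wire and does not diagnose why they differ.

```python
"""Compare configured IPsec local-address against the IKE source seen in tcpdump.

Added example, not from the VyOS forum post. The VYOS_CONFIG and TCPDUMP
strings below are constructed samples built from the values in the post.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the relevant VyOS 'set' lines from the post.
VYOS_CONFIG = """
set high-availability vrrp group VLAN_768 hello-source-address '63.199.170.235'
set high-availability vrrp group VLAN_768 virtual-address '63.199.170.237/29'
set vpn ipsec site-to-site peer 99.88.77.66 connection-type 'initiate'
set vpn ipsec site-to-site peer 99.88.77.66 local-address '63.199.170.237'
"""

# Constructed sample: one tcpdump -n line in the same shape as the post's capture.
TCPDUMP = """
22:42:46.925570 IP 63.199.170.235.500 > 99.88.77.66.500: isakmp: phase 1 I ident
"""

PEER_LOCAL_RE = re.compile(
    r"^set vpn ipsec site-to-site peer (\S+) local-address '([^']+)'$"
)
VRRP_VIP_RE = re.compile(
    r"^set high-availability vrrp group \S+ virtual-address '([^'/]+)(?:/\d+)?'$"
)
# "<timestamp> IP <src>.<sport> > <dst>.<dport>: isakmp ..." ; the optional
# "NONESP-encap: " prefix covers IKE carried over UDP/4500 (NAT-T).
ISAKMP_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"(?:NONESP-encap: )?isakmp"
)


def _lines(text: str) -> List[str]:
    """Split text into non-empty lines, normalising curly quotes pasted from a forum."""
    text = text.replace("\u2018", "'").replace("\u2019", "'")
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def parse_peer_local_addresses(config: str) -> Dict[str, str]:
    """Map each site-to-site peer address to its configured local-address."""
    peers: Dict[str, str] = {}
    for line in _lines(config):
        m = PEER_LOCAL_RE.match(line)
        if m:
            peers[m.group(1)] = m.group(2)
    return peers


def parse_vrrp_vips(config: str) -> Set[str]:
    """Collect VRRP virtual addresses, with any prefix length stripped."""
    return {m.group(1) for m in map(VRRP_VIP_RE.match, _lines(config)) if m}


def parse_isakmp(tcpdump: str) -> List[Tuple[str, int, str, int]]:
    """Return (src, sport, dst, dport) for every isakmp line in a tcpdump capture."""
    flows = []
    for line in _lines(tcpdump):
        m = ISAKMP_RE.match(line)
        if m:
            flows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows


def find_mismatches(config: str, tcpdump: str) -> List[dict]:
    """Report IKE packets to a configured peer whose source is not that peer's local-address."""
    peers = parse_peer_local_addresses(config)
    vips = parse_vrrp_vips(config)
    mismatches = []
    for src, _sport, dst, _dport in parse_isakmp(tcpdump):
        expected = peers.get(dst)
        if expected is None or src == expected:
            continue  # not one of our peers, or already sourced correctly
        mismatches.append({
            "peer": dst,
            "expected": expected,
            "actual": src,
            "expected_is_vip": expected in vips,
        })
    return mismatches


if __name__ == "__main__":
    for m in find_mismatches(VYOS_CONFIG, TCPDUMP):
        print(f"peer {m['peer']}: IKE sourced from {m['actual']}, "
              f"local-address is {m['expected']} (VRRP VIP: {m['expected_is_vip']})")
```

Run it against `show configuration commands` output and a `tcpdump -ni bond1 udp port 500 or udp port 4500` capture to get a one-line confirmation of which peers are still initiating from the interface address rather than from the configured local-address.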