IPsec site-to-site with WAN load balancing not routing

We have a site-to-site VPN which was working correctly before we applied a load-balancing config to it.

From my understanding, the PBR of the load balancing is bypassing the routes that the IPsec config added. (Pinging the remote end from within VyOS works.)

We've tried adding an exclude rule to load balancing:

show load-balancing wan rule 130
 destination {
     address [REMOTE SUBNET]
 }
 inbound-interface eth1
 interface [wan1 - wan for vpn] {
     weight 1
 }
 protocol all



show load-balancing wan rule 500
 inbound-interface eth1
 interface [wan1] {
     weight 20
 }
 interface [wan2] {
     weight 10
 }
 protocol all

This didn't work.

We've tried doing something similar using normal policy routes, but that did not work either.

Any suggestions are appreciated.
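Added example, not the original poster's configuration: rule 130 as shown above has no `exclude` keyword, so it is still an ordinary load-balancing rule that happens to have a single interface, and matching packets are still marked and source-NATed by the WAN load balancer. With `exclude` set, packets that match the rule skip the load-balancing PBR and NAT entirely and fall through to the normal routing table and the IPsec policy, which is what the VPN traffic needs. The fragment below assumes VyOS 1.2/1.3 `set` syntax, eth1 as the LAN interface, eth0 and eth2 as wan1 and wan2, and 192.0.2.0/24 as the remote subnet; substitute your own values.

```vyos
# Added example (not the poster's config). Assumes VyOS 1.2/1.3 syntax,
# eth1 = LAN, eth0 = wan1, eth2 = wan2, 192.0.2.0/24 = remote IPsec subnet.

# Rules are evaluated lowest number first, so the exclude rule must have a
# lower number than the catch-all balancing rule.
set load-balancing wan rule 130 exclude
set load-balancing wan rule 130 inbound-interface eth1
set load-balancing wan rule 130 destination address 192.0.2.0/24
set load-balancing wan rule 130 protocol all

# Catch-all: everything else from the LAN is balanced 2:1 across the uplinks.
set load-balancing wan rule 500 inbound-interface eth1
set load-balancing wan rule 500 interface eth0 weight 20
set load-balancing wan rule 500 interface eth2 weight 10
set load-balancing wan rule 500 protocol all

commit
save
```

To check it took effect, `show load-balancing wan rule 130` should now list `exclude`, and a ping from a LAN host (not from the router itself) to the remote subnet should succeed, since local traffic is not subject to the load-balancing rules in the first place. Note that `disable-source-nat` under `load-balancing wan` is global, so it is not a substitute for a per-rule exclude when the other rules still need NAT.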

I managed to cope with this problem by using GRE/IPsec.

I added a GRE interface to the load balancing with another rule for the remote subnet:

rule 10 {
    destination {
        address [remote network]
    }
    inbound-interface [LAN interface]
    interface [gre interface] {
        weight 1
    }
    protocol all
}

Load balancing uses NAT on all interfaces by default, so in order to exclude GRE traffic from NAT I used iptables: