IPSEC Tunnel more than one subnet


#1

Hi,

I just wanted to know how to solve the following scenario.

Is it possible to route more than two subnets, for example 10.10.1.0/24 and 10.10.2.0/24, over one IPsec tunnel?

Right now I solved this by just adding a second tunnel to the IPsec peer.
But as I know from other solutions, you just have to establish an IPsec peer, and once it is established you can just work with static routes.

But with VyOS the last option seems impossible.

best regards
Jean


#2

Hi,

[quote]But as I know from other solutions, you just have to establish an IPsec peer, and once it is established you can just work with static routes.

But with VyOS the last option seems impossible.[/quote]

This is very strange, because I have one static tunnel to another site (classic site-to-site connection) and I have no problem routing multiple subnets (I'm using static and OSPF routes). Maybe you have a wrong configuration of IPsec, or of the subnet??

For example, I route:

SITE A
Subnet: 192.168.6.0/24, 192.168.10.0/24
SITE B:
Subnet: 192.168.1.0/24, 192.168.16.0/22, 192.168.209.0/24 etc.

via one VTI (with IPsec) tunnel.


#3

Hi Biedron,

I just tried it again. I have an established IPsec tunnel.
I added a static route,

but I can't ping the second subnet.

ping 10.10.200.1
PING 10.10.200.1 (10.10.200.1) 56(84) bytes of data.
From 13.195.155.114 icmp_seq=1 Destination Host Unreachable

By doing a traceroute I can see that VyOS is trying to route the subnet externally and not through the tunnel.
Do I have to edit the NAT rule or something else?

show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route

S>* 0.0.0.0/0 [1/0] via 13.195.155.114, eth0
S>* 10.10.200.0/24 [1/0] via 192.168.10.254 (recursive is directly connected, eth0)
C>* 127.0.0.0/8 is directly connected, lo
K>* 192.168.10.0/24 is directly connected, eth0
C>* 192.168.30.0/24 is directly connected, eth1
C>* 13.195.155.114/27 is directly connected, eth0

Which version of VyOS are you using?

best regards
jean


#4

Hi,

First, can you ping the eth1 address on the VyOS site and on the Cisco site?
Second (if they can ping each other), show me the static config on VyOS and on Cisco.

best regards,
jean


#5

Hi,

Yes, I can ping both sides, from VyOS to Cisco and back.

show protocols static
route 10.10.200.0/24 {
    next-hop 192.168.10.254 {
    }
}

[edit]

The Cisco setting is not available to me, because it's on the customer's site. But the routing on the Cisco site is 100% right.
And by debugging we could not see any packet when trying to ping from VyOS to 10.10.200.254.

ping 10.10.200.1
PING 10.10.200.1 (10.10.200.1) 56(84) bytes of data.
From 13.195.155.114 icmp_seq=1 Destination Host Unreachable

best regards
jean


#6

According to this:

S>* 10.10.200.0/24 [1/0] via 192.168.10.254 (recursive is directly connected, eth0)
K>* 192.168.10.0/24 is directly connected, eth0

10.10.200.0/24 is routed to 192.168.10.254 and
192.168.10.0/24 is directly connected on eth0.

So I see no reason why your VyOS should send 10.10.200.0/24 on your IPsec tunnel.
Perhaps you could post the remaining config details?
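The diagnosis in this reply can be checked mechanically: do a longest-prefix-match lookup on the posted "show ip route" table and see which interface the chosen route leaves on. The following script is an added example, not code from the thread or from VyOS; it parses the route lines posted in #3 (embedded below as constructed input) and, for comparison, a second constructed table showing what the lookup returns once the remote subnets are routed onto a VTI interface as described in #2 (the vti0 interface, its 10.255.0.0/30 transit network and the 10.10.1.0/24 route in that second table are assumptions, not from the thread).

```python
import ipaddress
import re

# Constructed input: the "show ip route" lines posted in #3 of this thread.
ROUTE_TABLE_POSTED = """\
S>* 0.0.0.0/0 [1/0] via 13.195.155.114, eth0
S>* 10.10.200.0/24 [1/0] via 192.168.10.254 (recursive is directly connected, eth0)
C>* 127.0.0.0/8 is directly connected, lo
K>* 192.168.10.0/24 is directly connected, eth0
C>* 192.168.30.0/24 is directly connected, eth1
C>* 13.195.155.114/27 is directly connected, eth0
"""

# Constructed input (hypothetical): the same box after the remote subnets are
# routed onto a VTI interface (vti0 and its transit net are assumed values).
ROUTE_TABLE_VTI = """\
S>* 0.0.0.0/0 [1/0] via 13.195.155.114, eth0
S>* 10.10.200.0/24 [1/0] is directly connected, vti0
S>* 10.10.1.0/24 [1/0] is directly connected, vti0
C>* 10.255.0.0/30 is directly connected, vti0
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.30.0/24 is directly connected, eth1
C>* 13.195.155.114/27 is directly connected, eth0
"""

# One route line: "<code>>* <prefix> [<distance>/<metric>] <rest>"; the
# "[d/m]" part is absent on connected/kernel routes.
ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Z])>\*\s+(?P<prefix>\S+)\s+(?:\[[^\]]+\]\s+)?(?P<rest>.*)$"
)


def parse_routes(table_text):
    """Turn 'show ip route' output into route dicts; headers and blanks are skipped."""
    routes = []
    for line in table_text.splitlines():
        m = ROUTE_LINE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        # The egress interface is always the last comma-separated token,
        # possibly wrapped in the "(recursive ... , eth0)" annotation.
        iface = rest.rsplit(",", 1)[-1].strip().rstrip(")")
        nh = re.search(r"via ([^\s,]+)", rest)
        routes.append({
            "code": m.group("code"),
            "prefix": m.group("prefix"),
            "network": ipaddress.ip_network(m.group("prefix"), strict=False),
            "next_hop": nh.group(1) if nh else None,
            "iface": iface,
        })
    return routes


def lookup_route(table_text, dest):
    """Longest-prefix match: the route the kernel picks for dest, or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for r in parse_routes(table_text):
        if addr in r["network"] and (
            best is None or r["network"].prefixlen > best["network"].prefixlen
        ):
            best = r
    return best


def uses_tunnel(table_text, dest):
    """True when the selected route leaves via a VTI (tunnel) interface."""
    r = lookup_route(table_text, dest)
    return r is not None and r["iface"].startswith("vti")


def explain(table_text, dest):
    """Human-readable verdict for one destination against one route table."""
    r = lookup_route(table_text, dest)
    if r is None:
        return f"{dest}: no route"
    via = f"via {r['next_hop']} " if r["next_hop"] else ""
    where = "enters the IPsec tunnel" if uses_tunnel(table_text, dest) else "does NOT enter the tunnel"
    return f"{dest}: matched {r['prefix']} {via}on {r['iface']} -> {where}"


if __name__ == "__main__":
    print("posted table:")
    print("  " + explain(ROUTE_TABLE_POSTED, "10.10.200.1"))
    print("with VTI routes:")
    print("  " + explain(ROUTE_TABLE_VTI, "10.10.200.1"))
    print("  " + explain(ROUTE_TABLE_VTI, "10.10.1.7"))
```

Run against the posted table, the 10.10.200.0/24 route resolves to next-hop 192.168.10.254 on eth0, i.e. the LAN-side physical interface, which is exactly why a traceroute shows the packets leaving the box instead of the tunnel. With a policy-based (non-VTI) IPsec setup only traffic matching a tunnel's traffic selectors is encrypted, so a static route alone cannot pull an extra subnet into the tunnel; binding the peer to a VTI and pointing the routes at that interface (second table) is what makes "one tunnel, many subnets via static routes" work.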


#7

What do you think the problem is? I can't follow your question.
Is there something missing?

Could you post your route output and config?

As I said, the tunnel is working perfectly. I have the NAT settings correct and the firewall also.
I was forced to change the config back to the two-tunnel mode so I can reach both subnets through IPsec.

By setting a protocols static route, I get these results.

S>* 0.0.0.0/0 [1/0] via 13.195.155.114, eth0
S>* 10.10.200.0/24 [1/0] via 192.168.10.254 (recursive is directly connected, eth0)
C>* 127.0.0.0/8 is directly connected, lo
K>* 192.168.10.0/24 is directly connected, eth0
C>* 192.168.30.0/24 is directly connected, eth1
C>* 13.195.155.114/27 is directly connected, eth0

many thanks


#8

You don’t give enough info on your config. You should post the entire conf, and what works/does not work.