IPSec VPN with VTI breaks routing


#1

Version: VyOS 999.201706062137
Built by: autobuild@vyos.net
Built on: Tue 06 Jun 2017 21:37 UTC
Build ID: 06e22192-ecfe-49d0-82a9-83b17e6af6ca

The moment I bring up an IPSec VPN (using VTIs in my case) I lose all access to my router except on the interface that has the default route.

If I check the rules I see StrongSwan adds its own table:

# ip rule ls
0:      from all lookup local
220:    from all lookup 220      <-- StrongSwan
32766:  from all lookup main
32767:  from all lookup default

If I query that specific table I see:

# ip route list table special
default via 1.2.3.4 dev eth0 proto static

Because that’s a default rule, and because the priority is higher than the main table, it matches all traffic and sends it out the external interface instead of to the correct internal interface.

If I edit /etc/strongswan.conf and add “install_routes = no” to the config, everything works as it does with version 1.1.7.

charon {
    load_modular = yes
    install_routes = no
    plugins {
        include strongswan.d/charon/*.conf
    }
}

This specific issue is a part of the larger issue documented here: https://phabricator.vyos.net/T137

That task is listed as resolved, but it looks like the only change was to fix the ikey/okey issue and not the StrongSwan configuration problem.

Is there some VyOS configuration option I should be setting to stop StrongSwan from doing this? (or is there possibly something wrong with my existing configuration that might be causing this?)


#2

To add to this:

“show ip route table” does not show the policy routing table created by StrongSwan:

$ show ip route table
Possible completions:
  <1-200>    Show IP routes in policy table

(and even if you do specify 220 the StrongSwan table does not show up).

Also, “show policy” does not show that table either.

If StrongSwan is supposed to be able to create a policy table, then there should be a way to view it from within the VyOS CLI instead of having to jump out to Linux itself.