Version: VyOS 999.201706062137
Built by: autobuild@vyos.net
Built on: Tue 06 Jun 2017 21:37 UTC
Build ID: 06e22192-ecfe-49d0-82a9-83b17e6af6ca
The moment I bring up an IPSec VPN (using VTIs in my case) I lose all access to my router except on the interface that has the default route.
If I check the rules I see StrongSwan adds its own table:
# ip rule ls
0: from all lookup local
220: from all lookup 220 <-- StrongSwan
32766: from all lookup main
32767: from all lookup default
If I query that specific table I see:
# ip route list table special
default via 1.2.3.4 dev eth0 proto static
Because that’s a default rule, and because the priority is higher than the main table, it matches all traffic and sends it out the external interface instead of to the correct internal interface.
If I edit /etc/strongswan.conf and add “install_routes = no” to the config, everything works as it does with version 1.1.7.
charon {
    load_modular = yes
    install_routes = no
    plugins {
        include strongswan.d/charon/*.conf
    }
}
This specific issue is a part of the larger issue documented here: T137 IPSec s2s issue in daily build - VPN traffic works, but all other traffic is broken ...
That task is listed as resolved, but it looks like the only change was to fix the ikey/okey issue and not the StrongSwan configuration problem.
Is there some VyOS configuration option I should be setting to stop StrongSwan from doing this? (or is there possibly something wrong with my existing configuration that might be causing this?)
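As an added example (not part of the post above), a small POSIX shell check that reproduces the diagnosis the post walks through: it flags when a "from all" policy rule that sorts before the main table points at a routing table containing a default route, which is exactly the condition that steals non-VPN traffic. The sample rule and route lines are constructed from the output quoted in the post; the function name and the live-use command line are assumptions.

```shell
# Constructed sample, modelled on the "ip rule ls" output quoted in the post.
SAMPLE_RULES='0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default'

# Constructed sample of "ip route list table 220" from the post.
SAMPLE_TABLE_220='default via 1.2.3.4 dev eth0 proto static'

# check_default_shadowed RULES ROUTES TABLE
#   RULES : text of "ip rule ls"
#   ROUTES: text of "ip route list table TABLE"
#   TABLE : table id to inspect (220 for the StrongSwan-installed table)
# Returns 0 when a "from all" rule for TABLE has a lower (earlier) priority
# number than the rule for main AND that table holds a default route;
# returns 1 otherwise.
check_default_shadowed() {
  rules=$1; routes=$2; table=$3
  main_prio=$(printf '%s\n' "$rules" \
    | awk '/lookup main/ { sub(":", "", $1); print $1 }' | head -n 1)
  tbl_prio=$(printf '%s\n' "$rules" \
    | awk -v t="$table" '/from all/ && $NF == t { sub(":", "", $1); print $1 }' | head -n 1)
  # No matching rule, or no main rule: nothing can be shadowed.
  [ -n "$main_prio" ] && [ -n "$tbl_prio" ] || return 1
  # Policy rules are evaluated in ascending priority order.
  [ "$tbl_prio" -lt "$main_prio" ] || return 1
  # Only a default route in the earlier table swallows all traffic.
  printf '%s\n' "$routes" | grep -q '^default ' || return 1
  return 0
}

# Run against the constructed sample (for a live box: replace the samples with
# "$(ip rule ls)" and "$(ip route list table 220)"; assumed usage, not from the post).
if check_default_shadowed "$SAMPLE_RULES" "$SAMPLE_TABLE_220" 220; then
  echo "table 220 is consulted before main and carries a default route; consider install_routes = no"
else
  echo "no shadowing default route found in table 220"
fi
```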