Linking IPsec tunnels


#1

Hi,

I'll start by saying I'm a sysadmin, not a network guy. So if there is something blatantly obvious, I'm sorry :slight_smile:

I'm currently trying to set up a network.

On one side I have one network provider giving me 2 IPsec tunnels with BGP running between them; they are advertising 10.10.16.0/23. I then have my VyOS machine. Then I have 2 IPsec tunnels with BGP running between them to connect the VyOS machine to my AWS environment; the AWS side is advertising 10.10.0.0/20.

I'm not even sure if this is a valid configuration, to be honest.

All 3 tunnels are up and the routing table looks good, but I can't ping from one network onto the other.

[code]vyos@vyos:~$ sh ip bgp
BGP table version is 0, local router ID is 178.32.xxx.xxx
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  10.10.0.0/20     169.254.22.93          200             0 9059 i
*>                  169.254.23.125         100             0 9059 i
*> 10.10.16.0/23    10.255.255.5             0 3209 3209 3209 3209 3211 64800 64800 64800 64800 64800 ?
*  10.99.0.0/24     169.254.22.93          200             0 9059 i
*>                  169.254.23.125         100             0 9059 i
*  10.100.0.0/24    169.254.22.93          200             0 9059 i
*>                  169.254.23.125         100             0 9059 i
*  10.133.111.0/24  169.254.22.93          200             0 9059 i
*>                  169.254.23.125         100             0 9059 i[/code]

[code]vyos@vyos:~$ sh ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
I - ISIS, B - BGP, > - selected route, * - FIB route

K>* 0.0.0.0/0 via 176.31.xxx.xxx, eth0 (recursive is directly connected, eth0)
S 0.0.0.0/0 [1/0] via 176.31.117.254
B>* 10.10.0.0/20 [20/100] via 169.254.23.125, vti0, 02:51:02
B>* 10.10.16.0/23 [20/100] via 169.254.23.125, vti2, 00:30:33
B>* 10.99.0.0/24 [20/100] via 169.254.23.125, vti0, 02:51:02
B>* 10.100.0.0/24 [20/100] via 169.254.23.125, vti0, 02:51:02
B>* 10.133.111.0/24 [20/100] via 169.254.23.125, vti0, 02:51:02
C>* 10.255.255.4/30 is directly connected, vti2
C>* 127.0.0.0/8 is directly connected, lo
C>* 169.254.22.92/30 is directly connected, vti1
C>* 169.254.23.124/30 is directly connected, vti0
K>* 176.31.xx.xx/32 is directly connected, eth0
C>* 178.32.xx.xx/32 is directly connected, eth0
[/code]

Here's my BGP config:

[code]protocols {
    bgp 65500 {
        neighbor 10.255.255.5 {
            password ****************
            remote-as 3209
            soft-reconfiguration {
                inbound
            }
            timers {
                holdtime 30
                keepalive 10
            }
            weight 100
        }
        neighbor 169.254.22.93 {
            remote-as 9059
            soft-reconfiguration {
                inbound
            }
            timers {
                holdtime 30
                keepalive 10
            }
        }
        neighbor 169.254.23.125 {
            remote-as 9059
            soft-reconfiguration {
                inbound
            }
            timers {
                holdtime 30
                keepalive 10
            }
        }
        network 10.10.0.0/20 {
        }
        network 10.10.16.0/23 {
        }
    }
}[/code]

If I haven't provided enough info, please let me know.

Cheers!
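One check worth running on output like the two tables above is to cross-check every BGP best path against what actually landed in the routing table: is the prefix installed as a selected BGP route, does the RIB next hop equal the BGP next hop, and does that next hop sit on a connected tunnel subnet? The script below is an added example written for this thread, not code from the post or from VyOS. It parses abbreviated, constructed copies of the `sh ip bgp` and `sh ip route` output (same addresses as the post) and reports discrepancies; it assumes the Quagga/FRR column layout shown in the post. On the sample it flags 10.10.16.0/23, whose best path points at 10.255.255.5 while the RIB line forwards via 169.254.23.125 on vti2, which is a mismatch to look into rather than a diagnosis.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input, abbreviated from the kind of "sh ip bgp" and
# "sh ip route" output quoted in the post (same addresses as the post).
BGP_TABLE = """\
*  10.10.0.0/20     169.254.22.93    200      0 9059 i
*>                  169.254.23.125   100      0 9059 i
*> 10.10.16.0/23    10.255.255.5       0 3209 3209 3209 3209 3211 64800 64800 64800 64800 64800 ?
*  10.99.0.0/24     169.254.22.93    200      0 9059 i
*>                  169.254.23.125   100      0 9059 i
"""

RIB = """\
B>* 10.10.0.0/20 [20/100] via 169.254.23.125, vti0, 02:51:02
B>* 10.10.16.0/23 [20/100] via 169.254.23.125, vti2, 00:30:33
B>* 10.99.0.0/24 [20/100] via 169.254.23.125, vti0, 02:51:02
C>* 10.255.255.4/30 is directly connected, vti2
C>* 169.254.22.92/30 is directly connected, vti1
C>* 169.254.23.124/30 is directly connected, vti0
"""

# One "sh ip route" line: proto letter, ">*" flags, prefix, optional [AD/metric],
# then either "via NEXTHOP, DEV" or "is directly connected, DEV".
RIB_LINE = re.compile(
    r"^(?P<proto>[A-Z])(?P<flags>[>*]*)\s+(?P<prefix>\S+/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+)?"
    r"(?:via\s+(?P<via>\S+),\s*(?P<dev>\w+)|is directly connected,\s*(?P<cdev>\w+))"
)


def parse_bgp_best_paths(text):
    """Return {prefix: next_hop} for the best (">") path of each prefix."""
    best = {}
    prefix = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("*"):
            continue  # legend and header lines
        status, rest = tokens[0], tokens[1:]
        if rest and "/" in rest[0]:
            prefix = rest[0]  # new prefix; following lines without one are extra paths
            rest = rest[1:]
        if prefix is None or not rest:
            continue
        if ">" in status:
            best[prefix] = rest[0]  # next hop column
    return best


def parse_rib(text):
    """Return {prefix: {proto, fib, via, dev}} for every parsable RIB line."""
    routes = {}
    for line in text.splitlines():
        m = RIB_LINE.match(line)
        if not m:
            continue
        routes[m["prefix"]] = {
            "proto": m["proto"],
            "fib": m["flags"] == ">*",  # selected and installed in the FIB
            "via": m["via"],
            "dev": m["dev"] or m["cdev"],
        }
    return routes


def resolve_next_hop(next_hop, routes):
    """Return the interface whose connected subnet contains next_hop, or None."""
    addr = ip_address(next_hop)
    for prefix, r in routes.items():
        if r["proto"] == "C" and addr in ip_network(prefix, strict=False):
            return r["dev"]
    return None


def audit(bgp_text, rib_text):
    """Cross-check each BGP best path against the RIB; return a list of findings."""
    best = parse_bgp_best_paths(bgp_text)
    routes = parse_rib(rib_text)
    findings = []
    for prefix, nh in sorted(best.items(), key=lambda kv: ip_network(kv[0])):
        route = routes.get(prefix)
        if route is None or route["proto"] != "B" or not route["fib"]:
            findings.append(f"{prefix}: BGP best path via {nh} is not installed as a selected BGP route")
            continue
        if route["via"] != nh:
            findings.append(f"{prefix}: BGP next hop {nh} but RIB forwards via {route['via']} on {route['dev']}")
        if resolve_next_hop(nh, routes) is None:
            findings.append(f"{prefix}: next hop {nh} is not on any connected subnet")
    return findings


if __name__ == "__main__":
    for finding in audit(BGP_TABLE, RIB) or ["no discrepancies found"]:
        print(finding)
```

To use it against a live box, paste the real `sh ip bgp` and `sh ip route` output into the two strings (or read them from files); the parser ignores the legend lines, so the full command output can be pasted as-is. A clean audit only says the local router's view is self-consistent; it says nothing about whether the far ends (the provider and AWS) accept and route the prefixes they receive, which is why a traceroute from both sides is still the next thing to collect.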


#2

Well, since it's AWS, there can be several reasons for that.
Can you provide a traceroute from both sides?
Thanks!