Multiple remote prefix

Hi,

I’m a bit new to VyOS and I was able to create an IPsec VPN site-to-site tunnel between Exoscale and my Palo Alto firewall (remote side).

I’d like to specify different remote subnets like:

tunnel 0
local prefix 10.5.0.0/24
remote prefix 10.11.0.0/16

tunnel 1
local prefix 10.5.0.0/24
remote prefix 10.1.0.0/16

tunnel 2
local prefix 10.5.0.0/24
remote prefix 10.2.0.0/16

But in my case, only the traffic through tunnel 2 works.

I found on the web that to use multiple remote prefixes with one SA I need to use VTI instead of ETH.

I need help with this setup please, i.e. I don’t know which IP I have to set on my VTI. Is it an IP inside my local prefix subnet or a different one?

Thank you for your help guys,

Hi all,

The problem seems resolved with the VTI interface.
Thanks anyway

Also, VyOS 1.4 allows you to set multiple local/remote prefixes per tunnel.

Hi Viacheslav,

I’m using VyOS 1.4 and I was not able to use multiple local/remote prefixes per tunnel. Could you post a configuration example for information please?

Thanks

set vpn ipsec site-to-site peer 203.0.113.24 tunnel 0 local prefix '100.64.0.0/24'
set vpn ipsec site-to-site peer 203.0.113.24 tunnel 0 remote prefix '192.0.2.0/24'
set vpn ipsec site-to-site peer 203.0.113.24 tunnel 0 remote prefix '10.0.0.0/22'

Yes you are right, I can do it like that. By the way, I now have a new issue: I can’t ping the remote networks. How must I set the static routes please?
I have 2 interfaces:
eth0 OUTSIDE
eth1 INSIDE
When I traceroute my remote local network, traffic goes through the normal ISP outside route and not through my tunnel route.
Thanks

OK I found the problem: when I run
set vpn ipsec site-to-site peer 1… tunnel 0 remote prefix '22…/xx'
set vpn ipsec site-to-site peer 1… tunnel 0 remote prefix '33…/xx'
As a result, VyOS only keeps the last command:
set vpn ipsec site-to-site peer 1… tunnel 0 remote prefix '33…/xx'

I cannot have multiple remote prefixes in the same tunnel.

It seems your rolling release is too old:
show version
Or just update it to the latest rolling VyOS Community build.

Hello,

my version is: VyOS 1.4-rolling-202104061143

I will try to update.

Kind regards,

Hi,
OK, I was able to update to the latest rolling and indeed I can add multiple remote prefixes.
Nevertheless, I can’t reach my remote subnets.
I tried with and without routes, same results.

My tunnel conf is:

tunnel 0 {
    local {
        prefix 10.5.0.0/24
    }
    remote {
        prefix 10.11.0.0/16
        prefix 10.1.0.0/16
        prefix 10.2.0.0/16
    }
}

Any idea?

Did you try not from the router, but from a host in network 10.5.0.0/24 to/from a host in the remote networks? Can you check routes?

show ip route
show ip route table 220

On a single tunnel (tunnel 0), you can only have a single remote prefix.
Add a 2nd tunnel under the same peer (tunnel 1).

@16again in 1.4 you can have multiple prefixes (traffic selectors) per tunnel.

Please share output of:

show version
show config commands | match vpn
sudo swanctl -l
sudo swanctl -L

Is it possible to get/attach configuration from a remote site?

Configuration seems good, and you have shared the config from your “local” router.
@Viacheslav is asking for your remote router configuration, so we can see if the configuration on the peer has the same prefixes defined.

Nice that 1.4 can have multiple prefixes per tunnel. But can Palo Alto do that? And can they co-operate?
For ages I have created multiple tunnels per peer; I’d just play safe and use this old method.

Through VTI, multiple prefixes per tunnel work with Palo Alto, but not through ETHx in my case.
You say you use multiple tunnels per peer. Can you show an example of that VPN config please?

Is this what we are looking for?

                <nexthop>
                  <ip-address>x.x.x.x</ip-address>
                </nexthop>
                <bfd>
                  <profile>None</profile>
                </bfd>
                <interface>tunnel.1</interface>
                <metric>10</metric>
                <destination>x.x.x.x/xx</destination>
                <route-table>
                  <unicast/>
                </route-table>
              </entry>

The multiple-tunnels-per-peer config is already in your 1st post. Note this will also create 3 SAs.
(Actually 6, as send and receive are different SAs.)
Afaik, VTI is a border case of a policy-based tunnel, having local and remote subnets of 0.0.0.0/0.
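As an added example (not code from this thread, VyOS or Palo Alto), the following Python script flattens either form of the configuration, one tunnel with three remote prefixes or three tunnels with one prefix each, into the same set of (local, remote) traffic-selector pairs (one child SA pair each, as noted above) and compares them with the peer's proxy IDs, which is the check @Viacheslav asked for. The VyOS-side prefixes are taken from the thread; the peer-side data is hypothetical, including a partial variant that reproduces the "only tunnel 2 works" symptom.

```python
import ipaddress
from typing import Dict, Iterable, Set, Tuple

Net = ipaddress.IPv4Network
Selector = Tuple[Net, Net]                    # (local prefix, remote prefix) as one side sees it
Tunnels = Dict[int, Dict[str, Iterable[str]]]


def selectors(tunnels: Tunnels) -> Set[Selector]:
    """Flatten one peer's tunnels into its set of (local, remote) traffic selectors.

    One tunnel carrying several remote prefixes (VyOS 1.4 style) and several
    tunnels carrying one prefix each yield the same set; every pair is one
    child SA negotiation (two SAs once inbound and outbound are counted).
    """
    pairs: Set[Selector] = set()
    for tid, tun in tunnels.items():
        local = [ipaddress.ip_network(p) for p in tun.get("local", [])]
        remote = [ipaddress.ip_network(p) for p in tun.get("remote", [])]
        if not local or not remote:
            raise ValueError(f"tunnel {tid}: needs a local and a remote prefix")
        for loc in local:
            for rem in remote:
                if loc.overlaps(rem):  # traffic matching its own side never enters the tunnel
                    raise ValueError(f"tunnel {tid}: {loc} overlaps {rem}")
                pairs.add((loc, rem))
    return pairs


def compare_peers(this_side: Tunnels, other_side: Tunnels) -> Dict[str, Set[Selector]]:
    """Check that the peer mirrors our selectors (its local prefixes are our remote ones)."""
    ours = selectors(this_side)
    theirs = {(rem, loc) for (loc, rem) in selectors(other_side)}  # flip to our viewpoint
    return {"matched": ours & theirs, "missing_on_peer": ours - theirs,
            "extra_on_peer": theirs - ours}


# Constructed from the thread: VyOS side with local 10.5.0.0/24 and three remote /16s,
# written once as a single tunnel and once as three tunnels under the same peer.
VYOS_ONE_TUNNEL: Tunnels = {0: {"local": ["10.5.0.0/24"],
                                "remote": ["10.11.0.0/16", "10.1.0.0/16", "10.2.0.0/16"]}}
VYOS_THREE_TUNNELS: Tunnels = {0: {"local": ["10.5.0.0/24"], "remote": ["10.11.0.0/16"]},
                               1: {"local": ["10.5.0.0/24"], "remote": ["10.1.0.0/16"]},
                               2: {"local": ["10.5.0.0/24"], "remote": ["10.2.0.0/16"]}}
# Hypothetical remote-side proxy IDs: a complete mirror, and one where only the
# third /16 was defined, which leaves only "tunnel 2" traffic passing.
PEER_COMPLETE: Tunnels = {0: {"local": ["10.11.0.0/16", "10.1.0.0/16", "10.2.0.0/16"],
                              "remote": ["10.5.0.0/24"]}}
PEER_PARTIAL: Tunnels = {0: {"local": ["10.2.0.0/16"], "remote": ["10.5.0.0/24"]}}
```

Calling compare_peers(VYOS_ONE_TUNNEL, PEER_PARTIAL) reports the two selectors missing on the peer, which is exactly the mismatch to look for when one remote subnet passes traffic and the others do not.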