Multiple remote prefix

Hi,

I'm a bit new to VyOS and I was able to create an IPsec VPN tunnel site-to-site between Exoscale and my Palo Alto firewall (remote side).

I’d like to specify different remote subnets like:

tunnel 0
local prefix 10.5.0.0/24
remote prefix 10.11.0.0/16

tunnel 1
local prefix 10.5.0.0/24
remote prefix 10.1.0.0/16

tunnel 2
local prefix 10.5.0.0/24
remote prefix 10.2.0.0/16

But in my case, only the traffic through tunnel 2 works.

I found on the web that to use multiple remote prefixes with one SA I need to use VTI instead of ETH.

I need help for this setup please. I.e. I don't know which IP I have to set on my VTI. Is it an IP inside my local prefix subnet, or a different one?

Thank you for your help guys,

Hi all,

Problem seems resolved with the VTI interface.
Thanks anyway

Also VyOS 1.4 allows you to set multiple local/remote prefixes per tunnel

Hi Viacheslav,

I'm using VyOS 1.4 and I was not able to use multiple local/remote prefixes per tunnel. Could you provide a configuration example, please?

Thanks

set vpn ipsec site-to-site peer 203.0.113.24 tunnel 0 local prefix '100.64.0.0/24'
set vpn ipsec site-to-site peer 203.0.113.24 tunnel 0 remote prefix '192.0.2.0/24'
set vpn ipsec site-to-site peer 203.0.113.24 tunnel 0 remote prefix '10.0.0.0/22'

Yes, you are right, I can do it like that. By the way, I now have a new issue: I can't ping the remote networks. How must I set the static routes, please?
I have 2 interfaces:
eth0 OUTSIDE
eth1 INSIDE
When I traceroute my remote local network, traffic goes through the ISP's normal outside route and not through my tunnel route.
Thanks

OK, I found the problem: when I run
set vpn ipsec site-to-site peer 1… tunnel 0 remote prefix '22…/xx'
set vpn ipsec site-to-site peer 1… tunnel 0 remote prefix '33…/xx'
As a result, VyOS only keeps the last command:
set vpn ipsec site-to-site peer 1… tunnel 0 remote prefix '33…/xx'

I cannot have multiple remote prefixes in the same tunnel.

It seems your rolling release is too old
show version
Or just update it to the latest rolling VyOS Community

Hello,

my version is: VyOS 1.4-rolling-202104061143

I will try to update.

Kind regards,

Hi,
OK, I was able to update to the latest rolling and indeed I can add multiple remote prefixes.
Nevertheless, I can't reach my remote subnets.
I tried with and without routes, same results.

My tunnel conf is:

tunnel 0 {
    local {
        prefix 10.5.0.0/24
    }
    remote {
        prefix 10.11.0.0/16
        prefix 10.1.0.0/16
        prefix 10.2.0.0/16
    }
}

Any idea?

Did you try not from the router, but from a host in network 10.5.0.0/24 to/from a host in the remote networks? Can you check routes?

show ip route
show ip route table 220

On a single tunnel (tunnel 0), you can only have a single remote prefix.
Add a 2nd tunnel under the same peer (tunnel 1).

@16again in 1.4 you can have multiple prefixes (traffic selectors) per tunnel

Hi,

I can't reach clients for testing; the VPN is UP but traffic is down from my remote LAN, so I can't reach VMs through SSH.

vyos@vpn-endpoint:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure

S>* 0.0.0.0/0 [210/0] via 85.217.160.1, eth0, weight 1, 19:58:55
C>* 10.5.0.0/24 is directly connected, eth1, 19:58:56
C>* 85.217.160.0/23 is directly connected, eth0, 19:58:55
vyos@vpn-endpoint:~$ show ip route table 220
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure

VRF default table 220:
K>* 10.11.0.0/16 [0/0] via 85.217.160.1, eth0, src 10.5.0.1, 00:25:15

The traffic through 10.11.0.0/16 works.
So it takes only the first remote prefix; the two others (10.1.0.0/16 and 10.2.0.0/16) don't work.

Please share output of:

show version
show config commands | match vpn
sudo swanctl -l
sudo swanctl -L

Is it possible to get/attach configuration from a remote site?

vyos@vpn-endpoint:~$ show version

Version: VyOS 1.4-rolling-202204270217
Release train: sagitta

Built by: autobuild@vyos.net
Built on: Wed 27 Apr 2022 02:17 UTC
Build UUID: 6ae0b080-851a-4dff-9cc5-63246a99aa43
Build commit ID: cb4ce6caf048aa

Architecture: x86_64
Boot via: installed image
System type: KVM guest

Hardware vendor: Exoscale
Hardware model: Exoscale Compute Platform
Hardware S/N:
Hardware UUID: 10d676ff-5e97-4993-b9ba-fa45b287970a

Copyright: VyOS maintainers and contributors
vyos@vpn-endpoint:~$ show config commands | match vpn
set system host-name 'vpn-endpoint'
set vpn ipsec esp-group esp-local-remote compression 'disable'
set vpn ipsec esp-group esp-local-remote lifetime '3600'
set vpn ipsec esp-group esp-local-remote mode 'tunnel'
set vpn ipsec esp-group esp-local-remote pfs 'dh-group14'
set vpn ipsec esp-group esp-local-remote proposal 1 encryption 'aes256gcm128'
set vpn ipsec esp-group esp-local-remote proposal 1 hash 'sha1'
set vpn ipsec ike-group ike-local-remote close-action 'none'
set vpn ipsec ike-group ike-local-remote dead-peer-detection action 'clear'
set vpn ipsec ike-group ike-local-remote dead-peer-detection interval '30'
set vpn ipsec ike-group ike-local-remote dead-peer-detection timeout '90'
set vpn ipsec ike-group ike-local-remote ikev2-reauth 'no'
set vpn ipsec ike-group ike-local-remote key-exchange 'ikev2'
set vpn ipsec ike-group ike-local-remote lifetime '86400'
set vpn ipsec ike-group ike-local-remote proposal 1 dh-group '14'
set vpn ipsec ike-group ike-local-remote proposal 1 encryption 'aes256'
set vpn ipsec ike-group ike-local-remote proposal 1 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec log level '1'
set vpn ipsec log subsystem 'any'
set vpn ipsec options
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication id 'xxx.xxx.xxx.xxx'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication pre-shared-secret 'xxxxxx'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx connection-type 'initiate'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx default-esp-group 'esp-local-remote'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ike-group 'ike-local-remote'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx local-address 'xxx.xxx.xxx.xxx'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 local prefix '10.5.0.0/24'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 remote prefix '10.11.0.0/16'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 remote prefix '10.1.0.0/16'
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 remote prefix '10.2.0.0/16'
vyos@vpn-endpoint:~$ sudo swanctl -l
peer_xxx-xxx-xxx-xxx: #1, ESTABLISHED, IKEv2, fc2a6bbef9fa1ed3_i* 7f81bb88f4684102_r
local 'xxx.xxx.xxx.xxx' @ xxx.xxx.xxx.xxx[500]
remote 'xxx.xxx.xxx.xxx' @ xxx.xxx.xxx.xxx[500]
AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
established 10s ago, rekeying in 85563s
peer_xxx-xxx-xxx-xxx_tunnel_0: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
installed 10s ago, rekeying in 3590s, expires in 3590s
in cdc2e37e, 1000 bytes, 13 packets, 1s ago
out 9e556364, 420 bytes, 7 packets, 1s ago
local 10.5.0.0/24
remote 10.11.0.0/16
vyos@vpn-endpoint:~$ sudo swanctl -L
peer_xxx-xxx-xxx-xxx: IKEv2, no reauthentication, rekeying every 86400s, dpd delay 30s
local: xxx.xxx.xxx.xxx
remote: xxx.xxx.xxx.xxx
local pre-shared key authentication:
id: xxx.xxx.xxx.xxx
remote pre-shared key authentication:
id: xxx.xxx.xxx.xxx
peer_xxx-xxx-xxx-xxx_tunnel_0: TUNNEL, rekeying every 3600s, dpd action is clear
local: 10.5.0.0/24
remote: 10.11.0.0/16 10.1.0.0/16 10.2.0.0/16
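The two swanctl outputs above already contain the diagnosis: `swanctl -L` lists all three configured remote traffic selectors for tunnel 0, while `swanctl -l` shows a single installed CHILD_SA carrying only 10.11.0.0/16, which matches the symptom that only the first prefix passes traffic. As an added example (not from this thread and not VyOS or strongSwan code), the Python below parses both outputs and reports configured remote prefixes that have no installed SA; the sample text is constructed after the thread's output, with placeholder addresses and a hypothetical connection name.

```python
import re

# Constructed sample modelled on `sudo swanctl -L` (loaded config); placeholder addresses.
SWANCTL_LOADED = """\
peer_203-0-113-24: IKEv2, no reauthentication, rekeying every 86400s, dpd delay 30s
  local:  203.0.113.1
  remote: 203.0.113.24
  peer_203-0-113-24_tunnel_0: TUNNEL, rekeying every 3600s, dpd action is clear
    local:  10.5.0.0/24
    remote: 10.11.0.0/16 10.1.0.0/16 10.2.0.0/16
"""

# Constructed sample modelled on `sudo swanctl -l` (installed SAs): only one CHILD_SA,
# and it carries just the first remote selector.
SWANCTL_INSTALLED = """\
peer_203-0-113-24: #1, ESTABLISHED, IKEv2, fc2a6bbef9fa1ed3_i* 7f81bb88f4684102_r
  peer_203-0-113-24_tunnel_0: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 10s ago, rekeying in 3590s, expires in 3590s
    in  cdc2e37e,   1000 bytes,    13 packets,     1s ago
    out 9e556364,    420 bytes,     7 packets,     1s ago
    local  10.5.0.0/24
    remote 10.11.0.0/16
"""

CIDR = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\b")
CHILD_LOADED = re.compile(r"^\s*(\S+): TUNNEL,")            # child config line in -L
CHILD_INSTALLED = re.compile(r"^\s*(\S+): #\d+, reqid \d+, INSTALLED")  # CHILD_SA line in -l
REMOTE = re.compile(r"^\s*remote:?\s+(.*)$")                # "remote:" (-L) or "remote" (-l)


def parse_remote_selectors(text, child_re):
    """Map each child name to the set of remote CIDR selectors listed under it.
    IKE-level 'remote:' lines (peer address, no /len) precede any child and are ignored."""
    selectors, current = {}, None
    for line in text.splitlines():
        m = child_re.match(line)
        if m:
            current = m.group(1)
            selectors.setdefault(current, set())   # repeated CHILD_SAs with one name merge
            continue
        m = REMOTE.match(line)
        if m and current is not None:
            selectors[current].update(CIDR.findall(m.group(1)))
    return selectors


def missing_selectors(loaded_text, installed_text):
    """Return {child: sorted configured remote prefixes that have no installed SA}."""
    loaded = parse_remote_selectors(loaded_text, CHILD_LOADED)
    installed = parse_remote_selectors(installed_text, CHILD_INSTALLED)
    return {c: sorted(want - installed.get(c, set()))
            for c, want in loaded.items() if want - installed.get(c, set())}


if __name__ == "__main__":
    print(missing_selectors(SWANCTL_LOADED, SWANCTL_INSTALLED))
```

An empty result means every configured remote prefix has an SA; anything listed is a selector the peer never negotiated, which is what to compare against the remote side's proxy-IDs.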

Hi,
Please find here:

Configuration seems good, and you have shared the config from your "local" router.
@Viacheslav is asking for your remote router configuration, so we can see if the configuration on the peer has defined the same prefixes.

Nice that 1.4 can have multiple prefixes per tunnel. But can Palo Alto do that? And can they co-operate?
For ages I have created multiple tunnels per peer; I'd just play safe and use this old method.