Multiple remote prefix

General questions
, , , , ,
#1

Hi,

I’m a bit new in VyOS and I was able to create a ipsec vpn tunnel site-to-site between exoscale and my Palo alto firewall (remote side).

I’d like to specify different remote subnets like:

tunnel 0
local prefix 10.5.0.0/24
remote prefix 10.11.0.0/16

tunnel 1
local prefix 10.5.0.0/24
remote prefix 10.1.0.0/16

tunnel 2
localprefix 10.5.0.0/24
remoteprefix 10.2.0.0/16

But in my case, only the traffic through tunnel 2 works.

I found in the web that for using multiple remote prefix with one SA I need to use VTI instead of ETH.

I need help for this setup please. I.e. I ignore which IP I have to set in my VTI. Is an IP inside my local prefix subnet or different?

Thank you for your help guys,

#2

Hi all,

Problem seems resolved with the interface VTI
Thanks anyway

#3

Also VyOS 1.4 allows you to set multiple local/remote prefixes per tunnel

#4

Hi Viacheslav,

I’m using VyOS 1.4 and I was not able to use multiple local/remote prefixes per tunnel. Could you input a configuration example for information please?

Thanks

#5

set vpn ipsec site-to-site peer 203.0.113.24 tunnel 0 local prefix ‘100.64.0.0/24’
set vpn ipsec site-to-site peer 203.0.113.24 tunnel 0 remote prefix ‘192.0.2.0/24’
set vpn ipsec site-to-site peer 203.0.113.24 tunnel 0 remote prefix ‘10.0.0.0/22’

#6

Yes you are right, I can do like that. By the way, I have now a new issue: I can’t ping the remote networks. How must I set the static routes please?
I have 2 interfaces:
eth0 OUTSIDE
eth1 INSIDE
When I traceroute my remote local network, traffic go through ISP normal outside route and not through my tunnel route.
Thanks

#7

OK I found the problem: when I run
set vpn ipsec site-to-site peer 1… tunnel 0 remote prefix ‘22…/xx’
set vpn ipsec site-to-site peer 1… tunnel 0 remote prefix ‘33…/xx’
In result, VyOS only keep the last command:
set vpn ipsec site-to-site peer 1… tunnel 0 remote prefix ‘33…/xx’

I cannot have multiple remote prefix in same tunnel.

#8

It seems your rolling release is too old
show version
Or just update it to the latest rolling VyOS Community

#9

Hello,

my version is: VyOS 1.4-rolling-202104061143

I will try to update.

Kind regards,

#10

Hi,
OK I was able to update to the latest rolling and effectively I can add multiple remote prefixes.
Nevertheless, I can’t reach my remote subnets.
I tried with and without routes, same results.

My tunnel conf is:

tunnel 0 {
local {
prefix 10.5.0.0/24
}
remote {
prefix 10.11.0.0/16
prefix 10.1.0.0/16
prefix 10.2.0.0/16

Any idea?

#11

Did you try not from router, but from host in network 10.5.0.0/24 to/from host in remote networks?. Can you check routes?

show ip route
show ip route table 220
#12

On a single tunnel (tunnel 0) , you can only have a single remote prefix.
Add a 2nd tunnel under the same peer (tunnel1)

#13

@16again in 1.4 you can have multiple prefixes (traffic selectors) per tunnel

#14

Hi,

I can’t reach clients for test, VPN is UP but traffic is down from my remote LAN so I can’t reach VM’s through ssh.

vyos@vpn-endpoint:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure

S>* 0.0.0.0/0 [210/0] via 85.217.160.1, eth0, weight 1, 19:58:55
C>* 10.5.0.0/24 is directly connected, eth1, 19:58:56
C>* 85.217.160.0/23 is directly connected, eth0, 19:58:55
vyos@vpn-endpoint:~$ show ip route table 220
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, F - PBR,
f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
t - trapped, o - offload failure

VRF default table 220:
K>* 10.11.0.0/16 [0/0] via 85.217.160.1, eth0, src 10.5.0.1, 00:25:15

The traffic through 10.11.0.0/16 works.
So it takes only the first remote prefix, the 2 others (10.1.0.0/16 and 10.2.0.0/16) doesn’t work.

#15

Please share output of:

show version
show config commands | match vpn
sudo swanctl -l
sudo swanctl -L
#16

Is it possible to get/attach configuration from a remote site?

#17

vyos@vpn-endpoint:~$ show version

Version: VyOS 1.4-rolling-202204270217
Release train: sagitta

Built by: autobuild@vyos.net
Built on: Wed 27 Apr 2022 02:17 UTC
Build UUID: 6ae0b080-851a-4dff-9cc5-63246a99aa43
Build commit ID: cb4ce6caf048aa

Architecture: x86_64
Boot via: installed image
System type: KVM guest

Hardware vendor: Exoscale
Hardware model: Exoscale Compute Platform
Hardware S/N:
Hardware UUID: 10d676ff-5e97-4993-b9ba-fa45b287970a

Copyright: VyOS maintainers and contributors
vyos@vpn-endpoint:~$ show config commands | match vpn
set system host-name ‘vpn-endpoint’
set vpn ipsec esp-group esp-local-remote compression ‘disable’
set vpn ipsec esp-group esp-local-remote lifetime ‘3600’
set vpn ipsec esp-group esp-local-remote mode ‘tunnel’
set vpn ipsec esp-group esp-local-remote pfs ‘dh-group14’
set vpn ipsec esp-group esp-local-remote proposal 1 encryption ‘aes256gcm128’
set vpn ipsec esp-group esp-local-remote proposal 1 hash ‘sha1’
set vpn ipsec ike-group ike-local-remote close-action ‘none’
set vpn ipsec ike-group ike-local-remote dead-peer-detection action ‘clear’
set vpn ipsec ike-group ike-local-remote dead-peer-detection interval ‘30’
set vpn ipsec ike-group ike-local-remote dead-peer-detection timeout ‘90’
set vpn ipsec ike-group ike-local-remote ikev2-reauth ‘no’
set vpn ipsec ike-group ike-local-remote key-exchange ‘ikev2’
set vpn ipsec ike-group ike-local-remote lifetime ‘86400’
set vpn ipsec ike-group ike-local-remote proposal 1 dh-group ‘14’
set vpn ipsec ike-group ike-local-remote proposal 1 encryption ‘aes256’
set vpn ipsec ike-group ike-local-remote proposal 1 hash ‘sha256’
set vpn ipsec interface ‘eth0’
set vpn ipsec log level ‘1’
set vpn ipsec log subsystem ‘any’
set vpn ipsec options
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication id ‘xxx.xxx.xxx.xxx’
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx authentication pre-shared-secret ‘xxxxxx’
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx connection-type ‘initiate’
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx default-esp-group ‘esp-local-remote’
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ike-group ‘ike-local-remote’
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx ikev2-reauth ‘inherit’
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx local-address ‘xxx.xxx.xxx.xxx’
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 local prefix ‘10.5.0.0/24’
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 remote prefix ‘10.11.0.0/16’
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 remote prefix ‘10.1.0.0/16’
set vpn ipsec site-to-site peer xxx.xxx.xxx.xxx tunnel 0 remote prefix ‘10.2.0.0/16’
vyos@vpn-endpoint:~$ sudo swanctl -l
peer_xxx-xxx-xxx-xxx: #1, ESTABLISHED, IKEv2, fc2a6bbef9fa1ed3_i* 7f81bb88f4684102_r
local ‘xxx.xxx.xxx.xxx’ @ xxx.xxx.xxx.xxx[500]
remote ‘xxx.xxx.xxx.xxx’ @ xxx.xxx.xxx.xxx[500]
AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
established 10s ago, rekeying in 85563s
peer_xxx-xxx-xxx-xxx_tunnel_0: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
installed 10s ago, rekeying in 3590s, expires in 3590s
in cdc2e37e, 1000 bytes, 13 packets, 1s ago
out 9e556364, 420 bytes, 7 packets, 1s ago
local 10.5.0.0/24
remote 10.11.0.0/16
vyos@vpn-endpoint:~$ sudo swanctl -L
peer_xxx-xxx-xxx-xxx: IKEv2, no reauthentication, rekeying every 86400s, dpd delay 30s
local: xxx.xxx.xxx.xxx
remote: xxx.xxx.xxx.xxx
local pre-shared key authentication:
id: xxx.xxx.xxx.xxx
remote pre-shared key authentication:
id: xxx.xxx.xxx.xxx
peer_xxx-xxx-xxx-xxx_tunnel_0: TUNNEL, rekeying every 3600s, dpd action is clear
local: 10.5.0.0/24
remote: 10.11.0.0/16 10.1.0.0/16 10.2.0.0/16

#18

Hi,
Please find here:

#19

Configuration seems good, and you have shared config from your “local” router.
@Viacheslav is asking for your remote router configuration, so we can see if configuration on peer has defined same prefixes

#20

Nice that 1.4 can have multiple prefixes per tunnel. But can Palo Alto do that? And can they co-operate?
For ages, I created multiple tunnels per peer, I’d just play safe and use this old method.