Policy route for IPsec VPN


#1

Hi All,

My VyOS router has 2 interfaces:

eth0: 2.2.2.2
eth1: 192.168.10.1

The router acts as a VPN gateway for site-to-site.

This is my route table:

vyos@VC-VYOS-01:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

S>* 0.0.0.0/0 [1/0] via 2.2.2.2, eth0
C>* 10.18.1.0/24 is directly connected, dum0
C>* 127.0.0.0/8 is directly connected, lo
C>* 172.16.10.0/24 is directly connected, vtun0
K>* 172.18.1.0/24 is directly connected, eth0
C>* 192.168.10.0/24 is directly connected, eth1
K>* 192.168.15.0/24 is directly connected, eth0
C>* 2.2.2.0/24 is directly connected, eth0

The remote ends may have overlapping remote networks, so I created a source NAT.

SOURCE NAT
===========
set nat source rule 10 log 'enable'
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 source address '172.18.1.0/24'
set nat source rule 10 translation address '10.18.1.0/24'

#STATIC ROUTE USING TABLE
=========================
set protocols static table 2 route 0.0.0.0/0 next-hop '192.168.10.1'

#POLICY ROUTE
=============
set policy route SRC-ROUTE rule 20 destination address '0.0.0.0/0'
set policy route SRC-ROUTE rule 20 set table '2'
set policy route SRC-ROUTE rule 20 source address '10.18.1.0/24'

I need to route all IPsec traffic to eth1. I read that policy-based routing is viable, but PBR can only be applied on the ingress interface, and since I am not using VTI interfaces, I cannot apply PBR.

I created a dummy interface thinking I could use PBR.

vyos@VC-VYOS-01# show interfaces dummy dum0 
 address 10.18.1.1/24

Do you have any suggestions on how to send 0.0.0.0/0 IPsec traffic to eth1?
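
Added example (not part of the original post): a policy route for a non-VTI tunnel, attached to the WAN interface instead of a dummy interface. It assumes VyOS 1.2.x syntax, a policy-based IPsec peer whose remote network is 172.18.1.0/24, and a hypothetical LAN-side next hop 192.168.10.254 on eth1 (the next hop in table 2 has to be another host on 192.168.10.0/24, because a route pointing at the router's own eth1 address is local delivery, not forwarding). Two points this example relies on: decrypted packets from a policy-based IPsec SA re-enter PREROUTING with eth0 as their input interface, so a policy route bound to eth0 does see them; and source NAT is applied in POSTROUTING, after the routing decision, so the policy rule has to match the pre-NAT source 172.18.1.0/24 rather than the translated 10.18.1.0/24.

```vyos
# Added example, not the poster's config. Assumes VyOS 1.2.x syntax, a
# policy-based (non-VTI) IPsec peer with remote network 172.18.1.0/24, and a
# hypothetical LAN next hop 192.168.10.254 on eth1.

# 1. Alternate routing table whose only route sends everything out eth1.
#    Next hop is a real host on the LAN, not the router's own eth1 address.
set protocols static table 2 route 0.0.0.0/0 next-hop '192.168.10.254'

# 2. Policy route matched on the PRE-NAT source. Omitting a destination
#    match means "any destination", i.e. 0.0.0.0/0.
set policy route SRC-ROUTE rule 20 description 'Decrypted traffic from remote site'
set policy route SRC-ROUTE rule 20 source address '172.18.1.0/24'
set policy route SRC-ROUTE rule 20 set table '2'

# 3. Attach the policy to the interface the tunnel terminates on. Packets
#    decrypted from the IPsec SA re-enter PREROUTING with eth0 as their
#    input interface, so this is where a non-VTI tunnel can be matched.
set interfaces ethernet eth0 policy route 'SRC-ROUTE'

# 4. Source NAT as in the post. It runs in POSTROUTING, after step 2 has
#    already chosen table 2, so the translated 10.18.1.0/24 never appears
#    as the source at policy-route time.
set nat source rule 10 log 'enable'
set nat source rule 10 outbound-interface 'eth1'
set nat source rule 10 source address '172.18.1.0/24'
set nat source rule 10 translation address '10.18.1.0/24'
```

To check it is doing what you expect: `show ip route table 2` should list only the default route via 192.168.10.254, and, assuming a VyOS 1.2 image where policy route is implemented as iptables mangle rules, `sudo iptables -t mangle -vnL` should show the SRC-ROUTE chain's packet counters increasing on eth0 while traffic from the remote site is flowing. If the counters stay at zero, the rule is matching the wrong source (post-NAT instead of pre-NAT) or is bound to the wrong interface.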


#2

Is it not a possibility for you to use VTI, as you have mentioned, and set its address to 10.18.1.1?


#3

No, the end device does not support vti.