Route individual host traffic over IPSEC VTI for internet access from main site

NWTOR · December 16, 2021, 6:18pm

I have two VYOS routers 1.4.x (same build) and have set up VTI IPSEC tunnels. I can access clients on both sides. Ping and traceroute don’t work for some reason router to router but do from the clients. It did with a GRE tunnel. I’m trying to route some hosts from site B over the VTI for internet access but can’t get it working.

Does anyone have any configuration examples or docs they could share? I’ve been through the forums, google and youtube but haven’t found anything on this specific topic.

keneshhagard · December 17, 2021, 4:48am

Can you post your config? did you also remember to add a rule in NAT to exclude local networks?

NWTOR · December 17, 2021, 6:18pm

Thanks for the quick response. I have set a static route for one host on site B to route the traffic over the VTI interface.

vyos@vyos# show protocols static route 192.168.34.9/32
interface vti4 {
}

I can see the traffic on the remote VTI interface.

nick@vyos:~$ monitor traffic interface any |grep 192.168.34.9
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]… for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
18:06:47.607578 vti4 In IP 192.168.34.1.domain > 192.168.34.9.61851: 50731 1/0/0 A 23.76.133.142 (60)
18:06:47.607641 vti4 Out IP 192.168.34.1.domain > 192.168.34.9.61851: 50731 1/0/0 A 23.76.133.142 (60)
18:06:47.998575 vti4 In IP 192.168.34.1.domain > 192.168.34.9.61851: 50731 1/0/0 A 23.76.133.142 (60)
18:06:47.998640 vti4 Out IP 192.168.34.1.domain > 192.168.34.9.61851: 50731 1/0/0 A 23.76.133.142 (60)
18:06:50.067440 vti4 In IP 192.168.34.1.domain > 192.168.34.9.61851: 50731 1/0/0 A 23.76.133.142 (60)
18:06:50.067491 vti4 Out IP 192.168.34.1.domain > 192.168.34.9.61851: 50731 1/0/0 A 23.76.133.142 (60)
18:06:54.143264 vti4 In IP 192.168.34.1.domain > 192.168.34.9.61851: 50731 1/0/0 A 23.76.133.142 (60)
18:06:54.143316 vti4 Out IP 192.168.34.1.domain > 192.168.34.9.61851: 50731 1/0/0 A 23.76.133.142 (60)
18:06:55.496652 vti4 In IP 192.168.34.1.domain > 192.168.34.9.52695: 30574 0/1/0 (109)
18:06:55.496711 vti4 Out IP 192.168.34.1.domain > 192.168.34.9.52695: 30574 0/1/0 (109)

However, I’m not sure how to route or translate that traffic from the VTI interface to the WAN ETH0/PPPOE interface of the remote site.

I’ve tried source nat rules and policy routes but can’t get anything working. Any guidance would be appreciated.

ngoehring · December 17, 2021, 6:55pm

Do you have a NAT rule on the other side that allows your local IP range to exit through WAN. Or, if you NAT your local IPs across the VTI do you have a NAT rule on the other side that allows your VTI subnet to exit through WAN? I’d recommend the former setup over the latter.

NWTOR · December 19, 2021, 5:44pm

Thanks for the suggestions! I found the problem. The static route needed to be a policy route. I had tried that before but I didn’t have it assigned to an interface and wondered why it wasn’t working I also needed to do some TCP MSS-Clamping to get traffic to flow as well.

I’ll post my configs later for reference.