Route individual host traffic over IPSEC VTI for internet access from main site

I have two VYOS routers 1.4.x (same build) and have set up VTI IPSEC tunnels. I can access clients on both sides. Ping and traceroute don’t work for some reason router to router but do from the clients. It did with a GRE tunnel. I’m trying to route some hosts from site B over the VTI for internet access but can’t get it working.

Does anyone have any configuration examples or docs they could share? I’ve been through the forums, Google and YouTube but haven’t found anything on this specific topic.

Can you post your config? Did you also remember to add a rule in NAT to exclude local networks?

Thanks for the quick response. I have set a static route for one host on site B to route the traffic over the VTI interface.

vyos@vyos# show protocols static route
interface vti4 {

I can see the traffic on the remote VTI interface.

nick@vyos:~$ monitor traffic interface any |grep
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]… for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
18:06:47.607578 vti4 In IP > 50731 1/0/0 A (60)
18:06:47.607641 vti4 Out IP > 50731 1/0/0 A (60)
18:06:47.998575 vti4 In IP > 50731 1/0/0 A (60)
18:06:47.998640 vti4 Out IP > 50731 1/0/0 A (60)
18:06:50.067440 vti4 In IP > 50731 1/0/0 A (60)
18:06:50.067491 vti4 Out IP > 50731 1/0/0 A (60)
18:06:54.143264 vti4 In IP > 50731 1/0/0 A (60)
18:06:54.143316 vti4 Out IP > 50731 1/0/0 A (60)
18:06:55.496652 vti4 In IP > 30574 0/1/0 (109)
18:06:55.496711 vti4 Out IP > 30574 0/1/0 (109)

However, I’m not sure how to route or translate that traffic from the VTI interface to the WAN ETH0/PPPOE interface of the remote site.

I’ve tried source nat rules and policy routes but can’t get anything working. Any guidance would be appreciated.

Do you have a NAT rule on the other side that allows your local IP range to exit through WAN? Or, if you NAT your local IPs across the VTI, do you have a NAT rule on the other side that allows your VTI subnet to exit through WAN? I’d recommend the former setup over the latter.

Thanks for the suggestions! I found the problem. The static route needed to be a policy route. I had tried that before but I didn’t have it assigned to an interface and wondered why it wasn’t working. I also needed to do some TCP MSS-Clamping to get traffic to flow as well.

I’ll post my configs later for reference.
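The pieces named in this thread (a policy route bound to an interface, MSS clamping on the tunnel, and source NAT for the site B range at the main site), put together as an added example; this is not the poster's configuration. Assumptions: VyOS 1.4 syntax, site B LAN on eth1, the host at the constructed address 192.0.2.50, routing table 100, the policy name VTI-INET, main-site WAN on pppoe0, and an MSS of 1360 that has to be derived from the real tunnel MTU.

```vyos
# ---------------- Site B router ----------------
# Alternate routing table whose only default route points into the tunnel.
set protocols static table 100 route 0.0.0.0/0 interface vti4

# Policy route: traffic sourced from the selected host is looked up in table 100.
# Every other host keeps using the main table and the local WAN.
set policy route VTI-INET rule 10 description 'Selected host exits via main site'
set policy route VTI-INET rule 10 source address 192.0.2.50
set policy route VTI-INET rule 10 set table 100

# The policy does nothing until it is attached to the interface the
# host's traffic arrives on (assumed here to be eth1).
set policy route VTI-INET interface eth1

# Clamp TCP MSS on the tunnel so segments fit inside the IPsec overhead.
# 1360 is an assumed value, not taken from the thread.
set interfaces vti vti4 ip adjust-mss 1360

# ---------------- Main site router ----------------
# Translate the site B host's address when it leaves through the WAN.
# Matching the original LAN address (rather than NATing it across the VTI)
# keeps the real source visible in main-site firewall and flow logs.
set nat source rule 100 description 'Site B host to internet'
set nat source rule 100 source address 192.0.2.50
set nat source rule 100 outbound-interface name pppoe0
set nat source rule 100 translation address masquerade

# Same clamp on this end of the tunnel for the return direction.
set interfaces vti vti4 ip adjust-mss 1360
```

Keep the NAT rule's source match as narrow as the hosts that are meant to use the main site's internet connection, so a routing mistake at site B does not silently expose the rest of that LAN through the main-site WAN address.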