Site-to-site routes not appearing in show ip route output

mattvd · October 31, 2019, 6:59am

Hi all
I just migrated from 1.1.8 to the latest 1.2 rolling release (30/10/2019 15:30).
I have 2 ipsec site-to-site connections with a total of 3 tunnels.
in 1.1.8, after the ipsec sa was active, I could see in the “show ip route” output the remote networks as Kernel routes, something like
K>* 172.16.0.0/24 is directly connected, eth0
where eth0 is the ipsec interface
in 1.2 VPN routes are completely missing in the command output and didn’t find a way to see the installed routes. Is there a way to see them?

Many thanks

Dmitry · October 31, 2019, 9:06am

Hello @mattvd,

You can see policies
show vpn ipsec policy

Can you provide your ipsec configuration?

mattvd · October 31, 2019, 10:54am

Thanks Dimitry
With the command you sent I can see some information, thanks… Does it mean that the VPN is policy based and not route based? Configuration is in the other thread about extra entry in the “show vpn ike sa”, if you want we can merge the two threads and follow only with the other.

vyos@vyos:~$ show vpn ipsec policy src 0.0.0.0/0 dst 0.0.0.0/0 dir out priority 399999 ptype main mark 0x900001/0xffffffff tmpl src x.x.1.32 dst 52.x.x.226 proto esp spi 0x79ab8d46 reqid 11 mode tunnel src 0.0.0.0/0 dst 0.0.0.0/0 dir fwd priority 399999 ptype main mark 0x900001/0xffffffff tmpl src 52.x.x.226 dst x.x.1.32 proto esp reqid 11 mode tunnel src 0.0.0.0/0 dst 0.0.0.0/0 dir in priority 399999 ptype main mark 0x900001/0xffffffff tmpl src 52.x.x.226 dst x.x.1.32 proto esp reqid 11 mode tunnel src 172.16.0.0/16 dst 10.6.0.0/24 dir out priority 379519 ptype main tmpl src 192.x.x.32 dst 40.x.x.120 proto esp spi 0x7dde2c10 reqid 9 mode tunnel src 10.6.0.0/24 dst 172.16.0.0/16 dir fwd priority 379519 ptype main tmpl src 40.x.x.120 dst x.x.1.32 proto esp reqid 9 mode tunnel src 10.6.0.0/24 dst 172.16.0.0/16 dir in priority 379519 ptype main tmpl src 40.x.x.120 dst x.x.1.32 proto esp reqid 9 mode tunnel src 172.16.0.0/16 dst 192.168.0.0/24 dir out priority 379519 ptype main tmpl src x.x.1.32 dst 40.x.x.120 proto esp spi 0xbd370028 reqid 10 mode tunnel src 192.168.0.0/24 dst 172.16.0.0/16 dir fwd priority 379519 ptype main tmpl src 40.x.x.120 dst x.x.1.32 proto esp reqid 10 mode tunnel src 192.168.0.0/24 dst 172.16.0.0/16 dir in priority 379519 ptype main tmpl src 40.x.x.120 dst x.x.1.32 proto esp reqid 10 mode tunnel src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 ptype main src ::/0 dst ::/0 socket in priority 0 ptype main src ::/0 dst ::/0 socket out priority 0 ptype main src ::/0 dst ::/0 socket in priority 0 ptype main src ::/0 dst ::/0 socket out priority 0 ptype main vyos@vyos:~$

Dmitry · November 1, 2019, 10:23pm

Not sure about this. You can also check
ip route show table all

mattvd · November 2, 2019, 7:10am

ok, I can see them… May I ask why table 220?
vyos@vyos:~$ ip route show table 220
10.6.0.0/24 via 192.168.1.1 dev eth0 proto static src 172.16.1.254
192.168.0.0/24 via 192.168.1.1 dev eth0 proto static src 172.16.1.254

Dmitry · November 6, 2019, 8:01am

By default strongswan store routes on this table. I think this for protect other routing tables.