Static route to local connected address fails on 1.2.6

Hi all,

Version: 1.2.6
Installation: VM

  • We have an IPSEC connection mapped to a vti10 interface.
  • The very same configuration worked in 1.2.4
  • We route the remote networks over the vti10 interface

After upgrading from 1.2.4 to 1.2.6 the IPSEC tunnel stopped working. After troubleshooting we could see that our static routes that we configured to route over the vti10 interface were no longer there.

vyos@edge-fw-01:~$ show configuration commands | grep vti10
set interfaces vti vti10 address '10.0.0.2/31'
...
set vpn ipsec site-to-site peer 1.2.3.4 vti bind 'vti10'
...
set interfaces vti vti10 address '10.0.0.2/31'
set protocols static route 192.168.112.0/24 next-hop 10.0.0.2
set protocols static route 192.168.115.0/24 next-hop 10.0.0.2
set protocols static route 192.168.119.0/24 next-hop 10.0.0.2

After the upgrade, the routes were no longer present. When we try to set a new route, the configuration works, but it does not survive a commit. We can reproduce this behavior even without IPSEC.

How to reproduce:

  • Set any route to a local address
set protocols static route 192.168.112.0/24 next-hop 192.168.1.1
vyos@edge-fw-01# commit
[ protocols static route 192.168.119.0/24 next-hop 10.0.0.2 ]
% Warning!! Local connected address is configured as Gateway IP(10.0.0.2)

netstat -nr | grep 192.168.119.0
#--- empty result

Our current workaround is to force set the routes manually in /config/scripts/vyos-postconfig-bootup.script

#!/bin/sh
# This script is executed at boot time after VyOS configuration is fully applied.
# Any modifications required to work around unfixed bugs
# or use services not available through the VyOS CLI system can be placed here.

sudo ip route add 192.168.115.0/24 via 10.0.0.2
sudo ip route add 192.168.112.0/24 via 10.0.0.2

You should/can use a “static interface route” or set a correct next-hop. Why don’t you set the next hop as the peer tunnel address?
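To make the reply's point concrete, here is an added check, written for this page and not code from the original post or from VyOS. It takes a constructed list of the router's own interface addresses (10.0.0.2/31 on vti10 plus an assumed 192.168.1.10/24 on eth0) and a constructed list of static routes, flags every route whose next-hop is one of the router's own addresses (the condition the commit warning points at), and prints the two replacements the reply suggests: an interface route over the vti, or the peer's address on the /31 (10.0.0.3). The CLI commands it prints assume the VyOS 1.2 `interface-route` / `next-hop-interface` syntax; check them against your own version before pasting.

```shell
#!/bin/sh
# Added example, not code from the original post or from VyOS. Flags static
# routes whose next-hop is a local interface address and prints replacements.
# Assumes VyOS 1.2 CLI syntax; all addresses and routes below are constructed.

# Constructed sample of local addresses, in the form ADDRESS/PREFIX=INTERFACE
# (10.0.0.2/31 on vti10 is from the post; eth0 is an assumed LAN interface).
LOCAL_ADDRS="10.0.0.2/31=vti10 192.168.1.10/24=eth0"

# local_entry ADDR: print "ADDR/PREFIX=INTERFACE" if ADDR is one of our own
# addresses; print nothing and fail otherwise.
local_entry() {
    for entry in $LOCAL_ADDRS; do
        cidr=${entry%=*}
        if [ "${cidr%/*}" = "$1" ]; then
            printf '%s\n' "$entry"
            return 0
        fi
    done
    return 1
}

# p2p_peer ADDR/31: print the other end of a /31 (last octet with bit 0 flipped).
# Only /31 is handled; other prefix lengths would need full subnet arithmetic.
p2p_peer() {
    [ "${1#*/}" = "31" ] || return 1
    ip=${1%/*}
    last=${ip##*.}
    printf '%s.%d\n' "${ip%.*}" $(( last ^ 1 ))
}

# check_route PREFIX NEXTHOP: print "ok" if NEXTHOP is not one of our own
# addresses; otherwise print the CLI commands that replace the broken route.
check_route() {
    prefix=$1
    nh=$2
    entry=$(local_entry "$nh") || { printf 'ok\n'; return 0; }
    cidr=${entry%=*}
    iface=${entry#*=}
    printf 'delete protocols static route %s next-hop %s\n' "$prefix" "$nh"
    printf 'set protocols static interface-route %s next-hop-interface %s\n' "$prefix" "$iface"
    # Alternative the reply suggests: use the peer's tunnel address as next-hop.
    if peer=$(p2p_peer "$cidr"); then
        printf '# or: set protocols static route %s next-hop %s\n' "$prefix" "$peer"
    fi
}

# Constructed sample routes (PREFIX NEXTHOP per line): the three from the post
# plus one ordinary route via a LAN gateway that should pass unchanged.
ROUTES="192.168.112.0/24 10.0.0.2
192.168.115.0/24 10.0.0.2
192.168.119.0/24 10.0.0.2
10.10.0.0/16 192.168.1.1"

# bad_route_count: number of sample routes that would hit the commit warning.
bad_route_count() {
    printf '%s\n' "$ROUTES" | while read -r prefix nh; do
        check_route "$prefix" "$nh"
    done | grep -c '^delete '
}

# Report every sample route when the script is run directly.
printf '%s\n' "$ROUTES" | while read -r prefix nh; do
    printf '== %s via %s\n' "$prefix" "$nh"
    check_route "$prefix" "$nh"
done
```

The interface-route form is the safer of the two fixes for a vti: it does not depend on the peer address being reachable in the routing table, and the /31 peer computation above only covers the point-to-point case shown in the post.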