Hello.
Currently, the production environment is using a failover cluster on VyOS 1.2.x with the configuration presented here: https://forum.vyos.io/t/after-changing-the-active-node-of-the-cluster-the-vpn-connection-is-not-established/4695
In preparation for migrating to VyOS v1.3, I tested the deployment of similar functionality in a lab environment.
- When migrating the current configuration from 1.2 to 1.3, the cluster module was removed, and minor changes were made to the VPN settings. This is to be expected as the failover cluster module is deprecated and needs to be replaced with VRRP and the various VPN modules have been replaced with a single Accel-PPP.
- I made a clean installation of VyOS 1.3-rc and loaded a configuration similar to the working one, taking into account the changes made:
high-availability {
    vrrp {
        group LAN {
            advertise-interval 1
            authentication {
                password ****************
                type plaintext-password
            }
            interface eth1
            priority 120
            virtual-address 10.0.0.200/24
            vrid 10
        }
        group WAN {
            advertise-interval 1
            authentication {
                password ****************
                type plaintext-password
            }
            interface eth0
            priority 120
            virtual-address 192.168.31.200/24
            vrid 20
        }
        sync-group MAIN {
            member WAN
            member LAN
        }
    }
}
vpn {
    ipsec {
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username vpnuser {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.0.1.50
                stop 10.0.1.149
            }
            gateway-address 10.0.0.201
            idle 1800
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 3600
                lifetime 3600
            }
            name-server 10.0.0.210
            outside-address 192.168.31.200
        }
    }
    pptp {
        remote-access {
            authentication {
                local-users {
                    username vpnuser {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.0.1.150
                stop 10.0.1.249
            }
            gateway-address 10.0.0.201
            name-server 10.0.0.210
            outside-address 192.168.31.200
        }
    }
}
I found that on bootup the VPN does not work with the VIP, and in order to restore it you need to reapply the VPN configuration (remove a minor part, commit, and then put back the deleted part and commit again). A similar problem will arise when changing the master.
At the moment, I solved the problem using scripts:
vi /config/scripts/reload-vpnconf.sh
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
configure
delete vpn l2tp remote-access name-server '10.0.0.210'
delete vpn pptp remote-access name-server '10.0.0.210'
commit
set vpn l2tp remote-access name-server '10.0.0.210'
set vpn pptp remote-access name-server '10.0.0.210'
commit
exit
vi /config/scripts/vrrp-master.sh
#!/bin/vbash
sg vyattacfg -c /config/scripts/reload-vpnconf.sh
exit
chmod +x /config/scripts/vrrp-master.sh
chmod +x /config/scripts/reload-vpnconf.sh
sudo vi /config/scripts/vyos-postconfig-bootup.script
#!/bin/sh
# This script is executed at boot time after VyOS configuration is fully applied
# Any modifications required to work around unfixed bugs
# or use services not available through the VyOS CLI system can be placed here.
sg vyattacfg -c /config/scripts/reload-vpnconf.sh
exit
set high-availability vrrp group WAN transition-script master '/config/scripts/vrrp-master.sh'
Question: is it possible to get VPN to work with VRRP VIP out of the box without using scripts, or is it fundamentally impossible?
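As an added example (not part of the original post and not VyOS's own code), here is a guarded version of the master transition script described above. Two things bite in practice with this workaround: keepalived can fire the transition script before the VIP is actually installed on the interface, so the VPN daemons are reloaded while the address is still missing; and a flapping master/backup pair can trigger two overlapping runs, which then fight over the configuration session. The script below checks that the VIP is present on the interface (polling briefly), serialises runs with a lock directory, and logs what it did to syslog. It assumes the poster's /config/scripts/reload-vpnconf.sh, the WAN group's VIP and interface from the configuration above, and a lock path of my choosing; the two `ip -4 addr show` outputs are constructed samples for testing offline.

```shell
#!/bin/sh
# Guard wrapper for the VRRP master transition script (added example, not from the post).
# Assumptions: the poster's reload script exists at RELOAD_SCRIPT; VIP and IFACE are the
# WAN group values from the post; LOCK_DIR is an assumed path on tmpfs.

VIP="192.168.31.200"
IFACE="eth0"
RELOAD_SCRIPT="/config/scripts/reload-vpnconf.sh"   # poster's script (assumed present)
LOCK_DIR="/run/vrrp-vpn-reload.lock"                # assumed lock path
RETRIES=5                                            # seconds to wait for the VIP

# vip_present VIP TEXT
# Returns 0 when TEXT (output of `ip -4 addr show dev IFACE`) contains an
# "inet VIP/<prefix>" line. Dots in VIP are escaped so 192.168.31.20 does not
# match 192.168.31.200, and the prefix separator is required for the same reason.
vip_present() {
    _esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]*inet ${_esc}/[0-9]+[[:space:]]"
}

# Constructed sample outputs (not captured from a real system) used by the tests.
SAMPLE_MASTER='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.31.201/24 brd 192.168.31.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.168.31.200/24 scope global secondary eth0
       valid_lft forever preferred_lft forever'

SAMPLE_BACKUP='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.31.201/24 brd 192.168.31.255 scope global eth0
       valid_lft forever preferred_lft forever'

# main: take the lock, wait for the VIP to appear, then run the reload once.
main() {
    # mkdir is atomic, so it works as a lock without needing flock(1).
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        logger -t vrrp-vpn "reload already in progress, skipping this transition"
        exit 0
    fi
    trap 'rmdir "$LOCK_DIR"' EXIT

    i=0
    while [ "$i" -lt "$RETRIES" ]; do
        if vip_present "$VIP" "$(ip -4 addr show dev "$IFACE")"; then
            logger -t vrrp-vpn "VIP $VIP held on $IFACE, reapplying VPN configuration"
            sg vyattacfg -c "$RELOAD_SCRIPT"
            exit $?
        fi
        i=$((i + 1))
        sleep 1
    done
    logger -t vrrp-vpn "VIP $VIP not present on $IFACE after ${RETRIES}s, not reloading"
    exit 1
}

# Only act when executed under the installed file name, so sourcing the file
# for testing does not touch the running configuration.
if [ "${0##*/}" = "vrrp-master-guard.sh" ]; then
    main
fi
```

Save it as /config/scripts/vrrp-master-guard.sh, make it executable, and point the transition script at it instead of vrrp-master.sh (`set high-availability vrrp group WAN transition-script master '/config/scripts/vrrp-master-guard.sh'`). The syslog lines make it easy to confirm from `show log` whether a failover actually reapplied the VPN configuration or bailed out because the VIP never arrived.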