Upgrade 1.2 to 1.3 VRRP VIP and VPN

Hello.

Currently, the production environment is using a failover cluster on VyOS 1.2.x with the configuration presented here: https://forum.vyos.io/t/after-changing-the-active-node-of-the-cluster-the-vpn-connection-is-not-established/4695

In preparation for migrating to VyOS v1.3, I tested the deployment of similar functionality in a lab environment.

  1. When the current configuration was migrated from 1.2 to 1.3, the cluster module was removed and minor changes were made to the VPN settings. This is to be expected, as the failover cluster module is deprecated and needs to be replaced with VRRP, and the various VPN modules have been replaced with a single Accel-PPP.
  2. Made a clean installation of VyOS 1.3-rc and loaded a configuration similar to the working one, taking the changes into account:
high-availability {
    vrrp {
        group LAN {
            advertise-interval 1
            authentication {
                password ****************
                type plaintext-password
            }
            interface eth1
            priority 120
            virtual-address 10.0.0.200/24
            vrid 10
        }
        group WAN {
            advertise-interval 1
            authentication {
                password ****************
                type plaintext-password
            }
            interface eth0
            priority 120
            virtual-address 192.168.31.200/24
            vrid 20
        }
        sync-group MAIN {
            member WAN
            member LAN
        }
    }
}
vpn {
    ipsec {
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username vpnuser {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.0.1.50
                stop 10.0.1.149
            }
            gateway-address 10.0.0.201
            idle 1800
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                ike-lifetime 3600
                lifetime 3600
            }
            name-server 10.0.0.210
            outside-address 192.168.31.200
        }
    }
    pptp {
        remote-access {
            authentication {
                local-users {
                    username vpnuser {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.0.1.150
                stop 10.0.1.249
            }
            gateway-address 10.0.0.201
            name-server 10.0.0.210
            outside-address 192.168.31.200
        }
    }
}

I found that on boot-up the VPN does not work with the VIP; to restore it, you need to reapply the VPN configuration (remove a minor part, commit, then put the deleted part back and commit again). A similar problem arises when the master changes.

At the moment, I solved the problem using scripts:

vi /config/scripts/reload-vpnconf.sh

#!/bin/vbash
# Re-apply the remote-access configuration so the VPN picks up the VIP:
# delete a minor node, commit, then put it back and commit again.
source /opt/vyatta/etc/functions/script-template
configure
delete vpn l2tp remote-access name-server '10.0.0.210'
delete vpn pptp remote-access name-server '10.0.0.210'
commit
set vpn l2tp remote-access name-server '10.0.0.210'
set vpn pptp remote-access name-server '10.0.0.210'
commit
exit

vi /config/scripts/vrrp-master.sh

#!/bin/vbash
# Run by VRRP on transition to master; runs the reload as the vyattacfg group
sg vyattacfg -c /config/scripts/reload-vpnconf.sh
exit

chmod +x /config/scripts/vrrp-master.sh
chmod +x /config/scripts/reload-vpnconf.sh

sudo vi /config/scripts/vyos-postconfig-bootup.script

#!/bin/sh
# This script is executed at boot time after VyOS configuration is fully applied
# Any modifications required to work around unfixed bugs
# or use services not available through the VyOS CLI system can be placed here.
sg vyattacfg -c /config/scripts/reload-vpnconf.sh
exit

set high-availability vrrp group WAN transition-script master '/config/scripts/vrrp-master.sh'

Question: is it possible to get VPN to work with VRRP VIP out of the box without using scripts, or is it fundamentally impossible?

Hello @rodikov, try setting outside-address to 0.0.0.0 as a workaround:

set vpn l2tp remote-access outside-address '0.0.0.0'
set vpn pptp remote-access outside-address '0.0.0.0'

Thank you, it works.
Am I correct in understanding that I can now set up multiple VIPs for multiple ISPs and the VPN connection will work no matter which VIP I connect to?

And one more question: I am planning to add another VPN protocol, SSTP, but I have an HTTP and HTTPS listener for a web application proxy on my VIP. Will this work, or do I need an additional IP?

nat {
    destination {
        rule 100 {
            description "Web Application Proxy"
            destination {
                address 192.168.31.200
                port http,https
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 10.0.0.230
            }
        }
    }
}

It will be good to have one more additional IP for this. Technically it is possible to use a proxy for SSTP, but the CLI commands and configuration concept do not implement it.
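The two points raised in this thread (a remote-access outside-address that is a VRRP VIP, and a destination-NAT rule that already claims https on the VIP an SSTP listener would need) can both be checked from the "show configuration" output. The following is an added example, not code from the thread or from VyOS itself: it assumes the brace-style configuration format shown above, and the names parse_vyos_config, vrrp_vips, audit and SAMPLE_CONFIG are mine. The sample configuration is a constructed, trimmed version of what was posted.

```python
# Added example, not from the thread: parses VyOS "show configuration" text and
# reports (1) l2tp/pptp listeners bound to a VRRP VIP instead of 0.0.0.0 and
# (2) destination-NAT rules that already take https on a VIP (the port SSTP needs).
import shlex


def _as_list(value):
    return value if isinstance(value, list) else [value]


def parse_vyos_config(text):
    """'key value {' -> node[key][value]; 'key {' -> node[key]; 'key value' -> leaf.
    A repeated leaf (member WAN / member LAN) is collected into a list."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = stack[-1]
            for token in shlex.split(line[:-1]):
                node = node.setdefault(token, {})
            stack.append(node)
        else:
            tokens = shlex.split(line)
            key, value = tokens[0], " ".join(tokens[1:])
            node = stack[-1]
            node[key] = _as_list(node[key]) + [value] if key in node else value
    return stack[0]


def vrrp_vips(config):
    """Set of VRRP virtual addresses with the prefix length stripped."""
    groups = config.get("high-availability", {}).get("vrrp", {}).get("group", {})
    return {addr.split("/")[0] for body in groups.values()
            for addr in _as_list(body.get("virtual-address", []))}


def audit(config):
    """Return findings for the two issues discussed in the thread (empty when clean)."""
    vips = vrrp_vips(config)
    findings = []
    # (1) l2tp/pptp outside-address on a VIP: the address is absent on a backup node
    # and at boot, so the listener cannot bind until this node becomes master.
    for proto in ("l2tp", "pptp"):
        ra = config.get("vpn", {}).get(proto, {}).get("remote-access", {})
        outside = ra.get("outside-address")
        if outside in vips:
            findings.append(f"vpn {proto} remote-access outside-address {outside} is a "
                            "VRRP VIP; set it to 0.0.0.0 (the workaround above)")
    # (2) destination NAT already forwarding https on a VIP: an SSTP listener on
    # the same VIP would need that port, so SSTP should get its own address.
    rules = config.get("nat", {}).get("destination", {}).get("rule", {})
    for number, rule in rules.items():
        dest = rule.get("destination", {})
        ports = {p.strip() for p in dest.get("port", "").split(",")}
        if dest.get("address") in vips and ports & {"https", "443"}:
            findings.append(f"nat destination rule {number} already forwards https on "
                            f"VIP {dest['address']}; SSTP needs an additional IP")
    return findings


# Constructed sample, trimmed from the configuration posted in the thread.
SAMPLE_CONFIG = """high-availability {
    vrrp {
        group LAN {
            virtual-address 10.0.0.200/24
        }
        group WAN {
            virtual-address 192.168.31.200/24
        }
        sync-group MAIN {
            member WAN
            member LAN
        }
    }
}
vpn {
    l2tp {
        remote-access {
            outside-address 192.168.31.200
        }
    }
}
nat {
    destination {
        rule 100 {
            destination {
                address 192.168.31.200
                port http,https
            }
        }
    }
}
"""
```

Feed the text of "show configuration" to parse_vyos_config and pass the result to audit; on the sample it reports the l2tp listener bound to the WAN VIP and rule 100 holding https on that VIP, and after changing outside-address to 0.0.0.0 only the NAT finding remains.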

I think yes; you need to try it.

Dmitry, thanks, in the future I will definitely try, but now I do not have the resources for this.