VPN IPSEC routing issue

zakwan · June 12, 2023, 4:19am

Hi,

I just upgraded my VyOS 1.1.8 to 1.3.2. On this router I previously have a VPN IPSEC Policy Based with one of my client. It works for several months.

After I upgrade the router, VPN is up but the remote prefix is not in routing table.
Strange things is I can ping peer prefix.

vRouter:~$ sh vpn ipsec sa 
Connection                      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ------------------------
peer-183.x.x.x-tunnel-1      up       7s        308B/0B         7/0               183.x.x.x      mrcc         AES_CBC_256/HMAC_SHA1_96

vRouter:~$ sh ip ro 10.35.110.9
Routing entry for 0.0.0.0/0
  Known via "static", distance 1, metric 0, best
  Last update 2d19h55m ago
  * 192.168.146.1, via eth0, weight 1

Routing table 220 did not shows anything

vRouter:~$ sh ip ro table 220
vRouter:~$

But can ping to remote prefix :

vRouter:~$ ping 10.35.110.9 source-address 172.20.13.215
PING 10.35.110.9 (10.35.110.9) from 172.20.13.215 : 56(84) bytes of data.
64 bytes from 10.35.110.9: icmp_seq=1 ttl=64 time=29.7 ms
64 bytes from 10.35.110.9: icmp_seq=2 ttl=64 time=271 ms
64 bytes from 10.35.110.9: icmp_seq=3 ttl=64 time=230 ms
^C
--- 10.35.110.9 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 6ms

Viacheslav · June 12, 2023, 6:40am

Policy routes are not always installed in the routing table.
It used routes to match “policy”. You can get them with

sudo ip x policy show

zakwan · June 12, 2023, 8:37am

Hi @Viacheslav

How to install it into routing table? So that my router can find the destination and also can be advertised through other dynamic routing like OSPF or BGP.

fernando · June 12, 2023, 11:54am

Maybe you should chose another type of VPN , route-base in case that you want to add redistribution into a dynamic routing .

Viacheslav · June 12, 2023, 2:41pm

Try restart vpn or reboot the router

zakwan · June 13, 2023, 1:36am

Hi @fernando

I really love to go with Routing Based like VTI or GRE but some of our customers are insists to use Policy Based.

BTW do you know how to install the routing into the routing table?

With 1.1.8 its automatically stored in Kernel routing table.

zakwan · June 13, 2023, 1:38am

Hi @Viacheslav ,

I have a few customers connected to this router. I will try to reboot it tonight.

Any other way to make it goes to routing table?

16again · June 13, 2023, 4:18am

To add it to routing table, just add static routes like 10.35.110.0/24 , pointing to your internet gateway as next hop.
Then you can redistribute those on your LAN side.
It does make some sense to do hard-coding like this: The VPN policies are also hard coded.
Convincing customers is part of my job too…

zakwan · June 13, 2023, 6:52am

Hi @16again

Understand. Just play with SNAT and static route.

Thanks.

system · June 15, 2023, 6:52am

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.