VPN IPSEC routing issue


I just upgraded my VyOS 1.1.8 to 1.3.2. On this router I previously had a policy-based VPN IPsec with one of my clients. It worked for several months.

After I upgraded the router, the VPN is up but the remote prefix is not in the routing table.
The strange thing is I can ping the peer prefix.

vRouter:~$ sh vpn ipsec sa 
Connection                      State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ------------------------
peer-183.x.x.x-tunnel-1      up       7s        308B/0B         7/0               183.x.x.x      mrcc         AES_CBC_256/HMAC_SHA1_96
vRouter:~$ sh ip ro
Routing entry for
  Known via "static", distance 1, metric 0, best
  Last update 2d19h55m ago
  *, via eth0, weight 1

Routing table 220 does not show anything:

vRouter:~$ sh ip ro table 220

But I can ping the remote prefix:

vRouter:~$ ping source-address
PING ( from : 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=29.7 ms
64 bytes from icmp_seq=2 ttl=64 time=271 ms
64 bytes from icmp_seq=3 ttl=64 time=230 ms
--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 6ms

Policy routes are not always installed in the routing table.
Instead of routes, it uses a “policy” to match traffic. You can get them with

sudo ip x policy show

Hi @Viacheslav

How do I install it into the routing table, so that my router can find the destination and it can also be advertised through dynamic routing like OSPF or BGP?

Maybe you should choose another type of VPN, route-based, in case you want to add redistribution into dynamic routing.

Try restarting the VPN or rebooting the router.

Hi @fernando

I would really love to go with route-based like VTI or GRE, but some of our customers insist on using policy-based.

BTW, do you know how to install the route into the routing table?

With 1.1.8 it was automatically stored in the kernel routing table.

Hi @Viacheslav ,

I have a few customers connected to this router. I will try to reboot it tonight.

Any other way to make it go into the routing table?

To add it to the routing table, just add static routes like , pointing to your internet gateway as next hop.
Then you can redistribute those on your LAN side.
It does make some sense to do hard-coding like this: the VPN policies are also hard-coded.
Convincing customers is part of my job too…


Hi @16again

Understood. Just play with SNAT and static routes.

