VPN IPsec vti OSPF

Hi,

I have already brought up VPN IPsec over a vti interface with OSPF routing successfully, and I have done this setup before with no issue. My VyOS is 1.1.8.

These past few days, I wanted to bring up VPN IPsec vti with OSPF between my existing VyOS 1.1.8 and a new VyOS 1.3.1 router. The VPN and vti tunnel are up and I can ping each side with no issue.
However, after I bring up OSPF over this vti, after a few seconds I cannot ping either the remote WAN or the vti peer.

This is consistent: I can ping both WAN and vti peer for around 10 seconds, then cannot ping for around 45 seconds, then can ping again for 10 seconds, and it repeats like this. I tried setting MSS clamping on both sides but the issue still persists.

Could anyone kindly help me with this? Thanks

Hi,

In those 45 seconds, is it only the VTI interfaces you cannot ping, or are the WAN interfaces not pinging either?
Could you provide the configs from both devices?

Hi @Nikolay ,

I cannot ping both VTI and WAN IP.

Site A VyOS version 1.1.8
set vpn ipsec site-to-site peer 210.X.X.X authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 210.X.X.X authentication pre-shared-secret 'ABC'
set vpn ipsec site-to-site peer 210.X.X.X connection-type 'initiate'
set vpn ipsec site-to-site peer 210.X.X.X description 'Site A'
set vpn ipsec site-to-site peer 210.X.X.X ike-group 'IKE'
set vpn ipsec site-to-site peer 210.X.X.X ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 210.X.X.X local-address '211.X.X.X'
set vpn ipsec site-to-site peer 210.X.X.X vti bind 'vti2'
set vpn ipsec site-to-site peer 210.X.X.X vti esp-group 'ESP'

set interfaces vti vti2 address '10.255.1.29/30'
set interfaces vti vti2 firewall local name 'DENY-ALL-EX-OSPF-SSH-SNMP'
set interfaces vti vti2 ip ospf authentication md5 key-id 2 md5-key 'ABCtest'
set interfaces vti vti2 ip ospf dead-interval '40'
set interfaces vti vti2 ip ospf hello-interval '10'
set interfaces vti vti2 ip ospf network 'point-to-point'
set interfaces vti vti2 ip ospf priority '1'
set interfaces vti vti2 ip ospf retransmit-interval '5'
set interfaces vti vti2 ip ospf transmit-delay '1'

Site B VyOS version 1.3.1
set vpn ipsec site-to-site peer 211.X.X.X authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 211.X.X.X authentication pre-shared-secret 'ABC'
set vpn ipsec site-to-site peer 211.X.X.X connection-type 'initiate'
set vpn ipsec site-to-site peer 211.X.X.X description 'Site B'
set vpn ipsec site-to-site peer 211.X.X.X ike-group 'IKE'
set vpn ipsec site-to-site peer 211.X.X.X ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 211.X.X.X local-address '210.X.X.X'
set vpn ipsec site-to-site peer 211.X.X.X vti bind 'vti0'
set vpn ipsec site-to-site peer 211.X.X.X vti esp-group 'ESP'

set interfaces vti vti0 address '10.255.1.30/30'
set interfaces vti vti0 firewall local name 'DENY-ALL-EX-OSPF-SSH-SNMP'
set interfaces vti vti0 ip ospf authentication md5 key-id 2 md5-key 'ABCtest'
set interfaces vti vti0 ip ospf dead-interval '40'
set interfaces vti vti0 ip ospf hello-interval '10'
set interfaces vti vti0 ip ospf network 'point-to-point'
set interfaces vti vti0 ip ospf priority '1'
set interfaces vti vti0 ip ospf retransmit-interval '5'
set interfaces vti vti0 ip ospf transmit-delay '1'

Ping 10.255.1.29 from Site B. I get responses for around 15 seconds and loss for around 45 seconds:
ping 10.255.1.29
PING 10.255.1.29 (10.255.1.29) 56(84) bytes of data.
64 bytes from 10.255.1.29: icmp_seq=36 ttl=64 time=34.7 ms
64 bytes from 10.255.1.29: icmp_seq=37 ttl=64 time=34.0 ms
64 bytes from 10.255.1.29: icmp_seq=38 ttl=64 time=33.8 ms
64 bytes from 10.255.1.29: icmp_seq=39 ttl=64 time=34.1 ms
64 bytes from 10.255.1.29: icmp_seq=40 ttl=64 time=33.9 ms
64 bytes from 10.255.1.29: icmp_seq=41 ttl=64 time=34.0 ms
64 bytes from 10.255.1.29: icmp_seq=42 ttl=64 time=34.2 ms
64 bytes from 10.255.1.29: icmp_seq=43 ttl=64 time=34.0 ms
64 bytes from 10.255.1.29: icmp_seq=44 ttl=64 time=34.5 ms
64 bytes from 10.255.1.29: icmp_seq=45 ttl=64 time=34.3 ms
64 bytes from 10.255.1.29: icmp_seq=46 ttl=64 time=34.1 ms
64 bytes from 10.255.1.29: icmp_seq=47 ttl=64 time=34.2 ms
64 bytes from 10.255.1.29: icmp_seq=48 ttl=64 time=34.0 ms
64 bytes from 10.255.1.29: icmp_seq=49 ttl=64 time=34.4 ms
64 bytes from 10.255.1.29: icmp_seq=50 ttl=64 time=34.1 ms
64 bytes from 10.255.1.29: icmp_seq=51 ttl=64 time=34.2 ms
^C
--- 10.255.1.29 ping statistics ---
55 packets transmitted, 16 received, 70.9091% packet loss, time 970ms
rtt min/avg/max/mdev = 33.847/34.161/34.666/0.292 ms

After removing OSPF from the VTI network, I can ping both VTI and WAN without packet loss.

It looks like you are sending your WAN IP via OSPF.
Try to exclude the WAN links from OSPF.
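The symptom Nikolay points at can be confirmed from the routing table: once the remote WAN prefix is learned through OSPF over the VTI, the encrypted packets to the IPsec peer are themselves routed into the tunnel, the tunnel drops, the OSPF route is withdrawn, and the cycle repeats. The following Python check is an added example (not from the thread or from VyOS) that parses constructed `ip route` output and reports whether the peer address resolves through the VTI; the concrete addresses, `eth0` as the WAN interface and the OSPF metric are assumptions standing in for the thread's placeholder values.

```python
import ipaddress

# Constructed sample of `ip route` on Site B (vti0 side) once Site A's WAN
# prefix (211.x, placeholder from the thread) has been learned via OSPF over
# the tunnel. Addresses, eth0 and the metric are assumed, not from the thread.
ROUTE_TABLE_RECURSIVE = """\
default via 210.0.0.1 dev eth0 proto static
210.0.0.0/30 dev eth0 proto kernel scope link src 210.0.0.2
211.0.0.0/30 via 10.255.1.29 dev vti0 proto ospf metric 20
10.255.1.28/30 dev vti0 proto kernel scope link src 10.255.1.30
"""

# Same table after the WAN prefix is no longer advertised into OSPF.
ROUTE_TABLE_FIXED = """\
default via 210.0.0.1 dev eth0 proto static
210.0.0.0/30 dev eth0 proto kernel scope link src 210.0.0.2
10.255.1.28/30 dev vti0 proto kernel scope link src 10.255.1.30
"""


def parse_routes(text):
    """Turn `ip route` lines into (destination network, egress device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes


def egress_device(routes, address):
    """Longest-prefix match: the interface a packet to `address` leaves on."""
    addr = ipaddress.ip_address(address)
    matches = [(net, dev) for net, dev in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def tunnel_is_recursive(route_text, peer_address, vti_name):
    """True when the IPsec peer would be reached through the VTI it carries,
    i.e. the WAN prefix has leaked into the tunnel's routing via OSPF."""
    return egress_device(parse_routes(route_text), peer_address) == vti_name
```

Run the same check against live `ip route` output before enabling OSPF on the VTI and again a few seconds after the adjacency comes up; a flip from the WAN interface to the VTI is the misconfiguration described in this thread.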

Yes that’s it. What a silly mistake :sweat_smile:
Thank you so much @Nikolay

Pretty common mistake
Did it myself more than once :sweat_smile:
