Hi All!
I am trying to use VyOS routers to implement an IPsec VPN backup scheme.
VyOS-1 is connected to VyOS-3 over two links: eth1 with IP 10.1.3.1/24 and eth3 with IP 10.2.4.1/24.
VyOS-3 is connected to VyOS-1 over two links: eth1 with IP 10.1.3.3/24 and eth3 with IP 10.2.4.3/24.
I have two IPsec connections using VTI binding. The first connection uses eth1-eth1 and the vti0 interface, the second connection uses eth3-eth3 and the vti1 interface.
For backup I use static interface routes with different distances.
Here is my configuration:
[code]vyos@VyOS-1# show
interfaces {
    ethernet eth0 {
        address xxx
        description Inet
        duplex auto
        hw-id 00:50:56:01:00:4e
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 10.1.3.1/24
        description "Link to VyOS-3"
        duplex auto
        hw-id 00:50:56:01:00:4f
        smp_affinity auto
        speed auto
    }
    ethernet eth3 {
        address 10.2.4.1/24
        hw-id 00:50:56:01:00:59
    }
    loopback lo {
    }
    vti vti0 {
        address 10.10.0.1/30
    }
    vti vti1 {
        address 10.10.1.1/30
    }
}
protocols {
    static {
        interface-route 192.168.34.0/24 {
            next-hop-interface vti0 {
                distance 10
            }
            next-hop-interface vti1 {
                distance 20
            }
        }
        route 0.0.0.0/0 {
            next-hop 185.96.86.17 {
            }
        }
    }
}
service {
    ssh {
        port 22
    }
}
vpn {
    ipsec {
        auto-update 30
        esp-group test1-esp {
            compression disable
            lifetime 30
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group test1-ike {
            dead-peer-detection {
                action restart
                interval 30
                timeout 90
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 30
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth1
            interface eth3
        }
        site-to-site {
            peer 10.1.3.3 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret Test1Test2Test3
                }
                connection-type initiate
                ike-group test1-ike
                ikev2-reauth inherit
                local-address 10.1.3.1
                vti {
                    bind vti0
                    esp-group test1-esp
                }
            }
            peer 10.2.4.3 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret Test1Test2Test3
                }
                connection-type initiate
                ike-group test1-ike
                ikev2-reauth inherit
                local-address 10.2.4.1
                vti {
                    bind vti1
                    esp-group test1-esp
                }
            }
        }
    }
}[/code]
An analogous config is on VyOS-3. The IPsec connections are established and work well: traffic goes across vti0. Then I disable eth1 to test the backup mechanism, and traffic goes to vti1 via the second IPsec connection. But when I enable eth1 again, the link comes up, but traffic doesn't go via the first IPsec connection. The cause is that vti0 is in the Administratively Down state, and I can fix it only by using "restart vpn" or by disabling and enabling vti0 in the config with a commit.
[code]vyos@VyOS-1# run sh int vti
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
vti0             10.10.0.1/30                      A/D
vti1             10.10.1.1/30                      u/u
[edit]
vyos@VyOS-1# run res
reset    restart
[edit]
vyos@VyOS-1# run restart vpn
Restarting IPsec process...
[edit]
vyos@VyOS-1# run sh int vti
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
vti0             10.10.0.1/30                      u/u
vti1             10.10.1.1/30                      u/u[/code]
I think it is some bug with the vti hanging. Does somebody have any idea about this issue? Or maybe someone knows another way of doing IPsec failover/backup with two peers?
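As an added example (not part of the original post, and not VyOS code): a small POSIX shell watchdog that parses the "show interfaces vti" output in exactly the format pasted above, finds VTIs whose S/L column reads A/D, and decides whether the "restart vpn" workaround from the post should be run. The only command names used are the two that appear in the post; the /opt/vyatta/bin/vyatta-op-cmd-wrapper path, the stamp file, the 600 second rate limit and the vti-watchdog syslog tag are assumptions chosen for the example, and the two sample outputs are constructed from the post's format. The rate limit matters because, as the post's own output shows ("Restarting IPsec process..."), the workaround restarts the whole IPsec process and therefore also interrupts the tunnel that is still healthy; an unbounded loop of restarts would turn a stuck backup path into an outage of the primary one.

```shell
#!/bin/sh
# Added example, not from the original post or from VyOS.
# Detect VTI interfaces stuck in A/D (Admin Down) in "show interfaces vti"
# output and decide whether "restart vpn" should be run, with a rate limit.
# Assumptions: vyatta-op-cmd-wrapper path, STAMP_FILE default, 600 s limit.

# Constructed sample in the post's format: vti0 stuck admin-down.
SAMPLE_STUCK='Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
vti0             10.10.0.1/30                      A/D
vti1             10.10.1.1/30                      u/u'

# Constructed sample: both tunnels healthy.
SAMPLE_HEALTHY='Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
vti0             10.10.0.1/30                      u/u
vti1             10.10.1.1/30                      u/u'

# admin_down_vtis: read "show interfaces vti" output on stdin and print the
# names of interfaces whose third column (S/L) is A/D, one per line.
admin_down_vtis() {
    awk '$1 ~ /^vti[0-9]+$/ && $3 == "A/D" { print $1 }'
}

# count_admin_down: number of admin-down VTIs in the text passed as $1.
count_admin_down() {
    printf '%s\n' "$1" | admin_down_vtis | wc -l | tr -d ' '
}

# decide_action: $1 = command output, $2 = minimum seconds between restarts,
# $3 = stamp file holding the epoch time of the last restart, $4 = now (epoch).
# Prints "ok" (nothing wrong), "skip" (admin-down VTI but rate-limited) or
# "restart" (admin-down VTI and the last restart is old enough).
decide_action() {
    output=$1; min_interval=$2; stamp=$3; now=$4
    if [ "$(count_admin_down "$output")" -eq 0 ]; then
        echo ok
        return 0
    fi
    last=$(cat "$stamp" 2>/dev/null)
    case $last in ''|*[!0-9]*) last=0 ;; esac   # missing or corrupt stamp
    if [ $((now - last)) -lt "$min_interval" ]; then
        echo skip
        return 0
    fi
    echo restart
}

# main: the real loop body for a periodic job on the router. Never called by
# the test; only runs when VTI_WATCHDOG_RUN is set so the file can be sourced.
main() {
    stamp=${STAMP_FILE:-/tmp/vti-watchdog.stamp}                 # assumption
    wrapper=${OP_WRAPPER:-/opt/vyatta/bin/vyatta-op-cmd-wrapper} # assumption
    out=$("$wrapper" show interfaces vti)
    case $(decide_action "$out" 600 "$stamp" "$(date +%s)") in
        restart)
            logger -t vti-watchdog "admin-down VTI: $(printf '%s\n' "$out" | admin_down_vtis | tr '\n' ' ')running restart vpn"
            date +%s > "$stamp"
            "$wrapper" restart vpn
            ;;
        skip)
            logger -t vti-watchdog "admin-down VTI present but restart is rate-limited"
            ;;
    esac
}

if [ -n "${VTI_WATCHDOG_RUN:-}" ]; then
    main
fi
```

Run it as a periodic job with VTI_WATCHDOG_RUN=1 set; without that variable the file only defines the functions, which is what the assertions below exercise. The 600 second floor between restarts is a deliberate trade-off: it caps how often the healthy tunnel is dropped while still clearing the stuck vti0 within minutes of eth1 coming back.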