VyOS 1.4-rolling-202110120918 Site to site tunnel with AWS


Hi

I'm using VyOS 1.4-rolling-202110120918.

Looking for help on setting up a site-to-site VPN with an AWS VPC.
The tunnel is up, but I cannot ping the AWS VTI:
no traffic traverses the tunnel, except for BGP requests from the AWS VTI, which are sometimes replied to by the VTI on the VyOS.
Also, I couldn't completely follow the BGP commands in the AWS VPN document, because the syntax appears to have changed.
Please can someone help to set me straight?

My current configuration:

```
# IKE (phase 1) group
set vpn ipsec ike-group vyos-aws-ike-0 lifetime '28800'
set vpn ipsec ike-group vyos-aws-ike-0 proposal 1 dh-group '2'
set vpn ipsec ike-group vyos-aws-ike-0 proposal 1 encryption 'aes128'
set vpn ipsec ike-group vyos-aws-ike-0 proposal 1 hash 'sha1'

# Peer (the peer name, pre-shared secret and local address were blanked out in the post)
set vpn ipsec site-to-site peer authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer authentication pre-shared-secret ''
set vpn ipsec site-to-site peer description 'vyos VPC tunnel 0'
set vpn ipsec site-to-site peer ike-group 'vyos-aws-ike-0'
set vpn ipsec site-to-site peer local-address ''
set vpn ipsec site-to-site peer vti bind 'vti01'
set vpn ipsec site-to-site peer vti esp-group 'vyos-aws-esp-0'

# Outside interface and ESP (phase 2) group
set vpn ipsec ipsec-interfaces interface 'eth2'
set vpn ipsec esp-group vyos-aws-esp-0 compression 'disable'
set vpn ipsec esp-group vyos-aws-esp-0 lifetime '3600'
set vpn ipsec esp-group vyos-aws-esp-0 mode 'tunnel'
set vpn ipsec esp-group vyos-aws-esp-0 pfs 'enable'
set vpn ipsec esp-group vyos-aws-esp-0 proposal 1 encryption 'aes128'
set vpn ipsec esp-group vyos-aws-esp-0 proposal 1 hash 'sha1'

# Dead peer detection
set vpn ipsec ike-group vyos-aws-ike-0 dead-peer-detection action 'restart'
set vpn ipsec ike-group vyos-aws-ike-0 dead-peer-detection interval '15'
set vpn ipsec ike-group vyos-aws-ike-0 dead-peer-detection timeout '30'

# BGP as given in the AWS document (1.2/1.3 syntax, with the ASN after 'bgp')
set protocols bgp 65000 neighbor 169.254.104.65 remote-as '64512'
set protocols bgp 65000 neighbor 169.254.104.65 soft-reconfiguration 'inbound'
set protocols bgp 65000 neighbor 169.254.104.65 timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.104.65 timers keepalive '10'

set protocols bgp 65000 network 0.0.0.0/0
```

The BGP commands are rejected as written; what I actually have is:

```
set protocols bgp address-family ipv4-unicast network 10.200.0.0/16
set protocols bgp local-as '65000'
set protocols bgp neighbor 169.254.104.65 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 169.254.104.65 capability
set protocols bgp neighbor 169.254.104.65 disable-connected-check
set protocols bgp neighbor 169.254.104.65 ebgp-multihop '10'
set protocols bgp neighbor 169.254.104.65 remote-as '64512'
set protocols bgp neighbor 169.254.104.65 timers holdtime '30'
set protocols bgp neighbor 169.254.104.65 timers keepalive '10'
set protocols bgp neighbor 169.254.104.65 update-source '169.254.104.66'
```

(The `capability` line has no value after it as pasted.)

I can't ping the AWS VTI:

```
# ping 169.254.104.65
PING 169.254.104.65 (169.254.104.65) 56(84) bytes of data.
From 169.254.104.66 icmp_seq=1 Destination Host Unreachable
From 169.254.104.66 icmp_seq=2 Destination Host Unreachable
^C
--- 169.254.104.65 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1026ms
```

But there are BGP requests from the AWS side:

```
# tcpdump -i vti01
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vti01, link-type RAW (Raw IP), snapshot length 262144 bytes
10:17:48.885995 IP 169.254.104.66.46395 > 169.254.104.65.bgp: Flags [S], seq 1435613076, win 64216, options [mss 1396,sackOK,TS val 1887071169 ecr 0,nop,wscale 7], length 0
10:18:00.606147 IP 169.254.104.65.42681 > 169.254.104.66.bgp: Flags [S], seq 3124765092, win 26880, options [mss 1375,sackOK,TS val 2481240683 ecr 0,nop,wscale 7], length 0
10:18:01.644345 IP 169.254.104.65.42681 > 169.254.104.66.bgp: Flags [S], seq 3124765092, win 26880, options [mss 1375,sackOK,TS val 2481241721 ecr 0,nop,wscale 7], length 0
10:18:03.652778 IP 169.254.104.65.42681 > 169.254.104.66.bgp: Flags [S], seq 3124765092, win 26880, options [mss 1375,sackOK,TS val 2481243730 ecr 0,nop,wscale 7], length 0
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
```

I also assumed (wrongly?) that I would see BGP here:

```
# run show bgp
No BGP prefixes displayed, 0 exist
```

Thanks for any advice!

Hi @sinaowolabi.
BGP commands are different in the 1.3 and 1.4 versions.
You may find the proper BGP commands for version 1.4 in our docs.

What is the output when the new BGP commands are rejected?
Also, can you share the VTI config?

In a previous lab, this was the minimum config on the VyOS side for BGP and VTI. As you said the VPN is up, I just omit that config:

```
# Tunnel-01 config
# Public address, vti address and psk obtained from tunnel config in AWS.
set interfaces vti vti0 address 169.254.198.165/30

# Tunnel-02 config
# Public address, vti address and psk obtained from tunnel config in AWS.
set interfaces vti vti1 address 169.254.89.249/30

# BGP Config (1.2/1.3 syntax: the local ASN follows 'bgp'; the node is 'protocols', not 'protocol')
set protocols bgp 65510 address-family ipv4-unicast network 192.168.0.0/16
set protocols bgp 65510 parameters router-id 192.0.2.2

set protocols bgp 65510 neighbor 169.254.150.89 description "BGP - AWS tunnel 01"
set protocols bgp 65510 neighbor 169.254.150.89 remote-as 65515
set protocols bgp 65510 neighbor 169.254.150.89 update-source 169.254.150.90

set protocols bgp 65510 neighbor 169.254.76.37 description "BGP - AWS tunnel 02"
set protocols bgp 65510 neighbor 169.254.76.37 remote-as 65515
set protocols bgp 65510 neighbor 169.254.76.37 update-source 169.254.76.38
```

Hope this "template" is useful for you, and please note that those commands are for the 1.2 and 1.3 versions!

Thanks.
But the problem I am having is translating these 1.2/1.3 commands into the proper 1.4 format. That's what's confusing for me :slight_smile:
For example `set protocols bgp 65510 address-family ipv4-unicast network 192.168.0.0/16`

Same commands for 1.4:

```
# BGP Config
vyos@vyos:~$ show config comm | grep bgp
set protocols bgp address-family ipv4-unicast network 192.168.0.0/16
set protocols bgp local-as '65510'
set protocols bgp neighbor 169.254.76.37 description 'BGP - AWS tunnel 02'
set protocols bgp neighbor 169.254.76.37 remote-as '65515'
set protocols bgp neighbor 169.254.76.37 update-source '169.254.76.38'
set protocols bgp neighbor 169.254.150.89 description 'BGP - AWS tunnel 01'
set protocols bgp neighbor 169.254.150.89 remote-as '65515'
set protocols bgp neighbor 169.254.150.89 update-source '169.254.150.90'
set protocols bgp parameters router-id '192.0.2.2'

# Show version
vyos@vyos:~$ show version

Version:          VyOS 1.4-rolling-202111280953
Release train:    sagitta
```

And once again, all BGP commands for 1.4 are available in the VyOS docs, including configuration examples.
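An added example (my own, not VyOS's migration tooling and not code posted by anyone in this thread): it mechanically applies the 1.2/1.3 to 1.4 BGP rewrite that the two replies above illustrate by hand (the ASN after `bgp` becomes `local-as`; bare `network` and neighbor `soft-reconfiguration` move under `address-family ipv4-unicast`), and runs a few review checks over the IPsec lines from the first post. The sample commands are re-typed from this thread. The crypto findings are my own rules of thumb, resting on the fact that AWS Site-to-Site VPN accepts DH group 14 and above, SHA-2 integrity and IKEv2, so none of the suggested replacements need the AWS side to change; the VTI check only tests that every VTI bound to a peer also has an `interfaces vti ... address` line in the paste.

```python
"""1.2/1.3 -> 1.4 BGP command rewrite plus IPsec/VTI sanity checks (added example)."""
import re
import shlex

# 'protocol' (the typo in the template above) and 'protocols' are both accepted.
_LEGACY_BGP = re.compile(r"^set protocols? bgp (\d+)(?: (.*))?$")
# Forum software turns ' and " into curly quotes; map them back before splitting.
_QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})
_WEAK_DH = {"1", "2", "5"}          # 768/1024/1536-bit MODP groups
_WEAK_HASH = {"md5", "sha1"}


def _tokens(text):
    return shlex.split(text.translate(_QUOTES))


def _join(tokens):
    # shlex.quote only quotes tokens that need it, e.g. a description with spaces.
    return " ".join(shlex.quote(t) for t in tokens)


def _kv(t, i):
    """(key, value) at positions i, i+1, or (None, None) if the line is shorter."""
    return (t[i], t[i + 1]) if len(t) > i + 1 else (None, None)


def translate_bgp(lines):
    """Return 1.4-style commands in input order. One 'local-as' line is emitted
    where the first legacy command appears; non-legacy lines pass through."""
    out, local_as = [], None
    for raw in lines:
        line = raw.strip()
        m = _LEGACY_BGP.match(line)
        if not m:
            out.append(line)
            continue
        asn, tail = m.group(1), m.group(2) or ""
        if local_as is None:
            local_as = asn
            out.append(f"set protocols bgp local-as {asn}")
        elif asn != local_as:
            raise ValueError(f"second local AS {asn} (already {local_as}): {raw}")
        toks = _tokens(tail)
        if not toks:                      # bare 'set protocols bgp <ASN>'
            continue
        if toks[0] == "network":
            toks = ["address-family", "ipv4-unicast"] + toks
        elif toks[:1] == ["neighbor"] and toks[2:3] == ["soft-reconfiguration"]:
            toks = toks[:2] + ["address-family", "ipv4-unicast"] + toks[2:]
        out.append("set protocols bgp " + _join(toks))
    return out


def audit_ipsec(lines):
    """Findings a reviewer would raise on a pasted config before blaming the far end."""
    findings, ike_groups, ikev2, bound, addressed = [], set(), set(), set(), set()
    for raw in lines:
        t = _tokens(raw.strip())
        if t[:4] == ["set", "vpn", "ipsec", "ike-group"] and len(t) > 5:
            g, (k, v) = t[4], _kv(t, 7)
            ike_groups.add(g)
            if t[5:7] == ["key-exchange", "ikev2"]:
                ikev2.add(g)
            if t[5] == "proposal" and k == "dh-group" and v in _WEAK_DH:
                findings.append(f"{g}: dh-group {v} is a <=1536-bit MODP group; use 14 or higher")
            if t[5] == "proposal" and k == "hash" and v in _WEAK_HASH:
                findings.append(f"{g}: IKE integrity {v}; use sha256 or stronger")
        elif t[:4] == ["set", "vpn", "ipsec", "esp-group"] and len(t) > 5:
            g, (k, v) = t[4], _kv(t, 7)
            if t[5:7] == ["pfs", "enable"]:
                findings.append(f"{g}: 'pfs enable' reuses the ike-group DH group; set e.g. 'pfs dh-group14'")
            if t[5] == "proposal" and k == "hash" and v in _WEAK_HASH:
                findings.append(f"{g}: ESP integrity {v}; use sha256 or stronger")
        elif t[:4] == ["set", "vpn", "ipsec", "site-to-site"] and "bind" in t:
            i = t.index("bind")           # '... vti bind <vtiN>'; the peer name may be redacted
            if t[i - 1] == "vti" and i + 1 < len(t):
                bound.add(t[i + 1])
        elif t[:3] == ["set", "interfaces", "vti"] and t[4:5] == ["address"]:
            addressed.add(t[3])
    for g in sorted(ike_groups - ikev2):
        findings.append(f"{g}: no 'key-exchange ikev2', so the VyOS default IKEv1 is used")
    for v in sorted(bound - addressed):
        findings.append(f"{v}: bound to a peer, but no 'set interfaces vti {v} address' in the paste")
    return findings


# Constructed input, re-typed from this thread: the 1.2/1.3 template for tunnel 01 ...
TEMPLATE_13 = [
    "set protocol bgp 65510 address-family ipv4-unicast network 192.168.0.0/16",
    "set protocol bgp 65510 parameters router-id 192.0.2.2",
    'set protocol bgp 65510 neighbor 169.254.150.89 description "BGP - AWS tunnel 01"',
    "set protocol bgp 65510 neighbor 169.254.150.89 remote-as 65515",
    "set protocol bgp 65510 neighbor 169.254.150.89 update-source 169.254.150.90",
]
# ... and the first post's IPsec lines (peer name and secrets were blank there too).
OP_IPSEC = [
    "set vpn ipsec ike-group vyos-aws-ike-0 proposal 1 dh-group \u20182\u2019",
    "set vpn ipsec ike-group vyos-aws-ike-0 proposal 1 encryption \u2018aes128\u2019",
    "set vpn ipsec ike-group vyos-aws-ike-0 proposal 1 hash \u2018sha1\u2019",
    "set vpn ipsec site-to-site peer vti bind \u2018vti01\u2019",
    "set vpn ipsec esp-group vyos-aws-esp-0 pfs \u2018enable\u2019",
    "set vpn ipsec esp-group vyos-aws-esp-0 proposal 1 hash \u2018sha1\u2019",
]

if __name__ == "__main__":
    for cmd in translate_bgp(TEMPLATE_13):
        print(cmd)
    for finding in audit_ipsec(OP_IPSEC):
        print("CHECK:", finding)
```

Running it prints the same six `set protocols bgp ...` lines the 1.4 `show config comm | grep bgp` output above contains for tunnel 01 (values unquoted, which the CLI accepts), and six findings for the first post's paste: DH group 2, SHA-1 in both the IKE and ESP proposals, `pfs enable` inheriting that group, no `key-exchange ikev2`, and `vti01` bound without an address line. Adding `set interfaces vti vti01 address 169.254.104.66/30` to the input clears the last one.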

Thank you. Apologies for being a bother.
Beginning to think there are problems at the AWS end, which I don’t have access to or manage.
