Hi
I am trying to set up IPsec tunnels to an AWS VPC with BGP running over the VTI interfaces.
Oddly, BGP replies are not being sent through the VTI interfaces (or at all).
I checked the journal with `journalctl -x | grep bgp`
and found this repeating every two minutes, one line per peer:
Apr 14 09:03:06 gw00 bgpd[1162]: [VZ06J-9VWXE][EC 100663299] can’t bind socket for 169.254.144.29 : Cannot assign requested address
Apr 14 09:03:13 gw00 bgpd[1162]: [VZ06J-9VWXE][EC 100663299] can’t bind socket for 169.254.177.37 : Cannot assign requested address
Apr 14 09:05:06 gw00 bgpd[1162]: [VZ06J-9VWXE][EC 100663299] can’t bind socket for 169.254.144.29 : Cannot assign requested address
Apr 14 09:05:13 gw00 bgpd[1162]: [VZ06J-9VWXE][EC 100663299] can’t bind socket for 169.254.177.37 : Cannot assign requested address
Apr 14 09:07:06 gw00 bgpd[1162]: [VZ06J-9VWXE][EC 100663299] can’t bind socket for 169.254.144.29 : Cannot assign requested address
Apr 14 09:07:13 gw00 bgpd[1162]: [VZ06J-9VWXE][EC 100663299] can’t bind socket for 169.254.177.37 : Cannot assign requested address
Apr 14 09:09:06 gw00 bgpd[1162]: [VZ06J-9VWXE][EC 100663299] can’t bind socket for 169.254.144.29 : Cannot assign requested address
Apr 14 09:09:13 gw00 bgpd[1162]: [VZ06J-9VWXE][EC 100663299] can’t bind socket for 169.254.177.37 : Cannot assign requested address
any reason why bgp will be complaining about this?
My Ipsec config is like this:
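# IPsec configuration for the two AWS Site-to-Site VPN tunnels (VyOS "set" form).
# Quotes normalised to plain ASCII ' so the lines paste cleanly into configure mode;
# the smart quotes in the forum rendering would be taken literally by the CLI.
#
# NOTE(review): the original proposals were aes128 / sha1 / dh-group 2 (1024-bit MODP).
# SHA-1 and DH group 2 are below current guidance; AWS tunnels accept AES-256, SHA2-256
# and DH group 14, which are used below. Confirm the tunnel options on the AWS side
# allow them (the defaults do) -- if the tunnel is pinned to specific algorithms,
# match those instead. This hardening is independent of the BGP bind error, which is
# an address/VTI problem, not a crypto one.

# --- ESP (phase 2) ---
set vpn ipsec esp-group to-aws-1 compression 'disable'
set vpn ipsec esp-group to-aws-1 lifetime '3600'
set vpn ipsec esp-group to-aws-1 mode 'tunnel'
# 'pfs enable' inherits the DH group from the IKE group, so PFS follows dh-group 14 below.
set vpn ipsec esp-group to-aws-1 pfs 'enable'
set vpn ipsec esp-group to-aws-1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group to-aws-1 proposal 1 hash 'sha256'
set vpn ipsec esp-group to-aws-2 compression 'disable'
set vpn ipsec esp-group to-aws-2 lifetime '3600'
set vpn ipsec esp-group to-aws-2 mode 'tunnel'
set vpn ipsec esp-group to-aws-2 pfs 'enable'
set vpn ipsec esp-group to-aws-2 proposal 1 encryption 'aes256'
set vpn ipsec esp-group to-aws-2 proposal 1 hash 'sha256'

# --- IKE (phase 1) ---
# DPD 'restart' re-establishes the SA when the peer stops answering; AWS expects
# the customer gateway to initiate, so leave this as restart rather than clear.
set vpn ipsec ike-group to-aws-1 dead-peer-detection action 'restart'
set vpn ipsec ike-group to-aws-1 dead-peer-detection interval '15'
set vpn ipsec ike-group to-aws-1 dead-peer-detection timeout '30'
set vpn ipsec ike-group to-aws-1 lifetime '28800'
set vpn ipsec ike-group to-aws-1 proposal 1 dh-group '14'
set vpn ipsec ike-group to-aws-1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group to-aws-1 proposal 1 hash 'sha256'
set vpn ipsec ike-group to-aws-2 dead-peer-detection action 'restart'
set vpn ipsec ike-group to-aws-2 dead-peer-detection interval '15'
set vpn ipsec ike-group to-aws-2 dead-peer-detection timeout '30'
set vpn ipsec ike-group to-aws-2 lifetime '28800'
set vpn ipsec ike-group to-aws-2 proposal 1 dh-group '14'
set vpn ipsec ike-group to-aws-2 proposal 1 encryption 'aes256'
set vpn ipsec ike-group to-aws-2 proposal 1 hash 'sha256'

# --- Peers ---
# a.a.a.a / b.b.b.b are the two AWS tunnel outside addresses; x.x.x.x is this
# gateway's local address. The pre-shared secrets are shown empty here (presumably
# redacted) -- each must be the exact secret from the AWS tunnel configuration, and
# a genuinely empty value would leave the tunnel unable to authenticate.
set vpn ipsec site-to-site peer a.a.a.a authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer a.a.a.a authentication pre-shared-secret ''
set vpn ipsec site-to-site peer a.a.a.a description 'AWS transit VPC tunnel 1'
set vpn ipsec site-to-site peer a.a.a.a ike-group 'to-aws-1'
set vpn ipsec site-to-site peer a.a.a.a local-address 'x.x.x.x'
# vti02 / vti03 must exist under 'interfaces vti' with the AWS inside (169.254.x.x)
# addresses assigned; that interface block is not shown in this post.
set vpn ipsec site-to-site peer a.a.a.a vti bind 'vti02'
set vpn ipsec site-to-site peer a.a.a.a vti esp-group 'to-aws-1'
set vpn ipsec site-to-site peer b.b.b.b authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer b.b.b.b authentication pre-shared-secret ''
set vpn ipsec site-to-site peer b.b.b.b description 'AWS transit VPC tunnel 2'
set vpn ipsec site-to-site peer b.b.b.b ike-group 'to-aws-2'
set vpn ipsec site-to-site peer b.b.b.b local-address 'x.x.x.x'
set vpn ipsec site-to-site peer b.b.b.b vti bind 'vti03'
set vpn ipsec site-to-site peer b.b.b.b vti esp-group 'to-aws-2'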
My BGP configuration is like this:
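# BGP configuration for the two AWS tunnel peers (VyOS "set" form).
# Quotes normalised to plain ASCII ' so the lines paste cleanly into configure mode.
#
# NOTE(review): bgpd logs "can't bind socket for 169.254.144.29 / 169.254.177.37 :
# Cannot assign requested address". That message is bgpd trying to bind its outgoing
# session to the configured update-source address and finding it on no interface.
# Two things stand out:
#   1. Neither logged address appears in this config -- the update-source values
#      here are 169.254.9.254 and 169.254.176.178. So the running bgpd config is not
#      the one posted (stale commit, or the tunnel inside addresses changed). Check
#      'show configuration commands | match bgp' on the box itself.
#   2. Whatever the real inside addresses are, they must be assigned to vti02 / vti03
#      (e.g. set interfaces vti vti02 address '169.254.9.254/<mask>' with the inside
#      CIDR from the AWS tunnel configuration), and the VTI must be up, or the bind
#      fails and no OPEN is ever sent -- which matches "VyOS does not reply".
# Until the bind succeeds, nothing below is exercised.

set protocols bgp address-family ipv4-unicast network 10.100.0.0/16
set protocols bgp local-as '65003'

# --- Tunnel 1 peer ---
# maximum-prefix and the import/export prefix-lists bound the routes accepted from
# and advertised to AWS; the AWS_64513-IN / -OUT lists themselves are not shown here.
set protocols bgp neighbor 169.254.9.253 address-family ipv4-unicast maximum-prefix '50'
set protocols bgp neighbor 169.254.9.253 address-family ipv4-unicast nexthop-self
set protocols bgp neighbor 169.254.9.253 address-family ipv4-unicast prefix-list export 'AWS_64513-OUT'
set protocols bgp neighbor 169.254.9.253 address-family ipv4-unicast prefix-list import 'AWS_64513-IN'
set protocols bgp neighbor 169.254.9.253 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 169.254.9.253 capability dynamic
set protocols bgp neighbor 169.254.9.253 description 'BGP AWS VPC 1'
# disable-connected-check + ebgp-multihop are only needed when the peer is not on a
# directly attached subnet; for a peer on the VTI's own /30 they are redundant but harmless.
set protocols bgp neighbor 169.254.9.253 disable-connected-check
set protocols bgp neighbor 169.254.9.253 ebgp-multihop '2'
set protocols bgp neighbor 169.254.9.253 remote-as '64513'
set protocols bgp neighbor 169.254.9.253 timers holdtime '30'
set protocols bgp neighbor 169.254.9.253 timers keepalive '10'
# Must be an address configured on vti02, otherwise bgpd cannot bind (see note above).
set protocols bgp neighbor 169.254.9.253 update-source '169.254.9.254'

# --- Tunnel 2 peer ---
set protocols bgp neighbor 169.254.176.177 address-family ipv4-unicast maximum-prefix '50'
set protocols bgp neighbor 169.254.176.177 address-family ipv4-unicast nexthop-self
set protocols bgp neighbor 169.254.176.177 address-family ipv4-unicast prefix-list export 'AWS_64513-OUT'
set protocols bgp neighbor 169.254.176.177 address-family ipv4-unicast prefix-list import 'AWS_64513-IN'
set protocols bgp neighbor 169.254.176.177 address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp neighbor 169.254.176.177 capability dynamic
set protocols bgp neighbor 169.254.176.177 description 'BGP AWS VPC 2'
set protocols bgp neighbor 169.254.176.177 disable-connected-check
set protocols bgp neighbor 169.254.176.177 ebgp-multihop '2'
set protocols bgp neighbor 169.254.176.177 remote-as '64513'
set protocols bgp neighbor 169.254.176.177 timers holdtime '30'
set protocols bgp neighbor 169.254.176.177 timers keepalive '10'
# Must be an address configured on vti03, otherwise bgpd cannot bind (see note above).
set protocols bgp neighbor 169.254.176.177 update-source '169.254.176.178'

set protocols bgp parameters router-id '10.0.2.1'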
VyOS never answers the BGP session attempts from AWS. I also notice that the addresses in the bgpd errors (169.254.144.29 and 169.254.177.37) are not the update-source addresses in the configuration above (169.254.9.254 and 169.254.176.178), and the bind failure suggests those addresses are not present on the VTI interfaces.
What am I doing wrong?