diff options
author | Robert Göhler <github@ghlr.de> | 2021-10-12 20:08:33 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-10-12 20:08:33 +0200 |
commit | d354b188f79180192044a42b0765a43aa1151410 (patch) | |
tree | 185f9fb3b39888d1c8b1a2922df27d559e837a3f | |
parent | c949341dcf8f97b021cdb16c61667cdf1ced9e10 (diff) | |
parent | ed884660e0f1b53ff934072cefe90eb91188ee1d (diff) | |
download | vyos-documentation-d354b188f79180192044a42b0765a43aa1151410.tar.gz vyos-documentation-d354b188f79180192044a42b0765a43aa1151410.zip |
Merge pull request #634 from goodNETnick/gNN-1.3
Add VTI interface IPsec warning VyOS 1.3
-rw-r--r-- | docs/configuration/interfaces/vti.rst | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst index 34842866..1704b9d1 100644 --- a/docs/configuration/interfaces/vti.rst +++ b/docs/configuration/interfaces/vti.rst @@ -20,4 +20,21 @@ Results in: address 192.168.2.249/30 address 2001:db8:2::249/64 description "Description" - }
\ No newline at end of file + } + +.. warning:: When using site-to-site IPsec with VTI interfaces, + be sure to disable route autoinstall + +.. code-block:: none + + set vpn ipsec options disable-route-autoinstall + +More details about the IPsec and VTI issue and option disable-route-autoinstall +https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july + +The root cause of the problem is that for VTI tunnels to work, their traffic +selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even +though actual routing decision is made according to netfilter marks. Unless +route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a +default route through the VTI peer address, which makes all traffic routed +to nowhere.
\ No newline at end of file |