summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRobert Göhler <github@ghlr.de>2021-10-12 20:08:33 +0200
committerGitHub <noreply@github.com>2021-10-12 20:08:33 +0200
commitd354b188f79180192044a42b0765a43aa1151410 (patch)
tree185f9fb3b39888d1c8b1a2922df27d559e837a3f
parentc949341dcf8f97b021cdb16c61667cdf1ced9e10 (diff)
parented884660e0f1b53ff934072cefe90eb91188ee1d (diff)
downloadvyos-documentation-d354b188f79180192044a42b0765a43aa1151410.tar.gz
vyos-documentation-d354b188f79180192044a42b0765a43aa1151410.zip
Merge pull request #634 from goodNETnick/gNN-1.3
Add VTI interface IPsec warning VyOS 1.3
-rw-r--r--docs/configuration/interfaces/vti.rst19
1 files changed, 18 insertions, 1 deletions
diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst
index 34842866..1704b9d1 100644
--- a/docs/configuration/interfaces/vti.rst
+++ b/docs/configuration/interfaces/vti.rst
@@ -20,4 +20,21 @@ Results in:
address 192.168.2.249/30
address 2001:db8:2::249/64
description "Description"
- } \ No newline at end of file
+ }
+
+.. warning:: When using site-to-site IPsec with VTI interfaces,
+ be sure to disable route autoinstall
+
+.. code-block:: none
+
+ set vpn ipsec options disable-route-autoinstall
+
+More details about the IPsec and VTI issue and option disable-route-autoinstall
+https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july
+
+The root cause of the problem is that for VTI tunnels to work, their traffic
+selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even
+though actual routing decision is made according to netfilter marks. Unless
+route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a
+default route through the VTI peer address, which makes all traffic routed
+to nowhere. \ No newline at end of file