| author | Robert Göhler <github@ghlr.de> | 2021-10-12 20:08:33 +0200 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-10-12 20:08:33 +0200 | 
| commit | d354b188f79180192044a42b0765a43aa1151410 (patch) | |
| tree | 185f9fb3b39888d1c8b1a2922df27d559e837a3f | |
| parent | c949341dcf8f97b021cdb16c61667cdf1ced9e10 (diff) | |
| parent | ed884660e0f1b53ff934072cefe90eb91188ee1d (diff) | |
| download | vyos-documentation-d354b188f79180192044a42b0765a43aa1151410.tar.gz vyos-documentation-d354b188f79180192044a42b0765a43aa1151410.zip | |
Merge pull request #634 from goodNETnick/gNN-1.3
Add VTI interface IPsec warning VyOS 1.3
| -rw-r--r-- | docs/configuration/interfaces/vti.rst | 19 | 
1 files changed, 18 insertions, 1 deletions
| diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst index 34842866..1704b9d1 100644 --- a/docs/configuration/interfaces/vti.rst +++ b/docs/configuration/interfaces/vti.rst @@ -20,4 +20,21 @@ Results in:        address 192.168.2.249/30        address 2001:db8:2::249/64        description "Description" -  }
\ No newline at end of file +  } + +.. warning:: When using site-to-site IPsec with VTI interfaces, +   be sure to disable route autoinstall + +.. code-block:: none +   +  set vpn ipsec options disable-route-autoinstall + +More details about the IPsec and VTI issue and option disable-route-autoinstall +https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july + +The root cause of the problem is that for VTI tunnels to work, their traffic  +selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even  +though actual routing decision is made according to netfilter marks. Unless  +route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a  +default route through the VTI peer address, which makes all traffic routed  +to nowhere.
\ No newline at end of file | 
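Review bot: the new RST in this hunk has a few rendering and wording nits worth fixing before merge. The line `More details about the IPsec and VTI issue and option disable-route-autoinstall` runs straight into the bare URL on the following line with no colon or period, so it renders as one run-on sentence; write it as `More details about the IPsec and VTI issue and the disable-route-autoinstall option:` followed by the link. The warning sentence `be sure to disable route autoinstall` also lacks a full stop, and the line directly under `.. code-block:: none` is whitespace-only (`+   `), as are the ends of the `traffic`, `even` and `Unless` lines in the explanatory paragraph; strip the trailing whitespace. In that paragraph, `actual routing decision` reads better as `the actual routing decision`, and the project spells its name `strongSwan`, not `StrongSWAN`. Finally, the file still ends without a newline (`\ No newline at end of file` remains on the `+` side); adding one avoids the same diff noise the next time this file is touched.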
