From ed884660e0f1b53ff934072cefe90eb91188ee1d Mon Sep 17 00:00:00 2001 From: goodNETnick Date: Tue, 12 Oct 2021 13:47:08 +1000 Subject: Add VTI IPsec warning (1.3) --- docs/configuration/interfaces/vti.rst | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst index 34842866..1704b9d1 100644 --- a/docs/configuration/interfaces/vti.rst +++ b/docs/configuration/interfaces/vti.rst @@ -20,4 +20,21 @@ Results in: address 192.168.2.249/30 address 2001:db8:2::249/64 description "Description" - } \ No newline at end of file + } + +.. warning:: When using site-to-site IPsec with VTI interfaces, + be sure to disable route autoinstall + +.. code-block:: none + + set vpn ipsec options disable-route-autoinstall + +More details about the IPsec and VTI issue and option disable-route-autoinstall +https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july + +The root cause of the problem is that for VTI tunnels to work, their traffic +selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even +though actual routing decision is made according to netfilter marks. Unless +route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a +default route through the VTI peer address, which makes all traffic routed +to nowhere. \ No newline at end of file -- cgit v1.2.3