From 9340aca617e941e7c7d165aa9b2f353312a2865b Mon Sep 17 00:00:00 2001
From: goodNETnick
Date: Thu, 7 Oct 2021 19:56:50 +1000
Subject: Warning about IPsec and VTI interfaces
---
 docs/configuration/interfaces/vti.rst | 10 ++++++++--
 docs/configuration/interfaces/wireguard.rst | 1 +
 2 files changed, 9 insertions(+), 2 deletions(-)
(limited to 'docs')
diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst
index 34842866..cb25773d 100644
--- a/docs/configuration/interfaces/vti.rst
+++ b/docs/configuration/interfaces/vti.rst
@@ -3,7 +3,6 @@
 ##############################
 VTI - Virtual Tunnel Interface
 ##############################
-
 Set Virtual Tunnel Interface
 
 .. code-block:: none
@@ -20,4 +19,11 @@ Results in:
 address 192.168.2.249/30
 address 2001:db8:2::249/64
 description "Description"
- }
\ No newline at end of file
+ }
+
+.. warning:: When using site-to-site IPsec with VTI interfaces,
+ be sure to disable route autoinstall
+
+.. code-block:: none
+
+ set vpn ipsec options disable-route-autoinstall
\ No newline at end of file
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst
index df6433c6..1c4b734c 100644
--- a/docs/configuration/interfaces/wireguard.rst
+++ b/docs/configuration/interfaces/wireguard.rst
@@ -151,6 +151,7 @@ below is always the public key from your peer, not your local one.
 .. code-block:: none
 
 set interfaces wireguard wg01 address '10.1.0.1/30'
+ set interfaces wireguard wg01 description 'VPN-to-wg02'
 set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24'
 set interfaces wireguard wg01 peer to-wg02 address '192.0.2.1'
 set interfaces wireguard wg01 peer to-wg02 port '51820'
-- cgit v1.2.3
From eb6d3a7c2b6deb1d3a7361e58d06185a91fb4a34 Mon Sep 17 00:00:00 2001
From: goodNETnick
Date: Thu, 7 Oct 2021 20:00:54 +1000
Subject: Warning about IPsec and VTI interfaces
---
 docs/configuration/interfaces/vti.rst | 1 +
 1 file changed, 1 insertion(+)
(limited to 'docs')
diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst
index cb25773d..9fb152c7 100644
--- a/docs/configuration/interfaces/vti.rst
+++ b/docs/configuration/interfaces/vti.rst
@@ -3,6 +3,7 @@
 ##############################
 VTI - Virtual Tunnel Interface
 ##############################
+
 Set Virtual Tunnel Interface
 
 .. code-block:: none
-- cgit v1.2.3
From 934ea7c11654046028f967c0783b8885cbd39447 Mon Sep 17 00:00:00 2001
From: goodNETnick
Date: Sun, 10 Oct 2021 21:59:37 +1000
Subject: Warning about IPsec and VTI interfaces + Link
---
 docs/configuration/interfaces/vti.rst | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'docs')
diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst
index 9fb152c7..7816529c 100644
--- a/docs/configuration/interfaces/vti.rst
+++ b/docs/configuration/interfaces/vti.rst
@@ -27,4 +27,7 @@ Results in:
 
 .. code-block:: none
 
- set vpn ipsec options disable-route-autoinstall
\ No newline at end of file
+ set vpn ipsec options disable-route-autoinstall
+
+More details about the IPsec and VTI issue and option disable-route-autoinstall:
+https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july
\ No newline at end of file
-- cgit v1.2.3
From e4dc6e74f78d44b19018d9bbb15bddb5f6e07653 Mon Sep 17 00:00:00 2001
From: goodNETnick
Date: Sun, 10 Oct 2021 22:12:15 +1000
Subject: Description about IPsec and VTI issue
---
 docs/configuration/interfaces/vti.rst | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'docs')
diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst
index 7816529c..c5f843a5 100644
--- a/docs/configuration/interfaces/vti.rst
+++ b/docs/configuration/interfaces/vti.rst
@@ -30,4 +30,10 @@ Results in:
 set vpn ipsec options disable-route-autoinstall
 
 More details about the IPsec and VTI issue and option disable-route-autoinstall:
-https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july
\ No newline at end of file
+https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july
+
+The root cause of the problem is that for VTI tunnels to work, their traffic selectors
+have to be set to 0.0.0.0/0 for traffic to match the tunnel, even though actual routing
+decision is made according to netfilter marks. Unless route insertion is disabled
+entirely, StrongSWAN thus mistakenly inserts a default route through the
+VTI peer address, which makes all traffic routed to nowhere.
\ No newline at end of file
-- cgit v1.2.3
From d6da7e765e851473a25b534e702b675b72402359 Mon Sep 17 00:00:00 2001
From: goodNETnick
Date: Mon, 11 Oct 2021 18:03:06 +1000
Subject: Alignment
---
 docs/configuration/interfaces/vti.rst | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
(limited to 'docs')
diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst
index c5f843a5..1704b9d1 100644
--- a/docs/configuration/interfaces/vti.rst
+++ b/docs/configuration/interfaces/vti.rst
@@ -29,11 +29,12 @@ Results in:
 
 set vpn ipsec options disable-route-autoinstall
 
-More details about the IPsec and VTI issue and option disable-route-autoinstall:
+More details about the IPsec and VTI issue and option disable-route-autoinstall
 https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july
 
-The root cause of the problem is that for VTI tunnels to work, their traffic selectors
-have to be set to 0.0.0.0/0 for traffic to match the tunnel, even though actual routing
-decision is made according to netfilter marks. Unless route insertion is disabled
-entirely, StrongSWAN thus mistakenly inserts a default route through the
-VTI peer address, which makes all traffic routed to nowhere.
\ No newline at end of file
+The root cause of the problem is that for VTI tunnels to work, their traffic
+selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even
+though actual routing decision is made according to netfilter marks. Unless
+route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a
+default route through the VTI peer address, which makes all traffic routed
+to nowhere.
\ No newline at end of file
-- cgit v1.2.3