blob: c5f843a598f2e8f2a28fdd5b886c7a7070ed9e20 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
.. _vti-interface:
##############################
VTI - Virtual Tunnel Interface
##############################
Set Virtual Tunnel Interface
.. code-block:: none
set interfaces vti vti0 address 192.168.2.249/30
set interfaces vti vti0 address 2001:db8:2::249/64
Results in:
.. code-block:: none
vyos@vyos# show interfaces vti
vti vti0 {
address 192.168.2.249/30
address 2001:db8:2::249/64
description "Description"
}
.. warning:: When using site-to-site IPsec with VTI interfaces,
be sure to disable route autoinstall
.. code-block:: none
set vpn ipsec options disable-route-autoinstall
More details about the IPsec and VTI issue and option disable-route-autoinstall:
https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july
The root cause of the problem is that for VTI tunnels to work, their traffic selectors
have to be set to 0.0.0.0/0 for traffic to match the tunnel, even though actual routing
decision is made according to netfilter marks. Unless route insertion is disabled
entirely, StrongSWAN thus mistakenly inserts a default route through the
VTI peer address, which makes all traffic routed to nowhere.
|