Merge pull request #629 from goodNETnick/goodNETnick

Warning about IPsec and VTI interfaces

2 files changed, 19 insertions, 1 deletions

diff --git a/docs/configuration/interfaces/vti.rst b/docs/configuration/interfaces/vti.rst
index 34842866..1704b9d1 100644
--- a/docs/configuration/interfaces/vti.rst
+++ b/docs/configuration/interfaces/vti.rst
@@ -20,4 +20,21 @@ Results in:
       address 192.168.2.249/30
       address 2001:db8:2::249/64
       description "Description"
-  }
\ No newline at end of file
+  }
+
+.. warning:: When using site-to-site IPsec with VTI interfaces,
+   be sure to disable route autoinstall
+
+.. code-block:: none
+  
+  set vpn ipsec options disable-route-autoinstall
+
+More details about the IPsec and VTI issue and option disable-route-autoinstall
+https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july
+
+The root cause of the problem is that for VTI tunnels to work, their traffic 
+selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even 
+though actual routing decision is made according to netfilter marks. Unless 
+route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a 
+default route through the VTI peer address, which makes all traffic routed 
+to nowhere.
\ No newline at end of file
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst
index df6433c6..1c4b734c 100644
--- a/docs/configuration/interfaces/wireguard.rst
+++ b/docs/configuration/interfaces/wireguard.rst
@@ -151,6 +151,7 @@ below is always the public key from your peer, not your local one.
 .. code-block:: none
 
   set interfaces wireguard wg01 address '10.1.0.1/30'
+  set interfaces wireguard wg01 description 'VPN-to-wg02'
   set interfaces wireguard wg01 peer to-wg02 allowed-ips '192.168.2.0/24'
   set interfaces wireguard wg01 peer to-wg02 address '192.0.2.1'
   set interfaces wireguard wg01 peer to-wg02 port '51820'