vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-12-21 13:03:19 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #637 from goodNETnick/crux

Browse Source 
Added IPsec VTI warning
This commit is contained in:
Robert Göhler 2021-10-13 15:50:13 +02:00 committed by GitHub
commit fb4388f30f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
docs/configuration/interfaces/tunnel.rst
View File

@ -229,6 +229,23 @@ Results in:
description "Description" description "Description"
} }
.. warning:: When using site-to-site IPsec with VTI interfaces,
be sure to disable route autoinstall
.. code-block:: none
set vpn ipsec options disable-route-autoinstall
More details about the IPsec and VTI issue and option disable-route-autoinstall
https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july
The root cause of the problem is that for VTI tunnels to work, their traffic
selectors have to be set to 0.0.0.0/0 for traffic to match the tunnel, even
though actual routing decision is made according to netfilter marks. Unless
route insertion is disabled entirely, StrongSWAN thus mistakenly inserts a
default route through the VTI peer address, which makes all traffic routed
to nowhere.
.. _RFC2003: https://tools.ietf.org/html/rfc2003 .. _RFC2003: https://tools.ietf.org/html/rfc2003
.. _RFC2473: https://tools.ietf.org/html/rfc2473 .. _RFC2473: https://tools.ietf.org/html/rfc2473