If we use a vti interface and IPsec, it automatically adds a default route to table 220.
In that case, once the tunnel is established we lose access to the VyOS instance.
Interfaces
vyos@r4-epa2:~$ show int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 192.168.122.14/24 u/u Wan
eth1 100.64.0.2/30 u/u Lan
192.0.2.1/30
eth2 - u/u
lo 127.0.0.1/8 u/u
::1/128
vti1 10.0.102.2/30 A/D Tunnel to 100.64.0.1
The default route should be via 192.168.122.1 on eth0:
And we see this entry:
vyos@r4-epa2:~$ show ip route 0.0.0.0
Routing entry for 0.0.0.0/0
  Known via "static", distance 1, metric 0, best
  Last update 00:11:43 ago
  * 192.168.122.1, via eth0, weight 1
vyos@r4-epa2:~$
But IPsec adds a higher-priority route via table 220 on the interface the VPN is listening on, eth1:
vyos@r4-epa2:~$ sudo ip route get 192.168.122.1
192.168.122.1 via 100.64.0.1 dev eth1 table 220 src 100.64.0.2 uid 0
cache
vyos@r4-epa2:~$
To prevent it we must set this command and reset the VPN peer or reboot the router:
set vpn ipsec options disable-route-autoinstall
The routes will be correct:
vyos@r4-epa2# sudo ip route get 192.168.122.1
192.168.122.1 dev eth0 src 192.168.122.14 uid 0
cache
[edit]
vyos@r4-epa2#
Adding this option by default seems like a smart decision.
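A small check, added here and not part of the original report, that tells the two `ip route get` results above apart: it reports whether the lookup for the management gateway was answered from strongSwan's table 220 and on which device, so the loss of management access can be caught before or right after a tunnel comes up. The sample outputs are constructed from the two results quoted above; the gateway and expected interface passed to `live_check` are assumptions.

```shell
#!/bin/sh
# Added check, not part of the original report or of VyOS itself.

# Prints "HIJACKED <dev>" when the first line of `ip route get` output was
# selected from strongSwan's table 220, "OK <dev>" otherwise.
route_table_check() {
    # $1: full text of an `ip route get <gateway>` result
    first_line=$(printf '%s\n' "$1" | head -n 1)
    dev=$(printf '%s\n' "$first_line" | sed -n 's/.* dev \([^ ]*\).*/\1/p')
    case "$first_line" in
        *" table 220 "*) echo "HIJACKED $dev" ;;
        *) echo "OK $dev" ;;
    esac
}

# Live check for use on the router: the management gateway must still be
# reached on the interface the operator expects (assumed arguments).
live_check() {
    # $1: management gateway, e.g. 192.168.122.1; $2: expected interface, e.g. eth0
    result=$(route_table_check "$(ip route get "$1" 2>/dev/null)")
    case "$result" in
        "OK $2") return 0 ;;
        *) echo "route to $1 is '$result', expected via $2" >&2; return 1 ;;
    esac
}

# Constructed samples, copied from the two results quoted in the report:
# before disable-route-autoinstall (table 220 wins) and after it.
BEFORE='192.168.122.1 via 100.64.0.1 dev eth1 table 220 src 100.64.0.2 uid 0
    cache'
AFTER='192.168.122.1 dev eth0 src 192.168.122.14 uid 0
    cache'
```

Run `live_check 192.168.122.1 eth0` on the router after the peer comes up; a non-zero exit means the tunnel's table 220 route has captured the management path.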
It is located in /etc/strongswan.d/charon.conf:
# Install routes into a separate routing table for established IPsec
# tunnels.
install_routes = no
There was also some discussion in T628.