AWS Site to Site VPN (VTI) - Policy Based Route Issue

  • Version information:
    built on Thu May 16 06:01:19 EDT 2019
    FreeBSD 11.2-RELEASE-p10

    I have a pair of VTI tunnels from the Office to AWS Site to Site VPN service.
    I have a gateway group that includes both of the VTI tunnel gateways.
    I am using policy based routes to send traffic from the Office to AWS using the gateway group.
    No BGP

    What works:
    I can ping/RDP from the Office to AWS. This works 100% of the time.
    Packet capture on IPSec interface shows both ping request from office and ping reply from AWS.

    What does not work:
    I cannot ping/RDP from AWS to the Office.
    Packet capture on IPSec interface shows ping request from AWS to the Office but no ping reply.
    Packet capture on WAN interface shows ping reply from the Office to AWS. This is obviously not going to work. Why is the reply traffic not using the policy route? How do I fix it?

  • Rebel Alliance Developer Netgate

    reply-to does not work with IPsec/VTI currently. You have to have a route in the table back to AWS or that return traffic is never going to work properly.

    You should setup BGP so it can handle the failover. You can still use policy routing for your Office->AWS traffic.

  • Just an update. Adding a static route works. However, since I cannot select a gateway group when setting up the static route, this option is not very desirable.

    The issue definitely lies in the Policy Routing or my understanding of it.

    Any help would be appreciated.

  • @jimp Thank you. I kept seeing the reply-to issue come up in various posts, but I did not understand what it was for. I will work on setting up BGP.

  • Rebel Alliance Developer Netgate

    From your office to AWS hits your LAN rules and uses route-to which policy routes the traffic as expected.

    From AWS to your office hits the IPsec rules and has two real issues -- #1, there is no reply-to on IPsec tab rules, they have to be on per-interface tabs and #2 per-interface IPsec VTI rules do not work, so we don't have those tabs available. (Thus, even if present, reply-to wouldn't be possible).

    So it falls back to routing based on what is in the table for return traffic, and since you have no routes back to AWS, it leaves via the default gateway.
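The asymmetry described in the thread (Office-to-AWS traffic follows the LAN policy route, while AWS-to-Office replies fall back to the routing table) modelled as a small longest-prefix-match lookup. This is an added illustration, not pfSense code or anything from the original posts; the prefixes, gateway addresses, interface names and the `GatewayGroup` helper are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    gateway: str
    interface: str


def longest_prefix_match(table: List[Route], dst: str) -> Optional[Route]:
    """Plain longest-prefix-match, the only thing a reply packet gets when no
    reply-to state applies (as with IPsec VTI rules in this thread)."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst_ip in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


@dataclass
class GatewayGroup:
    """Constructed stand-in for a pfSense gateway group: ordered members,
    first member marked 'up' wins (failover tier semantics simplified)."""
    members: List[str]
    up: dict

    def pick(self) -> Optional[str]:
        for iface in self.members:
            if self.up.get(iface, False):
                return iface
        return None


# --- Constructed sample topology (not from the thread) ---------------------
OFFICE_LAN = ipaddress.ip_network("192.168.10.0/24")   # assumed Office LAN
AWS_VPC = ipaddress.ip_network("10.20.0.0/16")         # assumed AWS VPC CIDR

WAN_DEFAULT = Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "wan")
LAN_CONNECTED = Route(OFFICE_LAN, "link#lan", "lan")
AWS_VIA_VTI = Route(AWS_VPC, "169.254.100.1", "ipsec1")  # the static route that fixed it

TABLE_WITHOUT_AWS_ROUTE = [WAN_DEFAULT, LAN_CONNECTED]
TABLE_WITH_STATIC_ROUTE = [WAN_DEFAULT, LAN_CONNECTED, AWS_VIA_VTI]

VTI_GROUP = GatewayGroup(members=["ipsec1", "ipsec2"], up={"ipsec1": True, "ipsec2": True})


def office_to_aws_egress(src: str, dst: str, group: GatewayGroup,
                         table: List[Route]) -> Optional[str]:
    """Forward direction: a LAN rule with route-to applies the gateway group
    before the routing table is ever consulted."""
    if ipaddress.ip_address(src) in OFFICE_LAN and ipaddress.ip_address(dst) in AWS_VPC:
        chosen = group.pick()
        if chosen is not None:
            return chosen
    r = longest_prefix_match(table, dst)
    return r.interface if r else None


def aws_to_office_reply_egress(reply_dst: str, table: List[Route]) -> Optional[str]:
    """Return direction: AWS-initiated traffic enters via the IPsec tab, which
    carries no reply-to, so the reply is routed purely by the table."""
    r = longest_prefix_match(table, reply_dst)
    return r.interface if r else None


if __name__ == "__main__":
    print("office->aws:", office_to_aws_egress("192.168.10.25", "10.20.1.5", VTI_GROUP, TABLE_WITHOUT_AWS_ROUTE))
    print("reply, no route:", aws_to_office_reply_egress("10.20.1.5", TABLE_WITHOUT_AWS_ROUTE))
    print("reply, static route:", aws_to_office_reply_egress("10.20.1.5", TABLE_WITH_STATIC_ROUTE))
```

The first call leaves via the gateway group regardless of the table, which matches the working Office-to-AWS direction; the second call shows the reply to an AWS-initiated ping escaping via `wan`, exactly what the WAN packet capture in the original post showed, and the third shows the static route pulling it back onto the VTI.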
