Vyatta inactive static route

Hi everyone!

I have an unpleasant situation.

I have Vyatta running as an instance in Amazon. I use it to build an IPsec VPN tunnel and static routes pointing to the networks on the far side. Periodically one or both routes become inactive. Meanwhile the tunnel is up, and the tunnel IP address on the far side is pingable.

Here is what it looks like:

vyatta@VyattaAMI:~$ show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
      O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2
      i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
      > - selected route, * - FIB route, p - stale info

Gateway of last resort is 10.127.10.129 to network 0.0.0.0

S    *> 0.0.0.0/0 [1/0] via 10.127.10.129, eth0
C    *> 10.127.10.128/27 is directly connected, eth0
S       10.127.61.128/25 [1/0] via 169.254.255.5 inactive
S       10.127.61.128/25 [100/0] via 169.254.255.1 inactive (recursive via 10.127.10.129 )
C    *> 127.0.0.0/8 is directly connected, lo

And here are pieces of the config:

vyatta@VyattaAMI# show interfaces
ethernet eth0 {
    address 10.127.10.133/27
    duplex auto
    hw-id 02:2a:86:48:02:7d
    smp_affinity auto
    speed auto
}
loopback lo {
}
vti vti0 {
    address 169.254.255.6/30
    description "VPC tunnel 1"
    mtu 1436
}
vti vti1 {
    address 169.254.255.2/30
    description "VPC tunnel 2"
    mtu 1436
}
[edit]

vyatta@VyattaAMI# sh proto
static {
    route 0.0.0.0/0 {
        next-hop 10.127.10.129 {
        }
    }
    route 10.127.61.128/25 {
        next-hop 169.254.255.1 {
            distance 100
        }
        next-hop 169.254.255.5 {
        }
    }
}
[edit]

vyatta@VyattaAMI# sh vpn
ipsec {
    esp-group AWS {
        compression disable
        lifetime 3600
        mode tunnel
        pfs enable
        proposal 1 {
            encryption aes128
            hash sha1
        }
    }
    ike-group AWS {
        dead-peer-detection {
            action restart
            interval 15
            timeout 30
        }
        lifetime 28800
        proposal 1 {
            dh-group 2
            encryption aes128
            hash sha1
        }
    }
    ipsec-interfaces {
        interface eth0
    }
    site-to-site {
        peer <Public-IP-1> {
            authentication {
                mode pre-shared-secret
                pre-shared-secret <супер-секретный-пароль>
            }
            connection-type initiate
            description "VPC tunnel 1"
            ike-group AWS
            local-address 10.127.10.133
            vti {
                bind vti0
                esp-group AWS
            }
        }
        peer <Public-IP-2> {
            authentication {
                mode pre-shared-secret
                pre-shared-secret <супер-секретный-пароль>
            }
            connection-type initiate
            description "VPC tunnel 2"
            ike-group AWS
            local-address 10.127.10.133
            vti {
                bind vti1
                esp-group AWS
            }
        }
    }
}
[edit]
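An added example (not from the original post) that parses the `show ip route` output above: it lists static routes marked inactive together with the VTI whose /30 their next hop belongs to, reports VTIs that have no connected route in the table, and names prefixes left with no selected path. The sample route lines and VTI addresses are copied from the post; everything else is assumed.

```python
import ipaddress
import re

# Constructed sample input: the route lines and VTI addresses quoted in the post above.
SHOW_IP_ROUTE = """\
S    *> 0.0.0.0/0 [1/0] via 10.127.10.129, eth0
C    *> 10.127.10.128/27 is directly connected, eth0
S       10.127.61.128/25 [1/0] via 169.254.255.5 inactive
S       10.127.61.128/25 [100/0] via 169.254.255.1 inactive (recursive via 10.127.10.129 )
C    *> 127.0.0.0/8 is directly connected, lo
"""
VTI_ADDRESSES = {"vti0": "169.254.255.6/30", "vti1": "169.254.255.2/30"}

# One route line: code, optional "*>", prefix, optional [dist/metric], next hop or connected, iface, trailing words.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?P<flags>\*?>?)\s*(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+)?(?:via\s+(?P<nexthop>\d+(?:\.\d+){3})|is directly connected)"
    r"(?:,\s*(?P<iface>\w+))?(?P<rest>.*)$")

def parse_routes(text):
    routes = []
    for m in filter(None, map(ROUTE_RE.match, text.splitlines())):  # legend/header lines do not match
        d = m.groupdict()
        routes.append({"code": d["code"], "selected": ">" in d["flags"], "prefix": d["prefix"],
                       "nexthop": d["nexthop"], "inactive": "inactive" in d["rest"],
                       "recursive": "recursive" in d["rest"]})
    return routes

def vti_for_nexthop(nexthop, vti_addresses=VTI_ADDRESSES):
    """Name of the VTI whose /30 contains the next hop (169.254.255.5 -> vti0), or None."""
    hop = ipaddress.ip_address(nexthop)
    return next((n for n, a in vti_addresses.items() if hop in ipaddress.ip_interface(a).network), None)

def inactive_static_routes(text, vti_addresses=VTI_ADDRESSES):
    """(prefix, nexthop, vti, recursive) for every static route the table marks inactive."""
    return [(r["prefix"], r["nexthop"], vti_for_nexthop(r["nexthop"], vti_addresses), r["recursive"])
            for r in parse_routes(text) if r["code"] == "S" and r["inactive"]]

def vtis_without_connected_route(text, vti_addresses=VTI_ADDRESSES):
    """VTIs whose /30 has no 'C' entry: the routing daemon does not see them up, so routes via them go inactive."""
    connected = {r["prefix"] for r in parse_routes(text) if r["code"] == "C"}
    return sorted(n for n, a in vti_addresses.items()
                  if str(ipaddress.ip_interface(a).network) not in connected)

def unreachable_prefixes(text):
    """Prefixes with no selected (>) path at all: the condition worth alerting on."""
    by_prefix = {}
    for r in parse_routes(text):
        by_prefix.setdefault(r["prefix"], []).append(r["selected"])
    return sorted(p for p, s in by_prefix.items() if not any(s))
```

On the sample above both VTI /30s are missing from the connected routes, which is consistent with both static next hops being unresolvable even while IPsec itself reports the tunnel up.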
