VPN without default route

Policy Based VPN without default route

How to create a VPN between two sites where there is no default gateway (route)


We have the following situation:
- two or more sites connected using dedicated lines
- the sites have no access to the internet
- there is no default gateway
- we want an IPsec VPN between the sites
- we have to be 100% sure that traffic between the sites goes through the VPN
- if it does not, it must be dropped on the first firewall

In our example, traffic encryption is the priority. If we use dynamic (or static) routing and add every remote network to the routing table, there is a possibility (in case of misconfiguration, or when the VPN goes down) that traffic will still reach its destination over the dedicated line, but unencrypted, because the route to the remote network keeps pointing at the line.
We have the following options:
- Force VPN. Some firewalls can force traffic into the VPN from the ruleset, but not all of them
- Route based VPN. Once again, not every firewall can do that
- Policy based VPN without route configuration


Normally, when we create a policy based VPN, there is a default route on the border firewall. This route gives access to the internet, but it also means that every packet has a matching route, so it gets as far as the VPN process, which then picks out the packets belonging to the encryption domain. In our scenario there is no default gateway, and therefore the VPN will not work as expected. On the test host (192.168.111.20) we see the echo requests arriving from the remote site (the inbound direction is decrypted fine), but every reply we send back is answered by the border firewall (192.168.111.1) with an ICMP net unreachable:

vyos@vyos:~$ /usr/sbin/tcpdump -i any "icmp" -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
09:14:53.515186 IP 10.10.0.200 > 192.168.111.20: ICMP echo request, id 2515, seq 119, length 64
09:14:53.515252 IP 192.168.111.20 > 10.10.0.200: ICMP echo reply, id 2515, seq 119, length 64
09:14:53.515725 IP 192.168.111.1 > 192.168.111.20: ICMP net 10.10.0.200 unreachable, length 92
09:14:54.515228 IP 10.10.0.200 > 192.168.111.20: ICMP echo request, id 2515, seq 120, length 64
09:14:54.515291 IP 192.168.111.20 > 10.10.0.200: ICMP echo reply, id 2515, seq 120, length 64
09:14:54.515784 IP 192.168.111.1 > 192.168.111.20: ICMP net 10.10.0.200 unreachable, length 92
09:14:55.514898 IP 10.10.0.200 > 192.168.111.20: ICMP echo request, id 2515, seq 121, length 64
09:14:55.514962 IP 192.168.111.20 > 10.10.0.200: ICMP echo reply, id 2515, seq 121, length 64
09:14:55.515439 IP 192.168.111.1 > 192.168.111.20: ICMP net 10.10.0.200 unreachable, length 92
09:14:56.515523 IP 10.10.0.200 > 192.168.111.20: ICMP echo request, id 2515, seq 122, length 64
09:14:56.515584 IP 192.168.111.20 > 10.10.0.200: ICMP echo reply, id 2515, seq 122, length 64
09:14:56.516132 IP 192.168.111.1 > 192.168.111.20: ICMP net 10.10.0.200 unreachable, length 92
09:14:57.515212 IP 10.10.0.200 > 192.168.111.20: ICMP echo request, id 2515, seq 123, length 64
09:14:57.515277 IP 192.168.111.20 > 10.10.0.200: ICMP echo reply, id 2515, seq 123, length 64
09:14:57.515748 IP 192.168.111.1 > 192.168.111.20: ICMP net 10.10.0.200 unreachable, length 92
09:14:58.515560 IP 10.10.0.200 > 192.168.111.20: ICMP echo request, id 2515, seq 124, length 64
09:14:58.515624 IP 192.168.111.20 > 10.10.0.200: ICMP echo reply, id 2515, seq 124, length 64
09:14:58.516128 IP 192.168.111.1 > 192.168.111.20: ICMP net 10.10.0.200 unreachable, length 92


The reply is dropped by the OS of the firewall: the routing lookup for 10.10.0.200 fails, so the packet is discarded before it is ever handed to the VPN process and never gets compared against the encryption domain. To fix this we have to add a fake route for the remote network. We point it at a loopback interface, so the route exists but leads nowhere outside the box:

set interface loop00 state on
set interface loop00 ipv4-address 1.1.1.1 mask-length 32

set static-route 10.10.0.0/24 nexthop gateway logical loop00 on

Now the route is active and the traffic reaches the VPN process, which encrypts it and sends it to the peer. This is also what makes the setup fail closed: if the VPN is down, packets for 10.10.0.0/24 still follow the route to loop00 and are discarded on the firewall, they are never forwarded in clear over the dedicated line. Note that 1.1.1.1 is only a placeholder for the loopback address; any address not used elsewhere in your network will do, and it is safer to take one from a range you own or from the documentation ranges (RFC 5737) than a globally routed one. The same ping now shows clean request/reply pairs and no unreachable messages:
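To check the property the fake route gives us, before and after the change, here is a small routing audit. It is an added example, not code from the original post or from any firewall vendor: it reproduces what the firewall OS does before the VPN process sees a packet (longest prefix match) and then verifies that every remote encryption domain is covered by routes that end on a sink interface such as loop00, that nothing in the domain would follow a real route in clear, and that the peer gateway itself is still reachable over the line. The route text format, the interface names eth0/eth1, the dedicated line 172.16.0.0/30 and the peer address 172.16.0.2 are assumptions made for the example; 10.10.0.0/24, 192.168.111.0/24 and loop00 come from the post.

```python
"""Fail-closed routing audit for a policy based VPN without a default route.

Added example, not the post's or a vendor's code. Route tables, interface
names and the peer address are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str                      # outgoing logical interface
    nexthop: Optional[IPv4Address]  # None for loopback / directly attached routes


def parse_routes(lines: Iterable[str]) -> List[Route]:
    """Parse 'PREFIX dev IFACE [via NEXTHOP]' lines (a constructed format, not vendor output)."""
    routes = []
    for raw in lines:
        line = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not line:
            continue
        iface = line[line.index("dev") + 1]
        nexthop = ip_address(line[line.index("via") + 1]) if "via" in line else None
        routes.append(Route(ip_network(line[0]), iface, nexthop))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match; None is what becomes 'ICMP net unreachable' in the post."""
    addr = ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def uncovered(domain, routes: List[Route]) -> List[IPv4Network]:
    """Sub-ranges of the domain that none of the given routes cover."""
    remaining = [ip_network(domain)]
    for r in routes:
        if not r.prefix.overlaps(remaining[0] if remaining else ip_network(domain)):
            continue
        nxt = []
        for chunk in remaining:
            if chunk.subnet_of(r.prefix):
                continue                                      # chunk fully covered
            if r.prefix.subnet_of(chunk):
                nxt.extend(chunk.address_exclude(r.prefix))   # carve the covered part out
            else:
                nxt.append(chunk)
        remaining = nxt
    return remaining


def check_fail_closed(routes, encryption_domains, sink_ifaces, wan_ifaces, peer_gateways):
    """Return findings; an empty list means traffic for the domains can only go via the VPN or be dropped."""
    findings: List[str] = []
    sink_routes = [r for r in routes if r.iface in sink_ifaces]
    for dom in map(ip_network, encryption_domains):
        for gap in uncovered(dom, routes):
            findings.append(f"{dom}: no route for {gap}, dropped by the OS before the VPN process")
        # Whatever a sink route does not shadow is served by a real route (or nothing).
        for chunk in uncovered(dom, sink_routes):
            for r in routes:
                if r.iface not in sink_ifaces and r.prefix.overlaps(chunk):
                    msg = f"{dom}: {chunk} follows {r.prefix} via {r.iface}, in clear if the VPN is down"
                    if msg not in findings:
                        findings.append(msg)
    for gw in peer_gateways:
        r = lookup(routes, gw)
        if r is None or r.iface not in wan_ifaces:
            findings.append(f"peer {gw}: no route over a WAN interface, the tunnel cannot be built")
    return findings


# Constructed tables for the border firewall at site A: LAN on eth1, dedicated
# line on eth0 (172.16.0.1 local, 172.16.0.2 is the assumed peer firewall).
BROKEN = """
192.168.111.0/24 dev eth1   # local LAN (from the post)
172.16.0.0/30    dev eth0   # dedicated line to the remote site
"""                         # no route for 10.10.0.0/24 at all -> net unreachable
LEAKY = BROKEN + "0.0.0.0/0 via 172.16.0.2 dev eth0\n"   # default route over the line
FIXED = BROKEN + "10.10.0.0/24 dev loop00\n"             # the fake route from the post

ENCRYPTION_DOMAINS = ["10.10.0.0/24"]
SINKS = {"loop00"}
WAN = {"eth0"}
PEERS = ["172.16.0.2"]


def audit(table_text: str) -> List[str]:
    return check_fail_closed(parse_routes(table_text.splitlines()),
                             ENCRYPTION_DOMAINS, SINKS, WAN, PEERS)


if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("leaky", LEAKY), ("fixed", FIXED)):
        print(name, audit(table) or "OK")
```

The "broken" table reproduces the capture above (no route, so the OS drops the reply), the "leaky" one is the classic default-route setup where a tunnel outage silently turns into clear-text forwarding, and the "fixed" one is the loopback route from the post, which passes because every packet for 10.10.0.0/24 either enters the VPN or dies on loop00.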

vyos@vyos:~$ /usr/sbin/tcpdump -i any "icmp" -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
09:16:37.465779 IP 10.10.0.200 > 192.168.111.20: ICMP echo request, id 2519, seq 1, length 64
09:16:37.465813 IP 192.168.111.20 > 10.10.0.200: ICMP echo reply, id 2519, seq 1, length 64
09:16:38.467256 IP 10.10.0.200 > 192.168.111.20: ICMP echo request, id 2519, seq 2, length 64
09:16:38.467311 IP 192.168.111.20 > 10.10.0.200: ICMP echo reply, id 2519, seq 2, length 64
09:16:39.469496 IP 10.10.0.200 > 192.168.111.20: ICMP echo request, id 2519, seq 3, length 64
09:16:39.469553 IP 192.168.111.20 > 10.10.0.200: ICMP echo reply, id 2519, seq 3, length 64
09:16:40.470220 IP 10.10.0.200 > 192.168.111.20: ICMP echo request, id 2519, seq 4, length 64
09:16:40.470287 IP 192.168.111.20 > 10.10.0.200: ICMP echo reply, id 2519, seq 4, length 64
09:16:41.471546 IP 10.10.0.200 > 192.168.111.20: ICMP echo request, id 2519, seq 5, length 64
09:16:41.471578 IP 192.168.111.20 > 10.10.0.200: ICMP echo reply, id 2519, seq 5, length 64
09:16:42.474529 IP 10.10.0.200 > 192.168.111.20: ICMP echo request, id 2519, seq 6, length 64