[strongSwan] Route based VPN in Linux

Kaushal Shriyan kaushalshriyan at gmail.com
Tue Apr 17 20:12:55 CEST 2018


Hi Andrii,

I have set up a libreswan IPSec VPN tunnel using route-based VPN through a VTI
interface. Please find the configurations below.

*IPSec VPN Tunnel Server 1 ( IP :- 172.31.1.54)*
> [root@ip-172-31-1-54 log]# cat /etc/ipsec.d/vtiipsecrouted.conf
> conn routed-vpn
>     left=172.31.1.54
>     right=172.31.15.8
>     authby=secret
>     #leftsubnet=0.0.0.0/0
>     #rightsubnet=0.0.0.0/0
>     auto=add
>     # route-based VPN requires marking and an interface
>     mark=5/0xffffffff
>     vti-interface=vti01
>     # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
>     vti-routing=no
>     # If you run a subnet with BGP (bird) daemon over IPsec, you can configure the VTI interface
>     leftvti=10.0.1.1/24
> [root@ip-172-31-1-54 log]# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP qlen 1000
>     link/ether 02:2f:90:d6:66:6a brd ff:ff:ff:ff:ff:ff
>     inet 172.31.1.54/20 brd 172.31.15.255 scope global dynamic eth0
>        valid_lft 2763sec preferred_lft 2763sec
> 3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
>     link/ipip 0.0.0.0 brd 0.0.0.0
> 10: vti01@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8981 qdisc noqueue state UNKNOWN qlen 1
>     *link/ipip 172.31.1.54 peer 172.31.15.8*
>     *inet 10.0.1.1/24* scope global vti01
>        valid_lft forever preferred_lft forever
> [root@ip-172-31-1-54 log]# ps aux | grep ipsec
> root      7903  0.0  0.0 204880  7692 ?        Ssl  07:10   0:00 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
>
> [root@ip-172-31-1-54 log]# ip xfrm policy
> src 172.31.1.54/32 dst 172.31.15.8/32
> dir out priority 2080 ptype main
> mark 5/0xffffffff
> tmpl src 172.31.1.54 dst 172.31.15.8
> proto esp reqid 16393 mode tunnel
> src 172.31.15.8/32 dst 172.31.1.54/32
> dir fwd priority 2080 ptype main
> mark 5/0xffffffff
> tmpl src 172.31.15.8 dst 172.31.1.54
> proto esp reqid 16393 mode tunnel
> src 172.31.15.8/32 dst 172.31.1.54/32
> dir in priority 2080 ptype main
> mark 5/0xffffffff
> tmpl src 172.31.15.8 dst 172.31.1.54
> proto esp reqid 16393 mode tunnel
> [root@ip-172-31-1-54 log]#
> [root@ip-172-31-1-54 log]# ip route list
> default via 172.31.0.1 dev eth0
> 10.0.1.0/24 dev vti01 proto kernel scope link src 10.0.1.1
> 172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.1.54
> [root@ip-172-31-1-54 log]#
> [root@ip-172-31-1-54 log]# service bird status
> Redirecting to /bin/systemctl status bird.service
> ● bird.service - BIRD Internet Routing Daemon
>    Loaded: loaded (/usr/lib/systemd/system/bird.service; enabled; vendor preset: disabled)
>    Active: active (running) since Thu 2018-04-12 07:11:00 UTC; 40min ago
>   Process: 7963 ExecStart=/usr/sbin/bird (code=exited, status=0/SUCCESS)
>  Main PID: 7964 (bird)
>    CGroup: /system.slice/bird.service
>            └─7964 /usr/sbin/bird
> Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal systemd[1]: Starting BIRD Internet Routing Daemon...
> Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal bird[7964]: Started
> Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal systemd[1]: Started BIRD Internet Routing Daemon.
> Apr 12 07:34:16 ip-172-31-1-54.ap-southeast-1.compute.internal bird[7964]: KIF: Received address message for unknown interface 10
> [root@ip-172-31-1-54 log]#
> [root@ip-172-31-1-54 log]# birdc
> BIRD 1.6.4 ready.
> bird> show status
> BIRD 1.6.4
> Router ID is 10.0.1.1
> Current server time is 2018-04-12 07:28:42
> Last reboot on 2018-04-12 07:10:59
> Last reconfiguration on 2018-04-12 07:10:59
> Daemon is up and running
> bird> show interfaces
> lo up (index=1)
> MultiAccess AdminUp LinkUp Loopback Ignored MTU=65536
> 127.0.0.1/8 (Primary, scope host)
> eth0 up (index=2)
> MultiAccess Broadcast Multicast AdminUp LinkUp MTU=9001
> 172.31.1.54/20 (Primary, scope site)
> ip_vti0 DOWN (index=3)
> MultiAccess AdminDown LinkDown MTU=1480
> vti01 up (index=10)
> PtP Multicast AdminUp LinkUp MTU=8981
> 10.0.1.1/24 (Primary, scope site)
> bird> show protocols
> name     proto    table    state  since       info
> kernel1  Kernel   master   up     07:11:00
> device1  Device   master   up     07:11:00
> testbgp  BGP      master   start  07:11:00    Idle
> bird> show protocols all
> name     proto    table    state  since       info
> kernel1  Kernel   master   up     07:10:59
>   Preference:     10
>   Input filter:   ACCEPT
>   Output filter:  ACCEPT
>   Routes:         1 imported, 0 exported, 1 preferred
>   Route change stats:     received   rejected   filtered    ignored   accepted
>     Import updates:              1          0          0          0          1
>     Import withdraws:            0          0        ---          0          0
>     Export updates:              1          1          0        ---          0
>     Export withdraws:            0        ---        ---        ---          0
> device1  Device   master   up     07:10:59
>   Preference:     240
>   Input filter:   ACCEPT
>   Output filter:  REJECT
>   Routes:         0 imported, 0 exported, 0 preferred
>   Route change stats:     received   rejected   filtered    ignored   accepted
>     Import updates:              0          0          0          0          0
>     Import withdraws:            0          0        ---          0          0
>     Export updates:              0          0          0        ---          0
>     Export withdraws:            0        ---        ---        ---          0
> testbgp  BGP      master   start  07:10:59    Idle
>   Preference:     160
>   Input filter:   ACCEPT
>   Output filter:  (unnamed)
>   Routes:         0 imported, 0 exported, 0 preferred
>   Route change stats:     received   rejected   filtered    ignored   accepted
>     Import updates:              0          0          0          0          0
>     Import withdraws:            0          0        ---          0          0
>     Export updates:              0          0          0        ---          0
>     Export withdraws:            0        ---        ---        ---          0
>   BGP state:          Idle
>     Neighbor address: 10.1.2.2
>     Neighbor AS:      65003
> bird>
>



> *IPSec VPN Tunnel Server 2 ( IP :- 172.31.15.8)*
> [root@ip-172-31-15-8 ~]# cat /etc/ipsec.d/vtiipsecrouted.conf
> conn routed-vpn
>     left=172.31.15.8
>     right=172.31.1.54
>     authby=secret
>     #leftsubnet=0.0.0.0/0
>     #rightsubnet=0.0.0.0/0
>     auto=add
>     # route-based VPN requires marking and an interface
>     mark=5/0xffffffff
>     vti-interface=vti01
>     # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
>     vti-routing=no
>     # If you run a subnet with BGP (quagga) daemons over IPsec, you can configure the VTI interface
>     leftvti=10.0.1.1/24
> [root@ip-172-31-15-8 ~]#
> [root@ip-172-31-15-8 ~]# ps aux | grep ipsec
> root      6483  0.0  0.0 204880  7684 ?        Ssl  07:36   0:00 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
> [root@ip-172-31-15-8 ~]# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP qlen 1000
>     link/ether 02:87:cf:47:b5:5e brd ff:ff:ff:ff:ff:ff
>     inet 172.31.15.8/20 brd 172.31.15.255 scope global dynamic eth0
>        valid_lft 3063sec preferred_lft 3063sec
> 3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
>     link/ipip 0.0.0.0 brd 0.0.0.0
> 7: vti01@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8981 qdisc noqueue state UNKNOWN qlen 1
>     *link/ipip 172.31.15.8 peer 172.31.1.54*
>     *inet 10.0.1.1/24* scope global vti01
>        valid_lft forever preferred_lft forever
> [root@ip-172-31-15-8 ~]#
> [root@ip-172-31-15-8 ~]# ip xfrm policy
> src 172.31.15.8/32 dst 172.31.1.54/32
> dir out priority 2080 ptype main
> mark 5/0xffffffff
> tmpl src 172.31.15.8 dst 172.31.1.54
> proto esp reqid 16393 mode tunnel
> src 172.31.1.54/32 dst 172.31.15.8/32
> dir fwd priority 2080 ptype main
> mark 5/0xffffffff
> tmpl src 172.31.1.54 dst 172.31.15.8
> proto esp reqid 16393 mode tunnel
> src 172.31.1.54/32 dst 172.31.15.8/32
> dir in priority 2080 ptype main
> mark 5/0xffffffff
> tmpl src 172.31.1.54 dst 172.31.15.8
> proto esp reqid 16393 mode tunnel
> [root@ip-172-31-15-8 ~]#
> [root@ip-172-31-15-8 ~]# ip route list
> default via 172.31.0.1 dev eth0
> 10.0.1.0/24 dev vti01 proto kernel scope link src 10.0.1.1
> 172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.15.8
> [root@ip-172-31-15-8 ~]#
>
> [root@ip-172-31-15-8 ~]# service bird status
> Redirecting to /bin/systemctl status bird.service
> ● bird.service - BIRD Internet Routing Daemon
>    Loaded: loaded (/usr/lib/systemd/system/bird.service; enabled; vendor preset: disabled)
>    Active: active (running) since Thu 2018-04-12 07:48:44 UTC; 18s ago
>   Process: 6659 ExecStart=/usr/sbin/bird (code=exited, status=0/SUCCESS)
>  Main PID: 6660 (bird)
>    CGroup: /system.slice/bird.service
>            └─6660 /usr/sbin/bird
> Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal systemd[1]: Starting BIRD Internet Routing Daemon...
> Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal systemd[1]: Started BIRD Internet Routing Daemon.
> Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal bird[6660]: Started
> [root@ip-172-31-15-8 ~]# birdc
> BIRD 1.6.4 ready.
> bird> show status
> BIRD 1.6.4
> Router ID is 10.0.1.2
> Current server time is 2018-04-12 07:49:13
> Last reboot on 2018-04-12 07:48:43
> Last reconfiguration on 2018-04-12 07:48:43
> Daemon is up and running
> bird> show interfaces
> lo up (index=1)
> MultiAccess AdminUp LinkUp Loopback Ignored MTU=65536
> 127.0.0.1/8 (Primary, scope host)
> eth0 up (index=2)
> MultiAccess Broadcast Multicast AdminUp LinkUp MTU=9001
> 172.31.15.8/20 (Primary, scope site)
> ip_vti0 DOWN (index=3)
> MultiAccess AdminDown LinkDown MTU=1480
> vti01 up (index=7)
> PtP Multicast AdminUp LinkUp MTU=8981
> 10.0.1.1/24 (Primary, scope site)
> bird> show protocols
> name     proto    table    state  since       info
> kernel1  Kernel   master   up     07:48:43
> device1  Device   master   up     07:48:43
> testbgp  BGP      master   start  07:48:43    Idle
> bird> show protocols all
> name     proto    table    state  since       info
> kernel1  Kernel   master   up     07:48:44
>   Preference:     10
>   Input filter:   ACCEPT
>   Output filter:  ACCEPT
>   Routes:         1 imported, 0 exported, 1 preferred
>   Route change stats:     received   rejected   filtered    ignored   accepted
>     Import updates:              1          0          0          0          1
>     Import withdraws:            0          0        ---          0          0
>     Export updates:              1          1          0        ---          0
>     Export withdraws:            0        ---        ---        ---          0
> device1  Device   master   up     07:48:44
>   Preference:     240
>   Input filter:   ACCEPT
>   Output filter:  REJECT
>   Routes:         0 imported, 0 exported, 0 preferred
>   Route change stats:     received   rejected   filtered    ignored   accepted
>     Import updates:              0          0          0          0          0
>     Import withdraws:            0          0        ---          0          0
>     Export updates:              0          0          0        ---          0
>     Export withdraws:            0        ---        ---        ---          0
> testbgp  BGP      master   start  07:48:44    Idle
>   Preference:     160
>   Input filter:   ACCEPT
>   Output filter:  (unnamed)
>   Routes:         0 imported, 0 exported, 0 preferred
>   Route change stats:     received   rejected   filtered    ignored   accepted
>     Import updates:              0          0          0          0          0
>     Import withdraws:            0          0        ---          0          0
>     Export updates:              0          0          0        ---          0
>     Export withdraws:            0        ---        ---        ---          0
>   BGP state:          Idle
>     Neighbor address: 10.1.2.2
>     Neighbor AS:      65003
> bird>
> [root@ip-172-31-15-8 ~]#


Please let me know if the above configurations are correct and whether this is the right
approach to set up a redundant route-based VPN using VTI. I have a couple of
follow-up questions: how do I test failover between the two IPSec VPN
servers using VTI, and how do I test the BIRD daemon using BGP, as I have
configured BIRD on both the servers for the network architecture shown in
https://i.imgur.com/dLFovre.png

Thanks in advance; your help will be really appreciated. I look forward
to hearing from you.

Best Regards,

Kaushal



On Tue, Apr 17, 2018 at 12:40 AM, Andrii Petrenko <aplsms at gmail.com> wrote:

> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>
> ---
> Andrii Petrenko
> aplsms at gmail.com
>
> On Apr 16, 2018, at 11:26, Kaushal Shriyan <kaushalshriyan at gmail.com>
> wrote:
>
> Hi,
>
> I would appreciate it if anyone could point me to a doc to set up route-based VPN
> in Linux using VTI.
> Thanks in advance.
>
> I look forward to hearing from you.
>
> Best Regards,
>
> Kaushal
>
>
>