[strongSwan] Route-Based Site-to-site VPN
Ed Hunter
edhunterr at outlook.com
Sat Mar 26 14:53:38 CET 2022
Hi Tobias and thank you for the detailed reply.
Ok, i think i got it now, so Charon, based on the traffic selectors set when configuring the VPN will install routes but based on physical interface rather than the gateway configured for the tunnel.
For most of my client based policy vpns that is ok. But for the site-to-site vpns i configured now, i want to control traffic with static routing, or OSPF later (i.e transport multicast over some kind of tunnel, i think VTI interfaces should suffice for this, i,e no need for GRE (the other side is a fortigate))
Since i have a lot of policy based client VPNs as well as GRE site to site VPNs, how would i go about installing routes in a higher priority table for the new site-to-site i want to configure? From what i gather from your detailed explanation of automatic route installation by the IKE daemon, if i disable it, i am going to have issues with my policy based VPNs right?
I would post config of my tunnels and ipsec configs but its a lot. I will try to obfuscate some IP addressing and reply back with sample config of one of my policy based client vpns, one of my site to site over GRE vpns and the new site to site vpn with vti interfaces i am setting up now.
How can i see charon installed routes? Are these the ones i see with ip xfrm policy?
Actually, here is my vpn config for the new vpn im trying to work with. It is already established but obviously traffic is not going through yet due to routing.
conn test_forti_s2s
type=tunnel
auto=start
left=X.X.X.X
leftsubnet=192.168.132.20/32
leftauth=psk
right=Y.Y.Y.Y
rightsubnet=10.0.10.0/24
# rightid=Y.Y.Y.Y
rightauth=psk
keyexchange=ikev2
ike=aes256-sha256-modp2048!
esp=aes256-sha1-modp2048!
mobike=no
mark=111
ikelifetime=1440m
lifetime=12h
margintime=3m
keyingtries=3
rekeyfuzz=100%
dpddelay=100s
dpdtimeout=300s
inactivity=600s
dpdaction=clear
So, if i do
ip tunnel add vti100 local X.X.X.X remote Y.Y.Y.Y mode vti key 111
ip link set vti0 up
ip route add 10.0.10.0/24 dev vti100
Would that be sufficient at least for this /24?
This is how my route table looks now
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 Z.Z.Z.Z 0.0.0.0 UG 80 0 0 eth1
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 *
10.11.11.0 192.168.191.57 255.255.255.248 UG 4 0 0 eth8
.
.
.
Thanks.
On 25 Mar 2022, at 12:55, Tobias Brunner <tobias at strongswan.org> wrote:
Hi Ed,
Would that have any effect on the rest of my tunnels? What does disabling route installation by the IKE daemon means exactly in this case and why is it needed?
The main reason for the automatic route installation is to select a specific source IP (one contained in the local traffic selectors) to send packets that originate from the IPsec gateway itself through the tunnel. Otherwise, the packets won't match the negotiated IPsec policies.
For instance, in our testing environment, if gateways moon and sun negotiate a tunnel between 10.1.0.0/16 and 10.2.0.0/16, we want to make sure that moon uses 10.1.0.1 when sending packets to hosts in 10.2.0.0/16 and not 192.168.0.1, which its default route might indicate. So a specific route to 10.2.0.0/16 is installed in table 220 that lists 10.1.0.1 as preferred source address.
Whether such routes are necessary depends on the negotiated traffic selectors, the existing (or any manually installed) routes, and whether the gateway is only forwarding traffic (in which case existing routes might already cover the traffic) or is actually sending traffic to remote hosts itself.
Anyway, with any of the route-based approaches the automatically installed routes are generally not correct (they go via physical interfaces), which is why charon.install_routes should be disabled and routes via tunnel interfaces have to be managed externally (installing them in routing tables that have higher priority than the one strongSwan uses is also an option to still use automatic routes for policy-based tunnels).
Regards,
Tobias
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20220326/ec732638/attachment-0001.html>
More information about the Users
mailing list