Route based VPN in Linux

Kaushal Shriyan kaushalshriyan at gmail.com
Tue Apr 17 20:16:38 CEST 2018


On Mon, Apr 16, 2018 at 11:52 PM, Kaushal Shriyan <kaushalshriyan at gmail.com>
wrote:

> Hi,
>
>  I have set up a libreswan IPsec VPN tunnel as a route-based VPN through a VTI
> interface. Please find the configurations below.
>
> IPSec VPN Tunnel Server 1 (IP: 172.31.1.54)
>> [root@ip-172-31-1-54 log]# cat /etc/ipsec.d/vtiipsecrouted.conf
>> conn routed-vpn
>>     left=172.31.1.54
>>     right=172.31.15.8
>>     authby=secret
>>     #leftsubnet=0.0.0.0/0
>>     #rightsubnet=0.0.0.0/0
>>     auto=add
>>     # route-based VPN requires marking and an interface
>>     mark=5/0xffffffff
>>     vti-interface=vti01
>>     # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
>>     vti-routing=no
>>     # If you run a subnet with BGP (bird) daemon over IPsec, you can configure the VTI interface
>>     leftvti=10.0.1.1/24
>> [root@ip-172-31-1-54 log]# ip a
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>>        valid_lft forever preferred_lft forever
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP qlen 1000
>>     link/ether 02:2f:90:d6:66:6a brd ff:ff:ff:ff:ff:ff
>>     inet 172.31.1.54/20 brd 172.31.15.255 scope global dynamic eth0
>>        valid_lft 2763sec preferred_lft 2763sec
>> 3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
>>     link/ipip 0.0.0.0 brd 0.0.0.0
>> 10: vti01@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8981 qdisc noqueue state UNKNOWN qlen 1
>>     link/ipip 172.31.1.54 peer 172.31.15.8
>>     inet 10.0.1.1/24 scope global vti01
>>        valid_lft forever preferred_lft forever
>> [root@ip-172-31-1-54 log]# ps aux | grep ipsec
>> root      7903  0.0  0.0 204880  7692 ?        Ssl  07:10   0:00 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
>>
>> [root@ip-172-31-1-54 log]# ip xfrm policy
>> src 172.31.1.54/32 dst 172.31.15.8/32
>> dir out priority 2080 ptype main
>> mark 5/0xffffffff
>> tmpl src 172.31.1.54 dst 172.31.15.8
>> proto esp reqid 16393 mode tunnel
>> src 172.31.15.8/32 dst 172.31.1.54/32
>> dir fwd priority 2080 ptype main
>> mark 5/0xffffffff
>> tmpl src 172.31.15.8 dst 172.31.1.54
>> proto esp reqid 16393 mode tunnel
>> src 172.31.15.8/32 dst 172.31.1.54/32
>> dir in priority 2080 ptype main
>> mark 5/0xffffffff
>> tmpl src 172.31.15.8 dst 172.31.1.54
>> proto esp reqid 16393 mode tunnel
>> [root@ip-172-31-1-54 log]#
>> [root@ip-172-31-1-54 log]# ip route list
>> default via 172.31.0.1 dev eth0
>> 10.0.1.0/24 dev vti01 proto kernel scope link src 10.0.1.1
>> 172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.1.54
>> [root@ip-172-31-1-54 log]#
>> [root@ip-172-31-1-54 log]# service bird status
>> Redirecting to /bin/systemctl status bird.service
>> ● bird.service - BIRD Internet Routing Daemon
>>    Loaded: loaded (/usr/lib/systemd/system/bird.service; enabled; vendor preset: disabled)
>>    Active: active (running) since Thu 2018-04-12 07:11:00 UTC; 40min ago
>>   Process: 7963 ExecStart=/usr/sbin/bird (code=exited, status=0/SUCCESS)
>>  Main PID: 7964 (bird)
>>    CGroup: /system.slice/bird.service
>>            └─7964 /usr/sbin/bird
>> Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal systemd[1]: Starting BIRD Internet Routing Daemon...
>> Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal bird[7964]: Started
>> Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal systemd[1]: Started BIRD Internet Routing Daemon.
>> Apr 12 07:34:16 ip-172-31-1-54.ap-southeast-1.compute.internal bird[7964]: KIF: Received address message for unknown interface 10
>> [root@ip-172-31-1-54 log]#
>> [root@ip-172-31-1-54 log]# birdc
>> BIRD 1.6.4 ready.
>> bird> show status
>> BIRD 1.6.4
>> Router ID is 10.0.1.1
>> Current server time is 2018-04-12 07:28:42
>> Last reboot on 2018-04-12 07:10:59
>> Last reconfiguration on 2018-04-12 07:10:59
>> Daemon is up and running
>> bird> show interfaces
>> lo up (index=1)
>> MultiAccess AdminUp LinkUp Loopback Ignored MTU=65536
>> 127.0.0.1/8 (Primary, scope host)
>> eth0 up (index=2)
>> MultiAccess Broadcast Multicast AdminUp LinkUp MTU=9001
>> 172.31.1.54/20 (Primary, scope site)
>> ip_vti0 DOWN (index=3)
>> MultiAccess AdminDown LinkDown MTU=1480
>> vti01 up (index=10)
>> PtP Multicast AdminUp LinkUp MTU=8981
>> 10.0.1.1/24 (Primary, scope site)
>> bird> show protocols
>> name     proto    table    state  since       info
>> kernel1  Kernel   master   up     07:11:00
>> device1  Device   master   up     07:11:00
>> testbgp  BGP      master   start  07:11:00    Idle
>> bird> show protocols all
>> name     proto    table    state  since       info
>> kernel1  Kernel   master   up     07:10:59
>>   Preference:     10
>>   Input filter:   ACCEPT
>>   Output filter:  ACCEPT
>>   Routes:         1 imported, 0 exported, 1 preferred
>>   Route change stats:     received   rejected   filtered    ignored   accepted
>>     Import updates:              1          0          0          0          1
>>     Import withdraws:            0          0        ---          0          0
>>     Export updates:              1          1          0        ---          0
>>     Export withdraws:            0        ---        ---        ---          0
>> device1  Device   master   up     07:10:59
>>   Preference:     240
>>   Input filter:   ACCEPT
>>   Output filter:  REJECT
>>   Routes:         0 imported, 0 exported, 0 preferred
>>   Route change stats:     received   rejected   filtered    ignored   accepted
>>     Import updates:              0          0          0          0          0
>>     Import withdraws:            0          0        ---          0          0
>>     Export updates:              0          0          0        ---          0
>>     Export withdraws:            0        ---        ---        ---          0
>> testbgp  BGP      master   start  07:10:59    Idle
>>   Preference:     160
>>   Input filter:   ACCEPT
>>   Output filter:  (unnamed)
>>   Routes:         0 imported, 0 exported, 0 preferred
>>   Route change stats:     received   rejected   filtered    ignored   accepted
>>     Import updates:              0          0          0          0          0
>>     Import withdraws:            0          0        ---          0          0
>>     Export updates:              0          0          0        ---          0
>>     Export withdraws:            0        ---        ---        ---          0
>>   BGP state:          Idle
>>     Neighbor address: 10.1.2.2
>>     Neighbor AS:      65003
>> bird>
>>
>
>
>
>> IPSec VPN Tunnel Server 2 (IP: 172.31.15.8)
>> [root@ip-172-31-15-8 ~]# cat /etc/ipsec.d/vtiipsecrouted.conf
>> conn routed-vpn
>>     left=172.31.15.8
>>     right=172.31.1.54
>>     authby=secret
>>     #leftsubnet=0.0.0.0/0
>>     #rightsubnet=0.0.0.0/0
>>     auto=add
>>     # route-based VPN requires marking and an interface
>>     mark=5/0xffffffff
>>     vti-interface=vti01
>>     # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
>>     vti-routing=no
>>     # If you run a subnet with BGP (quagga) daemons over IPsec, you can configure the VTI interface
>>     leftvti=10.0.1.1/24
>> [root@ip-172-31-15-8 ~]#
>> [root@ip-172-31-15-8 ~]# ps aux | grep ipsec
>> root      6483  0.0  0.0 204880  7684 ?        Ssl  07:36   0:00 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
>> [root@ip-172-31-15-8 ~]# ip a
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>>        valid_lft forever preferred_lft forever
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP qlen 1000
>>     link/ether 02:87:cf:47:b5:5e brd ff:ff:ff:ff:ff:ff
>>     inet 172.31.15.8/20 brd 172.31.15.255 scope global dynamic eth0
>>        valid_lft 3063sec preferred_lft 3063sec
>> 3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
>>     link/ipip 0.0.0.0 brd 0.0.0.0
>> 7: vti01@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8981 qdisc noqueue state UNKNOWN qlen 1
>>     link/ipip 172.31.15.8 peer 172.31.1.54
>>     inet 10.0.1.1/24 scope global vti01
>>        valid_lft forever preferred_lft forever
>> [root@ip-172-31-15-8 ~]#
>> [root@ip-172-31-15-8 ~]# ip xfrm policy
>> src 172.31.15.8/32 dst 172.31.1.54/32
>> dir out priority 2080 ptype main
>> mark 5/0xffffffff
>> tmpl src 172.31.15.8 dst 172.31.1.54
>> proto esp reqid 16393 mode tunnel
>> src 172.31.1.54/32 dst 172.31.15.8/32
>> dir fwd priority 2080 ptype main
>> mark 5/0xffffffff
>> tmpl src 172.31.1.54 dst 172.31.15.8
>> proto esp reqid 16393 mode tunnel
>> src 172.31.1.54/32 dst 172.31.15.8/32
>> dir in priority 2080 ptype main
>> mark 5/0xffffffff
>> tmpl src 172.31.1.54 dst 172.31.15.8
>> proto esp reqid 16393 mode tunnel
>> [root@ip-172-31-15-8 ~]#
>> [root@ip-172-31-15-8 ~]# ip route list
>> default via 172.31.0.1 dev eth0
>> 10.0.1.0/24 dev vti01 proto kernel scope link src 10.0.1.1
>> 172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.15.8
>> [root@ip-172-31-15-8 ~]#
>>
>> [root@ip-172-31-15-8 ~]# service bird status
>> Redirecting to /bin/systemctl status bird.service
>> ● bird.service - BIRD Internet Routing Daemon
>>    Loaded: loaded (/usr/lib/systemd/system/bird.service; enabled; vendor preset: disabled)
>>    Active: active (running) since Thu 2018-04-12 07:48:44 UTC; 18s ago
>>   Process: 6659 ExecStart=/usr/sbin/bird (code=exited, status=0/SUCCESS)
>>  Main PID: 6660 (bird)
>>    CGroup: /system.slice/bird.service
>>            └─6660 /usr/sbin/bird
>> Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal systemd[1]: Starting BIRD Internet Routing Daemon...
>> Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal systemd[1]: Started BIRD Internet Routing Daemon.
>> Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal bird[6660]: Started
>> [root@ip-172-31-15-8 ~]# birdc
>> BIRD 1.6.4 ready.
>> bird> show status
>> BIRD 1.6.4
>> Router ID is 10.0.1.2
>> Current server time is 2018-04-12 07:49:13
>> Last reboot on 2018-04-12 07:48:43
>> Last reconfiguration on 2018-04-12 07:48:43
>> Daemon is up and running
>> bird> show interfaces
>> lo up (index=1)
>> MultiAccess AdminUp LinkUp Loopback Ignored MTU=65536
>> 127.0.0.1/8 (Primary, scope host)
>> eth0 up (index=2)
>> MultiAccess Broadcast Multicast AdminUp LinkUp MTU=9001
>> 172.31.15.8/20 (Primary, scope site)
>> ip_vti0 DOWN (index=3)
>> MultiAccess AdminDown LinkDown MTU=1480
>> vti01 up (index=7)
>> PtP Multicast AdminUp LinkUp MTU=8981
>> 10.0.1.1/24 (Primary, scope site)
>> bird> show protocols
>> name     proto    table    state  since       info
>> kernel1  Kernel   master   up     07:48:43
>> device1  Device   master   up     07:48:43
>> testbgp  BGP      master   start  07:48:43    Idle
>> bird> show protocols all
>> name     proto    table    state  since       info
>> kernel1  Kernel   master   up     07:48:44
>>   Preference:     10
>>   Input filter:   ACCEPT
>>   Output filter:  ACCEPT
>>   Routes:         1 imported, 0 exported, 1 preferred
>>   Route change stats:     received   rejected   filtered    ignored   accepted
>>     Import updates:              1          0          0          0          1
>>     Import withdraws:            0          0        ---          0          0
>>     Export updates:              1          1          0        ---          0
>>     Export withdraws:            0        ---        ---        ---          0
>> device1  Device   master   up     07:48:44
>>   Preference:     240
>>   Input filter:   ACCEPT
>>   Output filter:  REJECT
>>   Routes:         0 imported, 0 exported, 0 preferred
>>   Route change stats:     received   rejected   filtered    ignored   accepted
>>     Import updates:              0          0          0          0          0
>>     Import withdraws:            0          0        ---          0          0
>>     Export updates:              0          0          0        ---          0
>>     Export withdraws:            0        ---        ---        ---          0
>> testbgp  BGP      master   start  07:48:44    Idle
>>   Preference:     160
>>   Input filter:   ACCEPT
>>   Output filter:  (unnamed)
>>   Routes:         0 imported, 0 exported, 0 preferred
>>   Route change stats:     received   rejected   filtered    ignored   accepted
>>     Import updates:              0          0          0          0          0
>>     Import withdraws:            0          0        ---          0          0
>>     Export updates:              0          0          0        ---          0
>>     Export withdraws:            0        ---        ---        ---          0
>>   BGP state:          Idle
>>     Neighbor address: 10.1.2.2
>>     Neighbor AS:      65003
>> bird>
>> [root@ip-172-31-15-8 ~]#
>
>
>
> Please let me know if the above configurations are correct and whether this
> is the right approach to set up a redundant route-based VPN using VTI. I have
> a couple of follow-up questions: how do I test failover between the two IPsec
> VPN servers using VTI, and how do I test the BIRD daemon using BGP, as I have
> configured BIRD on both servers for the network architecture shown in
> https://i.imgur.com/dLFovre.png
>
> Thanks in advance; your help will be really appreciated. I look forward to
> hearing from you.
>
> Best Regards,
>
> Kaushal
>
>
Hi,

Checking in to see if anyone can pitch in and help with my post to this
mailing list.

Thanks in Advance.

Best Regards,

Kaushal
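A consistency check over the values posted above, added here as an example and not code from the post, libreswan or BIRD: it parses `ip xfrm policy` output, confirms every policy carries the conn's `mark` and a host-to-host selector (an unmarked or wider policy would pull other traffic into the tunnel), and compares the inner VTI addressing of both ends with the BGP neighbour address that `birdc` reports. The conn values and xfrm lines are copied from the two servers above (tmpl/proto lines omitted); run on them, it reports that `leftvti=10.0.1.1/24` appears on both ends and that neighbour 10.1.2.2 lies outside 10.0.1.0/24.

```python
import ipaddress

# Constructed sample input, taken from the two servers' output in the post.
CONN_A = {"left": "172.31.1.54", "right": "172.31.15.8",
          "mark": "5/0xffffffff", "leftvti": "10.0.1.1/24"}
CONN_B = {"left": "172.31.15.8", "right": "172.31.1.54",
          "mark": "5/0xffffffff", "leftvti": "10.0.1.1/24"}
XFRM_A = """src 172.31.1.54/32 dst 172.31.15.8/32
dir out priority 2080 ptype main
mark 5/0xffffffff
src 172.31.15.8/32 dst 172.31.1.54/32
dir fwd priority 2080 ptype main
mark 5/0xffffffff
src 172.31.15.8/32 dst 172.31.1.54/32
dir in priority 2080 ptype main
mark 5/0xffffffff
"""
BGP_NEIGHBOUR = "10.1.2.2"  # "Neighbor address" reported by birdc on both servers

def parse_xfrm(text):
    """One dict per policy from `ip xfrm policy` output (tmpl lines ignored)."""
    pols = []
    for f in (line.split() for line in text.splitlines()):
        if f[:1] == ["src"]:
            pols.append({"src": f[1], "dst": f[3], "mark": None})
        elif f[:1] == ["dir"]:
            pols[-1]["dir"] = f[1]
        elif f[:1] == ["mark"]:
            pols[-1]["mark"] = f[1]
    return pols

def check_endpoint(conn, xfrm_text, peer, bgp_neighbour):
    """Return human-readable findings for one end of a VTI tunnel."""
    out = []
    # Every policy must carry the conn mark and match only the two outer
    # endpoints: an unmarked or wider selector would capture other traffic.
    for p in parse_xfrm(xfrm_text):
        if p["mark"] != conn["mark"]:
            out.append(f"xfrm {p['dir']} policy mark {p['mark']} != {conn['mark']}")
        if {p["src"], p["dst"]} != {conn["left"] + "/32", conn["right"] + "/32"}:
            out.append(f"xfrm {p['dir']} selector {p['src']}->{p['dst']} is not host-to-host")
    # Inner addresses: the two ends need distinct hosts in one subnet, and a
    # directly connected BGP session must point at an address in that subnet.
    me, them = ipaddress.ip_interface(conn["leftvti"]), ipaddress.ip_interface(peer["leftvti"])
    if me.ip == them.ip:
        out.append(f"leftvti {me.ip} is configured on both ends")
    if ipaddress.ip_address(bgp_neighbour) not in me.network:
        out.append(f"BGP neighbour {bgp_neighbour} is outside the VTI subnet {me.network}")
    return out
```

`check_endpoint(CONN_A, XFRM_A, CONN_B, BGP_NEIGHBOUR)` evaluates server 1; swap the arguments to evaluate server 2 against its own `ip xfrm policy` output.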