On Mon, Apr 16, 2018 at 11:52 PM, Kaushal Shriyan <kaushalshri...@gmail.com> wrote:
> Hi,
>
> I have set up a libreswan IPSec VPN tunnel using route-based VPN through a VTI
> interface. Please find the configurations below.
>
> *IPSec VPN Tunnel Server 1 ( IP :- 172.31.1.54)*
>
>> [root@ip-172-31-1-54 log]# cat /etc/ipsec.d/vtiipsecrouted.conf
>> conn routed-vpn
>>     left=172.31.1.54
>>     right=172.31.15.8
>>     authby=secret
>>     #leftsubnet=0.0.0.0/0
>>     #rightsubnet=0.0.0.0/0
>>     auto=add
>>     # route-based VPN requires marking and an interface
>>     mark=5/0xffffffff
>>     vti-interface=vti01
>>     # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
>>     vti-routing=no
>>     # If you run a subnet with BGP (bird) daemon over IPsec, you can configure the VTI interface
>>     leftvti=10.0.1.1/24
>>
>> [root@ip-172-31-1-54 log]# ip a
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>>        valid_lft forever preferred_lft forever
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP qlen 1000
>>     link/ether 02:2f:90:d6:66:6a brd ff:ff:ff:ff:ff:ff
>>     inet 172.31.1.54/20 brd 172.31.15.255 scope global dynamic eth0
>>        valid_lft 2763sec preferred_lft 2763sec
>> 3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
>>     link/ipip 0.0.0.0 brd 0.0.0.0
>> 10: vti01@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8981 qdisc noqueue state UNKNOWN qlen 1
>>     *link/ipip 172.31.1.54 peer 172.31.15.8*
>>     *inet 10.0.1.1/24* scope global vti01
>>        valid_lft forever preferred_lft forever
>>
>> [root@ip-172-31-1-54 log]# ps aux | grep ipsec
>> root      7903  0.0  0.0 204880  7692 ?        Ssl  07:10   0:00 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
>>
>> [root@ip-172-31-1-54 log]# ip xfrm policy
>> src 172.31.1.54/32 dst 172.31.15.8/32
>>     dir out priority 2080 ptype main
>>     mark 5/0xffffffff
>>     tmpl src 172.31.1.54 dst 172.31.15.8
>>         proto esp reqid 16393 mode tunnel
>> src 172.31.15.8/32 dst 172.31.1.54/32
>>     dir fwd priority 2080 ptype main
>>     mark 5/0xffffffff
>>     tmpl src 172.31.15.8 dst 172.31.1.54
>>         proto esp reqid 16393 mode tunnel
>> src 172.31.15.8/32 dst 172.31.1.54/32
>>     dir in priority 2080 ptype main
>>     mark 5/0xffffffff
>>     tmpl src 172.31.15.8 dst 172.31.1.54
>>         proto esp reqid 16393 mode tunnel
>> [root@ip-172-31-1-54 log]#
>>
>> [root@ip-172-31-1-54 log]# ip route list
>> default via 172.31.0.1 dev eth0
>> 10.0.1.0/24 dev vti01 proto kernel scope link src 10.0.1.1
>> 172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.1.54
>> [root@ip-172-31-1-54 log]#
>>
>> [root@ip-172-31-1-54 log]# service bird status
>> Redirecting to /bin/systemctl status bird.service
>> ● bird.service - BIRD Internet Routing Daemon
>>    Loaded: loaded (/usr/lib/systemd/system/bird.service; enabled; vendor preset: disabled)
>>    Active: active (running) since Thu 2018-04-12 07:11:00 UTC; 40min ago
>>   Process: 7963 ExecStart=/usr/sbin/bird (code=exited, status=0/SUCCESS)
>>  Main PID: 7964 (bird)
>>    CGroup: /system.slice/bird.service
>>            └─7964 /usr/sbin/bird
>>
>> Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal systemd[1]: Starting BIRD Internet Routing Daemon...
>> Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal bird[7964]: Started
>> Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal systemd[1]: Started BIRD Internet Routing Daemon.
>> Apr 12 07:34:16 ip-172-31-1-54.ap-southeast-1.compute.internal bird[7964]: KIF: Received address message for unknown interface 10
>> [root@ip-172-31-1-54 log]#
>>
>> [root@ip-172-31-1-54 log]# birdc
>> BIRD 1.6.4 ready.
>> bird> show status
>> BIRD 1.6.4
>> Router ID is 10.0.1.1
>> Current server time is 2018-04-12 07:28:42
>> Last reboot on 2018-04-12 07:10:59
>> Last reconfiguration on 2018-04-12 07:10:59
>> Daemon is up and running
>> bird> show interfaces
>> lo up (index=1)
>>     MultiAccess AdminUp LinkUp Loopback Ignored MTU=65536
>>     127.0.0.1/8 (Primary, scope host)
>> eth0 up (index=2)
>>     MultiAccess Broadcast Multicast AdminUp LinkUp MTU=9001
>>     172.31.1.54/20 (Primary, scope site)
>> ip_vti0 DOWN (index=3)
>>     MultiAccess AdminDown LinkDown MTU=1480
>> vti01 up (index=10)
>>     PtP Multicast AdminUp LinkUp MTU=8981
>>     10.0.1.1/24 (Primary, scope site)
>> bird> show protocols
>> name     proto    table    state  since     info
>> kernel1  Kernel   master   up     07:11:00
>> device1  Device   master   up     07:11:00
>> testbgp  BGP      master   start  07:11:00  Idle
>> bird> show protocols all
>> name     proto    table    state  since     info
>> kernel1  Kernel   master   up     07:10:59
>>   Preference:     10
>>   Input filter:   ACCEPT
>>   Output filter:  ACCEPT
>>   Routes:         1 imported, 0 exported, 1 preferred
>>   Route change stats:     received   rejected   filtered    ignored   accepted
>>     Import updates:              1          0          0          0          1
>>     Import withdraws:            0          0        ---          0          0
>>     Export updates:              1          1          0        ---          0
>>     Export withdraws:            0        ---        ---        ---          0
>>
>> device1  Device   master   up     07:10:59
>>   Preference:     240
>>   Input filter:   ACCEPT
>>   Output filter:  REJECT
>>   Routes:         0 imported, 0 exported, 0 preferred
>>   Route change stats:     received   rejected   filtered    ignored   accepted
>>     Import updates:              0          0          0          0          0
>>     Import withdraws:            0          0        ---          0          0
>>     Export updates:              0          0          0        ---          0
>>     Export withdraws:            0        ---        ---        ---          0
>>
>> testbgp  BGP      master   start  07:10:59  Idle
>>   Preference:     160
>>   Input filter:   ACCEPT
>>   Output filter:  (unnamed)
>>   Routes:         0 imported, 0 exported, 0 preferred
>>   Route change stats:     received   rejected   filtered    ignored   accepted
>>     Import updates:              0          0          0          0          0
>>     Import withdraws:            0          0        ---          0          0
>>     Export updates:              0          0          0        ---          0
>>     Export withdraws:            0        ---        ---        ---          0
>>   BGP state:          Idle
>>     Neighbor address: 10.1.2.2
>>     Neighbor AS:      65003
>> bird>
>
> *IPSec VPN Tunnel Server 2 ( IP :- 172.31.15.8)*
>
>> [root@ip-172-31-15-8 ~]# cat /etc/ipsec.d/vtiipsecrouted.conf
>> conn routed-vpn
>>     left=172.31.15.8
>>     right=172.31.1.54
>>     authby=secret
>>     #leftsubnet=0.0.0.0/0
>>     #rightsubnet=0.0.0.0/0
>>     auto=add
>>     # route-based VPN requires marking and an interface
>>     mark=5/0xffffffff
>>     vti-interface=vti01
>>     # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
>>     vti-routing=no
>>     # If you run a subnet with BGP (quagga) daemons over IPsec, you can configure the VTI interface
>>     leftvti=10.0.1.1/24
>> [root@ip-172-31-15-8 ~]#
>>
>> [root@ip-172-31-15-8 ~]# ps aux | grep ipsec
>> root      6483  0.0  0.0 204880  7684 ?        Ssl  07:36   0:00 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
>>
>> [root@ip-172-31-15-8 ~]# ip a
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>>        valid_lft forever preferred_lft forever
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP qlen 1000
>>     link/ether 02:87:cf:47:b5:5e brd ff:ff:ff:ff:ff:ff
>>     inet 172.31.15.8/20 brd 172.31.15.255 scope global dynamic eth0
>>        valid_lft 3063sec preferred_lft 3063sec
>> 3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
>>     link/ipip 0.0.0.0 brd 0.0.0.0
>> 7: vti01@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8981 qdisc noqueue state UNKNOWN qlen 1
>>     *link/ipip 172.31.15.8 peer 172.31.1.54*
>>     *inet 10.0.1.1/24* scope global vti01
>>        valid_lft forever preferred_lft forever
>> [root@ip-172-31-15-8 ~]#
>>
>> [root@ip-172-31-15-8 ~]# ip xfrm policy
>> src 172.31.15.8/32 dst 172.31.1.54/32
>>     dir out priority 2080 ptype main
>>     mark 5/0xffffffff
>>     tmpl src 172.31.15.8 dst 172.31.1.54
>>         proto esp reqid 16393 mode tunnel
>> src 172.31.1.54/32 dst 172.31.15.8/32
>>     dir fwd priority 2080 ptype main
>>     mark 5/0xffffffff
>>     tmpl src 172.31.1.54 dst 172.31.15.8
>>         proto esp reqid 16393 mode tunnel
>> src 172.31.1.54/32 dst 172.31.15.8/32
>>     dir in priority 2080 ptype main
>>     mark 5/0xffffffff
>>     tmpl src 172.31.1.54 dst 172.31.15.8
>>         proto esp reqid 16393 mode tunnel
>> [root@ip-172-31-15-8 ~]#
>>
>> [root@ip-172-31-15-8 ~]# ip route list
>> default via 172.31.0.1 dev eth0
>> 10.0.1.0/24 dev vti01 proto kernel scope link src 10.0.1.1
>> 172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.15.8
>> [root@ip-172-31-15-8 ~]#
>>
>> [root@ip-172-31-15-8 ~]# service bird status
>> Redirecting to /bin/systemctl status bird.service
>> ● bird.service - BIRD Internet Routing Daemon
>>    Loaded: loaded (/usr/lib/systemd/system/bird.service; enabled; vendor preset: disabled)
>>    Active: active (running) since Thu 2018-04-12 07:48:44 UTC; 18s ago
>>   Process: 6659 ExecStart=/usr/sbin/bird (code=exited, status=0/SUCCESS)
>>  Main PID: 6660 (bird)
>>    CGroup: /system.slice/bird.service
>>            └─6660 /usr/sbin/bird
>>
>> Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal systemd[1]: Starting BIRD Internet Routing Daemon...
>> Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal systemd[1]: Started BIRD Internet Routing Daemon.
>> Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal bird[6660]: Started
>>
>> [root@ip-172-31-15-8 ~]# birdc
>> BIRD 1.6.4 ready.
>> bird> show status
>> BIRD 1.6.4
>> Router ID is 10.0.1.2
>> Current server time is 2018-04-12 07:49:13
>> Last reboot on 2018-04-12 07:48:43
>> Last reconfiguration on 2018-04-12 07:48:43
>> Daemon is up and running
>> bird> show interfaces
>> lo up (index=1)
>>     MultiAccess AdminUp LinkUp Loopback Ignored MTU=65536
>>     127.0.0.1/8 (Primary, scope host)
>> eth0 up (index=2)
>>     MultiAccess Broadcast Multicast AdminUp LinkUp MTU=9001
>>     172.31.15.8/20 (Primary, scope site)
>> ip_vti0 DOWN (index=3)
>>     MultiAccess AdminDown LinkDown MTU=1480
>> vti01 up (index=7)
>>     PtP Multicast AdminUp LinkUp MTU=8981
>>     10.0.1.1/24 (Primary, scope site)
>> bird> show protocols
>> name     proto    table    state  since     info
>> kernel1  Kernel   master   up     07:48:43
>> device1  Device   master   up     07:48:43
>> testbgp  BGP      master   start  07:48:43  Idle
>> bird> show protocols all
>> name     proto    table    state  since     info
>> kernel1  Kernel   master   up     07:48:44
>>   Preference:     10
>>   Input filter:   ACCEPT
>>   Output filter:  ACCEPT
>>   Routes:         1 imported, 0 exported, 1 preferred
>>   Route change stats:     received   rejected   filtered    ignored   accepted
>>     Import updates:              1          0          0          0          1
>>     Import withdraws:            0          0        ---          0          0
>>     Export updates:              1          1          0        ---          0
>>     Export withdraws:            0        ---        ---        ---          0
>>
>> device1  Device   master   up     07:48:44
>>   Preference:     240
>>   Input filter:   ACCEPT
>>   Output filter:  REJECT
>>   Routes:         0 imported, 0 exported, 0 preferred
>>   Route change stats:     received   rejected   filtered    ignored   accepted
>>     Import updates:              0          0          0          0          0
>>     Import withdraws:            0          0        ---          0          0
>>     Export updates:              0          0          0        ---          0
>>     Export withdraws:            0        ---        ---        ---          0
>>
>> testbgp  BGP      master   start  07:48:44  Idle
>>   Preference:     160
>>   Input filter:   ACCEPT
>>   Output filter:  (unnamed)
>>   Routes:         0 imported, 0 exported, 0 preferred
>>   Route change stats:     received   rejected   filtered    ignored   accepted
>>     Import updates:              0          0          0          0          0
>>     Import withdraws:            0          0        ---          0          0
>>     Export updates:              0          0          0        ---          0
>>     Export withdraws:            0        ---        ---        ---          0
>>   BGP state:          Idle
>>     Neighbor address: 10.1.2.2
>>     Neighbor AS:      65003
>> bird>
>> [root@ip-172-31-15-8 ~]#
>
> Please let me know if the above configurations are correct and are the
> right approach to set up a redundant route-based VPN using VTI. I have a couple
> of follow-up questions, like how do I test failover between the two IPSec VPN
> servers using VTI, and how do I test the BIRD daemon using BGP, as I have
> configured BIRD on both the servers for the network architecture shown in
> https://i.imgur.com/dLFovre.png
>
> Thanks in advance, and your help will be really appreciated. I look
> forward to hearing from you.
>
> Best Regards,
>
> Kaushal

Hi,

Checking in if anyone can pitch in for help with my post to this mailing list.

Thanks in advance.

Best Regards,

Kaushal
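An added consistency check, not part of the post or of libreswan, that a practitioner would run over the two conn stanzas before attempting a failover test: it parses each endpoint's stanza, confirms the two describe the same tunnel from opposite sides (mirrored left/right, same mark), and flags VTI addressing that would keep a BGP session over the tunnel from forming. The stanzas are the ones quoted above, trimmed to the keys the check reads; the function names are chosen here.

```python
import ipaddress

# Constructed sample input: the two endpoint stanzas from the post, trimmed to the
# keys this check reads. Each end names itself 'left' and its peer 'right'.
SERVER1_CONF = """conn routed-vpn
    left=172.31.1.54
    right=172.31.15.8
    auto=add
    mark=5/0xffffffff
    vti-interface=vti01
    leftvti=10.0.1.1/24
"""
SERVER2_CONF = """conn routed-vpn
    left=172.31.15.8
    right=172.31.1.54
    auto=add
    mark=5/0xffffffff
    vti-interface=vti01
    leftvti=10.0.1.1/24
"""

def parse_conn(text):
    """Return the key=value options of one conn stanza; comments and the 'conn' line are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts

def check_pair(a, b):
    """Findings for two endpoint stanzas that should describe the same tunnel from each side."""
    findings = []
    if (a["left"], a["right"]) != (b["right"], b["left"]):
        findings.append("left/right do not mirror between the two endpoints")
    if a.get("mark") != b.get("mark"):
        findings.append("mark differs between the endpoints")
    va, vb = ipaddress.ip_interface(a["leftvti"]), ipaddress.ip_interface(b["leftvti"])
    if va.ip == vb.ip:
        findings.append(f"both ends put {va.ip} on their VTI; a point-to-point link needs distinct addresses")
    elif va.network != vb.network:
        findings.append("VTI addresses are in different subnets")
    if "start" not in (a.get("auto"), b.get("auto")):
        findings.append("auto=add only loads the conn; bring it up with 'ipsec auto --up <conn>' or auto=start")
    return findings

def bgp_neighbor_on_link(conf, neighbor):
    """True when the BGP neighbor address lies inside this end's VTI subnet."""
    return ipaddress.ip_address(neighbor) in ipaddress.ip_interface(conf["leftvti"]).network
```

Run against the two stanzas as posted, the check reports the shared VTI address and the auto=add setting, and shows that neighbor 10.1.2.2 is not reachable over the 10.0.1.0/24 VTI link.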