Hi,

 I have set up a libreswan IPsec VPN tunnel as a route-based VPN through a VTI interface. Please find the configurations below.

IPSec VPN Tunnel Server 1 (IP: 172.31.1.54)
[root@ip-172-31-1-54 log]# cat /etc/ipsec.d/vtiipsecrouted.conf
conn routed-vpn
    left=172.31.1.54
    right=172.31.15.8
    authby=secret
    #leftsubnet=0.0.0.0/0
    #rightsubnet=0.0.0.0/0
    auto=add
    # route-based VPN requires marking and an interface
    mark=5/0xffffffff
    vti-interface=vti01
    # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
    vti-routing=no
    # If you run a subnet with BGP (bird) daemon over IPsec, you can configure the VTI interface
    leftvti=10.0.1.1/24
[root@ip-172-31-1-54 log]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP qlen 1000
    link/ether 02:2f:90:d6:66:6a brd ff:ff:ff:ff:ff:ff
    inet 172.31.1.54/20 brd 172.31.15.255 scope global dynamic eth0
       valid_lft 2763sec preferred_lft 2763sec
3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
10: vti01@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8981 qdisc noqueue state UNKNOWN qlen 1
    link/ipip 172.31.1.54 peer 172.31.15.8
    inet 10.0.1.1/24 scope global vti01
       valid_lft forever preferred_lft forever
[root@ip-172-31-1-54 log]#ps aux | grep ipsec
root      7903  0.0  0.0 204880  7692 ?        Ssl  07:10   0:00 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

[root@ip-172-31-1-54 log]# ip xfrm policy
src 172.31.1.54/32 dst 172.31.15.8/32
dir out priority 2080 ptype main
mark 5/0xffffffff
tmpl src 172.31.1.54 dst 172.31.15.8
proto esp reqid 16393 mode tunnel
src 172.31.15.8/32 dst 172.31.1.54/32
dir fwd priority 2080 ptype main
mark 5/0xffffffff
tmpl src 172.31.15.8 dst 172.31.1.54
proto esp reqid 16393 mode tunnel
src 172.31.15.8/32 dst 172.31.1.54/32
dir in priority 2080 ptype main
mark 5/0xffffffff
tmpl src 172.31.15.8 dst 172.31.1.54
proto esp reqid 16393 mode tunnel
[root@ip-172-31-1-54 log]#
[root@ip-172-31-1-54 log]# ip route list
default via 172.31.0.1 dev eth0
10.0.1.0/24 dev vti01 proto kernel scope link src 10.0.1.1
172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.1.54
[root@ip-172-31-1-54 log]#
[root@ip-172-31-1-54 log]# service bird status
Redirecting to /bin/systemctl status bird.service
● bird.service - BIRD Internet Routing Daemon
   Loaded: loaded (/usr/lib/systemd/system/bird.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2018-04-12 07:11:00 UTC; 40min ago
  Process: 7963 ExecStart=/usr/sbin/bird (code=exited, status=0/SUCCESS)
 Main PID: 7964 (bird)
   CGroup: /system.slice/bird.service
           └─7964 /usr/sbin/bird
Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal systemd[1]: Starting BIRD Internet Routing Daemon...
Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal bird[7964]: Started
Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal systemd[1]: Started BIRD Internet Routing Daemon.
Apr 12 07:34:16 ip-172-31-1-54.ap-southeast-1.compute.internal bird[7964]: KIF: Received address message for unknown interface 10
[root@ip-172-31-1-54 log]#
[root@ip-172-31-1-54 log]# birdc
BIRD 1.6.4 ready.
bird> show status
BIRD 1.6.4
Router ID is 10.0.1.1
Current server time is 2018-04-12 07:28:42
Last reboot on 2018-04-12 07:10:59
Last reconfiguration on 2018-04-12 07:10:59
Daemon is up and running
bird> show interfaces
lo up (index=1)
MultiAccess AdminUp LinkUp Loopback Ignored MTU=65536
127.0.0.1/8 (Primary, scope host)
eth0 up (index=2)
MultiAccess Broadcast Multicast AdminUp LinkUp MTU=9001
172.31.1.54/20 (Primary, scope site)
ip_vti0 DOWN (index=3)
MultiAccess AdminDown LinkDown MTU=1480
vti01 up (index=10)
PtP Multicast AdminUp LinkUp MTU=8981
10.0.1.1/24 (Primary, scope site)
bird> show protocols
name     proto    table    state  since       info
kernel1  Kernel   master   up     07:11:00
device1  Device   master   up     07:11:00
testbgp  BGP      master   start  07:11:00    Idle
bird> show protocols all
name     proto    table    state  since       info
kernel1  Kernel   master   up     07:10:59
  Preference:     10
  Input filter:   ACCEPT
  Output filter:  ACCEPT
  Routes:         1 imported, 0 exported, 1 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              1          0          0          0          1
    Import withdraws:            0          0        ---          0          0
    Export updates:              1          1          0        ---          0
    Export withdraws:            0        ---        ---        ---          0
device1  Device   master   up     07:10:59
  Preference:     240
  Input filter:   ACCEPT
  Output filter:  REJECT
  Routes:         0 imported, 0 exported, 0 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              0          0          0          0          0
    Import withdraws:            0          0        ---          0          0
    Export updates:              0          0          0        ---          0
    Export withdraws:            0        ---        ---        ---          0
testbgp  BGP      master   start  07:10:59    Idle
  Preference:     160
  Input filter:   ACCEPT
  Output filter:  (unnamed)
  Routes:         0 imported, 0 exported, 0 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              0          0          0          0          0
    Import withdraws:            0          0        ---          0          0
    Export updates:              0          0          0        ---          0
    Export withdraws:            0        ---        ---        ---          0
  BGP state:          Idle
    Neighbor address: 10.1.2.2
    Neighbor AS:      65003
bird>

 
IPSec VPN Tunnel Server 2 (IP: 172.31.15.8)
[root@ip-172-31-15-8 ~]# cat /etc/ipsec.d/vtiipsecrouted.conf
conn routed-vpn
    left=172.31.15.8
    right=172.31.1.54
    authby=secret
    #leftsubnet=0.0.0.0/0
    #rightsubnet=0.0.0.0/0
    auto=add
    # route-based VPN requires marking and an interface
    mark=5/0xffffffff
    vti-interface=vti01
    # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
    vti-routing=no
    # If you run a subnet with BGP (quagga) daemons over IPsec, you can configure the VTI interface
    leftvti=10.0.1.1/24
[root@ip-172-31-15-8 ~]#
[root@ip-172-31-15-8 ~]# ps aux | grep ipsec
root      6483  0.0  0.0 204880  7684 ?        Ssl  07:36   0:00 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
[root@ip-172-31-15-8 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP qlen 1000
    link/ether 02:87:cf:47:b5:5e brd ff:ff:ff:ff:ff:ff
    inet 172.31.15.8/20 brd 172.31.15.255 scope global dynamic eth0
       valid_lft 3063sec preferred_lft 3063sec
3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
7: vti01@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8981 qdisc noqueue state UNKNOWN qlen 1
    link/ipip 172.31.15.8 peer 172.31.1.54
    inet 10.0.1.1/24 scope global vti01
       valid_lft forever preferred_lft forever
[root@ip-172-31-15-8 ~]#
[root@ip-172-31-15-8 ~]# ip xfrm policy
src 172.31.15.8/32 dst 172.31.1.54/32
dir out priority 2080 ptype main
mark 5/0xffffffff
tmpl src 172.31.15.8 dst 172.31.1.54
proto esp reqid 16393 mode tunnel
src 172.31.1.54/32 dst 172.31.15.8/32
dir fwd priority 2080 ptype main
mark 5/0xffffffff
tmpl src 172.31.1.54 dst 172.31.15.8
proto esp reqid 16393 mode tunnel
src 172.31.1.54/32 dst 172.31.15.8/32
dir in priority 2080 ptype main
mark 5/0xffffffff
tmpl src 172.31.1.54 dst 172.31.15.8
proto esp reqid 16393 mode tunnel
[root@ip-172-31-15-8 ~]#
[root@ip-172-31-15-8 ~]#  ip route list
default via 172.31.0.1 dev eth0
10.0.1.0/24 dev vti01 proto kernel scope link src 10.0.1.1
172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.15.8
[root@ip-172-31-15-8 ~]#

[root@ip-172-31-15-8 ~]# service bird status
Redirecting to /bin/systemctl status bird.service
● bird.service - BIRD Internet Routing Daemon
   Loaded: loaded (/usr/lib/systemd/system/bird.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2018-04-12 07:48:44 UTC; 18s ago
  Process: 6659 ExecStart=/usr/sbin/bird (code=exited, status=0/SUCCESS)
 Main PID: 6660 (bird)
   CGroup: /system.slice/bird.service
           └─6660 /usr/sbin/bird
Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal systemd[1]: Starting BIRD Internet Routing Daemon...
Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal systemd[1]: Started BIRD Internet Routing Daemon.
Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal bird[6660]: Started
[root@ip-172-31-15-8 ~]# birdc
BIRD 1.6.4 ready.
bird> show status
BIRD 1.6.4
Router ID is 10.0.1.2
Current server time is 2018-04-12 07:49:13
Last reboot on 2018-04-12 07:48:43
Last reconfiguration on 2018-04-12 07:48:43
Daemon is up and running
bird> show interfaces
lo up (index=1)
MultiAccess AdminUp LinkUp Loopback Ignored MTU=65536
127.0.0.1/8 (Primary, scope host)
eth0 up (index=2)
MultiAccess Broadcast Multicast AdminUp LinkUp MTU=9001
172.31.15.8/20 (Primary, scope site)
ip_vti0 DOWN (index=3)
MultiAccess AdminDown LinkDown MTU=1480
vti01 up (index=7)
PtP Multicast AdminUp LinkUp MTU=8981
10.0.1.1/24 (Primary, scope site)
bird> show protocols
name     proto    table    state  since       info
kernel1  Kernel   master   up     07:48:43
device1  Device   master   up     07:48:43
testbgp  BGP      master   start  07:48:43    Idle
bird> show protocols all
name     proto    table    state  since       info
kernel1  Kernel   master   up     07:48:44
  Preference:     10
  Input filter:   ACCEPT
  Output filter:  ACCEPT
  Routes:         1 imported, 0 exported, 1 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              1          0          0          0          1
    Import withdraws:            0          0        ---          0          0
    Export updates:              1          1          0        ---          0
    Export withdraws:            0        ---        ---        ---          0
device1  Device   master   up     07:48:44
  Preference:     240
  Input filter:   ACCEPT
  Output filter:  REJECT
  Routes:         0 imported, 0 exported, 0 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              0          0          0          0          0
    Import withdraws:            0          0        ---          0          0
    Export updates:              0          0          0        ---          0
    Export withdraws:            0        ---        ---        ---          0
testbgp  BGP      master   start  07:48:44    Idle
  Preference:     160
  Input filter:   ACCEPT
  Output filter:  (unnamed)
  Routes:         0 imported, 0 exported, 0 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              0          0          0          0          0
    Import withdraws:            0          0        ---          0          0
    Export updates:              0          0          0        ---          0
    Export withdraws:            0        ---        ---        ---          0
  BGP state:          Idle
    Neighbor address: 10.1.2.2
    Neighbor AS:      65003
bird>
[root@ip-172-31-15-8 ~]#


Please let me know whether the above configurations are correct and whether this is the right approach to set up a redundant route-based VPN using VTI. I also have a couple of follow-up questions: how do I test failover between the two IPsec VPN servers using VTI, and how do I test the BIRD daemon using BGP, given that I have configured BIRD on both servers for the network architecture shown in https://i.imgur.com/dLFovre.png

Thanks in advance; your help will be really appreciated. I look forward to hearing from you.

Best Regards,

Kaushal