On Mon, Apr 16, 2018 at 11:52 PM, Kaushal Shriyan <kaushalshriyan@gmail.com> wrote:
Hi,
I have set up a libreswan IPsec VPN tunnel as a route-based VPN through a VTI interface. Please find the configurations below.
IPSec VPN Tunnel Server 1 (IP: 172.31.1.54)

[root@ip-172-31-1-54 log]# cat /etc/ipsec.d/vtiipsecrouted.conf
conn routed-vpn
    left=172.31.1.54
    right=172.31.15.8
    authby=secret
    #leftsubnet=0.0.0.0/0
    #rightsubnet=0.0.0.0/0
    auto=add
    # route-based VPN requires marking and an interface
    mark=5/0xffffffff
    vti-interface=vti01
    # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
    vti-routing=no
    # If you run a subnet with BGP (bird) daemon over IPsec, you can configure the VTI interface
    leftvti=10.0.1.1/24

[root@ip-172-31-1-54 log]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP qlen 1000
    link/ether 02:2f:90:d6:66:6a brd ff:ff:ff:ff:ff:ff
    inet 172.31.1.54/20 brd 172.31.15.255 scope global dynamic eth0
       valid_lft 2763sec preferred_lft 2763sec
3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
10: vti01@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8981 qdisc noqueue state UNKNOWN qlen 1
    link/ipip 172.31.1.54 peer 172.31.15.8
    inet 10.0.1.1/24 scope global vti01
       valid_lft forever preferred_lft forever

[root@ip-172-31-1-54 log]# ps aux | grep ipsec
root      7903  0.0  0.0 204880  7692 ?        Ssl  07:10   0:00 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

[root@ip-172-31-1-54 log]# ip xfrm policy
src 172.31.1.54/32 dst 172.31.15.8/32
        dir out priority 2080 ptype main
        mark 5/0xffffffff
        tmpl src 172.31.1.54 dst 172.31.15.8
                proto esp reqid 16393 mode tunnel
src 172.31.15.8/32 dst 172.31.1.54/32
        dir fwd priority 2080 ptype main
        mark 5/0xffffffff
        tmpl src 172.31.15.8 dst 172.31.1.54
                proto esp reqid 16393 mode tunnel
src 172.31.15.8/32 dst 172.31.1.54/32
        dir in priority 2080 ptype main
        mark 5/0xffffffff
        tmpl src 172.31.15.8 dst 172.31.1.54
                proto esp reqid 16393 mode tunnel

[root@ip-172-31-1-54 log]# ip route list
default via 172.31.0.1 dev eth0
10.0.1.0/24 dev vti01 proto kernel scope link src 10.0.1.1
172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.1.54

[root@ip-172-31-1-54 log]# service bird status
Redirecting to /bin/systemctl status bird.service
● bird.service - BIRD Internet Routing Daemon
   Loaded: loaded (/usr/lib/systemd/system/bird.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2018-04-12 07:11:00 UTC; 40min ago
  Process: 7963 ExecStart=/usr/sbin/bird (code=exited, status=0/SUCCESS)
 Main PID: 7964 (bird)
   CGroup: /system.slice/bird.service
           └─7964 /usr/sbin/bird

Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal systemd[1]: Starting BIRD Internet Routing Daemon...
Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal bird[7964]: Started
Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal systemd[1]: Started BIRD Internet Routing Daemon.
Apr 12 07:34:16 ip-172-31-1-54.ap-southeast-1.compute.internal bird[7964]: KIF: Received address message for unknown interface 10

[root@ip-172-31-1-54 log]# birdc
BIRD 1.6.4 ready.
bird> show status
BIRD 1.6.4
Router ID is 10.0.1.1
Current server time is 2018-04-12 07:28:42
Last reboot on 2018-04-12 07:10:59
Last reconfiguration on 2018-04-12 07:10:59
Daemon is up and running
bird> show interfaces
lo up (index=1)
        MultiAccess AdminUp LinkUp Loopback Ignored MTU=65536
        127.0.0.1/8 (Primary, scope host)
eth0 up (index=2)
        MultiAccess Broadcast Multicast AdminUp LinkUp MTU=9001
        172.31.1.54/20 (Primary, scope site)
ip_vti0 DOWN (index=3)
        MultiAccess AdminDown LinkDown MTU=1480
vti01 up (index=10)
        PtP Multicast AdminUp LinkUp MTU=8981
        10.0.1.1/24 (Primary, scope site)
bird> show protocols
name     proto    table    state  since       info
kernel1  Kernel   master   up     07:11:00
device1  Device   master   up     07:11:00
testbgp  BGP      master   start  07:11:00    Idle
bird> show protocols all
name     proto    table    state  since       info
kernel1  Kernel   master   up     07:10:59
  Preference:     10
  Input filter:   ACCEPT
  Output filter:  ACCEPT
  Routes:         1 imported, 0 exported, 1 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              1          0          0          0          1
    Import withdraws:            0          0        ---          0          0
    Export updates:              1          1          0        ---          0
    Export withdraws:            0        ---        ---        ---          0

device1  Device   master   up     07:10:59
  Preference:     240
  Input filter:   ACCEPT
  Output filter:  REJECT
  Routes:         0 imported, 0 exported, 0 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              0          0          0          0          0
    Import withdraws:            0          0        ---          0          0
    Export updates:              0          0          0        ---          0
    Export withdraws:            0        ---        ---        ---          0

testbgp  BGP      master   start  07:10:59    Idle
  Preference:     160
  Input filter:   ACCEPT
  Output filter:  (unnamed)
  Routes:         0 imported, 0 exported, 0 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              0          0          0          0          0
    Import withdraws:            0          0        ---          0          0
    Export updates:              0          0          0        ---          0
    Export withdraws:            0        ---        ---        ---          0
  BGP state:          Idle
    Neighbor address: 10.1.2.2
    Neighbor AS:      65003
bird>
IPSec VPN Tunnel Server 2 (IP: 172.31.15.8)

[root@ip-172-31-15-8 ~]# cat /etc/ipsec.d/vtiipsecrouted.conf
conn routed-vpn
    left=172.31.15.8
    right=172.31.1.54
    authby=secret
    #leftsubnet=0.0.0.0/0
    #rightsubnet=0.0.0.0/0
    auto=add
    # route-based VPN requires marking and an interface
    mark=5/0xffffffff
    vti-interface=vti01
    # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
    vti-routing=no
    # If you run a subnet with BGP (quagga) daemons over IPsec, you can configure the VTI interface
    leftvti=10.0.1.1/24

[root@ip-172-31-15-8 ~]# ps aux | grep ipsec
root      6483  0.0  0.0 204880  7684 ?        Ssl  07:36   0:00 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

[root@ip-172-31-15-8 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP qlen 1000
    link/ether 02:87:cf:47:b5:5e brd ff:ff:ff:ff:ff:ff
    inet 172.31.15.8/20 brd 172.31.15.255 scope global dynamic eth0
       valid_lft 3063sec preferred_lft 3063sec
3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
7: vti01@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8981 qdisc noqueue state UNKNOWN qlen 1
    link/ipip 172.31.15.8 peer 172.31.1.54
    inet 10.0.1.1/24 scope global vti01
       valid_lft forever preferred_lft forever

[root@ip-172-31-15-8 ~]# ip xfrm policy
src 172.31.15.8/32 dst 172.31.1.54/32
        dir out priority 2080 ptype main
        mark 5/0xffffffff
        tmpl src 172.31.15.8 dst 172.31.1.54
                proto esp reqid 16393 mode tunnel
src 172.31.1.54/32 dst 172.31.15.8/32
        dir fwd priority 2080 ptype main
        mark 5/0xffffffff
        tmpl src 172.31.1.54 dst 172.31.15.8
                proto esp reqid 16393 mode tunnel
src 172.31.1.54/32 dst 172.31.15.8/32
        dir in priority 2080 ptype main
        mark 5/0xffffffff
        tmpl src 172.31.1.54 dst 172.31.15.8
                proto esp reqid 16393 mode tunnel

[root@ip-172-31-15-8 ~]# ip route list
default via 172.31.0.1 dev eth0
10.0.1.0/24 dev vti01 proto kernel scope link src 10.0.1.1
172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.15.8

[root@ip-172-31-15-8 ~]# service bird status
Redirecting to /bin/systemctl status bird.service
● bird.service - BIRD Internet Routing Daemon
   Loaded: loaded (/usr/lib/systemd/system/bird.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2018-04-12 07:48:44 UTC; 18s ago
  Process: 6659 ExecStart=/usr/sbin/bird (code=exited, status=0/SUCCESS)
 Main PID: 6660 (bird)
   CGroup: /system.slice/bird.service
           └─6660 /usr/sbin/bird

Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal systemd[1]: Starting BIRD Internet Routing Daemon...
Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal systemd[1]: Started BIRD Internet Routing Daemon.
Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal bird[6660]: Started

[root@ip-172-31-15-8 ~]# birdc
BIRD 1.6.4 ready.
bird> show status
BIRD 1.6.4
Router ID is 10.0.1.2
Current server time is 2018-04-12 07:49:13
Last reboot on 2018-04-12 07:48:43
Last reconfiguration on 2018-04-12 07:48:43
Daemon is up and running
bird> show interfaces
lo up (index=1)
        MultiAccess AdminUp LinkUp Loopback Ignored MTU=65536
        127.0.0.1/8 (Primary, scope host)
eth0 up (index=2)
        MultiAccess Broadcast Multicast AdminUp LinkUp MTU=9001
        172.31.15.8/20 (Primary, scope site)
ip_vti0 DOWN (index=3)
        MultiAccess AdminDown LinkDown MTU=1480
vti01 up (index=7)
        PtP Multicast AdminUp LinkUp MTU=8981
        10.0.1.1/24 (Primary, scope site)
bird> show protocols
name     proto    table    state  since       info
kernel1  Kernel   master   up     07:48:43
device1  Device   master   up     07:48:43
testbgp  BGP      master   start  07:48:43    Idle
bird> show protocols all
name     proto    table    state  since       info
kernel1  Kernel   master   up     07:48:44
  Preference:     10
  Input filter:   ACCEPT
  Output filter:  ACCEPT
  Routes:         1 imported, 0 exported, 1 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              1          0          0          0          1
    Import withdraws:            0          0        ---          0          0
    Export updates:              1          1          0        ---          0
    Export withdraws:            0        ---        ---        ---          0

device1  Device   master   up     07:48:44
  Preference:     240
  Input filter:   ACCEPT
  Output filter:  REJECT
  Routes:         0 imported, 0 exported, 0 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              0          0          0          0          0
    Import withdraws:            0          0        ---          0          0
    Export updates:              0          0          0        ---          0
    Export withdraws:            0        ---        ---        ---          0

testbgp  BGP      master   start  07:48:44    Idle
  Preference:     160
  Input filter:   ACCEPT
  Output filter:  (unnamed)
  Routes:         0 imported, 0 exported, 0 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              0          0          0          0          0
    Import withdraws:            0          0        ---          0          0
    Export updates:              0          0          0        ---          0
    Export withdraws:            0        ---        ---        ---          0
  BGP state:          Idle
    Neighbor address: 10.1.2.2
    Neighbor AS:      65003
bird>
[root@ip-172-31-15-8 ~]#
Please let me know if the above configurations are correct and whether this is the right approach to set up a redundant route-based VPN using VTI. I have a couple of follow-up questions: how do I test failover between the two IPsec VPN servers using VTI, and how do I test the BIRD daemon using BGP, as I have configured BIRD on both servers for the network architecture shown in https://i.imgur.com/dLFovre.png
Thanks in advance; your help will be really appreciated. I look forward to hearing from you.
Best Regards,
Kaushal
Hi,

Checking in to see if anyone can pitch in with help on my post to this mailing list.

Thanks in advance.

Best Regards,
Kaushal
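Added here as an illustration, not code from Kaushal's post or from libreswan: a small Python checker that parses conn blocks in the form shown above and flags the mismatches worth clearing before testing BGP over the VTI. The sample blocks are constructed from the values in the post, check_vti_pair() is a hypothetical helper, and the neighbor address it is given is the one birdc reported.

```python
import ipaddress

CONN = """conn routed-vpn
    left={left}
    right={right}
    authby=secret
    auto=add
    mark=5/0xffffffff
    vti-interface=vti01
    vti-routing=no
    leftvti={vti}
"""
# Constructed from the post: both ends carry leftvti=10.0.1.1/24 as configured there.
SERVER1 = CONN.format(left="172.31.1.54", right="172.31.15.8", vti="10.0.1.1/24")
SERVER2 = CONN.format(left="172.31.15.8", right="172.31.1.54", vti="10.0.1.1/24")

def parse_conn(text):
    """Parse one 'conn NAME' block into (name, {key: value}); '#' comments are ignored."""
    name, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
        elif "=" in line:
            key, val = line.split("=", 1)
            opts[key.strip()] = val.strip()
    return name, opts

def check_vti_pair(a, b, bgp_neighbor):
    """Findings for peer dicts a and b (from parse_conn) and the BGP neighbor address
    peer a is configured to talk to. An empty list means nothing was flagged."""
    findings = []
    if (a["left"], a["right"]) != (b["right"], b["left"]):
        findings.append("left/right are not mirrored between the peers")
    if a.get("authby") != b.get("authby"):
        findings.append("authby differs between the peers")
    va = ipaddress.ip_interface(a["leftvti"])
    vb = ipaddress.ip_interface(b["leftvti"])
    if va.ip == vb.ip:
        findings.append(f"both peers use the same VTI address {va.ip}")
    elif va.network != vb.network:
        findings.append(f"VTI addresses {va} and {vb} are in different subnets")
    nb = ipaddress.ip_address(bgp_neighbor)
    if nb not in va.network:
        findings.append(f"BGP neighbor {nb} is not inside VTI subnet {va.network}")
    elif nb != vb.ip:
        findings.append(f"BGP neighbor {nb} is not the remote VTI address {vb.ip}")
    return findings
```

Run it with check_vti_pair(parse_conn(SERVER1)[1], parse_conn(SERVER2)[1], "10.1.2.2") to see the two findings for the values as posted; give the second peer a distinct VTI address in the same /24 and point the neighbor at it and the list comes back empty.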