Hi, I have set up a libreswan IPSec VPN tunnel as a route-based VPN through a VTI interface. Please find the configurations below.
*IPSec VPN Tunnel Server 1 (IP: 172.31.1.54)*

[root@ip-172-31-1-54 log]# cat /etc/ipsec.d/vtiipsecrouted.conf
conn routed-vpn
    left=172.31.1.54
    right=172.31.15.8
    authby=secret
    #leftsubnet=0.0.0.0/0
    #rightsubnet=0.0.0.0/0
    auto=add
    # route-based VPN requires marking and an interface
    mark=5/0xffffffff
    vti-interface=vti01
    # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
    vti-routing=no
    # If you run a subnet with BGP (bird) daemon over IPsec, you can configure the VTI interface
    leftvti=10.0.1.1/24

[root@ip-172-31-1-54 log]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP qlen 1000
    link/ether 02:2f:90:d6:66:6a brd ff:ff:ff:ff:ff:ff
    inet 172.31.1.54/20 brd 172.31.15.255 scope global dynamic eth0
       valid_lft 2763sec preferred_lft 2763sec
3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
10: vti01@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8981 qdisc noqueue state UNKNOWN qlen 1
    link/ipip 172.31.1.54 peer 172.31.15.8
    inet 10.0.1.1/24 scope global vti01
       valid_lft forever preferred_lft forever

[root@ip-172-31-1-54 log]# ps aux | grep ipsec
root      7903  0.0  0.0 204880  7692 ?        Ssl  07:10   0:00 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

[root@ip-172-31-1-54 log]# ip xfrm policy
src 172.31.1.54/32 dst 172.31.15.8/32
        dir out priority 2080 ptype main
        mark 5/0xffffffff
        tmpl src 172.31.1.54 dst 172.31.15.8
                proto esp reqid 16393 mode tunnel
src 172.31.15.8/32 dst 172.31.1.54/32
        dir fwd priority 2080 ptype main
        mark 5/0xffffffff
        tmpl src 172.31.15.8 dst 172.31.1.54
                proto esp reqid 16393 mode tunnel
src 172.31.15.8/32 dst 172.31.1.54/32
        dir in priority 2080 ptype main
        mark 5/0xffffffff
        tmpl src 172.31.15.8 dst 172.31.1.54
                proto esp reqid 16393 mode tunnel
[root@ip-172-31-1-54 log]#

[root@ip-172-31-1-54 log]# ip route list
default via 172.31.0.1 dev eth0
10.0.1.0/24 dev vti01 proto kernel scope link src 10.0.1.1
172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.1.54
[root@ip-172-31-1-54 log]#

[root@ip-172-31-1-54 log]# service bird status
Redirecting to /bin/systemctl status bird.service
● bird.service - BIRD Internet Routing Daemon
   Loaded: loaded (/usr/lib/systemd/system/bird.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2018-04-12 07:11:00 UTC; 40min ago
  Process: 7963 ExecStart=/usr/sbin/bird (code=exited, status=0/SUCCESS)
 Main PID: 7964 (bird)
   CGroup: /system.slice/bird.service
           └─7964 /usr/sbin/bird

Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal systemd[1]: Starting BIRD Internet Routing Daemon...
Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal bird[7964]: Started
Apr 12 07:11:00 ip-172-31-1-54.ap-southeast-1.compute.internal systemd[1]: Started BIRD Internet Routing Daemon.
Apr 12 07:34:16 ip-172-31-1-54.ap-southeast-1.compute.internal bird[7964]: KIF: Received address message for unknown interface 10
[root@ip-172-31-1-54 log]#

[root@ip-172-31-1-54 log]# birdc
BIRD 1.6.4 ready.
bird> show status
BIRD 1.6.4
Router ID is 10.0.1.1
Current server time is 2018-04-12 07:28:42
Last reboot on 2018-04-12 07:10:59
Last reconfiguration on 2018-04-12 07:10:59
Daemon is up and running
bird> show interfaces
lo up (index=1)
        MultiAccess AdminUp LinkUp Loopback Ignored MTU=65536
        127.0.0.1/8 (Primary, scope host)
eth0 up (index=2)
        MultiAccess Broadcast Multicast AdminUp LinkUp MTU=9001
        172.31.1.54/20 (Primary, scope site)
ip_vti0 DOWN (index=3)
        MultiAccess AdminDown LinkDown MTU=1480
vti01 up (index=10)
        PtP Multicast AdminUp LinkUp MTU=8981
        10.0.1.1/24 (Primary, scope site)
bird> show protocols
name     proto    table    state  since       info
kernel1  Kernel   master   up     07:11:00
device1  Device   master   up     07:11:00
testbgp  BGP      master   start  07:11:00    Idle
bird> show protocols all
name     proto    table    state  since       info
kernel1  Kernel   master   up     07:10:59
  Preference:     10
  Input filter:   ACCEPT
  Output filter:  ACCEPT
  Routes:         1 imported, 0 exported, 1 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              1          0          0          0          1
    Import withdraws:            0          0        ---          0          0
    Export updates:              1          1          0        ---          0
    Export withdraws:            0        ---        ---        ---          0

device1  Device   master   up     07:10:59
  Preference:     240
  Input filter:   ACCEPT
  Output filter:  REJECT
  Routes:         0 imported, 0 exported, 0 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              0          0          0          0          0
    Import withdraws:            0          0        ---          0          0
    Export updates:              0          0          0        ---          0
    Export withdraws:            0        ---        ---        ---          0

testbgp  BGP      master   start  07:10:59    Idle
  Preference:     160
  Input filter:   ACCEPT
  Output filter:  (unnamed)
  Routes:         0 imported, 0 exported, 0 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              0          0          0          0          0
    Import withdraws:            0          0        ---          0          0
    Export updates:              0          0          0        ---          0
    Export withdraws:            0        ---        ---        ---          0
  BGP state:          Idle
    Neighbor address: 10.1.2.2
    Neighbor AS:      65003

bird>


*IPSec VPN Tunnel Server 2 (IP: 172.31.15.8)*

[root@ip-172-31-15-8 ~]# cat /etc/ipsec.d/vtiipsecrouted.conf
conn routed-vpn
    left=172.31.15.8
    right=172.31.1.54
    authby=secret
    #leftsubnet=0.0.0.0/0
    #rightsubnet=0.0.0.0/0
    auto=add
    # route-based VPN requires marking and an interface
    mark=5/0xffffffff
    vti-interface=vti01
    # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
    vti-routing=no
    # If you run a subnet with BGP (quagga) daemons over IPsec, you can configure the VTI interface
    leftvti=10.0.1.1/24
[root@ip-172-31-15-8 ~]#

[root@ip-172-31-15-8 ~]# ps aux | grep ipsec
root      6483  0.0  0.0 204880  7684 ?        Ssl  07:36   0:00 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

[root@ip-172-31-15-8 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP qlen 1000
    link/ether 02:87:cf:47:b5:5e brd ff:ff:ff:ff:ff:ff
    inet 172.31.15.8/20 brd 172.31.15.255 scope global dynamic eth0
       valid_lft 3063sec preferred_lft 3063sec
3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
7: vti01@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8981 qdisc noqueue state UNKNOWN qlen 1
    link/ipip 172.31.15.8 peer 172.31.1.54
    inet 10.0.1.1/24 scope global vti01
       valid_lft forever preferred_lft forever
[root@ip-172-31-15-8 ~]#

[root@ip-172-31-15-8 ~]# ip xfrm policy
src 172.31.15.8/32 dst 172.31.1.54/32
        dir out priority 2080 ptype main
        mark 5/0xffffffff
        tmpl src 172.31.15.8 dst 172.31.1.54
                proto esp reqid 16393 mode tunnel
src 172.31.1.54/32 dst 172.31.15.8/32
        dir fwd priority 2080 ptype main
        mark 5/0xffffffff
        tmpl src 172.31.1.54 dst 172.31.15.8
                proto esp reqid 16393 mode tunnel
src 172.31.1.54/32 dst 172.31.15.8/32
        dir in priority 2080 ptype main
        mark 5/0xffffffff
        tmpl src 172.31.1.54 dst 172.31.15.8
                proto esp reqid 16393 mode tunnel
[root@ip-172-31-15-8 ~]#

[root@ip-172-31-15-8 ~]# ip route list
default via 172.31.0.1 dev eth0
10.0.1.0/24 dev vti01 proto kernel scope link src 10.0.1.1
172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.15.8
[root@ip-172-31-15-8 ~]#

[root@ip-172-31-15-8 ~]# service bird status
Redirecting to /bin/systemctl status bird.service
● bird.service - BIRD Internet Routing Daemon
   Loaded: loaded (/usr/lib/systemd/system/bird.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2018-04-12 07:48:44 UTC; 18s ago
  Process: 6659 ExecStart=/usr/sbin/bird (code=exited, status=0/SUCCESS)
 Main PID: 6660 (bird)
   CGroup: /system.slice/bird.service
           └─6660 /usr/sbin/bird

Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal systemd[1]: Starting BIRD Internet Routing Daemon...
Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal systemd[1]: Started BIRD Internet Routing Daemon.
Apr 12 07:48:44 ip-172-31-15-8.ap-southeast-1.compute.internal bird[6660]: Started

[root@ip-172-31-15-8 ~]# birdc
BIRD 1.6.4 ready.
bird> show status
BIRD 1.6.4
Router ID is 10.0.1.2
Current server time is 2018-04-12 07:49:13
Last reboot on 2018-04-12 07:48:43
Last reconfiguration on 2018-04-12 07:48:43
Daemon is up and running
bird> show interfaces
lo up (index=1)
        MultiAccess AdminUp LinkUp Loopback Ignored MTU=65536
        127.0.0.1/8 (Primary, scope host)
eth0 up (index=2)
        MultiAccess Broadcast Multicast AdminUp LinkUp MTU=9001
        172.31.15.8/20 (Primary, scope site)
ip_vti0 DOWN (index=3)
        MultiAccess AdminDown LinkDown MTU=1480
vti01 up (index=7)
        PtP Multicast AdminUp LinkUp MTU=8981
        10.0.1.1/24 (Primary, scope site)
bird> show protocols
name     proto    table    state  since       info
kernel1  Kernel   master   up     07:48:43
device1  Device   master   up     07:48:43
testbgp  BGP      master   start  07:48:43    Idle
bird> show protocols all
name     proto    table    state  since       info
kernel1  Kernel   master   up     07:48:44
  Preference:     10
  Input filter:   ACCEPT
  Output filter:  ACCEPT
  Routes:         1 imported, 0 exported, 1 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              1          0          0          0          1
    Import withdraws:            0          0        ---          0          0
    Export updates:              1          1          0        ---          0
    Export withdraws:            0        ---        ---        ---          0

device1  Device   master   up     07:48:44
  Preference:     240
  Input filter:   ACCEPT
  Output filter:  REJECT
  Routes:         0 imported, 0 exported, 0 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              0          0          0          0          0
    Import withdraws:            0          0        ---          0          0
    Export updates:              0          0          0        ---          0
    Export withdraws:            0        ---        ---        ---          0

testbgp  BGP      master   start  07:48:44    Idle
  Preference:     160
  Input filter:   ACCEPT
  Output filter:  (unnamed)
  Routes:         0 imported, 0 exported, 0 preferred
  Route change stats:     received   rejected   filtered    ignored   accepted
    Import updates:              0          0          0          0          0
    Import withdraws:            0          0        ---          0          0
    Export updates:              0          0          0        ---          0
    Export withdraws:            0        ---        ---        ---          0
  BGP state:          Idle
    Neighbor address: 10.1.2.2
    Neighbor AS:      65003

bird>
[root@ip-172-31-15-8 ~]#

Please let me know if the above configurations are correct and whether this is the right approach to set up a redundant route-based VPN using VTI. I have a couple of follow-up questions, such as how do I test failover between the two IPSec VPN servers using VTI, and how do I test the BIRD daemon using BGP, as I have configured BIRD on both servers for the network architecture shown in https://i.imgur.com/dLFovre.png

Thanks in advance; your help will be really appreciated. I look forward to hearing from you.

Best Regards,
Kaushal
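As an added example (written for this page, not code from the post, from libreswan or from BIRD), here is a small Python checker that parses two libreswan conn blocks of the kind shown above and reports the conditions a route-based VTI pair with a single-hop BGP session over the tunnel has to meet: the left/right endpoints mirror each other, both sides use the same authby, each side carries the mark=, vti-interface= and leftvti= parameters a VTI conn needs, the two leftvti addresses are distinct hosts on one subnet, at least one side initiates (auto=add only loads a conn; a tunnel is started by auto=start or by running ipsec auto --up <conn>), and each BIRD neighbor address is the other side's VTI address. It generalises beyond the post in that it accepts any pair of conn blocks. The conn blocks embedded below are copied from the post, the neighbor address is the one birdc reports on both servers, the SERVER*_ names and the no-multihop assumption are mine, and the parser handles only the key=value subset needed here.

```python
"""Consistency checker for a pair of libreswan route-based (VTI) conn blocks
plus the BGP neighbor each BIRD instance is configured with.

Added example; not part of the original post, libreswan or BIRD.
"""
import ipaddress
import re

# Conn blocks copied from the post (server 1 and server 2).
SERVER1_CONF = """\
conn routed-vpn
    left=172.31.1.54
    right=172.31.15.8
    authby=secret
    #leftsubnet=0.0.0.0/0
    #rightsubnet=0.0.0.0/0
    auto=add
    # route-based VPN requires marking and an interface
    mark=5/0xffffffff
    vti-interface=vti01
    vti-routing=no
    leftvti=10.0.1.1/24
"""

SERVER2_CONF = """\
conn routed-vpn
    left=172.31.15.8
    right=172.31.1.54
    authby=secret
    auto=add
    mark=5/0xffffffff
    vti-interface=vti01
    vti-routing=no
    leftvti=10.0.1.1/24
"""

# Neighbor address reported by 'birdc show protocols all' on both servers.
SERVER1_BGP_NEIGHBOR = "10.1.2.2"
SERVER2_BGP_NEIGHBOR = "10.1.2.2"

# Parameters a route-based VTI conn cannot do without.
REQUIRED_FOR_VTI = ("mark", "vti-interface", "leftvti")


def parse_conn(text):
    """Parse one libreswan conn block into (name, {key: value}).

    Comments (everything after '#') and blank lines are skipped; only the
    'key=value' subset used by check_vti_pair is handled.
    """
    name, params = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            name = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return name, params


def check_vti_pair(conf_a, conf_b, bgp_nbr_a, bgp_nbr_b, multihop=False):
    """Return a list of findings for a route-based VTI pair; [] means consistent."""
    findings = []
    _, a = parse_conn(conf_a)
    _, b = parse_conn(conf_b)

    for side, p in (("server1", a), ("server2", b)):
        for key in REQUIRED_FOR_VTI:
            if key not in p:
                findings.append(f"{side}: missing {key}= (required for a route-based VTI conn)")

    # My left must be the peer's right, and vice versa.
    if a.get("left") != b.get("right") or a.get("right") != b.get("left"):
        findings.append("left/right endpoints do not mirror each other")

    # Both ends must agree on the authentication method.
    if a.get("authby") != b.get("authby"):
        findings.append(f"authby differs: {a.get('authby')!r} vs {b.get('authby')!r}")

    # auto=add only loads the conn; with it on both sides nobody initiates
    # unless an operator runs 'ipsec auto --up <conn>'.
    if a.get("auto") == "add" and b.get("auto") == "add":
        findings.append("auto=add on both sides: neither peer will initiate the tunnel by itself")

    # VTI addressing: one shared subnet, two distinct host addresses.
    if "leftvti" in a and "leftvti" in b:
        try:
            vti_a = ipaddress.ip_interface(a["leftvti"])
            vti_b = ipaddress.ip_interface(b["leftvti"])
        except ValueError as exc:
            findings.append(f"malformed leftvti: {exc}")
            return findings
        if vti_a.network != vti_b.network:
            findings.append(f"VTI addresses are on different subnets: {vti_a} vs {vti_b}")
        if vti_a.ip == vti_b.ip:
            findings.append(f"both peers use the same VTI address {vti_a.ip}; each end needs its own host address")
        # Single-hop session (assumption: no multihop): the neighbor must be
        # the peer's VTI address on the shared subnet.
        if not multihop:
            for side, local, peer, nbr in (("server1", vti_a, vti_b, bgp_nbr_a),
                                           ("server2", vti_b, vti_a, bgp_nbr_b)):
                n = ipaddress.ip_address(nbr)
                if n not in local.network:
                    findings.append(f"{side}: BGP neighbor {n} is not on the VTI subnet {local.network}")
                elif n != peer.ip:
                    findings.append(f"{side}: BGP neighbor {n} is not the peer's VTI address {peer.ip}")
    return findings


if __name__ == "__main__":
    for f in check_vti_pair(SERVER1_CONF, SERVER2_CONF, SERVER1_BGP_NEIGHBOR, SERVER2_BGP_NEIGHBOR):
        print("FINDING:", f)
```

Run as-is it reports the findings for the two blocks in the post; pass multihop=True if the BGP session is deliberately configured with multihop, in which case the neighbor does not have to sit on the VTI subnet.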