Reputation: 315
Libreswan Route-based VPN
I'm trying to configure IPSEC tunnel between two virtual machines (R2 R3) in the same network where one of them would work as a router (R2) so I can send data from third virtual machine (R1) over the IPSEC tunnel to R3.
I have made the following topology:
I changed IP addresses wrong but the VM's are in the same network so it could be like R3: 1.2.3.4, R2: 1.2.3.5, R1: 1.2.3.6
Configuration of R3 VM /etc/ipsec.d/mytunnel.conf:
config setup
protostack=netkey
#conn mysubnet
# also=mytunnel
# leftsubnet=10.0.1.1/24
# rightsubnet=10.0.0.1/24
# auto=start
conn mytunnel
left=4.6.7.8
right=1.2.3.4
authby=secret
leftsubnet=10.0.1.1/24
rightsubnet=10.0.0.1/24
auto=start
# route-based VPN requires marking and an interface
mark=5/0xffffffff
vti-interface=vti03
# do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
vti-routing=yes
# If you run a subnet with BGP (quagga) daemons over IPsec, you can configure the VTI interface
leftvti=10.0.7.1/24
Configuration of R2 /etc/ipsec.d/mytunnel.conf:
config setup
protostack=netkey
#conn mysubnet
# also=mytunnel
# leftsubnet=10.0.1.1/24
# rightsubnet=10.0.0.1/24
# auto=start
conn mytunnel
left=4.6.7.8
right=1.2.3.4
authby=secret
leftsubnet=10.0.1.1/24
rightsubnet=10.0.0.1/24
auto=start
# route-based VPN requires marking and an interface
mark=5/0xffffffff
vti-interface=vti03
# do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
vti-routing=yes
# If you run a subnet with BGP (quagga) daemons over IPsec, you can configure the VTI interface
leftvti=10.0.7.1/24
With the configuration above I can ping from R2 to R3 with ping -I 10.0.1.1 10.0.0.1
On the R1 machine I configured static routing which is:
[email protected]:~# ip route
default via 9.10.11.1 dev ens18 onlink
10.0.0.0/24 via 5.6.7.8 dev ens18
10.0.1.0/24 via 5.6.7.8 dev ens18
But when I want to ping 10.0.0.1 from R1 via R2 it gives me icmp_seq=1 Destination Host Unreachable
What should I change so R1 could see R3 via R2 dummy0 interface which is 10.0.1.1 ?
Thanks for any help!
Upvotes: 0
Views: 1902
Answers (1)
Reputation: 315
I changed the topology and now I send ping to R2 VTI vti03 interface 10.0.7.1/24 via R3 with the slight difference in the .conf files:
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
Upvotes: 1
Related Questions
- Route only certain IP range with VPN connection
- AWS Site to Site VPN Openswan Issue
- How to setup cloud VPN tunnel using IPsec as third party?
- Ipsec (strongswan) vpn not working properly with ubuntu 19.04 as client?
- AWS site-to-site VPN high availability
- VPN internet traffic routing
- Openswan on EC2 VPC
- VPN Client implementation specific to application
- Programming a VPN, Authontication stage - RFC not clear enough
- Using IPsec to secure traffic