Mailing List Archive

BGP routers that do not share a common subnet (IPSec VPN with strongSwan)
I am trying to do full mesh routing between several networks, which are
geographically separate. The networks are connected via IPSec VPN using
strongSwan. To figure out the correct configurations, I've connected
only two networks for now: site1 and site2. Each network has one VPN
server.

The way strongSwan works, it does not create a new tunnel interface on
Linux, with a dedicated IP address (the way OpenVPN does). Instead,
strongSwan uses an existing interface and encrypts traffic that tries to
exit that interface.

Site1 is assigned the 10.0.1.0/24 net.
Site2 is assigned the 10.0.2.0/24 net.

The site1-vpn server has 10.0.1.254 on eth0.
The site2-vpn server has 10.0.2.254 on eth0.

Each site has a NAT gateway that performs NAT on all traffic with the
Internet. strongSwan is configured with NAT traversal. VPN works fine
between the two servers.

When the tunnel is established, I can ping site1-vpn from site2-vpn and
vice versa, by IP (see IP addresses above). The way strongSwan works, it
does not add a static route to the kernel for the remote tunnel IP,
since it knows that IP is at the remote end of the tunnel (it's
specified in ipsec.conf). So the table always looks like this, no matter
whether the tunnel is up or down:

[root@site1-vpn ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0

However, ping (and all IP protocols) work "magically" as long as
communication is strictly between the two VPN servers. bgpd on one VPN
server can talk just fine with bgpd on the other VPN server. I can ssh
from one VPN server to the other.

I want bgpd to add 10.0.2.0/24 (the site2 network) to the routing table
on the site1-vpn server. That doesn't seem to work with my current zebra
and bgpd configuration, unless I manually add a static route for the
remote VPN server, like this:

route add -host 10.0.2.254 eth0

And then the table becomes:

[root@site1-vpn ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.2.254      0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0

(and also I need to add the mirror route on the other VPN server)

Then bgpd works and it adds the route advertised by the other server:

[root@site1-vpn ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.2.254      0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.2.0        10.0.2.254      255.255.255.0   UG    20     0        0 eth0
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0

But this manually added static route seems pointless to me, since
strongSwan already can route traffic destined for the remote end of the
tunnel.

How can I make bgpd work without adding this /32 route manually?

Basically, what I have here is two BGP routers that are completely
separate (do not share a common subnet).

Current zebra.conf:

hostname site1-vpn
password zebra
!enable password zebra
interface lo
 no link-detect
interface eth0
 no link-detect
! static default route toward the site NAT gateway
ip route 0.0.0.0/0 10.0.1.1
ip forwarding
log file /var/log/quagga/zebra.log

Current bgpd.conf:

hostname site1-vpn
password zebra
!enable password please-set-at-here
router bgp 65001
 bgp router-id 10.0.1.254
 network 10.0.1.0/24
 redistribute connected
 timers bgp 3 12
 ! eBGP peer at site2, reached through the IPsec tunnel, not via a shared subnet
 neighbor 10.0.2.254 remote-as 65002
 neighbor 10.0.2.254 next-hop-self
 neighbor 10.0.2.254 ebgp-multihop 2
 neighbor 10.0.2.254 activate
access-list all permit any
log file /var/log/quagga/bgpd.log

I am probably missing something very simple. Any help is appreciated,
I'm stuck and I can't figure out what's wrong. Thank you.

--
Florin Andrei
http://florin.myip.org/
_______________________________________________
Quagga-users mailing list
Quagga-users@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-users
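The post's "magic" comes from the fact that policy-based IPsec (strongSwan without a VTI or tunnel interface) keeps two independent lookups in the kernel: the FIB decides interface and gateway, and the IPsec SPD decides whether the packet is ESP-encapsulated. A packet from 10.0.1.254 to 10.0.2.254 therefore follows the default route toward 10.0.1.1 and is encrypted anyway because it matches a traffic selector; `route -n` shows only the main table, so nothing there changes (charon, when it installs routes at all, puts them in its own table, 220 by default, which zebra does not consult). A routing daemon resolving the BGP next-hop 10.0.2.254 sees only the main table, where the address is covered by nothing more specific than the default route until the /32 is added. The script below is an added example, not code from the original post, Quagga or strongSwan: it parses the two tables from the post, runs both lookups, and models the next-hop check. The SPD selectors (host-to-host only versus host-to-host plus LAN-to-LAN), the LAN host addresses, and the rule that a next-hop matched only by the default route does not count as resolved are assumptions made for the example and are not stated in the post.

```python
"""
Added example (not code from the post, Quagga or strongSwan): model of the
two separate kernel lookups behind policy-based IPsec, plus a routing
daemon's next-hop check, run over the route tables from the post.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    gateway: Optional[IPv4]  # None = directly connected (no 'G' flag)
    iface: str


@dataclass(frozen=True)
class Policy:
    """One SPD entry: local/remote traffic selectors that get ESP protection."""
    local: Net
    remote: Net


def parse_route_n(text: str) -> list[Route]:
    """Parse `route -n` output (Destination Gateway Genmask Flags ... Iface)."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 8 or not f[0][0].isdigit():
            continue  # skip the two header lines
        gateway = IPv4(f[1]) if "G" in f[3] else None
        routes.append(Route(Net(f"{f[0]}/{f[2]}"), gateway, f[-1]))
    return routes


def fib_lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel FIB does."""
    addr = IPv4(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def spd_lookup(policies: list[Policy], src: str, dst: str) -> Optional[Policy]:
    """First SPD entry whose selectors cover the (src, dst) pair, if any."""
    for p in policies:
        if IPv4(src) in p.local and IPv4(dst) in p.remote:
            return p
    return None


def forward(routes: list[Route], policies: list[Policy], src: str, dst: str) -> dict:
    """Combine both lookups: where the packet goes and whether it is protected.
    A packet that has a route but matches no SPD entry leaves in cleartext."""
    route = fib_lookup(routes, dst)
    policy = spd_lookup(policies, src, dst)
    return {
        "iface": route.iface if route else None,
        "via": str(route.gateway) if route and route.gateway else "on-link",
        "protected": policy is not None,
        "leak": route is not None and policy is None,
    }


def resolve_next_hop(routes: list[Route], next_hop: str) -> Optional[str]:
    """Model of a routing daemon's next-hop check. Assumption (not from the
    post): only a route more specific than the default resolves a next-hop.
    Returns 'connected', 'recursive' (via another gateway) or None."""
    r = fib_lookup(routes, next_hop)
    if r is None or r.prefix.prefixlen == 0:
        return None
    return "connected" if r.gateway is None else "recursive"


# Constructed inputs: the first and last tables from the post, and assumed SPD entries.
TABLE_BEFORE = """
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
"""
TABLE_AFTER = """
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.2.254      0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.2.0        10.0.2.254      255.255.255.0   UG    20     0        0 eth0
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
"""
HOST_ONLY = [Policy(Net("10.0.1.254/32"), Net("10.0.2.254/32"))]  # assumed selectors
SITE_TO_SITE = HOST_ONLY + [Policy(Net("10.0.1.0/24"), Net("10.0.2.0/24"))]  # assumed

if __name__ == "__main__":
    before, after = parse_route_n(TABLE_BEFORE), parse_route_n(TABLE_AFTER)
    print("vpn-to-vpn, no /32:", forward(before, HOST_ONLY, "10.0.1.254", "10.0.2.254"))
    print("next-hop before/after:", resolve_next_hop(before, "10.0.2.254"),
          resolve_next_hop(after, "10.0.2.254"))
    print("LAN-to-LAN, host selectors only:", forward(before, HOST_ONLY, "10.0.1.10", "10.0.2.10"))
    print("LAN-to-LAN, site selectors:", forward(after, SITE_TO_SITE, "10.0.1.10", "10.0.2.10"))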