Libreswan Route-based VPN


I'm trying to configure an IPsec tunnel between two virtual machines (R2, R3) in the same network, where one of them (R2) would work as a router, so I can send data from a third virtual machine (R1) over the IPsec tunnel to R3.

I have made the following topology:

[topology diagram not included]

I changed the IP addresses incorrectly, but the VMs are in the same network, so it could be like R3: 1.2.3.4, R2: 1.2.3.5, R1: 1.2.3.6.

Configuration of R3 VM /etc/ipsec.d/mytunnel.conf:

config setup
    protostack=netkey

#conn mysubnet
#     also=mytunnel
#     leftsubnet=10.0.1.1/24
#     rightsubnet=10.0.0.1/24
#     auto=start

conn mytunnel
    left=4.6.7.8
    right=1.2.3.4
    authby=secret
    leftsubnet=10.0.1.1/24
    rightsubnet=10.0.0.1/24
    auto=start
    # route-based VPN requires marking and an interface
    mark=5/0xffffffff
    vti-interface=vti03
    # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
    vti-routing=yes
    # If you run a subnet with BGP (quagga) daemons over IPsec, you can configure the VTI interface
    leftvti=10.0.7.1/24

Configuration of R2 /etc/ipsec.d/mytunnel.conf:

config setup
    protostack=netkey

#conn mysubnet
#     also=mytunnel
#     leftsubnet=10.0.1.1/24
#     rightsubnet=10.0.0.1/24
#     auto=start

conn mytunnel
    left=4.6.7.8
    right=1.2.3.4
    authby=secret
    leftsubnet=10.0.1.1/24
    rightsubnet=10.0.0.1/24
    auto=start
    # route-based VPN requires marking and an interface
    mark=5/0xffffffff
    vti-interface=vti03
    # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
    vti-routing=yes
    # If you run a subnet with BGP (quagga) daemons over IPsec, you can configure the VTI interface
    leftvti=10.0.7.1/24

With the configuration above I can ping from R2 to R3 with ping -I 10.0.1.1 10.0.0.1

On the R1 machine I configured static routing which is:

root@9.10.11.12:~# ip route
default via 9.10.11.1 dev ens18 onlink 
10.0.0.0/24 via 5.6.7.8 dev ens18 
10.0.1.0/24 via 5.6.7.8 dev ens18

But when I want to ping 10.0.0.1 from R1 via R2, it gives me icmp_seq=1 Destination Host Unreachable.

What should I change so R1 could see R3 via R2 dummy0 interface which is 10.0.1.1 ?

Thanks for any help!

Tags: networking, vpn, ipsec, libreswan
asked on Stack Overflow Jan 13, 2021 by vladpoverin

1 Answer


I changed the topology, and now I send a ping to the R2 VTI interface vti03 (10.0.7.1/24) via R3, with a slight difference in the .conf files:

leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
answered on Stack Overflow Jan 13, 2021 by vladpoverin
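The conn stanzas above, in both the question's form (subnets with host bits set, vti-routing=yes) and the answer's form (leftsubnet/rightsubnet=0.0.0.0/0), are the kind of thing worth linting before chasing forwarding problems on R2. The following Python is an added example, not code from the question, the answer, or the Libreswan project: it parses the `config setup` and `conn` sections of an ipsec.conf-style file and reports the route-based VPN checks a practitioner would make. `SAMPLE_CONF` is a constructed copy of the question's tunnel stanza with its comments stripped; the `also=` directive is deliberately not resolved.

```python
"""Lint a Libreswan ipsec.conf for route-based (VTI) VPN settings.

Added example: parses 'config setup' and each 'conn' section, then
reports the checks made before debugging a VTI tunnel that does not
forward traffic: mark and vti-interface go together, vti-routing=yes
with a 0.0.0.0/0 subnet installs a default route into the VTI, and a
subnet written with host bits set (10.0.1.1/24) really means 10.0.1.0/24.
"""
import ipaddress

# Constructed sample: the question's conn stanza without its comments.
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn mytunnel
    left=4.6.7.8
    right=1.2.3.4
    authby=secret
    leftsubnet=10.0.1.1/24
    rightsubnet=10.0.0.1/24
    auto=start
    mark=5/0xffffffff
    vti-interface=vti03
    vti-routing=yes
    leftvti=10.0.7.1/24
"""


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}}; 'config setup' is stored as 'setup'.

    Section headers start in column 0, options are indented, '#' starts a
    comment. 'also=' references are kept as plain values, not merged.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            head = line.split()
            current = head[1] if head[0] in ("conn", "config") and len(head) > 1 else None
            if current is not None:
                sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def check_route_based(conn):
    """Return a list of human-readable findings for one conn's options."""
    findings = []
    has_mark = any(k in conn for k in ("mark", "mark-in", "mark-out"))
    if "vti-interface" in conn and not has_mark:
        findings.append("vti-interface is set but no mark: the VTI cannot match the SA")
    if has_mark and "vti-interface" not in conn:
        findings.append("mark is set but no vti-interface: no VTI device will be created")

    vti_routing = conn.get("vti-routing", "no").lower() == "yes"
    for side in ("left", "right"):
        net = conn.get(side + "subnet")
        if net is None:
            continue
        try:
            network = ipaddress.ip_network(net, strict=True)
        except ValueError:
            # Host bits set: report the network address the prefix actually covers.
            network = ipaddress.ip_network(net, strict=False)
            findings.append(f"{side}subnet={net} has host bits set; the network is {network}")
        if vti_routing and network.prefixlen == 0:
            findings.append(
                f"{side}subnet={net} with vti-routing=yes: on the peer that treats this as "
                "the remote subnet a default route into the VTI is installed, so all traffic "
                "goes through the tunnel"
            )
    return findings


def lint(text):
    """Lint every conn section in the given config text: {conn_name: findings}."""
    sections = parse_ipsec_conf(text)
    return {name: check_route_based(opts) for name, opts in sections.items() if name != "setup"}


if __name__ == "__main__":
    for name, findings in lint(SAMPLE_CONF).items():
        print(f"conn {name}:")
        for finding in findings or ["no findings"]:
            print(f"  - {finding}")
```

Run against the answer's variant (both subnets set to 0.0.0.0/0), the linter flags that vti-routing=yes then routes everything into the VTI, which is exactly what the config's own "do not setup routing" comment warns about. The linter does not replace checking R2 itself: as a box forwarding R1's packets it needs `net.ipv4.ip_forward=1`, and `ip route get 10.0.0.1` on R2 should show the remote subnet leaving via the VTI device.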

User contributions licensed under CC BY-SA 3.0