Configuration example with VRF

We will configure a VPN gateway on a network that interconnects two sites via a public network.

Network topology:

10.22.1.0/24 ================ 10.23.1.0/24 +--------------+ 10.24.1.0/24
-------------| VPN gateway  |==============|   remote     |-------------
   private   |     with     |    public    |     VPN      |  private
   network   | cp-ipsec-ike |   network    |   gateway    |  network
 (plaintext) ================   (IPsec)    +--------------+ (plaintext)
                  .101                         .201

The network interfaces are in the network namespace vrf1.

To launch a strongSwan instance in a specific VRF, its configuration must be stored in the ‘/etc/netns/<netns name>/ike’ directory.

  1. Configure IP addresses and routes:

    In this example, interfaces eth0 and eth2 are moved to network namespace vrf1.

    # vrfctl add 1
    # ip link set eth0 down netns vrf1
    # ip link set eth2 down netns vrf1
    # ip netns exec vrf1 ip link set eth0 up
    # ip netns exec vrf1 ip addr add 10.22.1.101/24 dev eth0
    # ip netns exec vrf1 ip link set eth2 up
    # ip netns exec vrf1 ip addr add 10.23.1.101/24 dev eth2
    # ip netns exec vrf1 ip route add 0.0.0.0/0 via 10.23.1.201
    
  2. Create strongSwan working directories:

    # mkdir -p /etc/ike/ipsec.d/run
    # mkdir -p /etc/netns/vrf1/ike/ipsec.d/run
    

    See also

    For more information, see the strongSwan netns wiki or the ip netns man page.

  3. Edit the /etc/netns/vrf1/ike/ipsec.conf file as follows:

    config setup
    
    conn %default
            keyexchange=ikev2
            keyingtries=1
            mobike=no
            ikelifetime=57600s
            rekeymargin=5760s
            keylife=28800s
    
    conn myconnection
            auto=route
            left=10.23.1.101
            right=10.23.1.201
            leftsubnet=10.22.1.0/24
            rightsubnet=10.24.1.0/24
            type=tunnel
            ike=aes-sha1-modp1024!
            esp=aes-sha1-modp1024!
            authby=psk
    

    This file defines the SPs and the negotiation parameters of the SAs.

  4. Add the following line to the /etc/netns/vrf1/ike/ipsec.secrets file:

    10.23.1.101 10.23.1.201 : PSK 0x12345678
    

    This file defines authentication secrets, such as pre-shared keys or certificates.

  5. Add the following lines to the /etc/netns/vrf1/ike/strongswan.conf file:

    charon {
            install_routes = no
    }
    

    This file defines global configuration options for IKE daemons.

  6. Start IKE daemons:

    # ip netns exec vrf1 ipsec start
    Starting strongSwan 5.4.0 IPsec [starter]...
    no netkey IPsec stack detected
    no KLIPS IPsec stack detected
    no known IPsec stack detected, ignoring!
    

    Once IKE daemons are started, the IPsec SPs are configured in the kernel and in the fast path.

    A negotiation is automatically initiated the next time the IPsec gateway must forward a dataplane packet from the private network 10.22.1.0/24 to the remote private network 10.24.1.0/24.

  7. Display the IKE daemons’ state:

    Before a negotiation:

    # ip netns exec vrf1 ipsec statusall
    Status of IKE charon daemon (strongSwan 5.4.0, Linux 4.4.6, x86_64):
      uptime: 6 seconds, since Jun 09 13:59:13 2016
      malloc: sbrk 1486848, mmap 0, used 451904, free 1034944
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
      loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
    revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
    pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve
    socket-default stroke vici updown eap-identity eap-aka eap-aka-3gpp2
    eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-radius xauth-generic
    Listening IP addresses:
      10.22.1.101
      10.23.1.101
    Connections:
    myconnection:  10.23.1.101...10.23.1.201  IKEv2
    myconnection:   local:  [10.23.1.101] uses pre-shared key authentication
    myconnection:   remote: [10.23.1.201] uses pre-shared key authentication
    myconnection:   child:  10.22.1.0/24 === 10.24.1.0/24 TUNNEL
    Routed Connections:
    myconnection{1}:  ROUTED, TUNNEL, reqid 1
    myconnection{1}:   10.22.1.0/24 === 10.24.1.0/24
    Security Associations (0 up, 0 connecting):
      none
    

    After a successful negotiation:

    # ip netns exec vrf1 ipsec statusall
    Status of IKE charon daemon (strongSwan 5.4.0, Linux 4.4.6, x86_64):
      uptime: 2 minutes, since Jun 09 13:59:13 2016
      malloc: sbrk 2027520, mmap 0, used 477696, free 1549824
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
      loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
    revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
    pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve
    socket-default stroke vici updown eap-identity eap-aka eap-aka-3gpp2
    eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-radius xauth-generic
    Listening IP addresses:
      10.22.1.101
      10.23.1.101
    Connections:
    myconnection:  10.23.1.101...10.23.1.201  IKEv2
    myconnection:   local:  [10.23.1.101] uses pre-shared key authentication
    myconnection:   remote: [10.23.1.201] uses pre-shared key authentication
    myconnection:   child:  10.22.1.0/24 === 10.24.1.0/24 TUNNEL
    Routed Connections:
    myconnection{1}:  ROUTED, TUNNEL, reqid 1
    myconnection{1}:   10.22.1.0/24 === 10.24.1.0/24
    Security Associations (1 up, 0 connecting):
    myconnection[1]: ESTABLISHED 54 seconds ago, 10.23.1.101[10.23.1.101]...10.23.1.201[10.23.1.201]
    myconnection[1]: IKEv2 SPIs: 465f61cc6e4c6d25_i* fbea95b6b8eaa14e_r, pre-shared key reauthentication in 11 hours
    myconnection[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    myconnection{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c6fefb62_i ce610510_o
    myconnection{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 5 hours
    myconnection{2}:   10.22.1.0/24 === 10.24.1.0/24
    
  8. Display the Linux IPsec SPs:

    # ip netns exec vrf1 ip xfrm policy show
    src 10.24.1.0/24 dst 10.22.1.0/24
            dir fwd priority 2883 ptype main
            tmpl src 10.23.1.201 dst 10.23.1.101
                    proto esp reqid 1 mode tunnel
    src 10.24.1.0/24 dst 10.22.1.0/24
            dir in priority 2883 ptype main
            tmpl src 10.23.1.201 dst 10.23.1.101
                    proto esp reqid 1 mode tunnel
    src 10.22.1.0/24 dst 10.24.1.0/24
            dir out priority 2883 ptype main
            tmpl src 10.23.1.101 dst 10.23.1.201
                    proto esp reqid 1 mode tunnel
    src 0.0.0.0/0 dst 0.0.0.0/0
            socket in priority 0 ptype main
    src 0.0.0.0/0 dst 0.0.0.0/0
            socket out priority 0 ptype main
    src 0.0.0.0/0 dst 0.0.0.0/0
            socket in priority 0 ptype main
    src 0.0.0.0/0 dst 0.0.0.0/0
            socket out priority 0 ptype main
    src ::/0 dst ::/0
            socket in priority 0 ptype main
    src ::/0 dst ::/0
            socket out priority 0 ptype main
    src ::/0 dst ::/0
            socket in priority 0 ptype main
    src ::/0 dst ::/0
            socket out priority 0 ptype main
    
  9. Display the negotiated Linux IPsec SAs:

    # ip netns exec vrf1 ip xfrm state show
    src 10.23.1.101 dst 10.23.1.201
            proto esp spi 0xce610510 reqid 1 mode tunnel
            replay-window 32 flag af-unspec
            auth-trunc hmac(sha1) 0x926c0f31eaf115743e3c22521157407442f8e093 96
            enc cbc(aes) 0x3afd5f64605ee03e645cd77fac8b4f30
            anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    src 10.23.1.201 dst 10.23.1.101
            proto esp spi 0xc6fefb62 reqid 1 mode tunnel
            replay-window 32 flag af-unspec
            auth-trunc hmac(sha1) 0x1f0d9a43c813cc8aff0e5b505aaf71682111e216 96
            enc cbc(aes) 0x528ef1cff76437f66660d468dedc9eb6
            anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    
  10. Display the fast path IPsec SPs:

    <fp-0> vrf-exec 1 ipsec4-spd all
    vrf1:
    Inbound SPD: 1 rules
    1: 10.24.1.0/24 10.22.1.0/24 proto any vr1 protect prio 2883
         link-vr1
         ESP tunnel 10.23.1.201 - 10.23.1.101 reqid=1
         sp_packets=0 sp_bytes=0 sp_exceptions=0 sp_errors=0
    Outbound SPD: 1 rules
    1: 10.22.1.0/24 10.24.1.0/24 proto any vr1 protect prio 2883
         link-vr1 cached-SA 0 (genid 0)
         ESP tunnel 10.23.1.101 - 10.23.1.201 reqid=1
         sp_packets=0 sp_bytes=0 sp_exceptions=0 sp_errors=0
    
  11. Display the negotiated fast path IPsec SAs:

    <fp-0> vrf-exec 1 ipsec4-sad all
    vrf1:
    SAD 2 SA.
    1: 10.23.1.201 - 10.23.1.101 vr1 spi 0xc6fefb62 ESP tunnel
         x-vr1 reqid=1 counter 1 (genid 1)
         AES-CBC HMAC-SHA1
         key enc:528ef1cff76437f66660d468dedc9eb6
         digest length: 12
         key auth:1f0d9a43c813cc8aff0e5b505aaf71682111e216
         sa_packets=0 sa_bytes=0 sa_auth_errors=0 sa_decrypt_errors=0
         sa_replay_errors=0 sa_selector_errors=0
         replay width=32 seq=0x0 - oseq=0x0
         00000000
    2: 10.23.1.101 - 10.23.1.201 vr1 spi 0xce610510 ESP tunnel
         x-vr1 reqid=1 counter 1 (genid 2)
         AES-CBC HMAC-SHA1
         key enc:3afd5f64605ee03e645cd77fac8b4f30
         digest length: 12
         key auth:926c0f31eaf115743e3c22521157407442f8e093
         sa_packets=0 sa_bytes=0 sa_auth_errors=0 sa_decrypt_errors=0
         sa_replay_errors=0 sa_selector_errors=0
         replay width=32 seq=0x0 - oseq=0x0
         00000000
    
  12. Stop IKE daemons:

    # ip netns exec vrf1 ipsec stop
    

    This command stops IKE daemons and removes all SPs and SAs.
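    The outputs of steps 7 and 9 describe the same two ESP SAs from two angles: charon reports them as `ESP SPIs: c6fefb62_i ce610510_o`, the kernel as two xfrm states keyed by SPI. The following script is an added consistency check, not part of the original page or of strongSwan: it parses both outputs and verifies that every SPI charon negotiated is installed in the kernel with the expected direction (the `_i` SPI on the state whose dst is the local address, the `_o` SPI on the state whose dst is the peer), the same reqid and tunnel mode. The sample inputs are copied from the outputs above with the key lines omitted.

```python
"""Cross-check the ESP SAs reported by charon against the kernel xfrm state."""
import re

# Gateway addresses from the topology above.
LOCAL, REMOTE = "10.23.1.101", "10.23.1.201"

# Constructed inputs: child SA lines from `ipsec statusall` (step 7) and the
# matching `ip xfrm state show` output (step 9), auth/enc key lines omitted.
STATUSALL = """\
myconnection{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c6fefb62_i ce610510_o
myconnection{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 5 hours
"""
XFRM_STATE = """\
src 10.23.1.101 dst 10.23.1.201
        proto esp spi 0xce610510 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
src 10.23.1.201 dst 10.23.1.101
        proto esp spi 0xc6fefb62 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
"""

CHILD_RE = re.compile(r"reqid (\d+), ESP SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o")
STATE_RE = re.compile(
    r"src (\S+) dst (\S+)\n\s*proto esp spi 0x([0-9a-f]+) reqid (\d+) mode (\w+)")

def charon_child_sas(text):
    """Return {(reqid, spi_in, spi_out)} parsed from `ipsec statusall` output."""
    return {(int(r), i, o) for r, i, o in CHILD_RE.findall(text)}

def kernel_esp_states(text):
    """Return {spi: (src, dst, reqid, mode)} parsed from `ip xfrm state show`."""
    return {spi: (s, d, int(r), m) for s, d, spi, r, m in STATE_RE.findall(text)}

def check_sas(statusall, xfrm_state, local=LOCAL, remote=REMOTE):
    """List mismatches between what IKE negotiated and what the kernel installed.

    The _i SPI is what the peer uses to send to us, so its xfrm state must be
    src=remote dst=local; the _o SPI is ours towards the peer, so src=local."""
    states = kernel_esp_states(xfrm_state)
    problems = []
    for reqid, spi_in, spi_out in charon_child_sas(statusall):
        for spi, src, dst in ((spi_in, remote, local), (spi_out, local, remote)):
            expected = (src, dst, reqid, "tunnel")
            state = states.get(spi)
            if state is None:
                problems.append(f"spi 0x{spi}: negotiated but missing from kernel")
            elif state != expected:
                problems.append(f"spi 0x{spi}: kernel has {state}, expected {expected}")
    return problems

if __name__ == "__main__":
    print(check_sas(STATUSALL, XFRM_STATE) or "kernel SAs match the negotiated child SA")
```

On a live gateway, feed it `ip netns exec vrf1 ipsec statusall` and `ip netns exec vrf1 ip xfrm state show` instead of the embedded samples; a non-empty result means the kernel SAD has drifted from what charon believes is installed.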