[quagga-users 15020] BGP routers that do not share a common subnet (IPSec VPN with strongSwan)

Florin Andrei florin at andrei.myip.org
Tue May 21 04:07:50 BST 2019


I am trying to do full mesh routing between several networks, which are 
geographically separate. The networks are connected via IPSec VPN using 
strongSwan. To figure out the correct configurations, I've connected 
only two networks for now: site1 and site2. Each network has one VPN 
server.

The way strongSwan works, it does not create a new tunnel interface on 
Linux, with a dedicated IP address (the way OpenVPN does). Instead, 
strongSwan uses an existing interface and encrypts traffic that tries to 
exit that interface.

Site1 is assigned the 10.0.1.0/24 net.
Site2 is assigned the 10.0.2.0/24 net.

The site1-vpn server has 10.0.1.254 on eth0.
The site2-vpn server has 10.0.2.254 on eth0.

Each site has a NAT gateway that performs NAT on all traffic with the 
Internet. strongSwan is configured with NAT traversal. VPN works fine 
between the two servers.

When the tunnel is established, I can ping site1-vpn from site2-vpn and 
vice versa, by IP (see IP addresses above). The way strongSwan works, it 
does not add a static route to the kernel for the remote tunnel IP, 
since it knows that IP is at the remote end of the tunnel (it's 
specified in ipsec.conf). So the table always looks like this, no matter 
whether the tunnel is up or down:

[root at site1-vpn ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0

However, ping (and all IP protocols) work "magically" as long as 
communication is strictly between the two VPN servers. bgpd on one VPN 
server can talk just fine with bgpd on the other VPN server. I can ssh 
from one VPN server to the other.

I want bgpd to add 10.0.2.0/24 (the site2 network) to the routing table 
on the site1-vpn server. That doesn't seem to work with my current zebra 
and bgpd configuration, unless I manually add a static route for the 
remote VPN server, like this:

route add -host 10.0.2.254 eth0

And then the table becomes:

[root at site1-vpn ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.2.254      0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0

(and also I need to add the mirror route on the other VPN server)

Then bgpd works and it adds the route advertised by the other server:

[root at site1-vpn ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.2.254      0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.2.0        10.0.2.254      255.255.255.0   UG    20     0        0 eth0
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0

But this manually added static route seems pointless to me, since 
strongSwan already can route traffic destined for the remote end of the 
tunnel.

How can I make bgpd work without adding this /32 route manually?

Basically, what I have here is two BGP routers that are completely 
separate (do not share a common subnet).

Current zebra.conf:

hostname site1-vpn
password zebra
!enable password zebra
interface lo
   no link-detect
interface eth0
   no link-detect
ip route 0.0.0.0/0 10.0.1.1
ip forwarding
log file /var/log/quagga/zebra.log

Current bgpd.conf:

hostname site1-vpn
password zebra
!enable password please-set-at-here
router bgp 65001
   bgp router-id 10.0.1.254
   network 10.0.1.0/24
   redistribute connected
   timers bgp 3 12
   neighbor 10.0.2.254 remote-as 65002
   neighbor 10.0.2.254 next-hop-self
   neighbor 10.0.2.254 ebgp-multihop 2
   neighbor 10.0.2.254 activate
access-list all permit any
log file /var/log/quagga/bgpd.log

I am probably missing something very simple. Any help is appreciated; 
I'm stuck and I can't figure out what's wrong. Thank you.

-- 
Florin Andrei
http://florin.myip.org/
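An added diagnostic helper, not part of the original post or of Quagga, that makes the difference between the two routing tables above visible: it parses `route -n` output and does a longest-prefix match for the BGP neighbor's address, showing that without the /32 the next hop 10.0.2.254 only resolves through the default route towards the NAT gateway 10.0.1.1, while with the /32 it is on-link on eth0. The sample tables are copied from the post; the function names and result fields are my own.

```python
import ipaddress

# Sample input, copied from the post: routing table without the /32 route.
ROUTE_N_BEFORE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
"""

# Sample input, copied from the post: routing table after `route add -host`.
ROUTE_N_AFTER = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.2.254      0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_n(text):
    """Parse `route -n` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Data lines start with a dotted-quad destination; skip the two headers.
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[-1]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def resolve_next_hop(routes, nexthop):
    """Longest-prefix match of a BGP next hop against the parsed table.

    Returns how the kernel would reach it: the matching prefix length,
    whether it is on-link (gateway 0.0.0.0), whether only the default
    route matched, and the egress interface.
    """
    addr = ipaddress.ip_address(nexthop)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return {"reachable": False}
    net, gw, iface = best
    return {"reachable": True, "prefixlen": net.prefixlen,
            "onlink": gw == "0.0.0.0", "via_default": net.prefixlen == 0,
            "iface": iface}
```

Running `resolve_next_hop(parse_route_n(ROUTE_N_BEFORE), "10.0.2.254")` reports the neighbor as reachable only via the default route, which is the situation in which bgpd refuses to install 10.0.2.0/24; the same call on `ROUTE_N_AFTER` reports a /32 on-link match on eth0.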

