Issue #3324

multiple VRF connections

Added by Liran Odiz 8 months ago. Updated 8 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
-
Affected version:
5.8.2
Resolution:

Description

Is it possible to create multiple VRF connections with multiple configuration files (without using namespaces)?

History

#1 Updated by Tobias Brunner 8 months ago

  • Status changed from New to Feedback

with multiple configuration files (without using namespaces)?

What do you mean exactly?

#2 Updated by Liran Odiz 8 months ago

Tobias Brunner wrote:

with multiple configuration files (without using namespaces)?

What do you mean exactly?

I want to use separate configuration files for each VRF. For example: create 5 VPNs, each from a separate VRF, with each VRF using its own configuration files.

#3 Updated by Tobias Brunner 8 months ago

I want to use separate configuration files for each VRF. For example: create 5 VPNs, each from a separate VRF, with each VRF using its own configuration files.

Why separate configuration files?

#4 Updated by Liran Odiz 8 months ago

Tobias Brunner wrote:

I want to use separate configuration files for each VRF. For example: create 5 VPNs, each from a separate VRF, with each VRF using its own configuration files.

Why separate configuration files?

How can I manage 2 VPNs with the same IP address (each VPN on a different VRF)?

#5 Updated by Tobias Brunner 8 months ago

How can I manage 2 VPNs with the same IP address (each VPN on a different VRF)?

What's the problem with that? Are the traffic selectors/policies identical?

Maybe this is of interest to you.

#6 Updated by Liran Odiz 8 months ago

I am trying to create a tunnel on a VRF and got an error message "received netlink error: Invalid argument (22)
unable to install source route for 40.40.40.1". What is wrong?

root@test2:/home/test# cat /etc/ipsec.conf
conn %default
        keyexchange=ikev1
        authby=secret
        type=tunnel
        ike=aes128-sha1-modp2048!
        dpdaction=clear
        dpddelay=1
        dpdtimeout=4
        mobike=no
conn tunnel1_4a010002
        keyexchange=ikev2
        left=20.20.20.1
        leftsubnet=40.40.40.0/24
        right=20.20.20.2
        rightsubnet=50.50.50.0/24
        esp=aes128-sha1-modp2048!
        lifetime=8000s
        lifebytes=313032704
        ikelifetime=86400000
        aggressive=no
        auto=route
root@test2:/home/test# ip link add VR2 type vrf table 2
root@test2:/home/test# ip link set dev VR2 up
root@test2:/home/test# ip link set dev enp0s8 master VR2
root@test2:/home/test# ip link set dev enp0s8 up
root@test2:/home/test# ip link set dev enp0s9 master VR2
root@test2:/home/test# ip link set dev enp0s9 up
root@test2:/home/test# ifconfig enp0s8 40.40.40.1/24 up
root@test2:/home/test# ifconfig enp0s9 20.20.20.1/24 up
root@test2:/home/test# ip vrf exec VR2 ipsec restart
root@test2:/home/test# ip vrf exec VR2 ipsec up tunnel1_4a010002
initiating IKE_SA tunnel1_4a010002[1] to 20.20.20.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 20.20.20.1[500] to 20.20.20.2[500] (462 bytes)
received packet: from 20.20.20.2[500] to 20.20.20.1[500] (462 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
authentication of '20.20.20.1' (myself) with pre-shared key
establishing CHILD_SA tunnel1_4a010002{3}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 20.20.20.1[500] to 20.20.20.2[500] (252 bytes)
received packet: from 20.20.20.2[500] to 20.20.20.1[500] (220 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
authentication of '20.20.20.2' with pre-shared key successful
IKE_SA tunnel1_4a010002[1] established between 20.20.20.1[20.20.20.1]...20.20.20.2[20.20.20.2]
scheduling reauthentication in 86399421s
maximum IKE_SA lifetime 86399961s
received netlink error: Invalid argument (22)
unable to install source route for 40.40.40.1
CHILD_SA tunnel1_4a010002{3} established with SPIs c44d78f6_i cad4f1da_o and TS 40.40.40.0/24 === 50.50.50.0/24
connection 'tunnel1_4a010002' established successfully

#7 Updated by Tobias Brunner 8 months ago

I am trying to create a tunnel on a VRF and got an error message "received netlink error: Invalid argument (22)
unable to install source route for 40.40.40.1". What is wrong?

You can increase the log level to 2 for the knl subsystem, to see more details about the route installation in the log (not in the ipsec up output you posted there as that always lists level 1 messages only). It will be a route to 50.50.50.0/24 with 40.40.40.1 as preferred source address, maybe the interface selection is a problem. But you might not need that route anyway (i.e. you could perhaps disable charon.install_routes).

#8 Updated by Liran Odiz 8 months ago

Tobias Brunner wrote:

I am trying to create a tunnel on a VRF and got an error message "received netlink error: Invalid argument (22)
unable to install source route for 40.40.40.1". What is wrong?

You can increase the log level to 2 for the knl subsystem, to see more details about the route installation in the log (not in the ipsec up output you posted there as that always lists level 1 messages only). It will be a route to 50.50.50.0/24 with 40.40.40.1 as preferred source address, maybe the interface selection is a problem. But you might not need that route anyway (i.e. you could perhaps disable charon.install_routes).

Attached is the log of the knl subsystem.

Feb  4 12:56:13 test2 charon: 13[CFG] received stroke: initiate 'tunnel1_4a010002'
Feb  4 12:56:13 test2 charon: 15[IKE] initiating IKE_SA tunnel1_4a010002[1] to 20.20.20.2
Feb  4 12:56:13 test2 charon: 15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb  4 12:56:13 test2 charon: 15[NET] sending packet: from 20.20.20.1[500] to 20.20.20.2[500] (462 bytes)
Feb  4 12:56:13 test2 charon: 16[NET] received packet: from 20.20.20.2[500] to 20.20.20.1[500] (462 bytes)
Feb  4 12:56:13 test2 charon: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb  4 12:56:13 test2 charon: 16[IKE] authentication of '20.20.20.1' (myself) with pre-shared key
Feb  4 12:56:13 test2 charon: 16[IKE] establishing CHILD_SA tunnel1_4a010002{3}
Feb  4 12:56:13 test2 charon: 16[KNL] got SPI c12a8240
Feb  4 12:56:13 test2 charon: 16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb  4 12:56:13 test2 charon: 16[NET] sending packet: from 20.20.20.1[500] to 20.20.20.2[500] (252 bytes)
Feb  4 12:56:13 test2 charon: 06[NET] received packet: from 20.20.20.2[500] to 20.20.20.1[500] (220 bytes)
Feb  4 12:56:13 test2 charon: 06[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Feb  4 12:56:13 test2 charon: 06[IKE] authentication of '20.20.20.2' with pre-shared key successful
Feb  4 12:56:13 test2 charon: 06[IKE] IKE_SA tunnel1_4a010002[1] established between 20.20.20.1[20.20.20.1]...20.20.20.2[20.20.20.2]
Feb  4 12:56:13 test2 charon: 06[IKE] scheduling reauthentication in 86399021s
Feb  4 12:56:13 test2 charon: 06[IKE] maximum IKE_SA lifetime 86399561s
Feb  4 12:56:13 test2 charon: 06[KNL] adding SAD entry with SPI c12a8240 and reqid {1}
Feb  4 12:56:13 test2 charon: 06[KNL]   using encryption algorithm AES_CBC with key size 128
Feb  4 12:56:13 test2 charon: 06[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Feb  4 12:56:13 test2 charon: 06[KNL]   using replay window of 32 packets
Feb  4 12:56:13 test2 charon: 06[KNL] adding SAD entry with SPI cdb46b57 and reqid {1}
Feb  4 12:56:13 test2 charon: 06[KNL]   using encryption algorithm AES_CBC with key size 128
Feb  4 12:56:13 test2 charon: 06[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Feb  4 12:56:13 test2 charon: 06[KNL]   using replay window of 0 packets
Feb  4 12:56:13 test2 charon: 06[KNL] policy 50.50.50.0/24 === 40.40.40.0/24 in already exists, increasing refcount
Feb  4 12:56:13 test2 charon: 06[KNL] updating policy 50.50.50.0/24 === 40.40.40.0/24 in [priority 375423, refcount 3]
Feb  4 12:56:13 test2 charon: 06[KNL] policy 50.50.50.0/24 === 40.40.40.0/24 fwd already exists, increasing refcount
Feb  4 12:56:13 test2 charon: 06[KNL] updating policy 50.50.50.0/24 === 40.40.40.0/24 fwd [priority 375423, refcount 3]
Feb  4 12:56:13 test2 charon: 06[KNL] policy 40.40.40.0/24 === 50.50.50.0/24 out already exists, increasing refcount
Feb  4 12:56:13 test2 charon: 06[KNL] updating policy 40.40.40.0/24 === 50.50.50.0/24 out [priority 375423, refcount 3]
Feb  4 12:56:13 test2 charon: 06[KNL] getting a local address in traffic selector 40.40.40.0/24
Feb  4 12:56:13 test2 charon: 06[KNL] using host 40.40.40.1
Feb  4 12:56:13 test2 charon: 06[KNL] getting iface name for index 4
Feb  4 12:56:13 test2 charon: 06[KNL] using 20.20.20.2 as nexthop and enp0s9 as dev to reach 20.20.20.2/32
Feb  4 12:56:13 test2 charon: 06[KNL] installing route: 50.50.50.0/24 via 20.20.20.2 src 40.40.40.1 dev enp0s9
Feb  4 12:56:13 test2 charon: 06[KNL] getting iface index for enp0s9
Feb  4 12:56:13 test2 charon: 06[KNL] received netlink error: Invalid argument (22)
Feb  4 12:56:13 test2 charon: 06[KNL] unable to install source route for 40.40.40.1
Feb  4 12:56:13 test2 charon: 06[IKE] CHILD_SA tunnel1_4a010002{3} established with SPIs c12a8240_i cdb46b57_o and TS 40.40.40.0/24 === 50.50.50.0/24
Feb  4 12:56:13 test2 charon: 06[IKE] received AUTH_LIFETIME of 86399427s, scheduling reauthentication in 86398887s
Feb  4 12:56:14 test2 charon: 08[NET] received packet: from 20.20.20.2[500] to 20.20.20.1[500] (76 bytes)

#9 Updated by Tobias Brunner 8 months ago

These are the relevant lines if you are interested in the route installation:

Feb  4 12:56:13 test2 charon: 06[KNL] getting a local address in traffic selector 40.40.40.0/24
Feb  4 12:56:13 test2 charon: 06[KNL] using host 40.40.40.1
Feb  4 12:56:13 test2 charon: 06[KNL] getting iface name for index 4
Feb  4 12:56:13 test2 charon: 06[KNL] using 20.20.20.2 as nexthop and enp0s9 as dev to reach 20.20.20.2/32
Feb  4 12:56:13 test2 charon: 06[KNL] installing route: 50.50.50.0/24 via 20.20.20.2 src 40.40.40.1 dev enp0s9
Feb  4 12:56:13 test2 charon: 06[KNL] getting iface index for enp0s9
Feb  4 12:56:13 test2 charon: 06[KNL] received netlink error: Invalid argument (22)
Feb  4 12:56:13 test2 charon: 06[KNL] unable to install source route for 40.40.40.1

Check the validity of the arguments, try installing such a route manually etc.

But again, the route might not be necessary. What exactly is the problem?

#10 Updated by Liran Odiz 8 months ago

Tobias Brunner wrote:

These are the relevant lines if you are interested in the route installation:

[...]

Check the validity of the arguments, try installing such a route manually etc.

But again, the route might not be necessary. What exactly is the problem?

Installing the route manually is working fine.
The route is necessary for the data path (to 50.50.50.0/24). Without the route, the traffic is not passed into the tunnel.

#11 Updated by Tobias Brunner 8 months ago

Installing the route manually is working fine.

Using ip route add 50.50.50.0/24 via 20.20.20.2 src 40.40.40.1 dev enp0s9 table 220 (that's about what the daemon tries to do)? Or what command/parameters?
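As an added example, not part of this thread and not strongSwan project code, the following shell script puts #7 and #11 together: the strongswan.conf settings Tobias refers to (the knl subsystem at log level 2, and charon.install_routes as the switch that stops charon from installing the route at all), plus a helper that turns charon's "installing route:" log line into the manual ip route command for charon's routing table 220, so the kernel's answer to that exact command can be compared with the netlink error in the log. The sample log lines are constructed from the excerpt in #9; the addresses and enp0s9 are the thread's own; the log path /var/log/charon.log is an assumption.

```shell
#!/bin/sh
# Added example for strongSwan issue #3324; not the project's code.
# Assumes: charon logs to /var/log/charon.log (assumption), the default
# routing table 220 (charon.routing_table, named in the thread), and the
# thread's addresses 40.40.40.1 / 20.20.20.2 / 50.50.50.0/24 on enp0s9.

# 1. strongswan.conf fragment: knl at level 2 shows the route charon tries to
#    install (the "ipsec up" output only shows level 1). install_routes = no
#    is the alternative Tobias mentions: charon then installs only policies and
#    SAs, and the 50.50.50.0/24 route is left to the VRF table / administrator.
strongswan_conf_snippet() {
    cat <<'EOF'
charon {
    # set to "no" to stop charon installing the source route itself
    install_routes = yes
    filelog {
        charon {
            path = /var/log/charon.log
            default = 1
            knl = 2
        }
    }
}
EOF
}

# 2. Convert one "[KNL] installing route: ..." line into the ip(8) command
#    charon is effectively issuing. Returns 1 if the line is not such a line.
route_cmd_from_log() {
    spec=$(printf '%s\n' "$1" | sed -n 's/.*installing route: //p')
    [ -n "$spec" ] || return 1
    printf 'ip route add %s table 220\n' "$spec"
}

# 3. Scan a charon log: for every route install that was followed by
#    "unable to install source route", print the manual command to retry.
failed_route_cmds() {
    awk '/\[KNL\] installing route: /{pending=$0}
         /\[KNL\] unable to install source route/{if (pending) {print pending; pending=""}}' "$1" |
    while IFS= read -r line; do
        cmd=$(route_cmd_from_log "$line") || continue
        printf '%s\n' "$cmd"
    done
}

# Constructed sample log (four lines taken from the excerpt in #9).
sample_log() {
    cat <<'EOF'
Feb  4 12:56:13 test2 charon: 06[KNL] installing route: 50.50.50.0/24 via 20.20.20.2 src 40.40.40.1 dev enp0s9
Feb  4 12:56:13 test2 charon: 06[KNL] getting iface index for enp0s9
Feb  4 12:56:13 test2 charon: 06[KNL] received netlink error: Invalid argument (22)
Feb  4 12:56:13 test2 charon: 06[KNL] unable to install source route for 40.40.40.1
EOF
}

# Demo: print the retry command(s) for the sample log. Run the printed
# command as root inside the VRF (ip vrf exec VR2 ...) and then check
# "ip route show table 220" and "ip rule show" to see what the kernel accepted.
tmp=$(mktemp) && sample_log > "$tmp" && failed_route_cmds "$tmp"; rm -f "$tmp"
```

The point of retrying with `table 220` rather than the VRF's own table (2 in this thread) is that this is the table charon writes to; a manual `ip route add` without `table 220` lands in the main table and so does not reproduce what charon does.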
