Issue #3545

Configuration model for multiple-VRF tunnel endpoints

Added by Pete McAllister 2 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.8.2
Resolution:

Description

Hi,

I wish to configure IPsec tunnels with endpoints in different VRFs, but can't work out what the right way to achieve this is. I'm using VRFs for other things already and don't want the scaling problems of network namespaces, but also need VRF separation because my use-case might have multiple tunnel endpoints with the same IP address in different VRFs.

With a single charon instance, this could be done by configuring tunnel endpoints with the VRF ID or routing table ID or local interface (bound to a VRF) that we would expect the packets to be received on but can't see how. Is this possible?

Perhaps the mentions of separate vici sockets or the "routing engine" [here](https://wiki.strongswan.org/issues/3530#note-1) are talking about the same kind of issue, but I can't see how to apply this to solve my problem. Is there a config example somewhere I could look at to understand this better, if so?

Alternatively, I could use one instance of charon per VRF, run using `ip vrf exec`. I've got this running (using mount namespaces to separate the config files and piddirs) but the tunnels aren't getting set up. This is probably due to netlink errors in setting up the routes:

```
charon: 12[KNL] installing route: 10.226.132.202/32 via 10.226.132.202 src 10.226.132.238 dev if-vrf-2
charon: 12[KNL] getting iface index for if-vrf-2
charon: 12[KNL] sending RTM_NEWROUTE 207: => 60 bytes 0x7f99527faca0
charon: 12[KNL] 0: 3C 00 00 00 18 00 05 05 CF 00 00 00 6D 5B 00 00 <...........m[..
charon: 12[KNL] 16: 02 20 00 00 DC 04 00 01 00 00 00 00 08 00 01 00 . ..............
charon: 12[KNL] 32: 0A E2 84 CA 08 00 07 00 0A E2 84 EE 08 00 05 00 ................
charon: 12[KNL] 48: 0A E2 84 CA 08 00 04 00 0E 00 00 00 ............
charon: 12[KNL] received (2) 207: => 80 bytes 0x7f9924002410
charon: 12[KNL] 0: 50 00 00 00 02 00 00 00 CF 00 00 00 6D 5B 00 00 P...........m[..
charon: 12[KNL] 16: EA FF FF FF 3C 00 00 00 18 00 05 05 CF 00 00 00 ....<...........
charon: 12[KNL] 32: 6D 5B 00 00 02 20 00 00 DC 04 00 01 00 00 00 00 m[... ..........
charon: 12[KNL] 48: 08 00 01 00 0A E2 84 CA 08 00 07 00 0A E2 84 EE ................
charon: 12[KNL] 64: 08 00 05 00 0A E2 84 CA 08 00 04 00 0E 00 00 00 ................
charon: 12[KNL] received netlink error: Invalid argument (22)
charon: 12[KNL] received netlink error: Invalid argument (22)
```

This in turn is presumably because 10.226.132.238 isn't a valid local address in the default routing table; manually running `ip route add 10.226.132.202/32 via 10.226.132.202 dev if-vrf-2 vrf vrf-2` works.

Adding an explicit charon.routing_table entry for the routing table of the VRF makes this worse: I then get routes in one VRF using next-hops from the default route in another. Is this config option supposed to be the routing table in which to look up next hop and local host address information, or is it something else? Or should I be also using install_routes=false?

Possibly I'm fundamentally confused as to how this is supposed to work, in which case, sorry if bits of my question don't make a great deal of sense :)

Pete
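As an added example (not part of the issue or of strongSwan), the two netlink dumps quoted in the log above decoded with the `nlmsghdr`, `rtmsg` and `rtattr` layouts from the Linux uapi headers, so the route table, RTA_PREFSRC, RTA_GATEWAY and RTA_OIF charon requested, and the errno the kernel answered with, can be read off directly rather than from the hex.

```python
import errno
import socket
import struct

# Hex dumps copied from the charon log above: the RTM_NEWROUTE request and the kernel's reply.
SENT_HEX = ("3C 00 00 00 18 00 05 05 CF 00 00 00 6D 5B 00 00 02 20 00 00 DC 04 00 01 00 00 00 00 "
            "08 00 01 00 0A E2 84 CA 08 00 07 00 0A E2 84 EE 08 00 05 00 0A E2 84 CA 08 00 04 00 0E 00 00 00")
REPLY_HEX = ("50 00 00 00 02 00 00 00 CF 00 00 00 6D 5B 00 00 EA FF FF FF 3C 00 00 00 18 00 05 05 CF 00 00 00 "
             "6D 5B 00 00 02 20 00 00 DC 04 00 01 00 00 00 00 08 00 01 00 0A E2 84 CA 08 00 07 00 0A E2 84 EE "
             "08 00 05 00 0A E2 84 CA 08 00 04 00 0E 00 00 00")

NLMSG_ERROR, RTM_NEWROUTE = 2, 24  # linux/netlink.h, linux/rtnetlink.h
RTA_NAMES = {1: "RTA_DST", 4: "RTA_OIF", 5: "RTA_GATEWAY", 7: "RTA_PREFSRC"}


def parse_rtm_newroute(data: bytes) -> dict:
    """Decode nlmsghdr + rtmsg + rtattr list of an IPv4 RTM_NEWROUTE request."""
    length, msg_type, _flags, seq, _pid = struct.unpack_from("<IHHII", data, 0)
    if msg_type != RTM_NEWROUTE or length != len(data):
        raise ValueError("not a complete RTM_NEWROUTE message")
    family, dst_len, _src, _tos, table, proto, _scope, rtype, _rf = struct.unpack_from("<8BI", data, 16)
    route = {"seq": seq, "family": family, "dst_len": dst_len, "table": table, "protocol": proto, "type": rtype}
    off = 28  # rtattr list follows the 16-byte nlmsghdr and the 12-byte rtmsg
    while off + 4 <= length:
        rta_len, rta_type = struct.unpack_from("<HH", data, off)
        payload = data[off + 4:off + rta_len]
        # RTA_OIF carries an interface index; the other attributes seen here carry IPv4 addresses.
        value = struct.unpack("<I", payload)[0] if rta_type == 4 else socket.inet_ntoa(payload)
        route[RTA_NAMES.get(rta_type, f"RTA_{rta_type}")] = value
        off += (rta_len + 3) & ~3  # attributes are padded to 4-byte boundaries
    return route


def parse_nlmsg_error(data: bytes) -> dict:
    """Decode an NLMSG_ERROR ack: the negative errno plus the echoed original request."""
    length, msg_type, _flags, seq, _pid = struct.unpack_from("<IHHII", data, 0)
    if msg_type != NLMSG_ERROR:
        raise ValueError("not an NLMSG_ERROR message")
    err = -struct.unpack_from("<i", data, 16)[0]
    return {"seq": seq, "errno": err, "name": errno.errorcode.get(err, "?"),
            "request": parse_rtm_newroute(data[20:length])}


def decode_log_exchange() -> dict:
    """Decode both dumps and confirm the error reply acknowledges exactly the request charon sent."""
    sent = parse_rtm_newroute(bytes.fromhex(SENT_HEX))
    reply = parse_nlmsg_error(bytes.fromhex(REPLY_HEX))
    reply["acks_request"] = reply["seq"] == sent["seq"] and reply["request"] == sent
    return reply
```

The decoded request targets table 220 with RTA_PREFSRC 10.226.132.238, RTA_GATEWAY 10.226.132.202 and RTA_OIF 14, and the reply is an NLMSG_ERROR carrying -22 (EINVAL) for the same sequence number.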
