
IP setup of Example Site-to-site VPN topology

back to parent article

h1

ip addr add 192.168.1.100/24 dev eth0
ip route add default via 192.168.1.1

h2

ip addr add 192.168.2.100/24 dev eth0
ip route add default via 192.168.2.1

r1

ip addr add 192.168.1.1/24 dev eth0
ip addr add 8.0.0.1/8 dev eth1
ip route add default via 8.0.0.2
sysctl net.ipv4.ip_forward=1

After a successful IKE handshake, Strongswan adds an additional routing table (no. 220) on r1 and puts a route into it that carries a source-address hint (src 192.168.1.1). This is not source routing; the hint tells r1 to use the IP address 192.168.1.1 of its eth0 interface as source address when sending locally generated packets to hosts in the VPN peer subnet 192.168.2.0/24, so that these packets match the IPsec policy instead of leaving with the 8.0.0.1 address of eth1.

ip route show table 220
192.168.2.0/24 via 8.0.0.2 dev eth1 proto static src 192.168.1.1

This behavior depends on the Strongswan configuration setting charon.install_route; its default value, however, is yes. The setting is usually placed in the file /etc/strongswan.d/charon.conf. See the reference documentation on strongswan.conf.

Strongswan automatically removes this route again when the VPN tunnel is terminated.

rx

ip addr add 8.0.0.2/8 dev eth0
ip addr add 9.0.0.2/8 dev eth1
sysctl net.ipv4.ip_forward=1

Intentionally, no routes to the subnets 192.168.1.0/24 and 192.168.2.0/24 are set here: in this topology rx plays the role of a router in the Internet, and Internet routers do not have routes into private subnets behind edge routers like r1 and r2.
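The two properties described above (the src hint of the route Strongswan installs in table 220 on r1, and the absence of routes into private subnets on rx) can be verified from the output of ip route. The following shell script is an added example, not part of this page or of the Strongswan project; the route listings in it are constructed to match the topology instead of being captured from the real hosts, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample outputs (assumption: this is what the routers would print).
# On the real hosts you would use: R1_TABLE220=$(ip route show table 220)
R1_TABLE220='192.168.2.0/24 via 8.0.0.2 dev eth1 proto static src 192.168.1.1'
RX_MAIN='8.0.0.0/8 dev eth0 proto kernel scope link src 8.0.0.2
9.0.0.0/8 dev eth1 proto kernel scope link src 9.0.0.2'

# vpn_route_src ROUTE_OUTPUT PEER_SUBNET
# Prints the src hint of the route whose destination is PEER_SUBNET,
# or nothing if no such route (or no src hint) is present.
vpn_route_src() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $1 == net { for (i = 1; i < NF; i++) if ($i == "src") print $(i + 1) }'
}

# check_vpn_route ROUTE_OUTPUT PEER_SUBNET EXPECTED_SRC
# Exit 0 if the peer-subnet route exists and its src hint is EXPECTED_SRC
# (the inner-interface address), 1 if the route is missing or points elsewhere.
check_vpn_route() {
    [ "$(vpn_route_src "$1" "$2")" = "$3" ]
}

# private_routes ROUTE_OUTPUT
# Prints every route whose destination lies in an RFC 1918 block.
private_routes() {
    printf '%s\n' "$1" | grep -E '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)'
}

# check_transit_router ROUTE_OUTPUT
# Exit 0 if the table has no RFC 1918 destinations (what rx must look like),
# 1 if a route into a private subnet leaked into the "Internet" router.
check_transit_router() {
    [ -z "$(private_routes "$1")" ]
}

# Stand-alone run on the constructed samples:
check_vpn_route "$R1_TABLE220" 192.168.2.0/24 192.168.1.1 && echo "r1: table 220 route OK"
check_transit_router "$RX_MAIN" && echo "rx: no routes into private subnets"
```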

r2

ip addr add 192.168.2.1/24 dev eth0
ip addr add 9.0.0.1/8 dev eth1
ip route add default via 9.0.0.2
sysctl net.ipv4.ip_forward=1

This route is added by Strongswan (already explained for r1):

ip route show table 220
192.168.1.0/24 via 9.0.0.2 dev eth1 proto static src 192.168.2.1

linux/ipsec/example/ss1/ip_setup.1618083195.txt.gz · Last modified: 2021-04-10 by Andrej Stender