Configure IPSec IKEv2 with VTI Interface

Uploaded by ctrbudisantoso

VISION: To establish an IPsec (IKEv2) site-to-site tunnel and bind it to a VTI interface

- In this case, we have established an IPsec (IKEv2) site-to-site tunnel with a
  FortiGate firewall installed in AWS.
- The VTI interface configuration stays the same irrespective of the device at
  the remote end; only the peer-specific values in the IPsec configuration change.
- Install strongSwan, the full ip utility and the VTI kernel module:
  opkg update && opkg install strongswan-full ip-full kmod-ip-vti vtiv4

Step 1: Stop the ipsec service with the command:
- ipsec stop
Step 2: Edit the /etc/[Link] file and make the following changes (install_routes=no
stops charon from inserting its own routes for the tunnel and install_virtual_ip=no
stops it from assigning virtual IPs; with a VTI, routing is done with ordinary routes
pointing at the vti device, as in Step 8):

charon {
    load_modular = yes
    install_routes = no
    install_virtual_ip = no
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf

Step 3: Create the vti interface with the following commands (ikey is the mark
applied to inbound traffic and okey the mark applied to outbound traffic; these
two numbers tie the device to the IPsec SAs through mark_in/mark_out in Step 4):

- ip tunnel add vti1 mode vti local [Link] remote (server wan ip) ikey 32 okey 42
- ip link set vti1 up
- sysctl -w [Link].vti1.disable_policy=1
- sysctl -w [Link].vti1.rp_filter=0

disable_policy=1 skips the IPsec policy check on packets that the vti device has
already decapsulated, and rp_filter=0 prevents strict reverse-path filtering from
dropping packets that arrive on vti1 from addresses whose return route is not via
vti1.

Step 4: Edit or paste the following configuration into the /etc/[Link] file:

- The IP parameters will differ for every deployment; check each one while editing.
- Ensure that mark_in and mark_out carry the same values as the ikey and okey used
  when creating the vti interface in Step 3 (mark_in = ikey, mark_out = okey).

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.

conn to-secondary
    type=tunnel
    left=[Link]
    leftsubnet=[Link]/32
    leftid=TestSST
    leftfirewall=yes
    ikelifetime=86400
    keylife=43200
    right=(server wan ip)
    rightid=TestSST
    rightsubnet=[Link]/22
    authby=secret
    auto=start
    ike=aes128gcm16-prfsha256-modp1024
    esp=aes128gcm16-modp1024
    rekey=yes
    keyexchange=ikev2
    leftikeport=4500
    rightikeport=4500
    aggressive=no
    forceencaps=yes
    mark_in=32
    mark_out=42

Note: leftsubnet in the above configuration is the IP address of our vti
interface. Preferably the vti IP address should be on a subnet different from
your LAN subnet to avoid clashes.

Note: leftsubnet and rightsubnet are also the traffic selectors of the SA, so
only packets whose source is the vti address and whose destination lies in
rightsubnet are encrypted. Packets from LAN hosts that are routed into vti1 with
their own source address do not match the selector and are dropped by the vti
device. Either enable masquerading on the vpn zone (Step 9) so LAN traffic
leaves vti1 with the vti address as source, or widen the selectors on both
sides.

Note: modp1024 is a 1024-bit Diffie-Hellman group and is no longer considered
adequate; prefer modp2048 (or an ECP group such as ecp256) in both ike= and esp=
if the remote FortiGate supports it. The proposals must match on both ends.
aggressive=no only affects IKEv1 and has no effect here.

Step 5: Edit the /etc/[Link] file and enter the pre-shared key in the format shown
below.
- The pre-shared key will be different for every deployment; use a long random
  value rather than a short, guessable string like the sample below.
- Ensure that there are no syntactical errors: the colon, the keyword PSK and the
  double quotes are all required. With nothing in front of the colon the key
  applies to every peer; to restrict it to this tunnel, put the peer IDs (or IP
  addresses) in front of the colon.

: PSK "Testing@123"
Step 6: Start (or restart) the ipsec service using the command:
- ipsec start (or ipsec restart if it is already running)
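Steps 3 to 6 are one procedure, and the values that must agree (ikey/okey on the device, mark_in/mark_out in the conn, the vti address as leftsubnet) are spread over three files. The dry-run helper below is an added example, not part of the original document or of strongSwan or OpenWrt: it generates the VTI commands and the conn block from one set of variables and checks an existing conn file against the device keys. It assumes the standard strongSwan file names /etc/ipsec.conf and /etc/ipsec.secrets; the addresses (documentation ranges), subnet, IDs and PSK are constructed placeholders, and the proposal uses modp2048 instead of the page's modp1024, so the FortiGate side must be set to match.

```shell
#!/bin/sh
# Added example (not from the original document). Generates the VTI commands and
# the strongSwan conn block from the same variables and verifies that the marks
# in a conn file agree with the device keys. Nothing here touches the system;
# pipe the output into a shell or a file once the values are right.
# Assumed file names: /etc/ipsec.conf and /etc/ipsec.secrets (standard strongSwan).

# Commands that create the VTI (Step 3). ikey marks inbound, okey outbound
# traffic; the same numbers must appear as mark_in/mark_out in ipsec.conf.
vti_commands() {
    local dev local_ip remote_ip ikey okey
    dev=$1; local_ip=$2; remote_ip=$3; ikey=$4; okey=$5
    cat <<EOF
ip tunnel add $dev mode vti local $local_ip remote $remote_ip ikey $ikey okey $okey
ip link set $dev up
sysctl -w net.ipv4.conf.$dev.disable_policy=1
sysctl -w net.ipv4.conf.$dev.rp_filter=0
EOF
}

# Address on the vti and the route to the remote LAN (Steps 7 and 8 from the
# CLI; these do not persist across a reboot).
vti_route_commands() {
    local dev vti_ip remote_subnet
    dev=$1; vti_ip=$2; remote_subnet=$3
    cat <<EOF
ip addr add $vti_ip dev $dev
ip route add $remote_subnet dev $dev
EOF
}

# conn block for ipsec.conf (Step 4). leftsubnet is derived from the vti address
# and the marks from the same ikey/okey, so the three cannot drift apart.
ipsec_conn() {
    local name left vti_ip right rightsubnet ikey okey id
    name=$1; left=$2; vti_ip=$3; right=$4; rightsubnet=$5; ikey=$6; okey=$7; id=$8
    cat <<EOF
conn $name
    keyexchange=ikev2
    type=tunnel
    left=$left
    leftsubnet=${vti_ip%/*}/32
    leftid=$id
    right=$right
    rightsubnet=$rightsubnet
    rightid=$id
    authby=secret
    ike=aes128gcm16-prfsha256-modp2048
    esp=aes128gcm16-modp2048
    ikelifetime=86400
    keylife=43200
    rekey=yes
    forceencaps=yes
    auto=start
    mark_in=$ikey
    mark_out=$okey
EOF
}

# Check a conn file against the device keys: succeeds only when the first
# mark_in equals ikey and the first mark_out equals okey.
check_marks() {
    local file ikey okey in out
    file=$1; ikey=$2; okey=$3
    in=$(sed -n 's/^[[:space:]]*mark_in=\([0-9]*\).*/\1/p' "$file" | head -n 1)
    out=$(sed -n 's/^[[:space:]]*mark_out=\([0-9]*\).*/\1/p' "$file" | head -n 1)
    [ "$in" = "$ikey" ] && [ "$out" = "$okey" ]
}

# ipsec.secrets line with explicit ID selectors instead of the catch-all ': PSK'.
psk_line() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Constructed placeholder values (replace with real ones).
DEV=vti1
LOCAL_IP=192.0.2.1          # our WAN address
REMOTE_IP=198.51.100.1      # FortiGate WAN address
VTI_IP=10.255.0.1/32        # address on vti1, also used as leftsubnet
REMOTE_SUBNET=10.10.0.0/22  # LAN behind the FortiGate
IKEY=32; OKEY=42
ID=TestSST

vti_commands "$DEV" "$LOCAL_IP" "$REMOTE_IP" "$IKEY" "$OKEY"
vti_route_commands "$DEV" "$VTI_IP" "$REMOTE_SUBNET"
ipsec_conn to-secondary "$LOCAL_IP" "$VTI_IP" "$REMOTE_IP" "$REMOTE_SUBNET" "$IKEY" "$OKEY" "$ID"
psk_line "$ID" "$ID" "replace-with-a-long-random-secret"
```

After the tunnel is in place, `check_marks /etc/ipsec.conf 32 42` (with the real file name) is a quick regression test to run whenever either file is edited; a mismatch is the usual reason the SA comes up but no traffic flows through the vti.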

Step 7: Create an interface using the GUI and bind it to the vti interface in the
following manner:
Network > Interfaces > Add new interface
Click on "Create Interface" > Save > Save and Apply
Note: You can set a static IP address for the vti interface by selecting the
protocol "Static Address": click on Create Interface and proceed to enter the IP
address (the same address used as leftsubnet in Step 4).


Step 8: Add a persistent static route using the GUI:
Network > Static Routes > Add

Then open the interface's Firewall Settings and add it to the vpn zone:

Click on Save > Save and Apply

OR
To add the route via the CLI use the following command (this route will not
persist across a reboot; use the GUI route above for a permanent one):
- ip route add [Link]/22 dev vti1

Step 9: Create the zone "vpn" in Network > Firewall if it has not been created
before:

Click on "Edit" and make the following changes:

Click on Save > Save and Apply

Additional information:
1. To delete the route via the CLI use the command:
- ip route del [Link]/22 dev vti1

2. Statistics for VTI devices may be displayed with:
- ip -s tunnel show

3. A VTI device may be removed with:
- ip tunnel del vti1

Note:
- When creating a vti for IPsec, it is mandatory to assign an IP address to the
  vti interface and to use the same address as leftsubnet in the /etc/[Link] file.
- When binding the vti to the IPsec tunnel, no manual iptables rules are needed;
  the firewall zone assigned in Step 8 and Step 9 controls the tunnel traffic.
