
Route-based VPN, xfrm IP

Hi all,

when setting up a route-based VPN tunnel, the IP configuration for the xfrm interface is necessary to enable it. On other firewalls an IP configuration is not required, unless you want to do monitoring or OSPF, etc. I assume I do not need the other peer to have an IP in the same subnet on their VTI, unless we want to monitor? Otherwise migrating to XG would require us to contact all other peers and reconfigure their tunnels. I can create a static route based on the interface, so it shouldn't be a problem to route the traffic into the tunnel regardless.

Regards



  • Actually, if you simply do not configure an IP on the XFRM interface, it should still work (did not test this one).

    On the other hand, you could place a dummy interface on the XFRM interface, regardless of the peer configuration. That should work until you start to NAT (of course). 

  • Hi Lucar,

    thanks, I was confused by the "disabled" tag when looking at the interface. Although I have now noted that after setting an IP on the interface, it still says disabled. I assume it will change to "connected" once the tunnel is established. Could you confirm that?

    Also, once you set an IP address on the xfrm interface you cannot remove it, as it is said to be required. I removed the IPsec policy, which removed the interface, and set it up again.

    Regards

  • The XFRM interface will only switch to Connected if the tunnel (SA) is connected. This is by definition the best approach to give the kernel the chance to route properly.

    Yes, you cannot remove the IP. But as I mentioned earlier, the IP should not be important for the routing stack.

    Tested the following right now:

    XG to XG VTI tunnel.

    Both in the same subnet range (/30).

    Changed the XFRM IP of one XG to 1.2.3.4/24.

    Changed the routing on both to Interface level, not IP level.

    Still worked fine for both ends. 
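The interface-level routing tested above, shown on plain Linux (an added example, not the XG configuration or Sophos code; XG hides these steps behind its GUI): the xfrm interface is bound to the IPsec SA by `if_id`, and the route to the remote subnet names the device, not an address on it. Device names `eth0`/`ipsec0`, `if_id 42` and the subnet `10.20.0.0/24` are assumptions.

```shell
#!/bin/sh
# Added example: route-based IPsec on Linux with an xfrm interface.
# Assumptions (not from the thread): underlay eth0, xfrm device ipsec0,
# if_id 42 (must match the if_id of the IPsec policy/SA installed by the
# IKE daemon), remote subnet 10.20.0.0/24.
XFRM_DEV="${XFRM_DEV:-ipsec0}"
UNDERLAY="${UNDERLAY:-eth0}"
IF_ID="${IF_ID:-42}"
REMOTE_NET="${REMOTE_NET:-10.20.0.0/24}"

# Commands for the tunnel. Note that no address is assigned to the xfrm
# device: the route is scoped to the interface, which is what the test in
# the thread relied on. Locally generated traffic (monitoring, OSPF)
# would still need a source address on the device.
xfrm_route_cmds() {
  printf '%s\n' \
    "ip link add $XFRM_DEV type xfrm dev $UNDERLAY if_id $IF_ID" \
    "ip link set $XFRM_DEV up" \
    "ip route add $REMOTE_NET dev $XFRM_DEV"
}

# Check one line of `ip -o route show` output: the remote subnet must go
# out of the xfrm device and must not carry a next-hop IP ("via ...").
route_is_interface_scoped() {
  line="$1"
  case "$line" in
    "$REMOTE_NET dev $XFRM_DEV"*)
      case "$line" in *" via "*) return 1 ;; esac
      return 0 ;;
    *) return 1 ;;
  esac
}

# Apply as root; otherwise only print what would be run.
apply() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "# not root: printing commands only" >&2
    xfrm_route_cmds
    return 0
  fi
  xfrm_route_cmds | while read -r cmd; do sh -c "$cmd" || exit 1; done
  ip -o route show "$REMOTE_NET"
}

case "${1:-}" in apply) apply ;; esac
```

Run with `sh script.sh apply` on the gateway; the SA itself (keys, if_id) still comes from the IKE daemon's configuration.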

  • Hi Lucar,

    I want to note that my peer will not be an XG. As of now, I have only seen examples with XG to XG configs, but I assume that the proposed configs will work connecting with any other peer firewall. I also just noticed that I cannot select the interface when creating a static route, if the interface does not have an IP configured. So I basically just chose some "random" dummy IPs. Thanks so far.

    Regards