Routed IPsec VPNs are landing in IPFire 2.21 - Core Update 129

by Michael Tremer, March 18, 2019

Do you like what you are reading? Subscribe to our newsletter and don't miss out on the latest...   Join Now

The forthcoming Core Update will have some brilliant changes to our IPsec stack.

These changes were required for a project that Lightning Wire Labs has been doing and are potentially a little bit niche. We have backported these as well from IPFire 3 where this feature is even more advanced and - to me - a lot more exciting, too.

Routed VPNs

We are introducing support for routed IPsec VPNs. As mentioned, many users probably are perfectly happy with the IPsec tunnels that they have. They are fast, secure and route all the traffic between two IPFire instances. But sometimes you need a little bit more. In this case, we needed some dynamic routing and therefore needed this extra flexibility.

The corporate vendors like Cisco and Juniper usually wrap an extra layer around the IPsec tunnels. In the past that used to be GRE (Generic Routing Encapsulation) and nowadays it is VTI (Virtual Tunnel Interface). They both have the same functionality which is to encapsulate an IP packet so that it can be sent over any layer 3 network - in this case, is a kind of peer-to-peer VPN connection. All this adds a little bit of extra overhead which is why IPsec Transport Mode, which has some smaller headers, is supported now, too.

What is it for?

This way, we can route all sorts of traffic between two peers that have such a connection set up and trust each other. But why all this extra effort when a standard tunnelled IPsec connection can do the same trick?

We use IPFire as redundant gateways. That means that we have multiple IPsec connections to the other side. So there is a backup in case the primary connection becomes unavailable. Then, with a classic VPN tunnel, that traffic would not go anywhere any more. We need something that detects the outage and re-routes traffic: BGP

We use bird as our BGP routing daemon of choice (others are available) which talks to the other side and changes the routing tables to the connection that is active and preferred.

So, I guess we will leave it at this for this short post. There is some documentation on the wiki if you need to set up a redundant setup of IPsec tunnels. Or just contact our professional support.