I'm trying to use Strongswan to create an Ipsec tunnel on a server with Netplan. Netplan currently has no configuration for the `tunnel1` and `tunnel2` interfaces that Ipsec brings up when the tunnels are created. This seems (almost) correct to me.

The ipsec services run a script which creates the `tunnel[1,2]` interfaces (these could possibly be called `vti[1,2]` if needs be). If a tunnel fails, ipsec will "down" the interface associated with it (using this script). This script also sets a route for the network on the other side of the VPN. This route only persists until Netplan runs, whereupon it is removed. The `tunnel` interfaces look like this:
```
25: tunnel2@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1419 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 1.2.3.4 peer 2.3.4.5
    inet 169.254.9.238 peer 169.254.9.237/30 scope global tunnel2
       valid_lft forever preferred_lft forever
    inet6 fe80::200:5efe:c6f4:8f78/64 scope link
       valid_lft forever preferred_lft forever
26: tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1419 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 1.2.3.4 peer 3.4.5.6
    inet 169.254.199.162 peer 169.254.199.161/30 scope global tunnel1
       valid_lft forever preferred_lft forever
    inet6 fe80::200:5efe:c6f4:8f78/64 scope link
       valid_lft forever preferred_lft forever
```
The route I'd like to add via netplan can be added manually like this:

```
ip route add 10.1.0.0/16 dev tunnel1 scope link src 10.0.16.170/24 metric 100
```
Is there a way to tell netplan any of these:

- to leave the routes for specific interfaces/destinations alone?
- to ignore anything to do with the `tunnel[1,2]` interfaces?
- to create routes for interfaces that don't exist and aren't under its control?
...or any other way to make Netplan play nicely with ipsec. I'd rather not have to go the "heavy" route of disabling netplan just to make my ipsec VPNs work.
What's the right way to make all this stuff hang together?
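As an added example, not part of the original question and not strongswan's or netplan's own code: a small set of POSIX shell helpers of the kind an ipsec updown script could use to install the route quoted above idempotently, and to check afterwards whether a `netplan apply` has wiped it again. The network, interface and metric values are the ones from the question; `PLUTO_VERB` and `PLUTO_PEER_CLIENT` are the environment variables strongswan exports to its updown script; the function names, the `DRY_RUN` switch and the sample routing-table lines are constructed for this example.

```shell
#!/bin/sh
# Added example: helpers for an ipsec updown script that (re)installs the
# route for the network behind the VPN and can verify it is still present.

# Build the "ip route add" command for the remote network behind a tunnel
# interface (same shape as the manual command in the question, with a plain
# address as src). Usage: route_add_cmd <remote_net> <ifname> <src_addr> <metric>
route_add_cmd() {
    printf 'ip route add %s dev %s scope link src %s metric %s\n' "$1" "$2" "$3" "$4"
}

# Read "ip route show" output on stdin; return 0 if it contains a route for
# <remote_net> that leaves via <ifname>, 1 otherwise.
# Usage: ip route show | route_present <remote_net> <ifname>
route_present() {
    net=$1
    ifname=$2
    while IFS= read -r line; do
        case "$line" in
            "$net dev $ifname"|"$net dev $ifname "*) return 0 ;;
        esac
    done
    return 1
}

# Run a command, or only print it when DRY_RUN=1 (constructed switch so the
# script can be inspected without root or a real tunnel interface).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Add the route only when it is missing, so this is safe to call both from the
# updown "up-client" event and again after netplan has rewritten the table.
ensure_route() {
    net=$1; ifname=$2; src=$3; metric=$4
    if ip route show 2>/dev/null | route_present "$net" "$ifname"; then
        echo "route $net via $ifname already present"
    else
        run ip route add "$net" dev "$ifname" scope link src "$src" metric "$metric"
    fi
}

# Dispatch on strongswan's PLUTO_VERB; PLUTO_PEER_CLIENT carries the remote
# subnet of the negotiated child SA. Interface, src and metric are assumed here.
updown() {
    ifname=${TUNNEL_IF:-tunnel1}
    case "${PLUTO_VERB:-}" in
        up-client)   ensure_route "${PLUTO_PEER_CLIENT:-10.1.0.0/16}" "$ifname" 10.0.16.170 100 ;;
        down-client) run ip route del "${PLUTO_PEER_CLIENT:-10.1.0.0/16}" dev "$ifname" ;;
        *)           : ;;  # other verbs (up-host, down-host, ...) need no route change here
    esac
}

# Constructed sample of "ip route show" output after netplan has run: the
# tunnel route is gone, only the default route remains.
SAMPLE_AFTER_NETPLAN='default via 10.0.16.1 dev eth0 proto static
10.0.16.0/24 dev eth0 proto kernel scope link src 10.0.16.170'

# Demo: report whether the tunnel route survived, without touching the kernel.
demo() {
    if printf '%s\n' "$SAMPLE_AFTER_NETPLAN" | route_present 10.1.0.0/16 tunnel1; then
        echo "tunnel route present"
    else
        echo "tunnel route missing; would run: $(route_add_cmd 10.1.0.0/16 tunnel1 10.0.16.170 100)"
    fi
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh updown-check.sh demo` to see the check against the constructed sample, or point strongswan's `leftupdown` at a wrapper that calls `updown` (with `DRY_RUN=1` first, to review the commands it would issue).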