Routable network addresses with OpenIKED and systemd-networkd
I’ve been using OpenIKED for some time now to configure my VPN.
One of its features is that it can dynamically assign addresses on the internal network to clients, and clients can assign these addresses and routes to interfaces.
However, these interfaces must exist before iked can start.
Some months ago I switched my Debian laptop’s configuration from the traditional ifupdown to systemd-networkd.
It took me some time to figure out how to have systemd-networkd create dummy interfaces on which iked can install addresses, but also not interfere with iked by trying to manage these interfaces.
Here is my working configuration.
First, I have systemd create the interface dummy1 by creating a systemd.netdev(5) configuration file at /etc/systemd/network/20-dummy1.netdev:
[NetDev]
Name=dummy1
Kind=dummy
Then I tell systemd not to manage this interface by creating a systemd.network(5) configuration file at /etc/systemd/network/20-dummy1.network:
[Match]
Name=dummy1
Unmanaged=yes
Restarting systemd-networkd causes these interfaces to get created, and we can then check their status using networkctl(8):
$ systemctl restart systemd-networkd.service
$ networkctl
IDX LINK TYPE OPERATIONAL SETUP
1 lo loopback carrier unmanaged
2 enp2s0f0 ether off unmanaged
3 enp5s0 ether off unmanaged
4 dummy1 ether degraded configuring
5 dummy3 ether degraded configuring
6 sit0 sit off unmanaged
8 wlp3s0 wlan routable configured
9 he-ipv6 sit routable configured
8 links listed.
Finally, I configure my flows in /etc/iked.conf, making sure to assign the received address to the interface dummy1.
ikev2 'hades' active esp \
from dynamic to 10.0.1.0/24 \
peer hades.rak.ac \
srcid '/CN=asteria.rak.ac' \
dstid '/CN=hades.rak.ac' \
request address 10.0.1.103 \
iface dummy1
Restarting openiked and checking the status of the interface reveals that it has been assigned an address on the internal network and that it is routable:
$ systemctl restart openiked.service
$ networkctl status dummy1
● 4: dummy1
Link File: /usr/lib/systemd/network/99-default.link
Network File: /etc/systemd/network/20-dummy1.network
Type: ether
Kind: dummy
State: routable (configured)
Online state: online
Driver: dummy
Hardware Address: 22:50:5f:98:a1:a9
MTU: 1500
QDisc: noqueue
IPv6 Address Generation Mode: eui64
Queue Length (Tx/Rx): 1/1
Address: 10.0.1.103
fe80::2050:5fff:fe98:a1a9
DNS: 10.0.1.1
Route Domains: .
Activation Policy: up
Required For Online: yes
DHCP6 Client DUID: DUID-EN/Vendor:0000ab11aafa4f02d6ac68d40000
I’d be happy to hear if there are simpler or more idiomatic ways to configure this under systemd.
Comments: To comment on this post, send me an email following the template below. Your email address will not be posted, unless you choose to include it in the link: field. If your web browser is configured to handle mailto: links, click comment to load the template into your mail client.
To: Ryan Kavanagh <rak@rak.ac> Subject: [blog-comment] /blog/2022-06-25-routable-network-addresses-openiked-systemd-networkd/ post_id: /blog/2022-06-25-routable-network-addresses-openiked-systemd-networkd/ author: [How should you be identified? Usually your name or "Anonymous"] link: [optional link to your website] Your comments here. Markdown syntax accepted.0 Comments