Route-based VPN

This article relates to LoadMaster firmware version 7.2.53.

Prior to LoadMaster firmware version 7.2.53, the LoadMaster only supported policy-based Virtual Private Networks (VPNs). As of LoadMaster version 7.2.53, route-based VPN support has been introduced. The route-based VPN functionality is available as an add-on pack which you can download from the Kemp Support site. When you have the add-on file, install it in System Configuration > System Administration > Update Software. Reboot the LoadMaster after installing the add-on to activate it (System Configuration > System Administration > System Reboot).

The route-based VPN add-on is only supported in firmware version 7.2.53 and above.

After installing the add-on and rebooting the LoadMaster, a new main menu option becomes available: System Configuration > Network Setup > Route Based VPN. Specify a unique name to identify the connection and click Create.

Ensure the Connection Name is the same as the connection name in the ipsec.conf file you will be uploading.

The Connection Name must be at least three and at most 20 characters in length. Valid characters are a-z, A-Z, 0-9, _, and -.

After creating the connection initially, you must upload the connection configuration, route configuration, and secrets files based on the strongSwan standard format.

Make sure to set the left IP address in the ipsec.conf file to your LoadMaster IP address (eth0).

Once the files have been uploaded and validated, the Connection Details are shown in the fields on the View/Modify VPN Connection screen.

You can display the connection status by clicking IPSec Status.

You can display the connection logs by clicking Logs.

After adding the connection, you can see details about it in System Configuration > Network Setup > Route Based VPN, including details about the Local Subnet(s) and Remote Subnet(s). You can also view, modify, and delete existing connections from this screen.

After configuring the details of the VPN connection, you can see Connection Debug options in System Configuration > Network Setup > Route Based VPN. In this section, you can:

  • Stop and start the IPsec daemon on the LoadMaster.

  • Display the connection status.

  • Display routes.

  • Show logs.

You can create up to two policy-based VPNs and up to two route-based VPNs.

You should not configure two different types of VPN (policy-based and route-based) on the same interface, because both listen on the same port and the connections will not work correctly.

RESTful Application Programming Interface (API) Details

To add the route-based VPN add-on to the LoadMaster, run the addaddon command. For example:

curl -X POST --data-binary "@./RouteVPN-7.2.53.0" -k -u bal:<Password> "https://<LoadMasterIPAddress>/access/addaddon"

To remove the route-based VPN add-on from the LoadMaster, run the deladdon command. For example:

/access/deladdon?name=RouteVPN

To create a new route-based VPN connection, use the createvpnconn command. For example:

/access/routevpn/createvpnconn?name=<ConnectionName>

To delete an existing route-based VPN connection, use the deletevpnconn command. For example:

/access/routevpn/deletevpnconn?name=<ConnectionName>

To upload the IPsec connection configuration file, run the setipsecconf command. For example:

curl -k -u bal:<Password> "https://<LoadMasterIPAddress>/access/routevpn/setipsecconf?name=<ConnectionName>" -T ~/Downloads/<FolderName>/<Filename>.conf -X POST

To upload the route configuration file, run the setrouteconf command. For example:

curl -k -u bal:<Password> "https://<LoadMasterIPAddress>/access/routevpn/setrouteconf?name=<ConnectionName>" -T ~/Downloads/<FolderName>/<Filename>.conf -X POST

To upload the IPsec secrets file, run the setsecretsconf command. For example:

curl -k -u bal:<Password> "https://<LoadMasterIPAddress>/access/routevpn/setsecretsconf?name=<ConnectionName>" -T ~/Downloads/<FolderName>/<Filename>.secrets -X POST

To start the IPsec daemon, run the startdaemon command. For example:

/access/routevpn/startdaemon

To stop the IPsec daemon, run the stopdaemon command. For example:

/access/routevpn/stopdaemon

To start a VPN connection, run the startvpnconn command. For example:

/access/routevpn/startvpnconn?name=<ConnectionName>

To stop a VPN connection, run the stopvpnconn command. For example:

/access/routevpn/stopvpnconn?name=<ConnectionName>

To retrieve details about a VPN connection, run the getvpnconn command. For example:

/access/routevpn/getvpnconn?name=<ConnectionName>

To list the details of all VPN connections, run the listvpns command. For example:

/access/routevpn/listvpns

To retrieve the status of a VPN connection, run the getvpnstatus command. For example:

/access/routevpn/getvpnstatus

If you run getvpnstatus with no parameters, the status of all VPN connections is shown. Specifying the connection name using the name parameter shows the status of that VPN connection only. For example:

/access/routevpn/getvpnstatus?name=<ConnectionName>

To view the logs, run the viewlogs command. For example:

/access/routevpn/viewlogs

To view the route table and interface configuration, run the viewroutes command. For example:

/access/routevpn/viewroutes
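The following script is an added example, not Kemp's code and not part of the article. It runs the checks the article asks for before anything is uploaded (connection name of 3 to 20 characters from a-z, A-Z, 0-9, _ and -; a conn block of the same name in the ipsec.conf file; left= set to the LoadMaster eth0 address) and then issues the createvpnconn, setipsecconf, setrouteconf, setsecretsconf, startdaemon, startvpnconn and getvpnstatus calls in order. LM_HOST, LM_PASS, DRY_RUN, the file names and the contents of the sample ipsec.conf are assumptions; the sample uses documentation addresses and the appliance is only contacted when DRY_RUN is unset.

```shell
#!/bin/sh
# Added example (not Kemp's code). Pre-flight checks plus the upload and
# start sequence for a LoadMaster route-based VPN connection, using the
# /access/routevpn API paths from the article. LM_HOST, LM_PASS and the
# file names are assumptions.
set -e

# Article rule: 3 to 20 characters, only a-z, A-Z, 0-9, _ and -.
validate_conn_name() {
    name=$1
    case "$name" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    len=${#name}
    [ "$len" -ge 3 ] && [ "$len" -le 20 ]
}

# Succeeds if the ipsec.conf ($1) declares "conn <name>" ($2); the article
# requires the LoadMaster connection name to match this name.
ipsec_conf_has_conn() {
    grep -Eq "^[[:space:]]*conn[[:space:]]+$2[[:space:]]*$" "$1"
}

# Prints the left= address of the named conn block so it can be compared
# with the LoadMaster eth0 address before upload.
ipsec_conf_left_addr() {
    awk -v want="$2" '
        /^[[:space:]]*conn[[:space:]]/ { inconn = ($2 == want) }
        inconn && $1 ~ /^left=/ { sub(/^left=/, "", $1); print $1; exit }
    ' "$1"
}

# Run every check before touching the appliance.
preflight() {
    conf=$1; conn=$2; eth0_ip=$3
    validate_conn_name "$conn" || { echo "bad connection name: $conn" >&2; return 1; }
    ipsec_conf_has_conn "$conf" "$conn" || { echo "no 'conn $conn' in $conf" >&2; return 1; }
    left=$(ipsec_conf_left_addr "$conf" "$conn")
    [ "$left" = "$eth0_ip" ] || { echo "left=$left does not match eth0 $eth0_ip" >&2; return 1; }
}

# One API call. $1 is the path under /access/, the rest are extra curl
# options. With DRY_RUN=1 the command is printed (password masked) instead
# of executed.
lm_api() {
    path=$1; shift
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "curl -k -u bal:**** \"https://$LM_HOST/access/$path\" $*"
    else
        curl -k -u "bal:${LM_PASS:-}" "https://$LM_HOST/access/$path" "$@"
    fi
}

# The article's sequence: create, upload the three files, start the daemon,
# start the connection, then read its status.
deploy_vpn() {
    conn=$1; conf=$2; routes=$3; secrets=$4
    lm_api "routevpn/createvpnconn?name=$conn"
    lm_api "routevpn/setipsecconf?name=$conn" -T "$conf" -X POST
    lm_api "routevpn/setrouteconf?name=$conn" -T "$routes" -X POST
    lm_api "routevpn/setsecretsconf?name=$conn" -T "$secrets" -X POST
    lm_api "routevpn/startdaemon"
    lm_api "routevpn/startvpnconn?name=$conn"
    lm_api "routevpn/getvpnstatus?name=$conn"
}

# Constructed sample ipsec.conf in strongSwan format (assumed layout; the
# addresses are documentation ranges, not real hosts).
write_sample_conf() {
    cat > "$1" <<'EOF'
config setup
    uniqueids=yes

conn lm-to-branch
    keyexchange=ikev2
    left=192.0.2.10
    leftsubnet=10.10.0.0/16
    right=198.51.100.20
    rightsubnet=10.20.0.0/16
    authby=secret
    auto=start
EOF
}

# Demo run against the constructed file; DRY_RUN=1 so nothing is sent.
LM_HOST=${LM_HOST:-loadmaster.example.invalid}
DRY_RUN=${DRY_RUN:-1}
tmp=$(mktemp)
write_sample_conf "$tmp"
preflight "$tmp" lm-to-branch 192.0.2.10
deploy_vpn lm-to-branch "$tmp" routes.conf ipsec.secrets
rm -f "$tmp"
```

Run with `LM_HOST=<LoadMasterIPAddress> LM_PASS=<Password> DRY_RUN=0 sh deploy.sh` to perform the calls for real; the pre-flight checks abort the script before the first API call if the connection name, the conn block or the left= address does not line up, which is the cheapest point at which to catch the mismatches the article warns about.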
