Netplan and Ipsec - tell netplan to leave interface alone?

I'm trying to use Strongswan to create an Ipsec tunnel on a server with Netplan. Netplan currently has no configuration for the tunnel1 and tunnel2 interfaces that Ipsec brings up when the tunnels are created. This seems (almost) correct to me.

The ipsec services run a script which creates the tunnel[1,2] interfaces (these could possibly be called vti[1,2] if needs be). If a tunnel fails, ipsec will "down" the interface associated with it (using this script). This script also sets a route for the network on the other side of the VPN. This route only persists until Netplan runs, whereupon it is removed. The tunnel interfaces look like this:

25: tunnel2@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1419 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 1.2.3.4 peer 2.3.4.5
    inet 169.254.9.238 peer 169.254.9.237/30 scope global tunnel2
       valid_lft forever preferred_lft forever
    inet6 fe80::200:5efe:c6f4:8f78/64 scope link
       valid_lft forever preferred_lft forever
26: tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1419 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 1.2.3.4 peer 3.4.5.6
    inet 169.254.199.162 peer 169.254.199.161/30 scope global tunnel1
       valid_lft forever preferred_lft forever
    inet6 fe80::200:5efe:c6f4:8f78/64 scope link
       valid_lft forever preferred_lft forever

The route I'd like to add via netplan can be added manually like this:

ip route add 10.1.0.0/16 dev tunnel1 scope link src 10.0.16.170/24 metric 100

Is there a way to tell netplan any of these:

  • to leave the routes for specific interfaces/destinations alone?
  • to tell netplan to ignore anything to do with the tunnel[1,2] interfaces?
  • to tell netplan to create routes for interfaces that don't exist and aren't under its control?

...or any other way to make Netplan play nicely with ipsec. I'd rather not have to go the "heavy" route of disabling netplan just to make my ipsec VPNs work.

What's the right way to make all this stuff hang together?


Solution 1:

The problem is caused by systemd-networkd. It will remove routes that it doesn't know about at some later date. I had previously answered that making devices "unmanaged" would solve the problem, but sadly it does not:

[Match]
Name=tunnel1

[Link]
Unmanaged=yes

This solution seems to stop systemd-networkd from creating any config for the unmanaged device, but doesn't stop it removing all that config when it stops all network devices (which it does during restarts).

Configuring the devices and routes fully in networkd (or netplan) doesn't work because of configuration ordering problems.

So far, the only viable solution I have found is to completely disable and stop systemd-networkd (and uninstall Netplan as it's no longer needed). This seems a rather drastic solution and does mean some functionality is lost. In my case I don't think that's a problem, but it may be for some.
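Added note, not part of the answer above: the route removal it describes is governed by a global systemd-networkd setting, `ManageForeignRoutes=` in `/etc/systemd/networkd.conf` (available in systemd 246 and later; check with `systemctl --version` before relying on it). The fragment below is an added example showing that setting turned off so that routes added by the IPsec updown script on tunnel1/tunnel2 survive a networkd restart; the per-link `[Link] Unmanaged=yes` file from the answer is still needed so networkd does not try to configure the tunnel interfaces themselves.

```ini
# /etc/systemd/networkd.conf  (global daemon settings; this is NOT a per-link .network file)
[Network]
# Default is "yes": on start/restart networkd flushes routes it did not configure,
# which is what deletes the 10.1.0.0/16 route the IPsec script adds on tunnel1.
# Setting it to "no" makes networkd leave foreign routes (those it did not create) alone.
ManageForeignRoutes=no
```

After editing, run `systemctl restart systemd-networkd` and confirm with `ip route show dev tunnel1` that the route is still present; on systemd versions without this option the setting is silently ignored and the answer's conclusion still applies.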