Route-based VPN with the API

Creating a route based VPN is simple with the VNS3 API. The following script details the steps:

  1. Create a route based IPsec endpoint and tunnel
  2. Create a route to your tunnel
  3. Repeat for the other side of the VPN!

Create route based IPsec Endpoint and Tunnel

POST /ipsec/endpoints:

  • ipaddress - the IP address for the other end of the tunnel
  • secret - preshared key used by both sides of the tunnel
  • pfs - enable/disable Perfect Forward Secrecy
  • ike_version - Version for IKE
  • nat_t_enabled - enable/disable NAT-T
  • vpn_type - vti or gre
  • route_based_int_address - IP/Cidr for VTI
  • route_based_local - SA cidr, typically

# Some variables to be used by the API calls.
Payload=`echo "{
    \"name\": \"$DataCenterNetworkCidr\", 
    \"ipaddress\": \"\", 
    \"secret\": \"mypresharedkey\", 
    \"pfs\": false,
    \"ike_version\": \"2\",
    \"nat_t_enabled\": true,
    \"vpn_type\": \"vti\",
    \"route_based_int_address\": \"\",
    \"route_based_local\": \"\"

tunnelResponse=`curl -k -X POST -u "api:$vns3_api_password" \
    -d "$Payload" \
    -H "Content-Type:application/json" \

cURL Explanation:

  • -k : this is required to turn off SSL verification, you can remove this if you have SSL installed on your VNS3 controller
  • -X POST : POST request
  • -u : Basic user:password credentialing
  • -d : POST payload (Json)
  • -H : Header indicating payload type is Json

Parse the tunnel ID from the response

tunnelId="$(echo "$tunnelResponse" | grep -w '^id\:' | cut -d " " -f2 | head -1)"

Create a route to the tunnel

POST /routes:

Payload=`echo "{
    \"cidr\": \"$DataCenterNetworkCidr\",
    \"description\": \"Tunnel to VPN\",
    \"advertise\": true,
    \"gateway\": \"_notset\",
    \"interface\": \"_notset\",
    \"tunnel\": \"$tunnelId\"
curl -k -X POST -u "api:$vns3_api_password" \
    -d "$Payload" \
    -H "Content-Type:application/json" \

Now repeat your configuration for the other side of the tunnel. Read more on Route-Based VPNS here.