Site-to-Site tunnels with multiple identical subnets on remote sites, without virtual hosts (Route Based VPN)

The goal: reach several client-side networks that all use the same subnet, each over its own VPN tunnel.

topology:


As you can see, the networks on the left (behind the hub) use different subnets, 10.213.222.0/24 and 10.213.223.0/24, while the remote sites on the right all use the same subnet, 10.240.0.0/24.
To make this work, traffic has to be steered into a specific VPN based on its source IP:
if the source subnet is 10.213.222.0/24 it goes into VPN1, and if the source subnet is 10.213.223.0/24 it goes into VPN2.

Address scheme (interface names as used in the commands below):

- VPN HUB
external ens192 WAN: 172.16.160.254
internal ens224 LAN1: 10.213.222.1/24
internal ens256 LAN2: 10.213.223.1/24

- ClientA
external ens192 WAN: 172.16.160.1
internal ens224 LAN: 10.240.0.1/24

- ClientB
external ens192 WAN: 172.16.160.2
internal ens224 LAN: 10.240.0.1/24

HUB ipsec.conf:
nano /etc/ipsec.conf

conn %default
        ikelifetime=28800s
        lifetime=3600s
        keyingtries=1
        keyexchange=ikev1

conn clientA
        authby=secret
        ike=3des-sha1-modp1024
        esp=3des-sha1
        left=172.16.160.254
        leftid=172.16.160.254
        leftsubnet=10.213.222.0/24
        leftfirewall=no
        right=172.16.160.1
        rightid=172.16.160.1
        rightsubnet=10.240.0.0/24
        auto=route
# THIS IS IMPORTANT: the mark must match the key given to vti0 below
        mark=42

conn clientB
        authby=secret
        ike=3des-sha1-modp1024
        esp=3des-sha1
        left=172.16.160.254
        leftid=172.16.160.254
        leftsubnet=10.213.223.0/24
        leftfirewall=no
        right=172.16.160.2
        rightid=172.16.160.2
        rightsubnet=10.240.0.0/24
        auto=route
# THIS IS IMPORTANT: the mark must match the key given to vti1 below
        mark=43


Add secrets:
nano /etc/ipsec.secrets

172.16.160.1 : PSK "supersecret"
172.16.160.2 : PSK "supersecret2"



What we do here is mark the packets of these two VPNs with 42 and 43, and with leftfirewall=no strongSwan does not insert its automatic updown rules into iptables.
Now we need to create two VTI interfaces whose keys match the marks of the IPsec connections:

ip tunnel add vti0 local 172.16.160.254 remote 172.16.160.1 mode vti key 42
ip tunnel add vti1 local 172.16.160.254 remote 172.16.160.2 mode vti key 43
ip link set vti0 up
ip link set vti1 up

To prevent the routes installed by the IKE daemon from conflicting with ours, disable route installation with charon.install_routes=0 in strongswan.conf (that is, install_routes = no inside the charon section).

Because the remote side of both tunnels has the same subnet, "ip route" cannot install the same prefix via different devices in one table (the second add fails with "File exists").
That is why we use multiple routing tables.
Open /etc/iproute2/rt_tables and add our new tables:

1 rt1
2 rt2

Save the file.

Now add the routes, one table per tunnel:

ip route add 10.240.0.0/24 dev vti0 table rt1
ip route add 10.213.222.0/24 dev ens224 table rt1
ip route add 10.240.0.0/24 dev vti1 table rt2
ip route add 10.213.223.0/24 dev ens256 table rt2

and the rules that select a table by source and destination:

ip rule add from 10.213.222.0/24 to 10.240.0.0/24 tab rt1
ip rule add from 10.240.0.0/24 to 10.213.222.0/24 tab rt1

ip rule add from 10.213.223.0/24 to 10.240.0.0/24 tab rt2
ip rule add from 10.240.0.0/24 to 10.213.223.0/24 tab rt2

Turn on routing:
sysctl -w net.ipv4.ip_forward=1


Run the VPN:
service ipsec start


ClientA:
sysctl -w net.ipv4.ip_forward=1

nano /etc/ipsec.conf

config setup

conn %default
        ikelifetime=28800s
        lifetime=3600s
        keyingtries=1
        keyexchange=ikev1

conn hub
        authby=secret
        ike=3des-sha1-modp1024
        esp=3des-sha1
        left=172.16.160.1
        leftid=172.16.160.1
        leftsubnet=10.240.0.0/24
        leftfirewall=yes
        right=172.16.160.254
        rightid=172.16.160.254
        rightsubnet=10.213.222.0/24
        auto=route

nano /etc/ipsec.secrets
172.16.160.254 : PSK "supersecret"


ClientB

nano /etc/ipsec.conf

config setup

conn %default
        ikelifetime=28800s
        lifetime=3600s
        keyingtries=1
        keyexchange=ikev1

conn hub
        authby=secret
        ike=3des-sha1-modp1024
        esp=3des-sha1
        left=172.16.160.2
        leftid=172.16.160.2
        leftsubnet=10.240.0.0/24
        leftfirewall=yes
        right=172.16.160.254
        rightid=172.16.160.254
        rightsubnet=10.213.223.0/24
        auto=route

nano /etc/ipsec.secrets
172.16.160.254 : PSK "supersecret2"


HOW DOES IT WORK:

A packet from the LAN arrives at the hub. The ip rules match it on source and destination and select the corresponding routing table. That table routes it to the indicated VTI interface, which marks it with the tunnel's key. Because of that mark, XFRM applies the IPsec policy of the conn with the same mark, and the packet leaves through the right VPN. In the reverse direction the decrypted packet arrives on the VTI, the rule for "from 10.240.0.0/24 to <LAN>" picks the same table, and it is routed out of the matching LAN interface.

So this is a VPN setup where the source IP selects the tunnel :)
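The whole hub-side procedure above (conn stanzas with marks, VTIs with matching keys, per-tunnel routing tables and the rules that select them) and the packet walk just described come from one small table of tunnels. The following script is an added example written for this post, not the author's own code: it derives the hub's ipsec.conf, rt_tables lines and ip commands from that table so that mark, VTI key and routing table can never drift apart, refuses configurations the kernel would accept but that cannot work (duplicate marks, overlapping hub-side subnets), and simulates the rule-to-table-to-device lookup for a given packet. Addresses, interface names, marks and cipher proposals are the post's; the generated commands are printed, not executed, and must be run as root on the hub.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    """One client tunnel as seen from the hub."""
    name: str           # strongSwan conn name
    peer: str           # client WAN address (right=)
    lan_if: str         # hub interface carrying the client-specific LAN
    lan_subnet: str     # leftsubnet= (distinct per client)
    remote_subnet: str  # rightsubnet= (identical on every client)
    mark: int           # conn mark; must equal the VTI key


HUB_WAN = "172.16.160.254"          # hub WAN address from the post

# Values taken from the post's address scheme.
TUNNELS = (
    Tunnel("clientA", "172.16.160.1", "ens224", "10.213.222.0/24", "10.240.0.0/24", 42),
    Tunnel("clientB", "172.16.160.2", "ens256", "10.213.223.0/24", "10.240.0.0/24", 43),
)


def validate(tunnels):
    """Reject setups the kernel would accept but that cannot route correctly."""
    marks = [t.mark for t in tunnels]
    if len(set(marks)) != len(marks):
        raise ValueError("duplicate mark: XFRM could not tell the tunnels apart")
    lans = [ipaddress.ip_network(t.lan_subnet) for t in tunnels]
    for i, a in enumerate(lans):
        for b in lans[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"hub-side subnets {a} and {b} overlap; "
                                 "source-based rules would be ambiguous")
    return True


def ipsec_conf(tunnels):
    """Hub /etc/ipsec.conf: one conn per client, mark tied to its tunnel."""
    out = ["conn %default", "        ikelifetime=28800s", "        lifetime=3600s",
           "        keyingtries=1", "        keyexchange=ikev1", ""]
    for t in tunnels:
        out += [f"conn {t.name}",
                "        authby=secret",
                "        ike=3des-sha1-modp1024",      # proposals as in the post
                "        esp=3des-sha1",
                f"        left={HUB_WAN}",
                f"        leftid={HUB_WAN}",
                f"        leftsubnet={t.lan_subnet}",
                "        leftfirewall=no",             # no updown iptables rules
                f"        right={t.peer}",
                f"        rightid={t.peer}",
                f"        rightsubnet={t.remote_subnet}",
                "        auto=route",
                f"        mark={t.mark}", ""]
    return "\n".join(out)


def rt_tables(tunnels):
    """Lines to append to /etc/iproute2/rt_tables (table id = position + 1)."""
    return [f"{i + 1} rt{i + 1}" for i in range(len(tunnels))]


def ip_commands(tunnels):
    """VTI, per-table routes and source/destination rules, in execution order."""
    cmds = []
    for i, t in enumerate(tunnels):
        vti, table = f"vti{i}", f"rt{i + 1}"
        cmds += [
            f"ip tunnel add {vti} local {HUB_WAN} remote {t.peer} mode vti key {t.mark}",
            f"ip link set {vti} up",
            f"ip route add {t.remote_subnet} dev {vti} table {table}",
            f"ip route add {t.lan_subnet} dev {t.lan_if} table {table}",
            f"ip rule add from {t.lan_subnet} to {t.remote_subnet} table {table}",
            f"ip rule add from {t.remote_subnet} to {t.lan_subnet} table {table}",
        ]
    return cmds


def resolve(tunnels, src, dst):
    """Simulate the hub's decision for one packet: rule -> table -> device/mark.

    Returns None when no rule matches and the main table would be consulted.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, t in enumerate(tunnels):
        lan = ipaddress.ip_network(t.lan_subnet)
        remote = ipaddress.ip_network(t.remote_subnet)
        if s in lan and d in remote:      # LAN -> client: out via VTI, marked
            return {"table": f"rt{i + 1}", "dev": f"vti{i}", "mark": t.mark}
        if s in remote and d in lan:      # client -> LAN: decrypted, out via LAN if
            return {"table": f"rt{i + 1}", "dev": t.lan_if, "mark": None}
    return None


if __name__ == "__main__":
    validate(TUNNELS)
    print(ipsec_conf(TUNNELS))
    print("\n".join(rt_tables(TUNNELS)))
    print("\n".join(ip_commands(TUNNELS)))
    print(resolve(TUNNELS, "10.213.223.10", "10.240.0.5"))
```

Adding a third client is one more Tunnel line; the script then emits vti2, rt3 and the matching rules, and validate() catches the two mistakes that silently break this design: reusing a mark (both conns would claim the same XFRM policy) and giving two clients overlapping hub-side subnets (the first matching ip rule would win for both).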
