Site-to-Site tunnel with multiple identical subnets on remote sites - without virtual hosts (Route Based VPN)
The goal: reach several remote sites that all use the same LAN subnet from the client side over separate VPNs.
Topology:
As you can see, on the left side are clients with different subnets, 10.213.222.0/24 and 10.213.223.0/24, but on the right side all of the remote sites use the same subnet, 10.240.0.0/24.
To make this work we need to route traffic into the right VPN based on its source IP.
So if the source subnet is 10.213.222.0/24, route it into VPN1, and if the source subnet is 10.213.223.0/24, route it into VPN2.
Address scheme:
- VPN HUB
external eth192 WAN: 172.16.160.254
internal eth224 LAN1: 10.213.222.1/24
internal eth256 LAN2: 10.213.223.1/24
- ClientA
external eth192 WAN: 172.16.160.1
internal eth224 LAN: 10.240.0.1/24
- ClientB
external eth192 WAN: 172.16.160.2
internal eth224 LAN: 10.240.0.1/24
HUB ipsec.conf
nano /etc/ipsec.conf
conn %default
    ikelifetime=28800s
    lifetime=3600s
    keyingtries=1
    keyexchange=ikev1
conn clientA
    authby=secret
    ike=3des-sha1-modp1024
    esp=3des-sha1
    left=172.16.160.254
    leftid=172.16.160.254
    leftsubnet=10.213.222.0/24
    leftfirewall=no
    right=172.16.160.1
    rightid=172.16.160.1
    rightsubnet=10.240.0.0/24
    auto=route
    #THIS IS IMPORTANT
    mark=42
conn clientB
    authby=secret
    ike=3des-sha1-modp1024
    esp=3des-sha1
    left=172.16.160.254
    leftid=172.16.160.254
    leftsubnet=10.213.223.0/24
    leftfirewall=no
    right=172.16.160.2
    rightid=172.16.160.2
    rightsubnet=10.240.0.0/24
    auto=route
    #THIS IS IMPORTANT
    mark=43
Add secrets:
nano /etc/ipsec.secrets
172.16.160.1 : PSK "supersecret"
172.16.160.2 : PSK "supersecret2"
What we do here is mark the packets of each VPN with 42 and 43 respectively, and turn leftfirewall off so that strongSwan doesn't insert automatic rules into iptables.
Now we create two VTI interfaces whose keys match the marks of the IPsec connections:
ip tunnel add vti0 local 172.16.160.254 remote 172.16.160.1 mode vti key 42
ip tunnel add vti1 local 172.16.160.254 remote 172.16.160.2 mode vti key 43
ip link set vti0 up
ip link set vti1 up
To avoid conflicts with routes installed by the IKE daemon, disable route installation with charon.install_routes=0 in strongswan.conf.
Because the remote sides all use the same subnet, a plain "ip route" in the main table cannot send that one subnet to different devices depending on the source.
That is why we use multiple routing tables.
Open /etc/iproute2/rt_tables and add our new tables:
1 rt1
2 rt2
and save.
Now add the routes:
ip route add 10.240.0.0/24 dev vti0 table rt1
ip route add 10.213.222.0/24 dev ens224 table rt1
ip route add 10.240.0.0/24 dev vti1 table rt2
ip route add 10.213.223.0/24 dev ens256 table rt2
and the rules:
ip rule add from 10.213.222.0/24 to 10.240.0.0/24 tab rt1
ip rule add from 10.240.0.0/24 to 10.213.222.0/24 tab rt1
ip rule add from 10.213.223.0/24 to 10.240.0.0/24 tab rt2
ip rule add from 10.240.0.0/24 to 10.213.223.0/24 tab rt2
Turn on IP forwarding:
sysctl -w net.ipv4.ip_forward=1
Run the VPN:
service ipsec start
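The hub-side steps above (VTI creation, routes and rules) are typed by hand and the VTI key has to equal the mark= of the matching conn. The following script is an added example, not from the original post: it reads each conn's mark out of ipsec.conf and derives the six commands per spoke from it, so the key and the mark cannot drift apart. Addresses are the post's; the sample ipsec.conf is constructed, and the interface names (ens224/ens256) and table names (rt1/rt2) follow the post's route commands.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the hub-side VTI, route
# and rule commands for each spoke from the mark= in ipsec.conf.
HUB_WAN=172.16.160.254
REMOTE_SUBNET=10.240.0.0/24          # identical on every spoke

# Constructed sample of the hub's ipsec.conf (only the lines this script reads).
SAMPLE_CONF='conn clientA
  mark=42
conn clientB
  mark=43'

# conn_mark <conn-name>: read ipsec.conf on stdin, print that conn's mark value.
# strongSwan also accepts mark=42/0xffffffff; the mask part is dropped here.
conn_mark() {
  awk -v c="$1" '
    /^conn[[:space:]]/ { cur=$2 }
    cur==c && /^[[:space:]]*mark=/ { v=$0; sub(/^[[:space:]]*mark=/,"",v); sub(/\/.*/,"",v); print v; exit }'
}

# spoke_cmds <vti> <mark> <remote-wan> <lan-subnet> <lan-dev> <table>
# Prints the six commands the post runs by hand for one spoke.
spoke_cmds() {
  [ -n "$2" ] || { echo "spoke $1: no mark found in ipsec.conf" >&2; return 1; }
  cat <<EOF
ip tunnel add $1 local $HUB_WAN remote $3 mode vti key $2
ip link set $1 up
ip route add $REMOTE_SUBNET dev $1 table $6
ip route add $4 dev $5 table $6
ip rule add from $4 to $REMOTE_SUBNET table $6
ip rule add from $REMOTE_SUBNET to $4 table $6
EOF
}

# all_cmds: ipsec.conf on stdin -> full command list for both spokes.
all_cmds() {
  conf=$(cat)
  spoke_cmds vti0 "$(printf '%s\n' "$conf" | conn_mark clientA)" 172.16.160.1 10.213.222.0/24 ens224 rt1
  spoke_cmds vti1 "$(printf '%s\n' "$conf" | conn_mark clientB)" 172.16.160.2 10.213.223.0/24 ens256 rt2
}

case "${1:-print}" in
  print) printf '%s\n' "$SAMPLE_CONF" | all_cmds ;;   # dry run against the sample
  apply) all_cmds < /etc/ipsec.conf | sh -e ;;        # on the hub, as root
esac
```

Run it without arguments to review the generated commands; `apply` feeds the real /etc/ipsec.conf through and executes them, stopping at the first failure.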
ClientA:
sysctl -w net.ipv4.ip_forward=1
nano /etc/ipsec.conf
config setup
conn %default
    ikelifetime=28800s
    lifetime=3600s
    keyingtries=1
    keyexchange=ikev1
conn hub
    authby=secret
    ike=3des-sha1-modp1024
    esp=3des-sha1
    left=172.16.160.1
    leftid=172.16.160.1
    leftsubnet=10.240.0.0/24
    leftfirewall=yes
    right=172.16.160.254
    rightid=172.16.160.254
    rightsubnet=10.213.222.0/24
    auto=route
nano /etc/ipsec.secrets
172.16.160.254 : PSK "supersecret"
ClientB:
nano /etc/ipsec.conf
config setup
conn %default
    ikelifetime=28800s
    lifetime=3600s
    keyingtries=1
    keyexchange=ikev1
conn hub
    authby=secret
    ike=3des-sha1-modp1024
    esp=3des-sha1
    left=172.16.160.2
    leftid=172.16.160.2
    leftsubnet=10.240.0.0/24
    leftfirewall=yes
    right=172.16.160.254
    rightid=172.16.160.254
    rightsubnet=10.213.223.0/24
    auto=route
nano /etc/ipsec.secrets
172.16.160.254 : PSK "supersecret2"
HOW DOES IT WORK:
A packet from the LAN enters the hub. The ip rules match it by source and destination and select the corresponding routing table. That table routes the packet to the indicated VTI interface, which marks it with the tunnel key. Because of this mark it is handed to the IPsec connection that carries the same mark.
So this is a VPN tunnel where the source IP determines its destination :)