Score:0

site-to-site VPN route traffic through VPN tunnel

ru flag
Cal

Short version: in a site-to-site VPN setup with Strongswan on both sides, how to route particular traffic via the VPN tunnel?

Long version:

We have two Linux (ubuntu 20.04) in AWS, both installed with Strongswan VPN, and a VPN tunnel has been established.

IP 172.31.0.151                      IP 10.0.0.14 
Server 1        <===VPN tunnel===>   Server 2

As expected, they can ping each other, tcpdump will display correct private IP addresses for the ping.

The content of /etc/ipsec.conf of Server 2 (Server 1 ipsec.conf is almost identical, just swapping left/right values):

# basic configuration
config setup
# Add connections here.
conn %default
 ikelifetime=28800s
 lifetime=3600s
#rekeymargin= You choose; must match other side
 keyingtries=%forever
 keyexchange=ikev2
 authby=secret
 mobike=no


conn vpn-test
# private ip
 left=10.0.0.14

# vpc cidr
 leftsubnet=10.0.0.0/24

# elastic ip
 leftid=18.999.999.999

# private ip
 leftsourceip=10.0.0.14

# public/elastic ip
 right=18.888.888.888

# subnet/VPC cidr
 rightsubnet=172.31.0.0/16,2.2.2.2/32

 auto=start
 type=tunnel
 ike=aes256-sha1-modp1024!
 esp=aes256-sha1!
 dpddelay=30s
 dpdtimeout=120s
 dpdaction=restart
# Add connections here.

Goal: if from Server 2 we need to access a "dummy" IP address in Server 1's network, for example, we want to ping 2.2.2.2 and send the ping request over the VPN tunnel, instead of going out of the Server 2's actual network interface and into the internet.

With the 2.2.2.2/32 in both configuration, left/rightsubnet respectively, it still doesn't work.

Mehod 1 we tried: ip route add

The Strongswan does not create a VPN network interface, an ip a command gives the two default network interfaces in the Ubuntu:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
   inet6 ::1/128 scope host
      valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 0e:ac:45:e9:76:60 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.14/28 brd 10.0.0.15 scope global dynamic ens5
       valid_lft 3576sec preferred_lft 3576sec
    inet6 fe80::cac:45ff:fee9:7660/64 scope link
       valid_lft forever preferred_lft forever

So to use ip route add command to route traffic will not work here.

Method 2: iptables

The other method we tried is to use iptables to do DNAT, when destination is 2.2.2.2, route it to Server 1's ip address of 172.31.0.151, however DNAT will change the destination, therefore on Server 1 we will observe packets with destination of 172.31.0.151, instead of 2.2.2.2, and unable to NAT it accordingly. So iptables doesn't solve this problem either.

Being new to this field I don't know if it should be in Strongswan configuration or Linux routing or something else. How can we approach the issue?

Thank you for your time.

Score:0
ru flag
Cal

To answer my own question, when I replace this line

 rightsubnet=172.31.0.0/16,2.2.2.2/32

With

 rightsubnet=2.2.2.2

It works. From Serer 2 I can ping 2.2.2.2 and Server 1 will receive it.

Both servers need to be modified accordingly.

Thank you.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.