Good morning everyone,
the goal I'm trying to achieve is to connect an OpenShift cluster, via IPsec VPN with a preshared key, to an on-premises network (the image attached is a simplification of the infrastructure to be achieved).
I tried following this guide provided by IBM: https://cloud.ibm.com/docs/openshift?topic=openshift-vpn
The advice they give is to use strongSwan's Helm chart.
I was able to establish a connection with the VPN terminator, but the routing of requests does not seem to follow the correct path on OpenShift.
Through the chart I also configured source NAT.
My values.yaml config is:
connectUsingLoadBalancerIP: "true"
enablePodSNAT: "false"
enableRBAC: true
enableServiceSourceIP: false
enableSingleSourceIP: false
helmTestsToRun: ALL
ipsec:
  additionalOptions: {}
  auto: start
  closeaction: auto
  dpdaction: none
  esp: aes256-sha256-modp2048!
  ike: aes256-sha256-modp2048!
  ikelifetime: 24h
  keyexchange: ikev2
  keyingtries: "%forever"
  lifetime: 8h
  margintime: 9m
loadBalancerIP: null
local:
  id: <local_vpn_ip>
  subnet: 172.31.249.40/29
  zoneSubnet: null
localNonClusterSubnet: null
localSubnetNAT: 172.30.0.0/16=172.31.249.42/32,172.21.0.0/16=172.31.249.43/32
monitoring:
  clusterName: ""
  delay: 120
  enable: false
  httpEndpoints: ""
  privateIPs: ""
  slackChannel: ""
  slackIcon: ":swan:"
  slackUsername: IBM strongSwan VPN
  slackWebhook: ""
  timeout: 5
nodeSelector: {}
overRideIpsecConf: {}
overRideIpsecSecrets: {}
preshared:
  secret: <secret>
privilegedVpnPod: false
remote:
  gateway: <remote_ip>
  id: <remote_ip>
  privateIPtoPing: null
  subnet: <remote_subnet>
remoteSubnetNAT: null
strongswanLogging: |-
  default = 1
  cfg = 2
  dmn = 2
  ike = 2
  net = 2
tolerations: []
validate: strict
zoneLoadBalancer: <local_vpn_ip>
zoneSelector: <cluster_zone>
zoneSpecificRoutes: true
In case you encountered the same problem as me, how did you solve it?
Are there any other possible solutions to have an IPsec VPN deployed on OpenShift?
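A consistency check on the addressing plan in a values.yaml like the one above, added here as an example; it is not part of the original post or of the IBM strongSwan chart. Since the post redacts `<remote_subnet>`, a made-up RFC 1918 range stands in for it, and the check itself (NAT targets must sit inside the local traffic selector, and neither the NAT sources nor the local subnet may overlap the remote one) is an assumption about what the remote gateway will accept.

```python
import ipaddress

# Values taken from the post's values.yaml; REMOTE_SUBNET is a constructed placeholder
# because the post redacts it.
LOCAL_SUBNET = "172.31.249.40/29"
LOCAL_SUBNET_NAT = "172.30.0.0/16=172.31.249.42/32,172.21.0.0/16=172.31.249.43/32"
REMOTE_SUBNET = "10.50.0.0/16"  # placeholder for <remote_subnet>


def parse_subnet_nat(spec):
    """Parse the chart's 'src=dst,src=dst' localSubnetNAT string into (src, dst) network pairs."""
    pairs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        src, sep, dst = item.partition("=")
        if not sep:
            raise ValueError(f"malformed NAT entry (expected src=dst): {item!r}")
        pairs.append((ipaddress.ip_network(src.strip()), ipaddress.ip_network(dst.strip())))
    return pairs


def check_vpn_config(local_subnet, subnet_nat, remote_subnet):
    """Return a list of problems; an empty list means the addressing plan is consistent."""
    local = ipaddress.ip_network(local_subnet)
    remote = ipaddress.ip_network(remote_subnet)
    problems = []
    if local.overlaps(remote):
        problems.append(f"local subnet {local} overlaps remote subnet {remote}")
    for src, dst in parse_subnet_nat(subnet_nat):
        # Pod/service traffic is SNATed to dst before entering the tunnel, so dst must lie
        # inside the local traffic selector or the remote side will not match it (assumption).
        if not dst.subnet_of(local):
            problems.append(f"NAT target {dst} is outside local subnet {local}")
        # The un-NATed pod/service range must not collide with the remote network either,
        # or replies would be routed back into the cluster overlay instead of the tunnel.
        if src.overlaps(remote):
            problems.append(f"NAT source {src} overlaps remote subnet {remote}")
        if dst.network_address in (local.network_address, local.broadcast_address):
            problems.append(f"NAT target {dst} is the network or broadcast address of {local}")
    return problems


if __name__ == "__main__":
    for problem in check_vpn_config(LOCAL_SUBNET, LOCAL_SUBNET_NAT, REMOTE_SUBNET) or ["ok"]:
        print(problem)
```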