Initial data
I am learning networking-related things and proper strongSwan configuration.
I am using my own wildcard SSL certificate.
All tunnels come up successfully and authenticate each other, and respond on whichever side is designated in the configurations.
Remote devices connect successfully to the master host, but their traffic stays on this master host without being forwarded further. Authorization of remote users is carried out through the radius plugin.
Problem to be solved
Organising a VPN network with a common entry point and multiple exit points (dynamic IP)
The following Ubuntu 20.04 dedicated hosts are available:
- Host A (master) - x.x.110.138
- Host B (slave1) - x.x.166.115
- Host C (slave2) - x.x.178.214
- Host D (slave3) - x.x.140.120
A road-warrior client (macOS, iPhone, Android, Win10/11) connects to the master host.
Next, client traffic is routed randomly (in the near future I would like to implement this via load balancing, but first I need to figure out the basic settings) to one of the slave hosts. If any of the GRE tunnels to a slave host is dead, it is excluded from the general routing system.
When accessing the network through a slave host, the client is given the IP address of the host to which it was routed.
Dedicated hosts configurations
Master-host (x.x.110.138)
/etc/sysctl.conf
net.ipv4.ip_forward = 1
/etc/netplan/01-grecfg.yaml
network:
  version: 2
  tunnels:
    tunToSlave1:
      mode: gre
      local: x.x.110.138
      remote: x.x.166.115
      addresses: [10.0.2.1/24]
      mtu: 1442
      ttl: 255
    tunToSlave2:
      mode: gre
      local: x.x.110.138
      remote: x.x.178.214
      addresses: [10.0.3.1/24]
      mtu: 1442
      ttl: 255
    tunToSlave3:
      mode: gre
      local: x.x.110.138
      remote: x.x.140.120
      addresses: [10.0.4.1/24]
      mtu: 1442
      ttl: 255
/etc/ipsec.conf
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    strictcrlpolicy = yes

conn %default
    reauth = yes
    rekey = yes
    keyingtries = %forever
    keyexchange = ikev2
    dpdaction = restart
    dpddelay = 5s
    mobike = yes

# GRE-to-slave tunnels: IPsec in transport mode protecting only protocol 47 (GRE)
# between the two public addresses. The inner 10.0.x.0/24 addressing lives on the
# GRE interfaces from netplan, not in the IPsec selectors.
# Note: the same certificate and the same id @mydomain.com are used on every host,
# so any host holding that certificate can authenticate as any other; per-host
# certificates (or at least distinct ids) would let each peer be pinned.
conn tun-slave1
    left = %defaultroute
    right = x.x.166.115
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    auto = start

conn tun-slave2
    left = %defaultroute
    right = x.x.178.214
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    auto = start

conn tun-slave3
    left = %defaultroute
    right = x.x.140.120
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    auto = start

# Road-warrior conn: tunnel mode, EAP via the RADIUS plugin, virtual IPs from 10.10.10.0/24.
conn remote-mobile
    dpddelay = 30s
    left = %any
    leftid = @mydomain.com
    leftcert = cert.pem
    leftsendcert = always
    # ::/0 is offered to clients although no IPv6 address pool is assigned
    # and the slaves disable IPv6 in their sysctl.conf
    leftsubnet = 0.0.0.0/0,::/0
    right = %any
    rightid = %any
    rightauth = eap-radius
    rightsendcert = never
    eap_identity = %identity
    rightsourceip = 10.10.10.0/24
    rightdns = 8.8.8.8
    type = tunnel
    ike=aes128gcm16-sha2_256-prfsha256-ecp256!
    esp=aes128gcm16-sha2_256-ecp256!
    auto = add
    dpdaction = restart
    ikelifetime = 240m
    keylife = 60m

# As posted this conn carries only proposals and lifetimes: it has no left/right/auth
# lines of its own, so it only becomes a usable second road-warrior conn with
# also=remote-mobile (or the same peer settings) added.
# The 3des, sha1 and modp1024 proposals are weak and only belong here while a
# legacy Windows client still needs them.
conn remote-pc
    ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
    ikelifetime=720m
    keylife=60m
Slave1-host (x.x.166.115)
/etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
/etc/netplan/01-grecfg.yaml
network:
  version: 2
  tunnels:
    tunToMaster:
      mode: gre
      local: x.x.166.115
      remote: x.x.110.138
      addresses: [10.0.2.2/24]
      mtu: 1442
      ttl: 255
/etc/ipsec.conf
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    strictcrlpolicy = yes

conn %default
    reauth = yes
    rekey = yes
    keyingtries = %forever
    keyexchange = ikev2
    dpdaction = restart
    dpddelay = 5s
    mobike = yes

conn gre-master
    left = %defaultroute
    # the master's public IP
    right = x.x.110.138
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    # the master initiates (auto=start there); the slave only loads the conn
    auto = add
Slave2-host (x.x.178.214)
/etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
/etc/netplan/01-grecfg.yaml
network:
  version: 2
  tunnels:
    tunToMaster:
      mode: gre
      local: x.x.178.214
      remote: x.x.110.138
      addresses: [10.0.3.3/24]
      mtu: 1442
      ttl: 255
/etc/ipsec.conf
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    strictcrlpolicy = yes

conn %default
    reauth = yes
    rekey = yes
    keyingtries = %forever
    keyexchange = ikev2
    dpdaction = restart
    dpddelay = 5s
    mobike = yes

conn gre-master
    left = %defaultroute
    # the master's public IP (same remote as in this host's netplan tunnel)
    right = x.x.110.138
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    # the master initiates (auto=start there); the slave only loads the conn
    auto = add
Slave3-host (x.x.140.120)
/etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
/etc/netplan/01-grecfg.yaml
network:
  version: 2
  tunnels:
    tunToMaster:
      mode: gre
      local: x.x.140.120
      remote: x.x.110.138
      addresses: [10.0.4.4/24]
      mtu: 1442
      ttl: 255
/etc/ipsec.conf
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    strictcrlpolicy = yes

conn %default
    reauth = yes
    rekey = yes
    keyingtries = %forever
    keyexchange = ikev2
    dpdaction = restart
    dpddelay = 5s
    mobike = yes

conn gre-master
    left = %defaultroute
    # the master's public IP
    right = x.x.110.138
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    # the master initiates (auto=start there); the slave only loads the conn
    auto = add
Questions
How do I correctly determine the interface parameters for dynamic routing?
In particular, I'm having trouble getting the networks/subnets set up correctly at the localhost level. I was able to achieve a working master->slave1 scheme with this guide, but with many hosts I have difficulty understanding :(
The question of correctly defining networks/subnets is also open for the listed ipsec configurations: how do I correctly define the leftsubnet/rightsubnet parameters for each host in this interaction scheme, or can I just leave the %dynamic value?
Is it redundant to use quagga for dynamic routing in this case?
Is the interaction scheme of the set of hosts (master -> slaves) for the previously described task defined correctly? BTW, I tried to raise tunnels from the slave hosts to the master host, but each subsequent tunnel overrides the previous one :\
Are there any errors in the interface parameters and the general ipsec configs?
What rules should I set for iptables on each host? I guess that on each of the three slave hosts it is at least necessary to define a nat-table rule for masquerading. Not long ago I set up only one server with strongSwan on board and configured the following general rules:
# INPUT: return traffic, SSH, loopback, IKE (500) and NAT-T (4500)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# no rule accepts native ESP (protocol 50), so only peers using UDP encapsulation on 4500 get through
# FORWARD/NAT: only traffic that arrived through an IPsec SA from the client pool is forwarded and masqueraded
iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
# clamp TCP MSS for client flows so the ESP overhead does not cause fragmentation
iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
# dropping all ICMP also drops "fragmentation needed", so path MTU discovery towards this host stops working
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
I would really appreciate any help, explanations and useful information.
Cheers <3
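The "route client traffic to a live slave and drop dead GRE tunnels" part of the problem statement, as an added example that is not part of the original post: a small POSIX shell script for the master that probes every GRE tunnel, builds an equal-cost multipath default route in a separate routing table from the tunnels that answered, and steers road-warrior sources into that table with an ip rule. The tunnel names, the slave-side inner addresses (10.0.2.2, 10.0.3.3, 10.0.4.4), the 10.10.10.0/24 client pool and the otherwise unused table number 100 are assumptions taken from the configs above; the script name gre-ecmp.sh is made up.

```shell
#!/bin/sh
# Master-side ECMP routing of road-warrior traffic across the live GRE tunnels,
# dropping any tunnel whose far end stops answering. Added example, not the
# poster's configuration. Assumed from the netplan files above: tunToSlave1,
# tunToSlave2, tunToSlave3 with slave-side addresses 10.0.2.2, 10.0.3.3 and
# 10.0.4.4; road warriors get 10.10.10.0/24; routing table 100 is unused.
set -u

CLIENT_NET="10.10.10.0/24"
TABLE=100
TUNNELS="tunToSlave1:10.0.2.2 tunToSlave2:10.0.3.3 tunToSlave3:10.0.4.4"

# tunnel_alive DEV GW: one ICMP echo through the tunnel to the slave's inner
# address. It only succeeds when the GRE interface and the IPsec transport SA
# underneath it both work, which is exactly the liveness that matters here.
tunnel_alive() {
    ping -c 1 -W 1 -I "$1" "$2" >/dev/null 2>&1
}

# probe_states: prints "DEV:GW:up" or "DEV:GW:down" for every tunnel, space separated.
probe_states() {
    out=""
    for t in $TUNNELS; do
        dev=${t%%:*}; gw=${t#*:}
        if tunnel_alive "$dev" "$gw"; then s=up; else s=down; fi
        out="$out $dev:$gw:$s"
    done
    printf '%s\n' "${out# }"
}

# nexthops_from_states STATES: equal-weight ECMP nexthop list built from the
# live tunnels only (STATES is the output of probe_states).
nexthops_from_states() {
    hops=""
    for st in $1; do
        dev=${st%%:*}; rest=${st#*:}; gw=${rest%%:*}; state=${rest#*:}
        if [ "$state" = up ]; then
            hops="$hops nexthop via $gw dev $dev weight 1"
        fi
    done
    printf '%s\n' "${hops# }"
}

# route_command STATES: the ip(8) command for the client routing table. With no
# live tunnel the default becomes "unreachable" so client traffic fails closed
# instead of falling through to the main table and leaving via the master's uplink.
route_command() {
    hops=$(nexthops_from_states "$1")
    if [ -z "$hops" ]; then
        printf 'ip route replace unreachable default table %s\n' "$TABLE"
    else
        printf 'ip route replace default table %s %s\n' "$TABLE" "$hops"
    fi
}

# apply_once: policy rule and hashing sysctl (both idempotent), then reprogram
# the ECMP default route from a fresh probe. Run as root from a systemd timer
# or cron every few seconds:  ./gre-ecmp.sh apply
apply_once() {
    sysctl -qw net.ipv4.fib_multipath_hash_policy=1   # hash on L4 ports as well as addresses
    ip rule show | grep -q "from $CLIENT_NET lookup $TABLE" \
        || ip rule add from "$CLIENT_NET" lookup "$TABLE" priority 100
    cmd=$(route_command "$(probe_states)")
    printf '%s\n' "$cmd"
    eval "$cmd"
}

if [ "${1:-}" = "apply" ]; then
    apply_once
fi
```

Two things to keep in mind with this approach. The kernel's multipath route is per-flow, not per-client: one client's connections are spread over all live nexthops, so if every client really must leave through a single slave (one egress address per client, as the problem statement wants), replace the ECMP route with per-client `ip rule from <client ip> lookup <table-of-that-slave>` assignments and keep the probe only for pruning. And the slaves need the reverse route for the masqueraded replies (on slave1: `ip route replace 10.10.10.0/24 via 10.0.2.1 dev tunToMaster`), which strict rp_filter on the slaves also requires before it will accept client packets arriving on tunToMaster.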
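For the iptables question, as an added example (not the poster's rules and not from any project): generator functions for the slave and master rule sets in iptables-restore format, plus the return route each slave needs. On the slaves, GRE is accepted only from the master and only when it arrived inside the IPsec transport SA, so cleartext GRE from anyone else is dropped; on the master, client traffic is allowed from the road-warrior tunnel SA into any tunToSlave* interface and back. Assumed: eth0 is the public interface everywhere, the tunToSlave+/tunToMaster names and addresses from the configs above, and the 1360 MSS clamp from the earlier rule set; vpn-fw.sh is a made-up script name.

```shell
#!/bin/sh
# iptables rule sets for the master and the slave hosts in iptables-restore(8)
# format, plus the return route a slave needs. Added example, not the poster's
# rules. Assumptions: eth0 is the public interface on every host, road warriors
# use 10.10.10.0/24, the master's tunnel interfaces are named tunToSlave*, the
# slaves' single tunnel is tunToMaster, and liveness pings come from the master.
set -u

# slave_rules CLIENT_NET TUN WAN MASTER_IP [MSS]
# GRE is accepted only from the master and only if it was carried inside the
# IPsec transport SA (-m policy); cleartext GRE from anyone is dropped by policy.
slave_rules() {
    net=$1; tun=$2; wan=$3; master=$4; mss=${5:-1360}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -s $master -p gre -m policy --dir in --pol ipsec --proto esp --mode transport -j ACCEPT
-A INPUT -i $tun -p icmp -j ACCEPT
-A FORWARD -i $tun -o $wan -s $net -j ACCEPT
-A FORWARD -i $wan -o $tun -d $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -i $tun -o $wan -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
-A FORWARD -i $wan -o $tun -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
COMMIT
EOF
}

# slave_routes CLIENT_NET TUN MASTER_TUN_IP: de-NATed replies must go back through
# the tunnel, and strict rp_filter (=1 in the slaves' sysctl.conf above) only
# accepts client packets arriving on TUN once this reverse route exists.
slave_routes() {
    printf 'ip route replace %s via %s dev %s\n' "$1" "$3" "$2"
}

# master_rules CLIENT_NET SLAVE_IPS: GRE over IPsec from each listed slave,
# client traffic from the road-warrior tunnel SA into any tunToSlave*, replies back.
master_rules() {
    net=$1; gre_in=""
    for s in $2; do
        gre_in="${gre_in}-A INPUT -s $s -p gre -m policy --dir in --pol ipsec --proto esp --mode transport -j ACCEPT
"
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
${gre_in}-A FORWARD -s $net -m policy --dir in --pol ipsec --proto esp --mode tunnel -o tunToSlave+ -j ACCEPT
-A FORWARD -d $net -i tunToSlave+ -m policy --dir out --pol ipsec --proto esp --mode tunnel -j ACCEPT
COMMIT
EOF
}

# Usage (as root), with the addresses from the posted configs:
#   ./vpn-fw.sh slave  10.10.10.0/24 tunToMaster eth0 x.x.110.138 10.0.2.1          # on slave1
#   ./vpn-fw.sh master 10.10.10.0/24 "x.x.166.115 x.x.178.214 x.x.140.120"          # on the master
case "${1:-}" in
    slave)  slave_rules "$2" "$3" "$4" "$5" | iptables-restore
            eval "$(slave_routes "$2" "$3" "$6")" ;;
    master) master_rules "$2" "$3" | iptables-restore ;;
esac
```

The master does no NAT at all: the road-warrior source 10.10.10.x is carried over the GRE tunnel unchanged and only the slave masquerades it on its own eth0, which is what gives the client the exit address of the slave it was routed to. The `-p esp` accept is needed on the GRE hosts because they talk native ESP to each other (no NAT-T), and ICMP is accepted on the tunnel interface so the master's liveness pings get answered.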