IPSec Tunnel to 2 different locations

Issues related to configuring your network
Post Reply
afcelie
Posts: 3
Joined: 2020/11/04 15:39:35

IPSec Tunnel to 2 different locations

Post by afcelie » 2020/11/04 15:47:44

I want to create an IP Sec tunnel to 2 different sites, I do have a configuration for a site to site IP-Sec tunnel, bu how to setup a second one on 1 server?

ServerA 1.2.3.4 --> ServerB 1.2.2.3
ServerA 1.2.3.4 --> ServerB 1.2.3.3

My Current Config for one location
#/etc/ipsec.conf
config setup
protostack=netkey
nat_traversal=no

conn mysubnet
also=mytunnel
leftsubnet=4.4.4.0/24
rightsubnet=14.14.14.0/24
auto=start

conn mytunnel
left=1.2.2.3
right=1.2.3.4
authby=secret
ikelifetime=24h
ike=aes-sha256;modp2048
# esp=aes-sha256;modp2048
pfs=yes
phase2alg=aes256-sha1;modp2048

And there is a ipsec.secrets file
#/etc/ipsec.secrets
#include /etc/ipsec.d/*.secrets
1.2.2.3 1.2.3.4: PSK "<secret>"
1.2.3.4 1.2.2.3: PSK "<secret>"
Last edited by afcelie on 2020/11/07 13:47:54, edited 1 time in total.

aks
Posts: 3045
Joined: 2014/09/20 11:22:14

Re: IPSec Tunnel to 2 different locations

Post by aks » 2020/11/06 18:19:51

1.2.3.4 --> ServerB 1.2.2.3
1.2.3.4 --> ServerB 1.2.3.3

Eh? So ones routed (/24) the other bridged (or I can't be arsed to read the whole thing)?

afcelie
Posts: 3
Joined: 2020/11/04 15:39:35

Re: IPSec Tunnel to 2 different locations

Post by afcelie » 2020/11/07 13:51:57

I have one location and need to get 2 ipsec connections one to each locatio, for the networks there was a fault, it should have been /24.
I changed the settings.
The confgiration is based on one ip sec connection,
But I need to have 2 if possible in one file, but if needed I can make 2 separate files. For each connection with specific settings.
One connection is active and the other is the backup with the same external anycast addresses.

Hopefully this is a bit more clear.

afcelie
Posts: 3
Joined: 2020/11/04 15:39:35

Re: IPSec Tunnel to 2 different locations

Post by afcelie » 2020/11/07 14:01:34

Graphical Setup
Attachments
IpSecSetup.png
IpSecSetup.png (66.32 KiB) Viewed 68 times

User avatar
jlehtone
Posts: 3172
Joined: 2007/12/11 08:17:33
Location: Finland

Re: IPSec Tunnel to 2 different locations

Post by jlehtone » 2020/11/07 19:49:33

I have not used IPSec in years, so cannot comment on that.

In that picture I see four logical subnets.
* lanA is "behind" Server1
* lanB is behind Server2
* lanC is behind Server3
* All three servers are members of the fourth subnet. Lets call it "WAN"

The Server1 has two specific routes:
* to lanB via WAN-address of Server2
* to lanC via WAN-address of Server3

The two other servers have one specific route:
* to lanA via WAN-address of Server1

Members of each LAN probably use the server as gateway and hence need not need to know about routes.

The Server1-Server2 and Server1-Server3 communications are encrypted with IPSec. The "men-in-the-middle-of-WAN" can't see that packets are from lanA addresses to lan[BC] and back.


In other words, there are two tasks: (1) encryption and (2) routing that directs appropriate traffic to the encrypted path.
IIRC, there was once a vision that IPSec could encrypt every connection between all machines.
afcelie wrote:
2020/11/07 13:51:57
One connection is active and the other is the backup with the same external anycast addresses.
No idea what that means.

aks
Posts: 3045
Joined: 2014/09/20 11:22:14

Re: IPSec Tunnel to 2 different locations

Post by aks » 2020/11/08 19:29:27

I count 5 networks:

1. Network 1: VPNserver3Primary
2. Network 2: IPSec1
3. Network 3: VPNServer2Backup
4. Network 4: IPSec2
5. Network 5: VPNServer1 (destination I guess)

Usually, IPSec is it's "own network" - well actually a tunnel.

Apparently you have no NAT (as in nat_traversal=no from your posted configuration). Kind of interesting as the 1.2.3.0/24 was/used to be the APNIC Debogon Project. Maybe that's who you are, I don't know (and may remove the need for the "tunnel" above).

So your endpoint is "anycast", which means the destination changes depending (on "stuff" not in the immediate network view).

So which one "works" (either 4.4.4.0/23 - owned by Level3, USA or 1.2.2.3/24 owned by KNET, China) and which one doesn't?

Do you achieve peering on both ends (i.e.: we agree on cryptographic settings on both ends)? Or is this a reachability issue?

I note (with some disdain) a circular in that:
1.2.2.3 1.2.3.4: PSK
1.2.3.4 1.2.2.3: PSK
Kind of feels like a loop - as in "I'm next door"!

Not an answer, just some food for thought.

Post Reply

Return to “CentOS 7 - Networking Support”