IPSec Tunnel to 2 different locations

Issues related to configuring your network
afcelie
Posts: 3
Joined: 2020/11/04 15:39:35

IPSec Tunnel to 2 different locations

Post by afcelie » 2020/11/04 15:47:44

I want to create an IPsec tunnel to 2 different sites. I do have a configuration for a site-to-site IPsec tunnel, but how do I set up a second one on 1 server?

ServerA 1.2.3.4 --> ServerB 1.2.2.3
ServerA 1.2.3.4 --> ServerB 1.2.3.3

My Current Config for one location
#/etc/ipsec.conf
# Parameter lines belong indented under their section header; a line that
# starts in column 1 begins a new section.
config setup
    protostack=netkey
    nat_traversal=no

# Subnet conn: pulls in the peer/crypto settings from "mytunnel" via also=
conn mysubnet
    also=mytunnel
    leftsubnet=4.4.4.0/24
    rightsubnet=14.14.14.0/24
    auto=start

# Peer and IKE/ESP settings shared through also=; no auto=, so it is only
# loaded as a template for mysubnet
conn mytunnel
    left=1.2.2.3
    right=1.2.3.4
    authby=secret
    ikelifetime=24h
    ike=aes-sha256;modp2048
    # esp=aes-sha256;modp2048
    pfs=yes
    phase2alg=aes256-sha1;modp2048

And there is an ipsec.secrets file
#/etc/ipsec.secrets
#include /etc/ipsec.d/*.secrets
1.2.2.3 1.2.3.4: PSK "<secret>"
1.2.3.4 1.2.2.3: PSK "<secret>"
Last edited by afcelie on 2020/11/07 13:47:54, edited 1 time in total.
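One way to carry both tunnels in a single ipsec.conf, as an added example that is not part of the original post: Libreswan syntax, with the settings both tunnels share moved into conn %default (which Libreswan applies to every conn in the file) and one conn per remote site. The addresses 1.2.3.4, 1.2.2.3, 1.2.3.3, 4.4.4.0/24 and 14.14.14.0/24 come from the thread; the 15.15.15.0/24 prefix behind the second site and the conn names siteB and siteC are assumptions.

```conf
# /etc/ipsec.conf -- added example (Libreswan), not the poster's file.
# One server (1.2.3.4, "ServerA" in the thread) terminates two
# site-to-site tunnels, one to each remote location.

config setup
    protostack=netkey

# Settings common to every conn below. Libreswan merges this section
# into each conn, so nothing has to be repeated or pulled in with also=.
conn %default
    left=1.2.3.4                 # this server, ServerA (from the thread)
    leftsubnet=4.4.4.0/24        # lanA behind ServerA (from the thread)
    authby=secret
    ike=aes-sha256;modp2048
    phase2alg=aes256-sha1;modp2048
    pfs=yes
    ikelifetime=24h
    auto=start

# Tunnel 1: ServerA <-> ServerB (1.2.2.3), lanB behind it.
conn siteB
    right=1.2.2.3
    rightsubnet=14.14.14.0/24    # lanB (from the thread)

# Tunnel 2: ServerA <-> ServerC (1.2.3.3), lanC behind it.
conn siteC
    right=1.2.3.3
    rightsubnet=15.15.15.0/24    # assumed; the thread does not give lanC's prefix
```

ipsec.secrets then needs one PSK line per peer pair, for example `1.2.3.4 1.2.2.3 : PSK "<secret-for-siteB>"` and `1.2.3.4 1.2.3.3 : PSK "<secret-for-siteC>"`; Libreswan matches the two indices in either order, so a mirrored copy of each line adds nothing. Use a distinct secret per peer: with one shared PSK, whoever holds site B's copy can also impersonate site C to this server. After `ipsec auto --add siteB`, `ipsec auto --add siteC` and `ipsec auto --up` on each (or a service restart), `ipsec status` and `ip xfrm policy` should show two policy pairs, one for each remote subnet; the kernel selects the tunnel by destination prefix, so no extra static routes are needed beyond an ordinary route towards the WAN.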

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: IPSec Tunnel to 2 different locations

Post by aks » 2020/11/06 18:19:51

1.2.3.4 --> ServerB 1.2.2.3
1.2.3.4 --> ServerB 1.2.3.3

Eh? So one's routed (/24), the other bridged (or I can't be arsed to read the whole thing)?

afcelie
Posts: 3
Joined: 2020/11/04 15:39:35

Re: IPSec Tunnel to 2 different locations

Post by afcelie » 2020/11/07 13:51:57

I have one location and need to get 2 IPsec connections, one to each location. For the networks there was a fault; it should have been /24.
I changed the settings.
The configuration is based on one IPsec connection,
but I need to have 2, if possible in one file; if needed I can make 2 separate files, one for each connection with specific settings.
One connection is active and the other is the backup with the same external anycast addresses.

Hopefully this is a bit more clear.

afcelie
Posts: 3
Joined: 2020/11/04 15:39:35

Re: IPSec Tunnel to 2 different locations

Post by afcelie » 2020/11/07 14:01:34

Graphical Setup
Attachment: IpSecSetup.png (network diagram)

jlehtone
Posts: 4531
Joined: 2007/12/11 08:17:33
Location: Finland

Re: IPSec Tunnel to 2 different locations

Post by jlehtone » 2020/11/07 19:49:33

I have not used IPSec in years, so cannot comment on that.

In that picture I see four logical subnets.
* lanA is "behind" Server1
* lanB is behind Server2
* lanC is behind Server3
* All three servers are members of the fourth subnet. Let's call it "WAN"

The Server1 has two specific routes:
* to lanB via WAN-address of Server2
* to lanC via WAN-address of Server3

The two other servers have one specific route:
* to lanA via WAN-address of Server1

Members of each LAN probably use the server as gateway and hence need not know about routes.

The Server1-Server2 and Server1-Server3 communications are encrypted with IPSec. The "men-in-the-middle-of-WAN" can't see that packets are from lanA addresses to lan[BC] and back.


In other words, there are two tasks: (1) encryption and (2) routing that directs appropriate traffic to the encrypted path.
IIRC, there was once a vision that IPSec could encrypt every connection between all machines.
afcelie wrote (2020/11/07 13:51:57):
One connection is active and the other is the backup with the same external anycast addresses.

No idea what that means.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: IPSec Tunnel to 2 different locations

Post by aks » 2020/11/08 19:29:27

I count 5 networks:

1. Network 1: VPNserver3Primary
2. Network 2: IPSec1
3. Network 3: VPNServer2Backup
4. Network 4: IPSec2
5. Network 5: VPNServer1 (destination I guess)

Usually, IPSec is its "own network" - well, actually a tunnel.

Apparently you have no NAT (as in nat_traversal=no from your posted configuration). Kind of interesting as the 1.2.3.0/24 was/used to be the APNIC Debogon Project. Maybe that's who you are, I don't know (and may remove the need for the "tunnel" above).

So your endpoint is "anycast", which means the destination changes depending (on "stuff" not in the immediate network view).

So which one "works" (either 4.4.4.0/23 - owned by Level3, USA or 1.2.2.3/24 owned by KNET, China) and which one doesn't?

Do you achieve peering on both ends (i.e.: we agree on cryptographic settings on both ends)? Or is this a reachability issue?

I note (with some disdain) something circular in that:
1.2.2.3 1.2.3.4: PSK
1.2.3.4 1.2.2.3: PSK
Kind of feels like a loop - as in "I'm next door"!

Not an answer, just some food for thought.
