
Initial data

I am learning networking-based things and proper strongSwan configuration.

I am using my own wildcard SSL certificate. All tunnels come up successfully and are authorized among themselves, and they respond on any of the sides designated in the configurations. Remote devices connect successfully to the master host, but their traffic remains within this master host without further forwarding. Authorization of remote users is carried out through the radius plugin.


Problem to be solved

Organisation of the VPN network with a common entry point and multiple exit points (dynamic IP)

The following Ubuntu 20.04 dedicated hosts are available:

  1. Host A (master) - x.x.110.138
  2. Host B (slave1) - x.x.166.115
  3. Host C (slave2) - x.x.178.214
  4. Host D (slave3) - x.x.140.120

A RoadWarrior client (macOS, iPhone, Android, Win10/11) connects to the master host. Next, client traffic is routed randomly (in the near future I would like to implement this through load balancing, but first I need to figure out the basic settings) to one of the slave hosts. If any of the GRE tunnels to a slave host is dead, then exclude it from the general routing system. When accessing the network through a slave host, the client is given an IP address from the host to which it was routed.


Dedicated hosts configurations

Master-host (x.x.110.138)

/etc/sysctl.conf

net.ipv4.ip_forward = 1

/etc/netplan/01-grecfg.yaml

network:
  version: 2
  tunnels:
    tunToSlave1:
      mode: gre
      local: x.x.110.138
      remote: x.x.166.115
      addresses: [10.0.2.1/24]
      mtu: 1442
      ttl: 255
    tunToSlave2:
      mode: gre
      local: x.x.110.138
      remote: x.x.178.214
      addresses: [10.0.3.1/24]
      mtu: 1442
      ttl: 255
    tunToSlave3:
      mode: gre
      local: x.x.110.138
      remote: x.x.140.120
      addresses: [10.0.4.1/24]
      mtu: 1442
      ttl: 255

/etc/ipsec.conf

config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    strictcrlpolicy = yes

conn %default
    reauth = yes
    rekey = yes
    keyingtries = %forever
    keyexchange = ikev2
    dpdaction = restart
    dpddelay = 5s
    mobike = yes

conn tun-slave1
    left = %defaultroute
    right = x.x.166.115
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    auto = start

conn tun-slave2
    left = %defaultroute
    right = x.x.178.214
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    auto = start

conn tun-slave3
    left = %defaultroute
    right = x.x.140.120
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    auto = start

conn remote-mobile
    dpddelay = 30s
    left = %any
    leftid = @mydomain.com
    leftcert = cert.pem
    leftsendcert = always
    leftsubnet = 0.0.0.0/0,::/0
    right = %any
    rightid = %any
    rightauth = eap-radius
    rightsendcert = never
    eap_identity = %identity
    rightsourceip = 10.10.10.0/24
    rightdns = 8.8.8.8
    type = tunnel
    ike=aes128gcm16-sha2_256-prfsha256-ecp256!
    esp=aes128gcm16-sha2_256-ecp256!
    auto = add
    dpdaction = restart
    ikelifetime = 240m
    keylife = 60m

conn remote-pc
    ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
    ikelifetime=720m
    keylife=60m

Slave1-host (x.x.166.115)

/etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1

/etc/netplan/01-grecfg.yaml

network:
  version: 2
  tunnels:
    tunToMaster:
      mode: gre
      local: x.x.166.115
      remote: x.x.110.138
      addresses: [10.0.2.2/24]
      mtu: 1442
      ttl: 255

/etc/ipsec.conf

config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    strictcrlpolicy = yes

conn %default
    reauth = yes
    rekey = yes
    keyingtries = %forever
    keyexchange = ikev2
    dpdaction = restart
    dpddelay = 5s
    mobike = yes

conn gre-master
    left = %defaultroute
    right = x.x.110.138   # <- slave1 local ip
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    auto = add

Slave2-host (x.x.178.214)

/etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1

/etc/netplan/01-grecfg.yaml

network:
  version: 2
  tunnels:
    tunToMaster:
      mode: gre
      local: x.x.178.214
      remote: x.x.110.138
      addresses: [10.0.3.3/24]
      mtu: 1442
      ttl: 255

/etc/ipsec.conf

config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    strictcrlpolicy = yes

conn %default
    reauth = yes
    rekey = yes
    keyingtries = %forever
    keyexchange = ikev2
    dpdaction = restart
    dpddelay = 5s
    mobike = yes

conn gre-master
    left = %defaultroute
    right =   # <- slave2 local ip
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    auto = add

Slave3-host (x.x.140.120)

/etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1

/etc/netplan/01-grecfg.yaml

network:
  version: 2
  tunnels:
    tunToMaster:
      mode: gre
      local: x.x.140.120
      remote: x.x.110.138
      addresses: [10.0.4.4/24]
      mtu: 1442
      ttl: 255

/etc/ipsec.conf

config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    strictcrlpolicy = yes

conn %default
    reauth = yes
    rekey = yes
    keyingtries = %forever
    keyexchange = ikev2
    dpdaction = restart
    dpddelay = 5s
    mobike = yes

conn gre-master
    left = %defaultroute
    right = x.x.110.138   # <- slave3 local ip
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    auto = add

Questions

  1. How do I correctly determine the interface parameters for dynamic routing? In particular, I'm having trouble getting the networks/subnets set up correctly at the localhost level. I was able to achieve a working master->slave1 scheme with this guide, but with many hosts I have difficulties understanding it :(

  2. The issue of correctly defining networks/subnets is also open for the listed ipsec configurations: how do I correctly define the leftsubnet/rightsubnet parameters for each host in this interaction scheme, or can I leave just the %dynamic value?

  3. Is it redundant to use quagga for dynamic routing in this case?

  4. Is the interaction scheme of the set of hosts (master -> slaves) correctly defined for the previously described task? BTW, I tried to raise the tunnels from the slave hosts to the master host, but each subsequent tunnel overrides the previous one :\

  5. Are there any errors in the parameters of the interfaces and the general ipsec configs?

  6. What rules should I set for iptables within each host? I guess that on each of the three slave hosts it is necessary at least to designate the nat table rule for masquerading. Not so long ago I raised only 1 server with strongSwan on board and set up the following general rules:

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
    iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
    iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
    iptables -A INPUT -p icmp -j DROP
    iptables -A INPUT -j DROP
    iptables -A FORWARD -j DROP

I would really appreciate any help, explanations and useful information.

Cheers <3
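The "traffic stays on the master" symptom and questions 1 and 4 come down to one thing: the master has no route that sends the 10.10.10.0/24 pool into a GRE tunnel. The script below is an added example, not part of the question: it runs on the master, pings the far end of each tunnel (GRE has no handshake, so a dead peer does not take the interface down), and installs an equal-weight multipath route in a dedicated table for the pool, dropping dead peers. The tunnel names and addresses are the ones from the netplan files above; the table number 100 is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Master-host script: route the
# RoadWarrior pool over the live GRE tunnels and drop dead peers from the
# route. Assumes the tunnel names/addresses from the netplan files above,
# the 10.10.10.0/24 pool (rightsourceip) and a spare routing table, 100.
POOL="10.10.10.0/24"
TABLE=100
# "device:far-end" pairs; the far ends are the slaves' tunnel addresses.
PEERS="tunToSlave1:10.0.2.2 tunToSlave2:10.0.3.3 tunToSlave3:10.0.4.4"

# GRE is stateless, so the interface stays UP even when the peer is gone;
# a ping over the tunnel is the liveness check. Prints live pairs, one per line.
alive_peers() {
  for p in $PEERS; do
    dev=${p%%:*}; far=${p#*:}
    if ping -c 1 -W 1 -I "$dev" "$far" >/dev/null 2>&1; then
      echo "$p"
    fi
  done
}

# Build the "ip route replace" command for the given live pairs. Equal-weight
# nexthops give a per-flow spread (the kernel hashes flows across nexthops).
# With no live peer the pool is blackholed: an empty table 100 would fall
# through to the main table and send client traffic out of eth0 in the clear.
build_client_route() {
  if [ $# -eq 0 ]; then
    echo "ip route replace blackhole default table $TABLE"
    return 0
  fi
  cmd="ip route replace default table $TABLE"
  for p in "$@"; do
    cmd="$cmd nexthop via ${p#*:} dev ${p%%:*} weight 1"
  done
  echo "$cmd"
}

# Send pool traffic to table 100 (idempotent), then install the route.
apply_routing() {
  ip rule show | grep -q "from $POOL lookup $TABLE" ||
    ip rule add from "$POOL" lookup "$TABLE" priority 100
  # shellcheck disable=SC2046  (word-splitting the pairs is intended)
  eval "$(build_client_route $(alive_peers))"
}

# Run as "sh thisscript.sh apply" from a cron job or systemd timer.
if [ "${1:-}" = "apply" ]; then
  apply_routing
fi
```

Each slave still needs the return path and the exit NAT, e.g. on slave1 `ip route add 10.10.10.0/24 via 10.0.2.1 dev tunToMaster` plus `iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE`, so that replies re-enter the tunnel they came from instead of leaving the slave untranslated.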
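For question 6, the rules below are an added example for the master host, not part of the question or of strongSwan. The point they add to the poster's single-server rule set is that GRE is accepted only from a known slave address and only when the packet was just decapsulated from an IPsec transport SA (`-m policy --dir in --pol ipsec`), so nobody can inject cleartext GRE into the tunnel interfaces, and that raw ESP from the slaves is accepted explicitly (the single-server rules only opened UDP 500/4500). The slave addresses, the pool, the tunToSlave* interface names and eth0 are taken from the question; `--clamp-mss-to-pmtu` replaces the fixed MSS because the GRE path is shorter than the plain IPsec one.

```shell
#!/bin/sh
# Added example, not from the original post: print the iptables rules a master
# host needs for this scheme. Assumes the slave addresses and the 10.10.10.0/24
# pool from the question, tunnel interfaces named tunToSlave*, and eth0 as the
# public interface (as in the poster's own rules).
WAN=eth0
POOL="10.10.10.0/24"
SLAVES="x.x.166.115 x.x.178.214 x.x.140.120"   # placeholders as in the question

# One rule per line; review the output, then pipe it into sh.
master_rules() {
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"
  # IKE and NAT-T from anywhere: the road warriors have dynamic addresses.
  echo "iptables -A INPUT -i $WAN -p udp -m multiport --dports 500,4500 -j ACCEPT"
  # Raw ESP from the slaves (their transport-mode SAs carry the GRE packets).
  for s in $SLAVES; do
    echo "iptables -A INPUT -i $WAN -p esp -s $s -j ACCEPT"
  done
  # GRE has no handshake, so anyone could inject encapsulated packets: accept it
  # only from a known slave and only if it was just decapsulated from IPsec.
  for s in $SLAVES; do
    echo "iptables -A INPUT -p gre -s $s -m policy --dir in --pol ipsec --proto esp --mode transport -j ACCEPT"
  done
  # Client pool: in from the IKEv2 tunnel SA, out over any GRE tunnel, and back.
  echo "iptables -A FORWARD -s $POOL -m policy --dir in --pol ipsec --proto esp --mode tunnel -o tunToSlave+ -j ACCEPT"
  echo "iptables -A FORWARD -d $POOL -i tunToSlave+ -m policy --dir out --pol ipsec --proto esp --mode tunnel -j ACCEPT"
  # Clamp MSS to the GRE path so TCP inside GRE inside ESP is not fragmented.
  echo "iptables -t mangle -A FORWARD -o tunToSlave+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# Review guard: true only if every rule that accepts GRE also requires an
# IPsec policy match (no cleartext GRE slips through).
no_cleartext_gre() {
  ! master_rules | grep -- '-p gre' | grep -v -q -- '--pol ipsec'
}
```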
