[Swan] Routing between two different tunnels
Matt Hilt
matt.hilt at numerica.us
Thu Nov 15 23:04:46 UTC 2018
Hi all,
I'm trying to set up a (temporary) over-the-internet database replication process. I am using libreswan in two distinct ways:
"Mesh": The first method uses opportunistic IPSec to create a mesh of tunnels between hosts within an AWS VPC. I have this working well and each host can talk to each other over tunnels currently.
"S2S": The second method uses a subnet-to-subnet tunnel to connect a host in a data center to a host in the AWS VPC. The data center host is on a private subnet and talks through a firewall out to the internet. The AWS host has two interfaces, one public and one private. The private NIC is connected to the mesh network. The tunnel comes up and I can route traffic via my "VPN" gateways from other hosts in the subnets.
Problem: The issue I have is that I want the traffic coming out of the S2S tunnel to be forwarded through the mesh tunnel(s) to the remote endpoint(s); likewise I want traffic coming from members in the mesh subnet to use the mesh tunnels when trying to connect to hosts on the other side of the S2S tunnel. This does not seem to happen either automatically or via my best feeble attempts at forcing it via routing rules.
Questions:
* Is this actually a feasible/reasonable solution?
* Am I missing something critical in my configurations to make this happen?
* Any hints on magic routing settings or some term I can google for?
Thanks for looking.
======== ASCII Art of the Setup ========
|---------|
|10.1.1.10| DB host(s) A, B, C, etc
|---------|
|
|
|
|---------|
|10.1.0.20| "VPN" host X
|---------|
[|]
<router/firewall/public ip 1>
[|]
[|] Internet
[|] Encrypted via site-to-site (S2S) connection
[|]
<public ip 2>
|---------| "VPN" host Y
|10.2.0.30| <-- eth0
| |
|10.2.1.30| <-- eth1
|---------|
[|]
[|] AWS VPC
[|] Encrypted via opportunistic "mesh" connection
[|]
|---------|
|10.2.1.40| DB host(s) D, E, F, etc
|---------|
======== S2S Configuration on data center side ========
conn vpn
    left=10.1.0.20
    leftid=<public ip 1>
    leftsubnet=10.1.0.0/16
    leftrsasigkey=<a key>
    right=<public ip 2>
    rightsubnet=10.2.0.0/16
    rightrsasigkey=<another key>
    auto=start
======== S2S Configuration on AWS side ========
conn vpn
    left=<public ip 1>
    leftsubnet=10.1.0.0/16
    leftrsasigkey=<a key>
    right=10.2.0.30
    rightid=<public ip 2>
    rightsubnet=10.2.0.0/16
    rightrsasigkey=<another key>
    auto=start
======== Mesh Configuration ========
conn private
    leftauth=rsasig
    left=10.2.1.30
    leftid=%fromcert
    leftcert=<certificate name>
    rightauth=rsasig
    right=%opportunisticgroup
    rightid=%fromcert
    rightca=%same
    rightrsasigkey=%cert
    ikelifetime=30m
    salifetime=1h
    sha2-truncbug=no
    aggrmode=no
    type=tunnel
    ikev2=insist
    negotiationshunt=hold
    failureshunt=drop
    keyingtries=0
    retransmit-timeout=3s
    auto=ondemand
    priority=65535

conn clear
    type=passthrough
    left=%defaultroute
    right=%group
    auto=ondemand
    priority=100
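Added example (not from the post or from libreswan): a small selector-matching check that models the outbound IPsec policies the two configurations above would install on "VPN" host Y and asks which policy, if any, covers a packet that has left the S2S tunnel and is being forwarded toward a mesh host. The policy list and the instance names are assumptions derived from the conn definitions (opportunistic instances are host-to-host, so each is a /32 to /32 pair), not output captured from a real host.

```python
"""Model of host Y's outbound IPsec policy selectors (constructed)."""
from ipaddress import ip_address, ip_network

# Constructed from the post's conns: "vpn" is leftsubnet<->rightsubnet,
# each opportunistic "private" instance is /32<->/32 (names are invented).
HOST_Y_POLICIES = [
    {"conn": "vpn",               "src": "10.2.0.0/16",  "dst": "10.1.0.0/16"},
    {"conn": "private#10.2.1.40", "src": "10.2.1.30/32", "dst": "10.2.1.40/32"},
    {"conn": "private#10.2.1.41", "src": "10.2.1.30/32", "dst": "10.2.1.41/32"},
]


def matching_policies(policies, src, dst):
    """Conn names whose src/dst selectors both cover the packet,
    most specific (longest combined prefix) first."""
    src, dst = ip_address(src), ip_address(dst)
    hits = []
    for p in policies:
        s, d = ip_network(p["src"]), ip_network(p["dst"])
        if src in s and dst in d:
            hits.append((s.prefixlen + d.prefixlen, p["conn"]))
    return [name for _, name in sorted(hits, reverse=True)]


def forwarded_path(policies, src, dst):
    """How host Y would treat a forwarded packet: the covering conn name,
    or 'cleartext' when no selector matches (no tunnel is used at all)."""
    hits = matching_policies(policies, src, dst)
    return hits[0] if hits else "cleartext"


if __name__ == "__main__":
    # Y's own traffic to mesh host D: covered by the opportunistic instance.
    print(forwarded_path(HOST_Y_POLICIES, "10.2.1.30", "10.2.1.40"))
    # Packet from data-center DB host A, decapsulated from the S2S tunnel and
    # forwarded to D: the /32 mesh selectors do not cover src 10.1.1.10.
    print(forwarded_path(HOST_Y_POLICIES, "10.1.1.10", "10.2.1.40"))
    # Reply from D to A, leaving Y: the S2S selectors cover it.
    print(forwarded_path(HOST_Y_POLICIES, "10.2.1.40", "10.1.1.10"))
```

The point the model makes is that the forwarded S2S traffic falls outside the mesh selectors, so on the VPC segment it would travel in the clear rather than through a mesh tunnel; on the real host, compare against the selectors printed by `ip xfrm policy` or `ipsec status`.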