[Swan] Routing between two different tunnels

Matt Hilt matt.hilt at numerica.us
Thu Nov 15 23:04:46 UTC 2018


Hi all,


I'm trying to set up a (temporary) over-the-internet database replication process. I am using libreswan in two distinct ways:

  "Mesh":  The first method uses opportunistic IPsec to create a mesh of tunnels between hosts within an AWS VPC. I have this working well, and each host can currently talk to each other over tunnels.

  "S2S": The second method uses a subnet-to-subnet tunnel to connect a host in a data center to a host in the AWS VPC.  The data center host is on a private subnet and talks through a firewall out to the internet.  The AWS host has two interfaces, one public and one private.  The private NIC is connected to the mesh network.  The tunnel comes up and I can route traffic via my "VPN" gateways from other hosts in the subnets.

Problem: The issue I have is that I want the traffic coming out of the S2S tunnel to be forwarded through the mesh tunnel(s) to the remote endpoint(s); likewise, I want traffic coming from members in the mesh subnet to use the mesh tunnels when trying to connect to hosts on the other side of the S2S tunnel. This does not seem to happen either automatically or via my best feeble attempts at forcing it via routing rules.

Questions:
  * Is this actually a feasible/reasonable solution?
  * Am I missing something critical in my configurations to make this happen?
  * Any hints on magic routing settings or some term I can google for?

Thanks for looking.


======== ASCII Art of the Setup ========

|---------|
|10.1.1.10|  DB host(s) A, B, C, etc
|---------|
     |
     |
     |
|---------|
|10.1.0.20|  "VPN" host X
|---------|
    [|]
<router/firewall/public ip 1>
    [|]
    [|]   Internet
    [|]   Encrypted via site-to-site (S2S) connection
    [|]
<public ip 2>
|---------| "VPN" host Y
|10.2.0.30| <-- eth0
|         |
|10.2.1.30| <-- eth1
|---------|
    [|]
    [|]   AWS VPC
    [|]   Encrypted via opportunistic "mesh" connection
    [|]
|---------|
|10.2.1.40|  DB host(s) D, E, F, etc
|---------|


======== S2S Configuration on data center side ========
conn vpn
     left=10.1.0.20              # host X: private address behind the data-center firewall
     leftid=<public ip 1>        # identity is the firewall's public address, not 10.1.0.20
     leftsubnet=10.1.0.0/16      # whole data-center range is carried by this tunnel
     leftrsasigkey=<a key>
     right=<public ip 2>         # host Y's public side (eth0)
     rightsubnet=10.2.0.0/16     # covers both of Y's interfaces and the mesh hosts
     rightrsasigkey=<another key>
     auto=start

======== S2S Configuration on AWS side ========
conn vpn
     left=<public ip 1>          # data-center firewall, as seen from the internet
     leftsubnet=10.1.0.0/16
     leftrsasigkey=<a key>
     right=10.2.0.30             # host Y, eth0 (private address of the public NIC)
     rightid=<public ip 2>
     rightsubnet=10.2.0.0/16
     rightrsasigkey=<another key>
     auto=start

======== Mesh Configuration ========
conn private
    leftauth=rsasig
    left=10.2.1.30              # host Y, eth1 (mesh side); no leftsubnet, so the local
                                # selector is this host's own address only
    leftid=%fromcert
    leftcert=<certificate name>
    rightauth=rsasig
    right=%opportunisticgroup   # peers are the CIDRs listed in the OE group file
    rightid=%fromcert
    rightca=%same
    rightrsasigkey=%cert
    ikelifetime=30m
    salifetime=1h
    sha2-truncbug=no
    aggrmode=no
    type=tunnel
    ikev2=insist
    negotiationshunt=hold       # hold packets while IKE runs
    failureshunt=drop           # never fall back to cleartext if negotiation fails
    keyingtries=0
    retransmit-timeout=3s
    auto=ondemand               # install trap policies; negotiate on the first packet
    priority=65535

conn clear
    type=passthrough            # listed peers are reached in the clear, no IPsec
    left=%defaultroute
    right=%group
    auto=ondemand
    priority=100                # lower value wins over "private" for overlapping peers



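The following is an added example, not part of the post or of libreswan: it models the kernel's outbound IPsec policy (SPD) lookup on "VPN" host Y with the selectors the posted conns install, to show why a packet that arrives over the S2S tunnel is not carried by the mesh tunnels. The mesh conn has no leftsubnet, so its local selector is Y's own address (10.2.1.30/32); a forwarded packet with a data-center source address matches neither that nor the S2S selector and leaves eth1 in plaintext. The group CIDR 10.2.1.0/24, the numeric priorities and the "dc-to-D" policy are assumptions made for illustration.

```python
"""Model of Linux XFRM outbound policy (SPD) matching on "VPN" host Y.

Added example, not from the post. Addresses come from the post's diagram;
the mesh group CIDR 10.2.1.0/24, the priorities and the extra "dc-to-D"
policy are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Policy:
    name: str
    src: Net
    dst: Net
    action: str    # "ipsec", "trap" (acquire, then ipsec), "clear" or "drop"
    priority: int  # XFRM semantics: the lowest value wins among matches


def match(policies, src, dst):
    """Winning outbound policy for a src->dst packet, or None.
    No matching policy means the kernel sends the packet in plaintext.
    Ties on priority are broken by the most specific selector pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies if s in p.src and d in p.dst]
    if not hits:
        return None
    return min(hits, key=lambda p: (p.priority, -(p.src.prefixlen + p.dst.prefixlen)))


def disposition(policies, src, dst):
    p = match(policies, src, dst)
    return "plaintext" if p is None else f"{p.action} via {p.name}"


# Outbound policies on host Y, derived from the posted conns (priorities assumed).
S2S = Policy("vpn", Net("10.2.0.0/16"), Net("10.1.0.0/16"), "ipsec", 1000)
# OE "private": no leftsubnet, so local selector is Y's own address; the group
# CIDR is the assumed contents of the OE policy file, and a negotiated peer
# gets its own /32 policy.
MESH_TRAP = Policy("private (group)", Net("10.2.1.30/32"), Net("10.2.1.0/24"), "trap", 65535)
MESH_D = Policy("private (to D)", Net("10.2.1.30/32"), Net("10.2.1.40/32"), "ipsec", 65535)
HOST_Y = [S2S, MESH_TRAP, MESH_D]

# Hypothetical extra policy: what an explicit conn on Y with
# leftsubnet=10.1.0.0/16 and rightsubnet=10.2.1.40/32 would install.
FWD = Policy("dc-to-D", Net("10.1.0.0/16"), Net("10.2.1.40/32"), "ipsec", 1000)
HOST_Y_WITH_FWD = HOST_Y + [FWD]

# Constructed packets: Y's own traffic in both directions, and a packet from
# data-center host A that came out of the S2S tunnel and is forwarded to D.
CASES = {
    "Y -> DC host A":        ("10.2.1.30", "10.1.1.10"),
    "Y -> mesh host D":      ("10.2.1.30", "10.2.1.40"),
    "DC host A -> mesh host D (forwarded)": ("10.1.1.10", "10.2.1.40"),
}


def report(policies):
    """Disposition of every constructed packet under the given SPD."""
    return {label: disposition(policies, s, d) for label, (s, d) in CASES.items()}


if __name__ == "__main__":
    for title, spd in (("as posted", HOST_Y), ("with dc-to-D policy", HOST_Y_WITH_FWD)):
        print(f"--- host Y, {title} ---")
        for label, result in report(spd).items():
            print(f"{label:40s} {result}")
```

Compare the model with `ip xfrm policy` on host Y: the forwarded packet's source address appears in no `out` selector, which is why no routing rule can push it into the mesh tunnels. Whatever selector change is used, the return path still needs attention: host D must route 10.1.0.0/16 back to Y's eth1, and D's own policies must cover that source as well, or replies never re-enter either tunnel.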