trenikiVshtaniki, 2021-02-23 13:44:00

How do I configure routing between two IPsec connections?

The task is to chain a VPN connection through an intermediate server (client -> server A -> server B -> internet).
I set up the VPN following this DigitalOcean guide: https://www.digitalocean.com/community/tutorials/h... (link truncated in the original).

The resulting configuration:

ipsec.conf server_A

config setup
    # NOTE(review): no global options are set here, so strongSwan defaults
    # apply (in particular uniqueids=yes: a new IKE SA from the same identity
    # replaces the old one).

# Road-warrior IKEv2 endpoint that the end client connects to.  Server A
# authenticates with its certificate; clients authenticate with a
# username/password over EAP-MSCHAPv2.
conn client-tunnel
    # Load the conn and wait for clients to initiate.
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    # Fragment large IKE messages (e.g. certificate payloads) at the IKE layer.
    fragmentation=yes
    # Always UDP-encapsulate ESP on port 4500, even when no NAT is detected.
    forceencaps=yes
    # Dead-peer detection every 300 s; a dead peer's SA is torn down (clear)
    # rather than re-established.
    dpdaction=clear
    dpddelay=300s
    # The server never initiates rekeying; the client is expected to.
    rekey=no
    left=%any
    # NOTE(review): the next line looks garbled by the page's e-mail
    # obfuscation; the intended value is presumably leftid=@SERVER_A_DOMAIN_NAME
    # (a leading '@' marks an FQDN identity that is not resolved).  Verify it
    # against the guide and the certificate's subjectAltName.
    [email protected]_A_DOMAIN_NAME
    leftcert=server-cert.pem
    leftsendcert=always
    # Full-tunnel: every packet from the client is covered by this SA.
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    # Password authentication.  MSCHAPv2 is only as safe as the client's
    # check of the server certificate: a client that accepts any certificate
    # hands its challenge/response to a rogue server, and MSCHAPv2 responses
    # can be cracked offline.  Make clients pin the issuing CA.
    rightauth=eap-mschapv2
    # Virtual-IP pool handed to clients (10.10.10.0/24 is RFC 1918 space).
    rightsourceip=10.10.10.0/24
    rightdns=1.1.1.1
    rightsendcert=never
    # Use the EAP identity (username) to look up the client's secret.
    eap_identity=%identity
    # The trailing '!' makes the proposal list strict.  The last three IKE
    # proposals (SHA-1, 1024-bit MODP group 2, 3DES) and the SHA-1/3DES ESP
    # proposals are well below current recommendations and are presumably
    # kept for legacy clients; any peer may offer only those, so drop them
    # once no such client remains.
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

# Outbound leg: server A acts as a road-warrior client of server B so that
# traffic can be chained client -> A -> B -> internet.
conn tunnel-to-second
    right=SERVER_B_DOMAIN_NAME
    rightid=SERVER_B_DOMAIN_NAME
    # Send everything to B.  Whether a packet enters this tunnel is decided by
    # the xfrm policy strongSwan installs, not by the normal routing table.
    rightsubnet=0.0.0.0/0
    # B authenticates with its certificate.  This only means something if B's
    # CA certificate is installed on A (e.g. /etc/ipsec.d/cacerts, not shown
    # here) so that the chain is actually verified.
    rightauth=pubkey
    # Request a virtual IP from B's pool.  With no leftsubnet set, that single
    # address presumably becomes the local traffic selector, i.e. the policy is
    # "src <virtual IP> dst 0.0.0.0/0"; packets forwarded from the client
    # pool 10.10.10.0/24 carry a different source and may therefore not match
    # it.  Check `ip xfrm policy` to see which source range is covered.
    leftsourceip=%config
    # EAP username on B; the matching password is expected in ipsec.secrets.
    leftid=twerker
    leftauth=eap-mschapv2
    eap_identity=%identity
    # NOTE(review): no ike=/esp=/keyexchange= here, so strongSwan's defaults
    # are used for this leg unless a "conn %default" section exists elsewhere;
    # sibling conns do not inherit from each other.
    # Bring the tunnel up when the daemon starts.
    auto=start



/etc/ufw/before.rules server_A

*nat
# Packets from the client pool that will be protected by an outbound IPsec
# policy leave the chain untouched (ACCEPT ends nat processing) so they keep
# their VPN source address; everything else from the pool is masqueraded to
# eth0's address.
# NOTE(review): for the chained setup, whether a forwarded client packet
# matches the tunnel-to-second policy (and thus the first rule) depends on
# the source address at policy-lookup time; compare `ip xfrm policy` with
# the addresses these rules produce.
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT

*mangle
# Clamp the TCP MSS on forwarded SYNs that arrived through IPsec from the
# client pool, so the ESP/UDP overhead does not push segments over the path
# MTU (only MSS values in 1361..1536 are rewritten, to 1360).
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT

Appended after the `*filter` line:

# Forwarding is allowed only for packets that entered through an IPsec SA
# with a client-pool source, and for packets to the pool that will leave
# through an IPsec SA.  A plain-text packet that merely claims a
# 10.10.10.0/24 source does not match the policy check and is not accepted here.
-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT



ipsec.conf server_B

config setup
    # Log IKE and kernel-interface events at level 1, config handling at 0.
    charondebug="ike 1, knl 1, cfg 0"
    # Allow several concurrent IKE SAs for the same identity instead of
    # replacing the older one.  Useful when one username connects from more
    # than one place, but a leaked password can then be used in parallel
    # without kicking the legitimate session off.
    uniqueids=no

# Road-warrior IKEv2 endpoint on server B.  Server B authenticates with its
# certificate; peers (including server A's tunnel-to-second) authenticate
# with a username/password over EAP-MSCHAPv2.
conn ikev2-vpn
    # Load the conn and wait for peers to initiate.
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    # Fragment large IKE messages (e.g. certificate payloads) at the IKE layer.
    fragmentation=yes
    # Always UDP-encapsulate ESP on port 4500, even when no NAT is detected.
    forceencaps=yes
    # Dead-peer detection every 300 s; a dead peer's SA is torn down (clear)
    # rather than re-established.
    dpdaction=clear
    dpddelay=300s
    # The server never initiates rekeying; the peer is expected to.
    rekey=no
    left=%any
    # NOTE(review): the next line looks garbled by the page's e-mail
    # obfuscation; the intended value is presumably leftid=@SERVER_B_DOMAIN_NAME
    # (a leading '@' marks an FQDN identity that is not resolved).  Verify it
    # against the guide and the certificate's subjectAltName.
    [email protected]_B_DOMAIN_NAME
    leftcert=server-cert.pem
    leftsendcert=always
    # Full-tunnel: every packet from the peer is covered by this SA.
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    # Password authentication; see the client-side caveat: peers must verify
    # B's certificate, otherwise a rogue responder can harvest MSCHAPv2
    # challenge/response pairs for offline cracking.
    rightauth=eap-mschapv2
    # NOTE(review): 11.0.0.0/8 is publicly routed address space, not an
    # RFC 1918 range.  Using it as a virtual-IP pool shadows real 11.x
    # destinations for every peer; prefer a private range (10.x, 172.16.x,
    # 192.168.x) that does not overlap server A's 10.10.10.0/24.
    rightsourceip=11.11.11.0/24
    rightdns=1.1.1.1
    rightsendcert=never
    # Use the EAP identity (username) to look up the peer's secret.
    eap_identity=%identity
    # Strict proposal list ('!').  The SHA-1 / 1024-bit MODP / 3DES proposals
    # at the end are below current recommendations and presumably kept for
    # legacy clients; here the only known peer is server A, which can use
    # the strong ones, so they can likely be dropped.
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!



/etc/ufw/before.rules server_B

*nat
# Packets from the virtual-IP pool that will be protected by an outbound
# IPsec policy are left alone (ACCEPT ends nat processing); everything else
# from the pool is masqueraded to eth0's address before reaching the internet.
-A POSTROUTING -s 11.11.11.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 11.11.11.0/24 -o eth0 -j MASQUERADE
COMMIT

*mangle
# Clamp the TCP MSS on forwarded SYNs that arrived through IPsec from the
# pool, so the ESP/UDP overhead does not push segments over the path MTU
# (only MSS values in 1361..1536 are rewritten, to 1360).
-A FORWARD --match policy --pol ipsec --dir in -s 11.11.11.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT

Appended after the `*filter` line:

# Forward only packets that entered through an IPsec SA with a pool source,
# and packets to the pool that will leave through an IPsec SA; clear-text
# packets spoofing an 11.11.11.0/24 source fail the policy match.
-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 11.11.11.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 11.11.11.0/24 -j ACCEPT



As a result, the configuration behaves like this:
Server A connects to server B normally (`ipsec up tunnel-to-second`; afterwards `curl ident.me` on server A returns server B's public IP).
The client connects to server A normally, but `curl` from the client shows server B's IP, i.e. the traffic enters the second VPN tunnel.

What is the correct way to route all of the client's traffic through server A to server B?

CityCat4, 2021-02-24
@CityCat4

Look at which policies were actually generated: routing in IPsec is driven entirely by the IPsec (xfrm) policies, not by the routing table. What does `ip xfrm policy list` show?
