VPN between two offices using Strongswan, how to implement?

M

Maxim Legenchenko2018-11-20 07:19:45

VPN

Maxim Legenchenko, 2018-11-20 07:19:45

Hello.
There are two offices. I need to connect them via a VPN channel, but not directly. StrongSwan deployed on a VPS with Ubuntu Server should act as an intermediary.
- In office A we have OPNSense (the same PFSense) with white IP xxxx local network 192.168.0.0/24
- In office B we have mikrotik (latest firmware 6.43.4) with white IP yyyy local network 192.168.88.0/24
- And there is a VPS with a white IP zzzz and installed Ubuntu Server in which StrongSwan is deployed. Since the VPS has only one physical adapter eth0 on which the external IP address, I added the virtual network adapter eth0: 1 with IP 192.168.100.1/24 to the network config file.
The network diagram should be as follows:
OPNSense <======> VPS StrongSwan <========> Mikrotik
The networks behind OPNSense and Mikrotik need to see each other.
The essence of the problem is that the StronSwan <=> Mikrotik connection rose, SA was established, there was a ping from the VPS to the Mikrotik and the machines behind the Mikrotik, and in the opposite direction it did NOT go from the Mikrotik, but from the machines. After I added a route to the VPS network on Mikrotik, the pings went in both directions and the trace was successful. Why were the routes not created automatically?
But with the OPNSense <=> StronSwan connection, it's more complicated. The tunnel goes up in status and OPNSense and StronSwan shows that everything is fine, BUT the ping from StronSwan to OPNSense and the machines behind it goes, but there is no trace. There is no ping in the opposite direction, no tracing from OPNSense itself to StronSwan. But the machines behind OPNSense successfully both ping and trace to StrongSwan. As I know, routes should be created by themselves, why are they not created and what routes should I prescribe in order for everything to work?
Help I've been struggling for a week now and without success.
And the networks behind Micropotik and OPNSense do not see each other at all. What is tedious to register on StongSwane so that everything would work?
There are a lot of listings to throw, so ask what you need to see and I'll show you.

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

A

athacker, 2018-11-20
@athacker

Strictly speaking, routes as such are not visible in IPsec. Everything is described in SA. That is, by calling ip route print on a micro or netstat -rn on opnSense, you will not see the routes.
For IPsec, the determination of what to wrap in the tunnel and what to simply route (past the tunnel) is based on the leftsubnet / rightsubnet settings (this is in terms of StrongSwan, it is called differently in other packages).
Well and apart from a question - would not recommend to you to build IPsec on mikrotah. Tunnels often hang.

M

Maxim Legenchenko, 2018-11-22
@MaksytL

Then it turns out that in order to route traffic normally, do I need to raise gre and encrypt it simply with IPSec? Right?

D

Dmitry, 2019-02-24
@hempy80

Why is it necessary to build a tunnel through an intermediate server? You have white addresses at all ends. It is easier, safer and more reliable to do "each with each". If you can’t do without an intermediate server, then GRE or IPIP tunnels + IPSec (in transport mode) are better - tunnel interfaces will appear, and therefore the ability to configure routing in the usual way