
I have two sites: MAIN (local subnet 192.168.0.0/24, external IP: M.M.M.M) and CLIENT (10.0.0.0/24, external IP: C.C.C.C). I created an IPSec tunnel between the sites and both sites can ping computers in both subnets. So far so good.

# ipsec status
Security Associations (1 up, 0 connecting):
tunnel[1]: ESTABLISHED 7 minutes ago, 10.0.0.15[C.C.C.C]...M.M.M.M[M.M.M.M]
tunnel{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7e6cd30_i ca170c58_o
tunnel{1}:   10.0.0.0/24 === 192.168.0.0/24

MAIN's external IP address is whitelisted by some resources on the internet (they can only be accessed from MAIN's address). I would like to configure the routing in a way that these resources are accessed by CLIENT's site through that tunnel and MAIN's gateway.

I would normally try doing this by configuring static routing and NAT. The problem here is that I do not have an interface that I can use for defining the routes. If I had a VPN server at the MAIN site and a VPN client at the CLIENT site, then the VPN client would have some tun interface that I could use to configure what I need.

Can I achieve the same by having an IPSec tunnel between the two sites?

EDIT

More details follow:

So the connection looks like this:

192.168.0.0/24 --- 192.168.0.1/M.M.M.M --- C.C.C.C/10.0.0.1 --- 10.0.0.0/24
(Main subnet)         (Main router)        (Client router)      (Client subnet)

192.168.0.1/M.M.M.M - Ubiquiti router

C.C.C.C/10.0.0.1 - simple router with some ports forwarded to 10.0.0.15

10.0.0.15 - Ubuntu machine in client subnet with IPSec tunnel to 192.168.0.1

The tunnel works. Both sites can ping each other's gateways and other machines in the network.

What I now want to achieve is routing packets to particular external IP addresses from 10.0.0.15 through 192.168.0.1.

Michal B.

4 Answers


I upvote this interesting post. I have a similar problem. Normally ipsec manages the main route via the file ipsec.conf and the directives leftsubnet=10.0.0.0/8 and rightsubnet=192.168.0.0/16. So for the main route it's simple. Don't forget sysctl for making your Linux kernel act as a router (ip_forward), and to SNAT what you should or not (for services and WAN access). Secondly, effectively, this main route doesn't appear with an "ip route" command because ipsec doesn't bring up any interface like eth0 or enp1s0 etc. But the route does exist. Look at the route table with this command: "ip route list table all". Route table n° 220 will show your ipsec route that the simple "ip route" command doesn't show.
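Both the `ipsec status` selectors in the question and this answer's point that the tunnel route lives in table 220 rather than in plain `ip route` can be replayed offline. The bash script below is an added example, not code from the question or from any answer; the `ip rule`, `ip route list table all` and `ipsec status` lines inside it are constructed to match the topology in the question (10.0.0.15 with gateway 10.0.0.1), and the table-220 layout assumes strongSwan's default behaviour of installing its routes in table 220 behind an `ip rule` of priority 220:

```shell
#!/usr/bin/env bash
# Added example; not code from the question or from any answer on this page.
# Replays two things on CONSTRUCTED command output for the Ubuntu IPsec host
# 10.0.0.15 (gateway 10.0.0.1):
#   1. the policy-routing lookup (ip rule order, then longest-prefix match in
#      each table): strongSwan's route to 192.168.0.0/24 is missing from plain
#      `ip route` because it sits in table 220, yet it still beats the main table;
#   2. the traffic selectors from `ipsec status`, which decide whether a packet
#      is ESP-encapsulated at all: a static route pointing a public IP at
#      10.0.0.15 does nothing if that IP lies outside the selector.
# Only "from all" rules are modelled; real rules may carry more selectors.

RULES='0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default'   # constructed `ip rule show`

ROUTES='default via 10.0.0.1 dev eth0 proto static
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.15
192.168.0.0/24 via 10.0.0.1 dev eth0 table 220 proto static src 10.0.0.15
local 10.0.0.15 dev eth0 table local proto kernel scope host src 10.0.0.15
broadcast 10.0.0.255 dev eth0 table local proto kernel scope link src 10.0.0.15'   # constructed `ip route list table all`

TS_LINE='tunnel{1}:   10.0.0.0/24 === 192.168.0.0/24'   # selector line as printed in the question

# Dotted quad -> 32-bit integer.
ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

# Prefix length of a destination field: "default" = 0, bare host = 32, else /bits.
pfx_len() { case $1 in default) echo 0 ;; */*) echo "${1#*/}" ;; *) echo 32 ;; esac; }

# Succeeds when dotted IP $1 falls inside destination $2.
in_prefix() {
  local ip=$1 dst=$2 bits mask
  bits=$(pfx_len "$dst")
  [ "$bits" -eq 0 ] && return 0
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "${dst%/*}") & mask )) ]
}

# Table a route line belongs to: the word after "table", otherwise main.
route_table() {
  local w prev=
  for w in $1; do [ "$prev" = table ] && { echo "$w"; return; }; prev=$w; done
  echo main
}

# Destination field of a route line, skipping the type word of local/broadcast routes.
route_dst() {
  set -- $1
  case $1 in local|broadcast|unreachable|prohibit|blackhole) shift ;; esac
  echo "$1"
}

# Longest-prefix match for $2 inside table $1; prints the winning route line.
lookup_table() {
  local table=$1 ip=$2 line dst len best= bestlen=-1
  while IFS= read -r line; do
    [ "$(route_table "$line")" = "$table" ] || continue
    dst=$(route_dst "$line")
    in_prefix "$ip" "$dst" || continue
    len=$(pfx_len "$dst")
    [ "$len" -gt "$bestlen" ] && { best=$line; bestlen=$len; }
  done <<< "$ROUTES"
  [ -n "$best" ] && echo "$best"
}

# Full lookup: walk rules by priority, stop at the first table with a match.
# Prints "<table> <route line>" so you can see which table answered.
route_lookup() {
  local ip=$1 prio kw1 sel kw2 table hit
  while read -r prio kw1 sel kw2 table; do
    [ -n "$table" ] || continue
    hit=$(lookup_table "$table" "$ip") || continue
    echo "$table $hit"; return 0
  done <<< "$RULES"
  return 1
}

# Succeeds when a packet src -> dst matches the tunnel's traffic selectors.
ts_covers() {
  local src=$1 dst=$2
  set -- $TS_LINE                     # tunnel{1}: 10.0.0.0/24 === 192.168.0.0/24
  in_prefix "$src" "$2" && in_prefix "$dst" "$4"
}

# Stand-alone demo.
route_lookup 192.168.0.20    # answered by table 220
route_lookup 8.8.8.8         # answered by main's default route: not tunnelled
ts_covers 10.0.0.22 24.25.26.27 || echo "24.25.26.27 is outside the tunnel's selectors"
```

Running it shows 192.168.0.20 being resolved from table 220 while 8.8.8.8 falls through to the main table's default route, and `ts_covers` shows that a packet to 24.25.26.27 does not match `10.0.0.0/24 === 192.168.0.0/24`. That is the check to run before adding host routes on the client PCs: unless the selectors on both ends include the whitelisted destination (and the MAIN side source-NATs it to M.M.M.M), a route pointing that IP at 10.0.0.15 only delivers the packet to a host that will forward it out of its own default route, unencrypted.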


So considering the topology I would pick the first option, simply adding a static route in client machines into 10.0.0.0/24. If the remote resources aren't in the same IP range, you would need to add one route per resource.

For example, on a Windows machine, resource 1 (say 10.11.12.13):

route add 10.11.12.13 mask 255.255.255.255 10.0.0.15 -p

Resource 2 (say 24.25.26.27):

route add 24.25.26.27 mask 255.255.255.255 10.0.0.15 -p

Then repeat the same thing into 10.0.0.15, but this time targeting 192.168.0.1.

See here for adding persistent routes in Linux (ubuntu).

I understand this approach is pretty granular and not suitable for high scale networks but it should work pretty well for small home/office use.

As an alternative, a dedicated NAT gateway would be more effective if you want to proxy all the traffic, not only the traffic to whitelisted resources.

A last alternative as far as I know would be to build an OpenVPN server (instead of IPSec) in 192.168.0.0/24 which will proxy all traffic by default. Excellent tutorial here.

Let me know if you have any questions.

Notauser

I am by no means a network specialist, but this sounds like a forced tunneling scenario relating to enterprises wanting to control internet user traffic on managed remote clients via their proxy. In a general approach you might add a static/default route for all internet bound traffic on the client router to be forwarded through the tunnel to your main router, which implies a Site-to-Site VPN tunnel. In your Point-to-Site VPN case I don't see another way than adding a specific route into local client routing table with the public IP as destination with the next hop being the internal IP of the main router.


So it sounds like what's left is to do Source NAT translation since you are able to control your side of the network interface vs theirs. But there is a new extension I didn't really know about till now called NETMAP that I believe is a better fit for what you want:

For reference: https://netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html#ss6.1 is the SNAT section, and https://netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-4.html#ss4.4 is the NETMAP extension.

109569 is relatable.