Route one VLAN through remote host over IPsec

Hi,

I need help with VPN configuration, I tried everything I found online but nothing seems to fit my scenario.

Let's assume my network looks like the one below*:

[Screenshot 2021-11-16 at 21.32.16: network diagram, not reproduced here]
On the VPS I'm running a strongSwan server with the following config:

conn myvps
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=49.231.43.11
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=10.99.0.0/24
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    rightsubnet=192.168.0.0/16
    eap_identity=%identity
    ike=aes256-sha256-modp1024
    esp=aes256-sha256

I also added a dummy interface on the VPS, because it only had a public-facing interface.

# /etc/systemd/network/10-dummy0.netdev
[NetDev]
Name=dummy0
Kind=dummy


# /etc/systemd/network/11-dummy0.network
[Match]
Name=dummy0

[Network]
Address=10.99.0.1/24

My home router (hAP ac²) config:

/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=myvps
/ip ipsec peer
add address=49.231.43.11/32 exchange-mode=ike2 name=myvps profile=myvps
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=myvps pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="myvps CA" eap-methods=eap-mschapv2 peer=myvps username=kblazewicz
/ip ipsec policy
add dst-address=10.99.0.0/24 peer=myvps proposal=myvps src-address=192.168.0.0/16 tunnel=yes

/ip firewall raw
add action=notrack chain=prerouting comment="disable tracking of packets from LAN to IPSEC" dst-address=10.99.0.0/24 src-address=192.168.0.0/16
add action=notrack chain=prerouting comment="disable tracking of packets from IPSEC to LAN" dst-address=192.168.0.0/16 src-address=10.99.0.0/24

/ip firewall nat
add action=accept chain=srcnat comment="passthrough packets to IPSEC tunnel" dst-address=10.99.0.0/24 src-address=192.168.0.0/16

I can access the VPS at 10.99.0.1 from any computer in my network, and I can also reach any host in my home network from the VPS. I use it to expose local services to the Internet because my ISP put me behind NAT.

What I’d like to have is:

  • the 192.168.10.0/24 network has to be connected with VPS as site-to-site tunnel as it is now
  • all Internet traffic from 192.168.20.0/24 must be routed via VPS

Is it even possible without making two tunnels?

I tried marking packets and adding a static route. It doesn't work, because 10.99.0.1 is unreachable.

/ip firewall mangle
add action=mark-routing chain=prerouting comment="mark packets to be routed through IPSEC" new-routing-mark=myvps passthrough=yes src-address=192.168.20.0/24
/ip route
add disabled=yes distance=1 gateway=10.99.0.1 routing-mark=myvps

I imagine adding a GRE or IP tunnel on top of the IPsec tunnel would allow routing, right? But could I avoid the extra overhead? Also, from what I understand, IPsec in tunnel mode is actually using an IP tunnel underneath, and I cannot use transport mode because I'm behind NAT, am I right? Wouldn't VTI (requested since 2012: Feature Request: IPSEC Improvements) solve my issue?


* This is of course a simplified view; I've also made up all public addresses, so please don't bother verifying them.
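The setup in the post is policy-based IPsec. In tunnel mode there is no tunnel interface on either end: the kernel's SPD selectors (the MikroTik `/ip ipsec policy` entries and strongSwan's leftsubnet/rightsubnet traffic selectors) pick packets up after normal routing has already happened, which is why a routing mark or a static route towards 10.99.0.1 has nothing to point at. Sending a second VLAN's Internet traffic through the same peer therefore means negotiating a second CHILD_SA with a 0.0.0.0/0 selector inside the existing IKE_SA, not a second tunnel and not a GRE/VTI layer. The configuration below is an added example, not from the original post or any reply to it. It keeps the poster's names (conn `myvps`, peer/proposal `myvps`, subnets 192.168.10.0/24 and 192.168.20.0/24, VPS address 49.231.43.11) and assumes two things the post does not state: that the VPS's public interface is `eth0`, and that the router's srcnat chain already has a masquerade rule for the ISP uplink. IKE/ESP algorithms are left exactly as posted; modp1024 is below current recommendations, but that is independent of the routing question.

```conf
# ---- VPS: /etc/ipsec.conf (strongSwan) ----
# Widening leftsubnet to 0.0.0.0/0 lets the responder narrow each CHILD_SA to
# whatever the router proposes. The existing 192.168.0.0/16 <-> 10.99.0.0/24
# child keeps working (strongSwan narrows it to 10.99.0.0/24), and a second
# child 192.168.20.0/24 <-> 0.0.0.0/0 can be negotiated on the same IKE_SA.
# Note: any identity that passes EAP on this conn may now request a 0/0
# child and use the VPS as an Internet exit; fine for a single own user.
conn myvps
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=49.231.43.11
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0         # was 10.99.0.0/24; narrowed per child
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsendcert=never
    rightsubnet=192.168.0.0/16
    eap_identity=%identity
    ike=aes256-sha256-modp1024   # as posted; modp2048 or stronger preferred
    esp=aes256-sha256

# ---- VPS: shell, forwarding and NAT (assumption: public interface is eth0) ----
sysctl -w net.ipv4.ip_forward=1
# Packets about to be IPsec-encapsulated (VPS replies towards the home LANs)
# must not be masqueraded, or their source no longer matches the child's
# traffic selector. This rule has to sit in front of the MASQUERADE rule.
iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -o eth0 -j MASQUERADE
# Forward only traffic that actually arrived decrypted from the tunnel.
iptables -A FORWARD -s 192.168.20.0/24 -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -d 192.168.20.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ---- hAP ac2: RouterOS terminal ----
/ip ipsec policy
# The existing 192.168.0.0/16 -> 10.99.0.0/24 policy stays first.
# Inter-VLAN and router-local traffic from VLAN 20 must not enter the tunnel,
# so bypass it explicitly before the catch-all policy below.
add action=none src-address=192.168.20.0/24 dst-address=192.168.0.0/16 comment="VLAN20 to local networks: never encrypt"
# Catch-all: everything else from VLAN 20 is encrypted to the VPS as a second
# CHILD_SA on the existing IKE_SA. Packets keep following the normal default
# route; the policy intercepts them after routing, so no route change is needed.
add action=encrypt tunnel=yes peer=myvps proposal=myvps src-address=192.168.20.0/24 dst-address=0.0.0.0/0 comment="VLAN20 Internet traffic via VPS"

/ip firewall nat
# Must be above the ISP masquerade rule: a packet that will be encrypted has to
# keep its LAN source address, otherwise it never matches the IPsec policy.
add chain=srcnat action=accept place-before=0 src-address=192.168.20.0/24 ipsec-policy=out,ipsec comment="do not masquerade VLAN20 traffic going into IPsec"
```

To verify, `ipsec statusall` on the VPS should list two CHILD_SAs under `myvps` (`192.168.0.0/16 === 10.99.0.0/24` and `192.168.20.0/24 === 0.0.0.0/0`), `/ip ipsec policy print` on the router should show both encrypt policies as established, and a traceroute from a 192.168.20.0/24 host should leave the Internet via 49.231.43.11 while a host in 192.168.10.0/24 still uses the ISP directly. If the VLAN 20 child never comes up, the usual culprit is the srcnat ordering: check with `/ip firewall nat print` that the accept rule precedes the masquerade.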