Configure IPSec VPN Gateway to Connect to External Systems using Strongswan

Create a new Virtual Machine on the same network as the rest of the cluster nodes. This machine will be used as a gateway to access the external IPs. This machine will need a public IP. The preferred OS is Ubuntu Server 20.04 or higher.
The rest of this guide will assume the following:
1. 10.10.0.0/24 - the local network subnet.
2. 192.168.0.0/24 - the external network subnet which we are trying to reach over VPN.
3. 10.10.0.15 - the internal IP of the VPN gateway machine from Step 1.
4. 3.10.x.x - Public IP of the VPN gateway machine from Step 1.
5. 4.10.y.y - Public IP of VPN tunnel of the external Network.

VPN Gateway Setup:

Enable IP Forwarding on the node.
1. Create a file /etc/sysctl.d/60-ip-forward.conf with the following contents:
  net.ipv4.ip_forward = 1 net.ipv6.conf.all.forwarding = 1
2. Run this to apply the above config:
  sudo systctl --system

Install and configure Strongswan.

Install Strongswan, run:

sudo apt install strongswan libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins

Take backup of ipsec.conf, run:

sudo cp /etc/ipsec.conf /etc/ipsec.conf.orig

Edit the /etc/ipsec.conf with the following contents:

config setup
        charondebug="all"
        uniqueids=yes
conn openg2p-to-external-vpn
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=psk
        # Phase 1
        ike=aes256-sha256-ecp521
        ikelifetime=28800s
        # Phase 2
        esp=aes256-sha256-ecp256
        lifetime=3600s
        aggressive=no
        keyingtries=%forever
        rekeymargin=3m
        left=10.10.0.15
        leftsubnet=10.10.0.15/32
        leftid=3.10.x.x
        right=4.10.y.y
        rightsubnet=192.168.0.0/24
        rightid=4.10.y.y
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

Create /etc/ipsec.secrets with the following content:
```
10.10.0.15 4.10.y.y : PSK "<PSK Value>"
```

Start strongswan tunnel, run:

sudo systemctl enable ipsec
sudo systemctl start ipsec

Check status by running:
```
sudo ipsec statusall
```

Configure iptables (firewall).

Install iptables-persistent , run:
```
sudo apt install iptables-persistent
```
Set default forward policy as DROP, run:
```
sudo iptables -P FORWARD DROP
```

For each node that is allowed to access the external network, run the following: (The following is only an example, change it according to your system. To get the network interface names run: ip link )

sudo iptables -A FORWARD -o <primary_network_interface_name> -s <10.10.node1.internalip> -j ACCEPT
sudo iptables -A FORWARD -i <primary_network_interface_name> -d <10.10.node1.internalip> -j ACCEPT

sudo iptables -A FORWARD -o <primary_network_interface_name> -s <10.10.node2.internalip> -j ACCEPT
sudo iptables -A FORWARD -i <primary_network_interface_name> -d <10.10.node2.internalip> -j ACCEPT

Enable NAT forwarding; run

sudo iptables -A POSTROUTING -t nat -o <primary_network_interface_name> -j MASQUERADE

Save the iptables changes for the next boot, run: (Make sure to run this whenever you change something on iptables)
```
sudo bash -c 'iptables-save > /etc/iptables/rules.v4'
```

Add an IP Route on all the other nodes that need to access the VPN, to hop over the VPN Gateway node. (If a global routing table exists on the network, this rule can be added there instead.)
```
sudo ip route add 192.168.0.0/24 via 10.10.0.15
```

PreviousConfigure External Database to Connect OpenG2P Environment NextTroubleshooting

Last updated 1 month ago