Hi all,
I'm trying to set up a (temporary) over-the-internet database replication
process. I am using libreswan in two distinct ways:
"Mesh": The first method uses opportunistic IPSec to create a mesh of
tunnels between hosts within an AWS VPC. I have this working well and each host
can talk to each other over tunnels currently.
"S2S": The second method uses a subnet-to-subnet tunnel to connect a host in
a data center to a host in the AWS VPC. The data center host is on a private
subnet and talks through a firewall out to the internet. The AWS host has two
interfaces, one public and one private. The private NIC is connected to the
mesh network. The tunnel comes up and I can route traffic via my "VPN"
gateways from other hosts in the subnets.
Problem: The issue I have is that I want the traffic coming out of the S2S
tunnel to be forwarded through the mesh tunnel(s) to the remote endpoint(s);
likewise I want traffic coming from members in the mesh subnet to use the mesh
tunnels when trying to connect to hosts on the other side of the S2S tunnel. This
does not seem to happen either automatically or via my best feeble attempts at
forcing it via routing rules.
Questions:
* Is this actually a feasible/reasonable solution?
* Am I missing something critical in my configurations to make this happen?
* Any hints on magic routing settings or some term I can google for?
Thanks for looking.
======== ASCII Art of the Setup ========
|---------|
|10.1.1.10| DB host(s) A, B, C, etc
|---------|
|
|
|
|---------|
|10.1.0.20| "VPN" host X
|---------|
[|]
<router/firewall/public ip 1>
[|]
[|] Internet
[|] Encrypted via site-to-site (S2S) connection
[|]
<public ip 2>
|---------| "VPN" host Y
|10.2.0.30| <-- eth0
| |
|10.2.1.30| <-- eth1
|---------|
[|]
[|] AWS VPC
[|] Encrypted via opportunistic "mesh" connection
[|]
|---------|
|10.2.1.40| DB host(s) D, E, F, etc
|---------|
======== S2S Configuration on data center side ========
conn vpn
    left=10.1.0.20
    leftid=<public ip 1>
    leftsubnet=10.1.0.0/16
    leftrsasigkey=<a key>
    right=<public ip 2>
    rightsubnet=10.2.0.0/16
    rightrsasigkey=<another key>
    auto=start
======== S2S Configuration on AWS side ========
conn vpn
    left=<public ip 1>
    leftsubnet=10.1.0.0/16
    leftrsasigkey=<a key>
    right=10.2.0.30
    rightid=<public ip 2>
    rightsubnet=10.2.0.0/16
    rightrsasigkey=<another key>
    auto=start
======== Mesh Configuration ========
conn private
    leftauth=rsasig
    left=10.2.1.30
    leftid=%fromcert
    leftcert=<certificate name>
    rightauth=rsasig
    right=%opportunisticgroup
    rightid=%fromcert
    rightca=%same
    rightrsasigkey=%cert
    ikelifetime=30m
    salifetime=1h
    sha2-truncbug=no
    aggrmode=no
    type=tunnel
    ikev2=insist
    negotiationshunt=hold
    failureshunt=drop
    keyingtries=0
    retransmit-timeout=3s
    auto=ondemand
    priority=65535

conn clear
    type=passthrough
    left=%defaultroute
    right=%group
    auto=ondemand
    priority=100
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan
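A way to reason about the forwarding problem in the post, as an added example that is not part of the original message or of libreswan: IPsec policies are selected per packet by source and destination selectors, so the question "which tunnel will host Y put a forwarded packet into?" can be answered by reconstructing the selectors from the quoted configs and matching a packet against them. In libreswan a conn with `left=` but no `leftsubnet=` covers only that host address (a /32), which is what the mesh conn `private` does. The right-hand side of `private` is `%opportunisticgroup`; the group file is not in the post, so `10.2.1.0/24` below is an assumed entry. The packet addresses are taken from the ASCII diagram.

```python
"""Toy IPsec policy lookup for the two-tunnel setup described in the post.

Added example: models selector matching only (no XFRM priorities, no IKE),
from the point of view of "VPN" host Y (10.2.0.30 on eth0, 10.2.1.30 on eth1).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    local: ipaddress.IPv4Network   # selector on host Y's side
    remote: ipaddress.IPv4Network  # selector on the peer's side


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Selectors reconstructed from the conns quoted in the post, as seen from host Y.
POLICIES: List[Policy] = [
    # S2S conn "vpn" (AWS side): Y is "right", so local=rightsubnet, remote=leftsubnet.
    Policy("vpn", net("10.2.0.0/16"), net("10.1.0.0/16")),
    # Mesh conn "private": left=10.2.1.30 with no leftsubnet -> host-only /32 selector.
    # ASSUMPTION: the %opportunisticgroup file lists the private VPC subnet 10.2.1.0/24.
    Policy("private", net("10.2.1.30/32"), net("10.2.1.0/24")),
]


def matching_policies(src: str, dst: str,
                      policies: Optional[List[Policy]] = None) -> List[Tuple[str, str]]:
    """Return (conn name, direction) for every policy whose selectors cover src->dst.

    "outbound" means Y would encrypt the packet into that tunnel when sending it;
    "inbound" means Y expects the packet to arrive through that tunnel.
    """
    policies = POLICIES if policies is None else policies
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits: List[Tuple[str, str]] = []
    for p in policies:
        if s in p.local and d in p.remote:
            hits.append((p.name, "outbound"))
        if d in p.local and s in p.remote:
            hits.append((p.name, "inbound"))
    return hits


def forwarded_leg_tunnel(src: str, dst: str,
                         policies: Optional[List[Policy]] = None) -> Optional[str]:
    """Name of the tunnel Y would use when forwarding src->dst onward, or None.

    None means the packet leaves Y unprotected (or is dropped/held, depending on
    the shunt policy), because no outbound selector covers it.
    """
    outbound = [name for name, direction in matching_policies(src, dst, policies)
                if direction == "outbound"]
    return outbound[0] if outbound else None


def widened_mesh_policies(extra_local: str) -> List[Policy]:
    """HYPOTHETICAL variant: the mesh conn's local selector widened to extra_local.

    Only for comparison; it is not a verified fix for the poster's setup.
    """
    return [p if p.name != "private" else Policy("private", net(extra_local), p.remote)
            for p in POLICIES]


if __name__ == "__main__":
    # Packet from DB host A (data center) to DB host D (VPC), as forwarded by Y.
    print(matching_policies("10.1.1.10", "10.2.1.40"))
    print(forwarded_leg_tunnel("10.1.1.10", "10.2.1.40"))
    # Y's own traffic to D does match the mesh conn.
    print(forwarded_leg_tunnel("10.2.1.30", "10.2.1.40"))
```

Running it shows the asymmetry behind the post: the packet from 10.1.1.10 to 10.2.1.40 matches the S2S conn only as inbound traffic, and no outbound selector covers it on the way to eth1, because the mesh conn's local selector is the single address 10.2.1.30. The same packet sent by Y itself (source 10.2.1.30) does match `private`. Routing rules alone cannot change that, since selector matching happens after the routing decision; the selectors themselves would have to cover the forwarded addresses.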
