
I've recently deployed a Strongswan IKEv2 Remote Access VPN in two different sites with two different Ubuntu servers. It all works great, but now I want to "merge" the two sites with a site-to-site VPN, so that I can leave only one Remote Access VPN and access both subnets. The issue is how to do it? My idea was an IPsec tunnel using strongswan between the two sites and static routing on both sites' routers to manage the traffic.

The sites are configured as follows:

A) 
Only One Public IP : x.x.x.x
Subnet : 10.5.5.0/24

B)
One Usable Public IP : x.x.x.x
Subnet : 192.168.5.0/24

The questions are:

  1. Can I run the two services (IKEv2 Remote Access and IPsec Tunnel) on the same strongswan instance? My answer to this would be NO, and if this is the case I'm ready to add a new instance of strongswan using another two Ubuntu servers as gateways.
  2. But if I'm using two different servers in the sites another issue comes up: the sites only have one public IP each, so how do I deconflict IPsec and IKEv2, as both should be using the same ports? Can I change the ports used by the IPsec Tunnel? Or maybe I don't need port forwarding for the IPsec Tunnel?

This is my reference for the IPsec Tunnel: https://www.tecmint.com/setup-ipsec-vpn-with-strongswan-on-debian-ubuntu/

Any ideas on how to make this mess work? Do I ALWAYS need two different IP addresses for running two VPN servers? Could open-source DMVPN help?

Thanks in advance.

P1r4nh4
  • The answer to your first question is actually YES. Just configure appropriate traffic selectors (subnets) for the IPsec connection between the two servers (e.g. so virtual IPs from remote access clients are included) and possibly adjust the firewall rules (e.g. to avoid any NAT for traffic to the remote subnet). So with that out of the way, you might want to update your question if you still feel there are issues. – ecdsa Apr 06 '22 at 07:49
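As an added example of what ecdsa's comment suggests (not taken from the question, the linked guide, or strongSwan's own documentation), a swanctl.conf for the site A gateway that runs the remote-access connection and the site-to-site tunnel in one strongSwan instance, so both share UDP 500/4500 and the port question does not arise. Assumed values: remote-access clients get virtual IPs from 10.5.6.0/24, the gateways authenticate each other with a PSK under the IKE identities siteA/siteB, and the certificate file and DNS name are placeholders; x.x.x.x is the question's placeholder for site B's public IP.

```conf
# Site A gateway (10.5.5.0/24): /etc/swanctl/swanctl.conf
connections {
    rw {
        version = 2
        pools = rw-pool
        local {
            auth = pubkey
            certs = siteA-cert.pem
            id = vpn.example.org
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            rw {
                # offer clients both LANs so 192.168.5.0/24 goes into the tunnel
                local_ts = 10.5.5.0/24,192.168.5.0/24
            }
        }
    }
    # site-to-site tunnel to site B on the same daemon (same UDP 500/4500)
    siteB {
        version = 2
        # site B public IP (placeholder as in the question)
        remote_addrs = x.x.x.x
        local {
            auth = psk
            id = siteA
        }
        remote {
            auth = psk
            id = siteB
        }
        children {
            siteB {
                # include the client pool so traffic to/from RA clients matches
                local_ts = 10.5.5.0/24,10.5.6.0/24
                remote_ts = 192.168.5.0/24
                start_action = start
            }
        }
    }
}
pools {
    rw-pool {
        addrs = 10.5.6.0/24
    }
}
```

The PSK goes in a secrets section (ike-siteB), and site B's gateway mirrors this with the selectors swapped (local_ts 192.168.5.0/24, remote_ts 10.5.5.0/24,10.5.6.0/24). As the comment notes, the firewall on each gateway must not masquerade traffic between the client pool and the remote subnet, and IP forwarding must be enabled.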

0 Answers