4

I have two sites: MAIN (local subnet 192.168.0.0/24, external IP: M.M.M.M) and CLIENT (10.0.0.0/24, external IP: C.C.C.C). I created an IPSec tunnel between the sites and both sites can ping computers in both subnets. So far so good.

# ipsec status
Security Associations (1 up, 0 connecting):
tunnel[1]: ESTABLISHED 7 minutes ago, 10.0.0.15[C.C.C.C]...M.M.M.M[M.M.M.M]
tunnel{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7e6cd30_i ca170c58_o
tunnel{1}:   10.0.0.0/24 === 192.168.0.0/24

MAIN's external IP address is whitelisted by some resources on the internet (they can only be accessed from MAIN's address). I would like to configure the routing in a way that these resources are accessed by CLIENT's site through that tunnel and MAIN's gateway.

I would normally try doing this by configuring static routing and NAT. The problem here is that I do not have an interface that I can use for defining the routes. If I had a VPN server at the MAIN site and a VPN client at the CLIENT site, then the VPN client would have some tun interface that I could use to configure what I need.

Can I achieve the same by having an IPSec tunnel between the two sites?

EDIT

More details follow:

So the connection looks like this:

192.168.0.0/24 --- 192.168.0.1/M.M.M.M --- C.C.C.C/10.0.0.1 --- 10.0.0.0/24
(Main subnet)         (Main router)        (Client router)      (Client subnet)

192.168.0.1/M.M.M.M - Ubiquiti router

C.C.C.C/10.0.0.1 - simple router with some ports forwarded to 10.0.0.15

10.0.0.15 - Ubuntu machine in client subnet with IPSec tunnel to 192.168.0.1

The tunnel works. Both sites can ping each other's gateways and other machines in the network.

What I now want to achieve is routing packets to particular external IP addresses from 10.0.0.15 through 192.168.0.1.

Michal B.
  • Can you list "exactly" what is there between a host in CLIENT site and a host in MAIN site? This is to determine how to write the route. Also what is the OS you are using? Basically I'm thinking of using static routes inside the host in CLIENT site. Another potential solution may be using a NAT gateway with IP forwarding inside MAIN site. – Notauser Aug 06 '19 at 18:47
  • @Notauser: I added more details. I hope I am clear now. If you still have any questions, do not hesitate to ask. – Michal B. Aug 07 '19 at 05:55
  • Seems to me you would need a custom updown script for strongswan to establish the necessary rules. The client router needs to designate the main router as nexthop for packets from client 10.0.0.15 destined for said external addresses and the main router would need to forward/masquerade for source 10.0.0.15. https://wiki.strongswan.org/projects/strongswan/wiki/Updown – Gerrit Aug 09 '19 at 09:07
  • If tweaking the routers is not an option, but you can use an ip-address on the main network with a client with some router functionality, then you could destination NAT a specific external address on the 10.0.0.15 to the client in the main network and from there masquerade it to the external address. – Gerrit Aug 09 '19 at 10:52
  • Hey @MichalB. did you find a solution to this? I'm having a similar problem where I would need to route all traffic on a certain local interface through the gateway on the other side of the tunnel. – ojrask Apr 21 '20 at 12:08
  • Hi @ojrask. No, I have not found a way to do it with using IPSec tunnel. I reverted to VPN client-server solution that has virtual interfaces that can be used to route the traffic through... – Michal B. Apr 22 '20 at 10:14
  • @MichalB. I see, thanks anyway! – ojrask Apr 28 '20 at 10:31

3 Answers

1

So considering the topology I would pick the first option, simply adding static routes on the client machines in 10.0.0.0/24. If the remote resources aren't in the same IP range, you would need to add one route per resource.

For example on a Windows machine: Resource 1 (say 10.11.12.13) :

route add 10.11.12.13 mask 255.255.255.255 10.0.0.15 -p

Resource 2 (say 24.25.26.27) :

route add 24.25.26.27 mask 255.255.255.255 10.0.0.15 -p

Then repeat the same thing on 10.0.0.15, but this time targeting 192.168.0.1.

See here for adding persistent routes in Linux (Ubuntu).

I understand this approach is pretty granular and not suitable for high scale networks but it should work pretty well for small home/office use.

As an alternative, a dedicated NAT gateway would be more effective if you want to proxy all the traffic, not only the traffic to whitelisted resources.

A last alternative as far as I know would be to build an OpenVPN server (instead of IPSec) in 192.168.0.0/24 which will proxy all traffic by default. Excellent tutorial here.

Let me know if you have any question.

Notauser
  • This is the obvious answer. However, I cannot route through 192.168.0.1: `ip route add 8.8.8.8/32 via 192.168.0.1` gives `Error: Nexthop has invalid gateway`. This is because 192.168.0.1 is not a local IP address. This is due to the nature of IPSec. It would work with OpenVPN, because then I would have a tunnel interface with an interface and IP address from the other subnet. Actually, I had that configured, but it was not stable and I liked the idea of site-to-site tunnel, so that's what I am trying now... – Michal B. Aug 11 '19 at 07:32
  • To workaround that, can you try : `ip route add 8.8.8.8/32 dev tun0` assuming tun0 is your ipsec interface ? – Notauser Aug 13 '19 at 15:09
  • ipsec does not create an interface. If it did, this post would not exist. – Michal B. Aug 14 '19 at 06:20
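The comment thread above hits the real constraint: strongSwan here installs a policy-based (route-less) tunnel, so the kernel decides what to encapsulate by matching each packet against the CHILD_SA's traffic selectors, and the routing table only decides the next hop of the outer ESP packet. A `via 192.168.0.1` route therefore cannot steer 8.8.8.8 into the tunnel (the nexthop is not on-link from 10.0.0.15, hence the error), whereas widening the remote selector to include the destination does; strongSwan's kernel-netlink plugin then installs the matching route in its own table 220 by itself. The script below is an added example for this thread, not code from the question, the answer or strongSwan. It parses the `ipsec status` output quoted in the question, checks which flows the current selectors cover, reproduces the on-link check that `ip route add ... via` performs, and builds the extended `rightsubnet=` value for an ipsec.conf-style strongSwan config. It assumes the MAIN side carries the mirrored selector and a forward/masquerade rule for 10.0.0.15, as Gerrit's comment describes; the `tunnel{2}` status line used at the end is constructed, not captured.

```python
"""Check whether a src -> dst flow is selected into a policy-based IPsec
tunnel, using the traffic selectors that `ipsec status` prints.

Added example for this thread; not code from the original post or from
strongSwan. Uses only the Python standard library.
"""
import ipaddress
import re

# Sample input copied from the question's `ipsec status` output.
IPSEC_STATUS = """\
Security Associations (1 up, 0 connecting):
tunnel[1]: ESTABLISHED 7 minutes ago, 10.0.0.15[C.C.C.C]...M.M.M.M[M.M.M.M]
tunnel{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7e6cd30_i ca170c58_o
tunnel{1}:   10.0.0.0/24 === 192.168.0.0/24
"""

# CHILD_SA selector line: "<conn>{<id>}:   <local TS ...> === <remote TS ...>"
# strongSwan separates several selectors on one side with spaces.
TS_LINE = re.compile(r"^\s*(\S+?)\{\d+\}:\s+(.+?)\s+===\s+(.+?)\s*$")


def parse_selectors(status_text):
    """Return [(conn_name, [local nets], [remote nets])] per CHILD_SA."""
    sas = []
    for line in status_text.splitlines():
        m = TS_LINE.match(line)
        if not m:
            continue  # IKE_SA lines and the INSTALLED/SPI line have no "==="
        name, local, remote = m.groups()
        sas.append((name,
                    [ipaddress.ip_network(n) for n in local.split()],
                    [ipaddress.ip_network(n) for n in remote.split()]))
    return sas


def covering_sa(sas, src, dst):
    """Name of the CHILD_SA whose selectors cover src -> dst, else None.

    This is the same decision the kernel XFRM policy lookup makes: only a
    packet matching a local AND a remote selector is encapsulated."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, local, remote in sas:
        if any(src in n for n in local) and any(dst in n for n in remote):
            return name
    return None


def gateway_is_onlink(gateway, local_addrs):
    """True if `gateway` sits in a subnet directly attached to this host.

    `local_addrs` are interface addresses in CIDR form, e.g. "10.0.0.15/24".
    `ip route add X via GW` refuses a GW that is not on-link, which is what
    "Error: Nexthop has invalid gateway" reports for 192.168.0.1."""
    gw = ipaddress.ip_address(gateway)
    return any(gw in ipaddress.ip_interface(a).network for a in local_addrs)


def extended_subnet_option(existing_remote, extra_dsts):
    """Build the ipsec.conf `rightsubnet=` value that adds host selectors
    for the extra destinations (assumption: ipsec.conf-style strongSwan
    config; the MAIN side must list the same nets in its leftsubnet)."""
    nets = [str(ipaddress.ip_network(n)) for n in existing_remote]
    nets += [str(ipaddress.ip_network(d)) for d in extra_dsts]  # "8.8.8.8" -> "8.8.8.8/32"
    return "rightsubnet=" + ",".join(nets)


def demo():
    sas = parse_selectors(IPSEC_STATUS)
    print("10.0.0.15 -> 192.168.0.1 covered by:", covering_sa(sas, "10.0.0.15", "192.168.0.1"))
    print("10.0.0.15 -> 8.8.8.8 covered by:", covering_sa(sas, "10.0.0.15", "8.8.8.8"))
    print("192.168.0.1 on-link from 10.0.0.15?", gateway_is_onlink("192.168.0.1", ["10.0.0.15/24"]))
    print("client-side option to add:", extended_subnet_option(["192.168.0.0/24"], ["8.8.8.8"]))
    # Constructed status line showing the selectors after re-negotiation.
    widened = parse_selectors("tunnel{2}:   10.0.0.15/32 === 192.168.0.0/24 8.8.8.8/32\n")
    print("10.0.0.15 -> 8.8.8.8 now covered by:", covering_sa(widened, "10.0.0.15", "8.8.8.8"))


if __name__ == "__main__":
    demo()
```

Run it against a real `ipsec status` capture to see which destinations a tunnel already carries before touching routes. Once the widened selector is negotiated, the remaining work is on MAIN: accept the forwarded traffic from 10.0.0.15 to those destinations and masquerade it behind M.M.M.M, since the whitelisted resources must see MAIN's address as the source.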
0

I am by no means a network specialist, but this sounds like a forced tunneling scenario relating to enterprises wanting to control internet user traffic on managed remote clients via their proxy. In a general approach you might add a static/default route for all internet bound traffic on the client router to be forwarded through the tunnel to your main router, which implies a Site-to-Site VPN tunnel. In your Point-to-Site VPN case I don't see another way than adding a specific route into local client routing table with the public IP as destination with the next hop being the internal IP of the main router.

Lyndon678
0

So it sounds like what's left is to do Source NAT translation since you are able to control your side of the network interface vs theirs. But there is a new extension I didn't really know about till now called NETMAP that I believe is a better fit for what you want:

For reference: https://netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html#ss6.1 (SNAT) and https://netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-4.html#ss4.4 (the NETMAP extension).

109569 is relatable.

  • NETMAP target allows you to statically map a whole network of addresses onto another network of addresses. It can only be used from rules in the nat table. I do not understand how this can help me route packets to X.X.X.X through the gateway on the other side of the tunnel. Could you elaborate? Possibly list the commands that you would execute, so I could understand your train of thought? – Michal B. Aug 08 '19 at 11:50