From 52ed9a868a56dafbd363120e02ae3e8cb40c44d7 Mon Sep 17 00:00:00 2001
From: Mauritz Uphoff
Date: Mon, 7 Jul 2025 10:39:42 +0200
Subject: [PATCH] multiple networks in sna
---
 03-sw-appliances.tf | 6 ++--
 04-vms.tf | 52 ++++++++++++++++++++++-----
 README.md | 88 +++++++++++++++++----------------------------
 cloud-init.yaml | 24 ++++++++++---
 4 files changed, 100 insertions(+), 70 deletions(-)
diff --git a/03-sw-appliances.tf b/03-sw-appliances.tf
index 581cd73..3636694 100644
--- a/03-sw-appliances.tf
+++ b/03-sw-appliances.tf
@@ -66,7 +66,7 @@ locals {
 appliance_ips = {
 appliance01 = {
 local_ip = "10.1.1.10"
- local_subnet = "10.1.1.0/24"
+ local_subnet = "10.1.0.0/16" # Allow both 10.1.1.0 and 10.1.2.0 via VPN
 }
 appliance02 = {
 local_ip = "192.168.1.10"
@@ -136,10 +136,10 @@ resource "stackit_server" "appliances" {
 ]
 }
 
-output "appliance01_public_ip" {
+output "appliance01_cloud01_public_ip" {
 value = stackit_public_ip.wan_ips_appliances["appliance01"].ip
 }
 
-output "appliance02_public_ip" {
+output "appliance02_onprem01_public_ip" {
 value = stackit_public_ip.wan_ips_appliances["appliance02"].ip
 }
\ No newline at end of file
diff --git a/04-vms.tf b/04-vms.tf
index a7cd35f..a0460eb 100644
--- a/04-vms.tf
+++ b/04-vms.tf
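Review bot: The new `local_subnet = "10.1.0.0/16"` for appliance01 admits the entire 10.1.0.0/16 into the tunnel, not only the two /24 networks the comment names, and the README rewritten in this same commit lists machine01cloud02 at 10.2.1.11 in 10.2.1.0/24, which this selector does not cover, while 04-vms.tf assigns that machine 10.1.2.11 — one of the two is wrong and should be reconciled before the selector is trusted. If only the two networks are meant to reach on-prem, a list such as `local_subnet = "10.1.1.0/24,10.1.2.0/24"` keeps the policy tight, provided the value is passed unchanged into the ipsec.conf template and the commented iptables rules (both outside this hunk) and every consumer accepts a comma-separated list. Whichever form is kept, appliance02's remote selector and the network-area route must be widened to match if they are not derived from this value, or the child SA will not negotiate. The comment should also carry the prefix lengths: `# Covers 10.1.1.0/24 and 10.1.2.0/24 via the VPN`.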
@@ -6,16 +6,43 @@ resource "stackit_network_area_route" "vpn" {
 next_hop = "10.1.1.10"
 }
 
-resource "stackit_network_interface" "machine01_cloud02" {
+resource "stackit_network_interface" "machine01_cloud01" {
 project_id = stackit_resourcemanager_project.cloud.project_id
- network_id = stackit_network.cloud_network02.network_id
- ipv4 = "10.1.2.10"
+ network_id = stackit_network.cloud_network01.network_id
+ ipv4 = "10.1.1.11"
 security = false
 }
 
-resource "stackit_server" "machine01_cloud" {
+resource "stackit_server" "machine01_cloud01" {
 project_id = stackit_resourcemanager_project.cloud.project_id
- name = "machine01"
+ name = "machine01cloud01"
+ availability_zone = "eu01-3"
+ machine_type = "c1.4"
+ keypair_name = stackit_key_pair.admin_keypair.name
+
+ boot_volume = {
+ size = 64
+ source_type = "image"
+ source_id = var.debian_image_id
+ performance_class = "storage_premium_perf6"
+ delete_on_termination = true
+ }
+
+ network_interfaces = [
+ stackit_network_interface.machine01_cloud01.network_interface_id
+ ]
+}
+
+resource "stackit_network_interface" "machine01_cloud02" {
+ project_id = stackit_resourcemanager_project.cloud.project_id
+ network_id = stackit_network.cloud_network02.network_id
+ ipv4 = "10.1.2.11"
+ security = false
+}
+
+resource "stackit_server" "machine01_cloud02" {
+ project_id = stackit_resourcemanager_project.cloud.project_id
+ name = "machine01cloud02"
 availability_zone = "eu01-3"
 machine_type = "c1.4"
 keypair_name = stackit_key_pair.admin_keypair.name
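Review bot: Both network interfaces in this hunk carry `security = false`, and the next hunk of the same file attaches a public IP to each of them, so if that flag disables security-group enforcement on the interface as the provider documents, machine01cloud01 and machine01cloud02 become reachable from the Internet with no network-level filtering; keep security enabled and attach a group that permits only what the README's verification steps need, such as SSH from an administrative range. Separately, renaming `stackit_server.machine01_cloud` to `machine01_cloud02` here (and `stackit_public_ip.wan_ip_machine01` to `wan_ip_machine01_cloud02` in the next hunk) makes Terraform destroy and recreate the VM and release its public address; if the existing objects are meant to survive, a `moved` block with `from = stackit_server.machine01_cloud` and `to = stackit_server.machine01_cloud02` (and the analogue for the public IP) keeps them, assuming the changed `name` and `ipv4` do not themselves force replacement. The two server blocks differ only in name and interface, which a `for_each` over a small map of network → address would express without the duplication. The `stackit_network_area_route` and the tail of the second server block lie outside this hunk.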
@@ -33,11 +60,20 @@ resource "stackit_server" "machine01_cloud" {
 ]
 }
 
-resource "stackit_public_ip" "wan_ip_machine01" {
+resource "stackit_public_ip" "wan_ip_machine01_cloud01" {
+ project_id = stackit_resourcemanager_project.cloud.project_id
+ network_interface_id = stackit_network_interface.machine01_cloud01.network_interface_id
+}
+
+resource "stackit_public_ip" "wan_ip_machine01_cloud02" {
 project_id = stackit_resourcemanager_project.cloud.project_id
 network_interface_id = stackit_network_interface.machine01_cloud02.network_interface_id
 }
 
-output "machine01_public_ip" {
- value = stackit_public_ip.wan_ip_machine01.ip
+output "machine01_cloud01_public_ip" {
+ value = stackit_public_ip.wan_ip_machine01_cloud01.ip
+}
+
+output "machine01_cloud02_public_ip" {
+ value = stackit_public_ip.wan_ip_machine01_cloud02.ip
 }
\ No newline at end of file
diff --git a/README.md b/README.md
index 00a3cc8..45485b6 100644
--- a/README.md
+++ b/README.md
@@ -1,89 +1,67 @@ # StrongSwan VPN Verification Guide -This guide helps you verify that a site-to-site IPsec VPN tunnel using StrongSwan has been successfully established between virtual machines provisioned via Terraform and configured with cloud-init. - -## Hosts Overview - -The tunnel uses IKEv2 with a Pre-Shared Key (PSK) and is automatically established at boot. - -| Host | IP Address | Role | -|-------------|--------------|------------------------| -| appliance01 | 10.1.1.10 | Cloud VPN Appliance | -| machine01 | 10.1.1.11 | Cloud Internal Machine | -| appliance02 | 192.168.1.10 | On-Prem VPN Appliance | +This document helps verify the successful setup of a site-to-site IPsec VPN tunnel using StrongSwan. The environment is provisioned with Terraform and initialized with cloud-init. The VPN configuration uses IKEv2 with a pre-shared key (PSK) and automatically starts during system boot. --- -## 🔧 Architecture +## Network Overview + +The VPN connects a cloud network with an on-premises network, enabling secure, encrypted traffic between them. + +| Host | IP Address | Subnet | Role | +|------------------|--------------|----------------|------------------------| +| appliance01 | 10.1.1.10 | 10.1.1.0/24 | Cloud VPN Appliance | +| machine01cloud01 | 10.1.1.11 | 10.1.1.0/24 | Cloud Internal Machine | +| machine01cloud02 | 10.2.1.11 | 10.2.1.0/24 | Cloud Internal Machine | +| appliance02 | 192.168.1.10 | 192.168.1.0/24 | On-Prem VPN Appliance | + +--- + +## Architecture ![Architecture Diagram](docs/network-architecture.png) +This diagram illustrates the VPN tunnel between `appliance01` (cloud) and `appliance02` (on-prem), supporting encrypted traffic between the routed subnets. + --- -## 1. Check StrongSwan Service Status +## 1. 
Verify StrongSwan Service -SSH into each machine using its public IP: +To confirm the IPsec service is running and properly configured, SSH into each VPN appliance using the appropriate public IP address: ```bash -ssh -i ~/.ssh/id_rsa debian@ +ssh -i ~/.ssh/id_rsa debian@ ``` -Once logged in, verify the StrongSwan service: +Then run: ```bash sudo ipsec statusall ``` -Expected output should resemble: +Sample expected output: ``` -Status of IKE charon daemon (strongSwan 5.9.8, Linux ...): +Status of IKE charon daemon (strongSwan 5.x.x, Linux x.x.x): uptime: ... worker threads: ... Connections: net-net: 10.1.1.10...192.168.1.10 IKEv2, dpddelay=30s - net-net: local: [10.1.1.10] uses pre-shared key authentication - net-net: remote: [192.168.1.10] uses pre-shared key authentication - net-net: child: 10.1.1.0/24 === 192.168.1.0/24 TUNNEL -Security Associations (SAs) (0 up, 0 connecting): - none + net-net: local: [10.1.1.10] uses pre-shared key authentication + net-net: remote: [192.168.1.10] uses pre-shared key authentication + net-net: child: 10.1.0.0/16 === 192.168.1.0/24 TUNNEL +Security Associations (SAs): + net-net[1]: ESTABLISHED ... ``` -This output confirms the configuration is loaded, but the tunnel may not yet be active. +What to check: + +- The connection is listed as `ESTABLISHED` +- Subnets listed under the child SA should match your intended VPN traffic (e.g., `10.1.0.0/16 === 192.168.1.0/24`) --- -## 2. Bring Up the VPN Tunnel - -If the tunnel didn’t start automatically, initiate it manually from either VPN appliance: - -```bash -sudo ipsec up net-net -``` - -Then re-check the connection: - -```bash -sudo ipsec statusall -``` - -You should now see an established connection: - -``` -Connections: - net-net[1]: ESTABLISHED 15s ago, 10.1.1.10...192.168.1.10 - net-net{1}: INSTALLED, TUNNEL, ESP SPIs: ... 
- net-net{1}: 10.1.1.0/24 === 192.168.1.0/24
-```
-
-Key indicators:
-
-- ESTABLISHED: Tunnel is active
-- Subnet-to-subnet routing: 10.1.1.0/24===192.168.1.0/24
-
----
-
-## 3. Verify VPN-Backed Network Connectivity
+## 2. Verify VPN Network Connectivity
 Ping between hosts to validate that routing is working through the VPN tunnel:
diff --git a/cloud-init.yaml b/cloud-init.yaml
index 56fe93f..91f918d 100644
--- a/cloud-init.yaml
+++ b/cloud-init.yaml
@@ -4,6 +4,7 @@ packages:
 - strongswan
 - iptables
 - net-tools
+ - procps # Needed for sysctl
 
 write_files:
 - path: /etc/ipsec.conf
@@ -13,7 +14,7 @@ write_files:
 charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
 
 conn net-net
- auto=add
+ auto=start
 keyexchange=ikev2
 authby=psk
 left=${local_ip}
@@ -34,8 +35,23 @@ write_files:
 ${leftid} ${rightid} : PSK "${psk}"
 
 runcmd:
+ # Enable IP forwarding
 - sysctl -w net.ipv4.ip_forward=1
- - sed -i '/^#net.ipv4.ip_forward=1/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
+ - sed -i '/^#\?net.ipv4.ip_forward\s*=/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
 - sysctl -p
- - ipsec start
- - ipsec up net-net
+
+ # Set up iptables rules
+ # - iptables -t nat -A POSTROUTING -s ${local_subnet} -d ${remote_subnet} -j ACCEPT
+ # - iptables -t nat -A POSTROUTING -s ${remote_subnet} -d ${local_subnet} -j ACCEPT
+ # - iptables -t nat -A POSTROUTING -s ${local_subnet} ! -d ${local_subnet} -j MASQUERADE
+
+ # Accept IPsec traffic
+ # - iptables -A INPUT -p udp --dport 500 -j ACCEPT
+ # - iptables -A INPUT -p udp --dport 4500 -j ACCEPT
+ # - iptables -A INPUT -p esp -j ACCEPT
+ # - iptables -A FORWARD -s ${local_subnet} -d ${remote_subnet} -m policy --pol ipsec --dir out -j ACCEPT
+ # - iptables -A FORWARD -s ${remote_subnet} -d ${local_subnet} -m policy --pol ipsec --dir in -j ACCEPT
+
+ # Enable and start strongSwan
+ # - systemctl enable strongswan-starter
+ # - systemctl start strongswan-starter
\ No newline at end of file
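Review bot: The runcmd block in the last cloud-init hunk turns on IP forwarding, yet every iptables rule — including the two FORWARD rules that limit forwarded traffic to packets matched by an IPsec policy (`-m policy --pol ipsec`) — is added commented out, as are the `systemctl enable/start strongswan-starter` lines that stand in for the removed `ipsec start`/`ipsec up net-net`; with forwarding on and no filter, the appliance forwards whatever reaches its interfaces, and charon starting at all now rests on the package's default unit state plus `auto=start`, which I cannot confirm from this file. Either activate the rules (at least the INPUT accepts for UDP 500/4500 and ESP, the two policy-matched FORWARD accepts, and a default `DROP` policy on FORWARD) or delete the commented commands so the file does not suggest protection it does not apply; inactive entries in a `runcmd` list are easy to misread as active. The `sed` edit of /etc/sysctl.conf silently changes nothing if the file has no `net.ipv4.ip_forward` line at all, so `- echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/99-ipsec.conf` followed by `- sysctl --system` is the robust form. The write_files entry and the ipsec.conf template continue outside these hunks.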