multiple networks in sna
This commit is contained in:
		
							parent
							
								
									1e2990f9b2
								
							
						
					
					
						commit
						52ed9a868a
					
				
					 4 changed files with 100 additions and 70 deletions
				
			
		|  | @ -66,7 +66,7 @@ locals { | ||||||
|   appliance_ips = { |   appliance_ips = { | ||||||
|     appliance01 = { |     appliance01 = { | ||||||
|       local_ip     = "10.1.1.10" |       local_ip     = "10.1.1.10" | ||||||
|       local_subnet = "10.1.1.0/24" |       local_subnet = "10.1.0.0/16" # Allow both 10.1.1.0 and 10.1.2.0 via VPN | ||||||
|     } |     } | ||||||
|     appliance02 = { |     appliance02 = { | ||||||
|       local_ip     = "192.168.1.10" |       local_ip     = "192.168.1.10" | ||||||
|  | @ -136,10 +136,10 @@ resource "stackit_server" "appliances" { | ||||||
|   ] |   ] | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| output "appliance01_public_ip" { | output "appliance01_cloud01_public_ip" { | ||||||
|   value = stackit_public_ip.wan_ips_appliances["appliance01"].ip |   value = stackit_public_ip.wan_ips_appliances["appliance01"].ip | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| output "appliance02_public_ip" { | output "appliance02_onprem01_public_ip" { | ||||||
|   value = stackit_public_ip.wan_ips_appliances["appliance02"].ip |   value = stackit_public_ip.wan_ips_appliances["appliance02"].ip | ||||||
| } | } | ||||||
							
								
								
									
										52
									
								
								04-vms.tf
									
									
									
									
									
								
							
							
						
						
									
										52
									
								
								04-vms.tf
									
									
									
									
									
								
							|  | @ -6,16 +6,43 @@ resource "stackit_network_area_route" "vpn" { | ||||||
|   next_hop = "10.1.1.10" |   next_hop = "10.1.1.10" | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| resource "stackit_network_interface" "machine01_cloud02" { | resource "stackit_network_interface" "machine01_cloud01" { | ||||||
|   project_id = stackit_resourcemanager_project.cloud.project_id |   project_id = stackit_resourcemanager_project.cloud.project_id | ||||||
|   network_id = stackit_network.cloud_network02.network_id |   network_id = stackit_network.cloud_network01.network_id | ||||||
|   ipv4       = "10.1.2.10" |   ipv4       = "10.1.1.11" | ||||||
|   security   = false |   security   = false | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| resource "stackit_server" "machine01_cloud" { | resource "stackit_server" "machine01_cloud01" { | ||||||
|   project_id        = stackit_resourcemanager_project.cloud.project_id |   project_id        = stackit_resourcemanager_project.cloud.project_id | ||||||
|   name              = "machine01" |   name              = "machine01cloud01" | ||||||
|  |   availability_zone = "eu01-3" | ||||||
|  |   machine_type      = "c1.4" | ||||||
|  |   keypair_name      = stackit_key_pair.admin_keypair.name | ||||||
|  | 
 | ||||||
|  |   boot_volume = { | ||||||
|  |     size                  = 64 | ||||||
|  |     source_type           = "image" | ||||||
|  |     source_id             = var.debian_image_id | ||||||
|  |     performance_class     = "storage_premium_perf6" | ||||||
|  |     delete_on_termination = true | ||||||
|  |   } | ||||||
|  | 
 | ||||||
|  |   network_interfaces = [ | ||||||
|  |     stackit_network_interface.machine01_cloud01.network_interface_id | ||||||
|  |   ] | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | resource "stackit_network_interface" "machine01_cloud02" { | ||||||
|  |   project_id = stackit_resourcemanager_project.cloud.project_id | ||||||
|  |   network_id = stackit_network.cloud_network02.network_id | ||||||
|  |   ipv4       = "10.1.2.11" | ||||||
|  |   security   = false | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | resource "stackit_server" "machine01_cloud02" { | ||||||
|  |   project_id        = stackit_resourcemanager_project.cloud.project_id | ||||||
|  |   name              = "machine01cloud02" | ||||||
|   availability_zone = "eu01-3" |   availability_zone = "eu01-3" | ||||||
|   machine_type      = "c1.4" |   machine_type      = "c1.4" | ||||||
|   keypair_name      = stackit_key_pair.admin_keypair.name |   keypair_name      = stackit_key_pair.admin_keypair.name | ||||||
|  | @ -33,11 +60,20 @@ resource "stackit_server" "machine01_cloud" { | ||||||
|   ] |   ] | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| resource "stackit_public_ip" "wan_ip_machine01" { | resource "stackit_public_ip" "wan_ip_machine01_cloud01" { | ||||||
|  |   project_id           = stackit_resourcemanager_project.cloud.project_id | ||||||
|  |   network_interface_id = stackit_network_interface.machine01_cloud01.network_interface_id | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | resource "stackit_public_ip" "wan_ip_machine01_cloud02" { | ||||||
|   project_id           = stackit_resourcemanager_project.cloud.project_id |   project_id           = stackit_resourcemanager_project.cloud.project_id | ||||||
|   network_interface_id = stackit_network_interface.machine01_cloud02.network_interface_id |   network_interface_id = stackit_network_interface.machine01_cloud02.network_interface_id | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| output "machine01_public_ip" { | output "machine01_cloud01_public_ip" { | ||||||
|   value = stackit_public_ip.wan_ip_machine01.ip |   value = stackit_public_ip.wan_ip_machine01_cloud01.ip | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | output "machine01_cloud02_public_ip" { | ||||||
|  |   value = stackit_public_ip.wan_ip_machine01_cloud02.ip | ||||||
| } | } | ||||||
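Review bot: The new `machine01_cloud02` interface at the end of the first hunk (and the renamed `machine01_cloud01` one at its top) sets `security = false`, and in the second hunk each of these interfaces gets its own `stackit_public_ip`; if that attribute disables security-group filtering on the interface, as its name suggests, both internal machines are now reachable from the internet with nothing filtering at the network layer. If port security has to be off for the VPN return path, state that in a comment, e.g. `security = false # port security off so traffic forwarded from the remote VPN subnet is not dropped; the host firewall must filter instead`, otherwise leave it at the default for these interfaces. The address `10.1.2.11` on `cloud_network02` also disagrees with the README table in this commit, which lists machine01cloud02 as 10.2.1.11 in 10.2.1.0/24 — a subnet the `10.1.0.0/16` selector from the locals hunk would not carry — so one of the two should be corrected. Finally, the two interface/server/public-ip triplets are near-verbatim copies; a single `for_each` over a map keyed by network, as `stackit_server.appliances` appears to do, would keep them consistent.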
							
								
								
									
										84
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										84
									
								
								README.md
									
									
									
									
									
								
							|  | @ -1,89 +1,67 @@ | ||||||
| # StrongSwan VPN Verification Guide | # StrongSwan VPN Verification Guide | ||||||
| 
 | 
 | ||||||
| This guide helps you verify that a site-to-site IPsec VPN tunnel using StrongSwan has been successfully established between virtual machines provisioned via Terraform and configured with cloud-init. | This document helps verify the successful setup of a site-to-site IPsec VPN tunnel using StrongSwan. The environment is provisioned with Terraform and initialized with cloud-init. The VPN configuration uses IKEv2 with a pre-shared key (PSK) and automatically starts during system boot. | ||||||
| 
 |  | ||||||
| ## Hosts Overview |  | ||||||
| 
 |  | ||||||
| The tunnel uses IKEv2 with a Pre-Shared Key (PSK) and is automatically established at boot. |  | ||||||
| 
 |  | ||||||
| | Host        | IP Address   | Role                   | |  | ||||||
| |-------------|--------------|------------------------| |  | ||||||
| | appliance01 | 10.1.1.10    | Cloud VPN Appliance    | |  | ||||||
| | machine01   | 10.1.1.11    | Cloud Internal Machine | |  | ||||||
| | appliance02 | 192.168.1.10 | On-Prem VPN Appliance  | |  | ||||||
| 
 | 
 | ||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
| ## 🔧 Architecture | ## Network Overview | ||||||
|  | 
 | ||||||
|  | The VPN connects a cloud network with an on-premises network, enabling secure, encrypted traffic between them. | ||||||
|  | 
 | ||||||
|  | | Host             | IP Address   | Subnet         | Role                   | | ||||||
|  | |------------------|--------------|----------------|------------------------| | ||||||
|  | | appliance01      | 10.1.1.10    | 10.1.1.0/24    | Cloud VPN Appliance    | | ||||||
|  | | machine01cloud01 | 10.1.1.11    | 10.1.1.0/24    | Cloud Internal Machine | | ||||||
|  | | machine01cloud02 | 10.2.1.11    | 10.2.1.0/24    | Cloud Internal Machine | | ||||||
|  | | appliance02      | 192.168.1.10 | 192.168.1.0/24 | On-Prem VPN Appliance  | | ||||||
|  | 
 | ||||||
|  | --- | ||||||
|  | 
 | ||||||
|  | ## Architecture | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
| 
 | 
 | ||||||
|  | This diagram illustrates the VPN tunnel between `appliance01` (cloud) and `appliance02` (on-prem), supporting encrypted traffic between the routed subnets. | ||||||
|  | 
 | ||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
| ## 1. Check StrongSwan Service Status | ## 1. Verify StrongSwan Service | ||||||
| 
 | 
 | ||||||
| SSH into each machine using its public IP: | To confirm the IPsec service is running and properly configured, SSH into each VPN appliance using the appropriate public IP address: | ||||||
| 
 | 
 | ||||||
| ```bash | ```bash | ||||||
| ssh -i ~/.ssh/id_rsa debian@<machine-public-ip> | ssh -i ~/.ssh/id_rsa debian@<appliance-public-ip> | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| Once logged in, verify the StrongSwan service: | Then run: | ||||||
| 
 | 
 | ||||||
| ```bash | ```bash | ||||||
| sudo ipsec statusall | sudo ipsec statusall | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| Expected output should resemble: | Sample expected output: | ||||||
| 
 | 
 | ||||||
| ``` | ``` | ||||||
| Status of IKE charon daemon (strongSwan 5.9.8, Linux ...): | Status of IKE charon daemon (strongSwan 5.x.x, Linux x.x.x): | ||||||
|   uptime: ... |   uptime: ... | ||||||
|   worker threads: ... |   worker threads: ... | ||||||
| Connections: | Connections: | ||||||
|      net-net:  10.1.1.10...192.168.1.10  IKEv2, dpddelay=30s |      net-net:  10.1.1.10...192.168.1.10  IKEv2, dpddelay=30s | ||||||
|      net-net:    local:  [10.1.1.10] uses pre-shared key authentication |      net-net:    local:  [10.1.1.10] uses pre-shared key authentication | ||||||
|      net-net:    remote: [192.168.1.10] uses pre-shared key authentication |      net-net:    remote: [192.168.1.10] uses pre-shared key authentication | ||||||
|      net-net:   child:  10.1.1.0/24 === 192.168.1.0/24 TUNNEL |      net-net:    child:  10.1.0.0/16 === 192.168.1.0/24 TUNNEL | ||||||
| Security Associations (SAs) (0 up, 0 connecting): | Security Associations (SAs): | ||||||
|   none |      net-net[1]: ESTABLISHED ... | ||||||
| ``` | ``` | ||||||
| 
 | 
 | ||||||
| This output confirms the configuration is loaded, but the tunnel may not yet be active. | What to check: | ||||||
|  | 
 | ||||||
|  | - The connection is listed as `ESTABLISHED` | ||||||
|  | - Subnets listed under the child SA should match your intended VPN traffic (e.g., `10.1.0.0/16 === 192.168.1.0/24`) | ||||||
| 
 | 
 | ||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
| ## 2. Bring Up the VPN Tunnel | ## 2. Verify VPN Network Connectivity | ||||||
| 
 |  | ||||||
| If the tunnel didn’t start automatically, initiate it manually from either VPN appliance: |  | ||||||
| 
 |  | ||||||
| ```bash |  | ||||||
| sudo ipsec up net-net |  | ||||||
| ``` |  | ||||||
| 
 |  | ||||||
| Then re-check the connection: |  | ||||||
| 
 |  | ||||||
| ```bash |  | ||||||
| sudo ipsec statusall |  | ||||||
| ``` |  | ||||||
| 
 |  | ||||||
| You should now see an established connection: |  | ||||||
| 
 |  | ||||||
| ``` |  | ||||||
| Connections: |  | ||||||
|      net-net[1]: ESTABLISHED 15s ago, 10.1.1.10...192.168.1.10 |  | ||||||
|      net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: ... |  | ||||||
|      net-net{1}:  10.1.1.0/24 === 192.168.1.0/24 |  | ||||||
| ``` |  | ||||||
| 
 |  | ||||||
| Key indicators: |  | ||||||
| 
 |  | ||||||
| - ESTABLISHED: Tunnel is active |  | ||||||
| - Subnet-to-subnet routing: 10.1.1.0/24===192.168.1.0/24 |  | ||||||
| 
 |  | ||||||
| --- |  | ||||||
| 
 |  | ||||||
| ## 3. Verify VPN-Backed Network Connectivity |  | ||||||
| 
 | 
 | ||||||
| Ping between hosts to validate that routing is working through the VPN tunnel: | Ping between hosts to validate that routing is working through the VPN tunnel: | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -4,6 +4,7 @@ packages: | ||||||
|   - strongswan |   - strongswan | ||||||
|   - iptables |   - iptables | ||||||
|   - net-tools |   - net-tools | ||||||
|  |   - procps  # Needed for sysctl | ||||||
| 
 | 
 | ||||||
| write_files: | write_files: | ||||||
|   - path: /etc/ipsec.conf |   - path: /etc/ipsec.conf | ||||||
|  | @ -13,7 +14,7 @@ write_files: | ||||||
|         charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2" |         charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2" | ||||||
| 
 | 
 | ||||||
|       conn net-net |       conn net-net | ||||||
|         auto=add |         auto=start | ||||||
|         keyexchange=ikev2 |         keyexchange=ikev2 | ||||||
|         authby=psk |         authby=psk | ||||||
|         left=${local_ip} |         left=${local_ip} | ||||||
|  | @ -34,8 +35,23 @@ write_files: | ||||||
|       ${leftid} ${rightid} : PSK "${psk}" |       ${leftid} ${rightid} : PSK "${psk}" | ||||||
| 
 | 
 | ||||||
| runcmd: | runcmd: | ||||||
|  |   # Enable IP forwarding | ||||||
|   - sysctl -w net.ipv4.ip_forward=1 |   - sysctl -w net.ipv4.ip_forward=1 | ||||||
|   - sed -i '/^#net.ipv4.ip_forward=1/c\net.ipv4.ip_forward=1' /etc/sysctl.conf |   - sed -i '/^#\?net.ipv4.ip_forward\s*=/c\net.ipv4.ip_forward=1' /etc/sysctl.conf | ||||||
|   - sysctl -p |   - sysctl -p | ||||||
|   - ipsec start | 
 | ||||||
|   - ipsec up net-net |   # Set up iptables rules | ||||||
|  |   # - iptables -t nat -A POSTROUTING -s ${local_subnet} -d ${remote_subnet} -j ACCEPT | ||||||
|  |   # - iptables -t nat -A POSTROUTING -s ${remote_subnet} -d ${local_subnet} -j ACCEPT | ||||||
|  |   # - iptables -t nat -A POSTROUTING -s ${local_subnet} ! -d ${local_subnet} -j MASQUERADE | ||||||
|  | 
 | ||||||
|  |   # Accept IPsec traffic | ||||||
|  |   # - iptables -A INPUT -p udp --dport 500 -j ACCEPT | ||||||
|  |   # - iptables -A INPUT -p udp --dport 4500 -j ACCEPT | ||||||
|  |   # - iptables -A INPUT -p esp -j ACCEPT | ||||||
|  |   # - iptables -A FORWARD -s ${local_subnet} -d ${remote_subnet} -m policy --pol ipsec --dir out -j ACCEPT | ||||||
|  |   # - iptables -A FORWARD -s ${remote_subnet} -d ${local_subnet} -m policy --pol ipsec --dir in -j ACCEPT | ||||||
|  | 
 | ||||||
|  |   # Enable and start strongSwan | ||||||
|  |   # - systemctl enable strongswan-starter | ||||||
|  |   # - systemctl start strongswan-starter | ||||||
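Review bot: In the last hunk, IP forwarding is turned on unconditionally while every iptables rule that would restrict what the appliance forwards — in particular the two `-m policy --pol ipsec` FORWARD rules — is only added as a comment, so the appliance will forward any traffic between its interfaces, not just IPsec-protected traffic, unless the image's default FORWARD policy already drops it. Either activate the restriction, e.g. `- iptables -P FORWARD DROP` followed by the two uncommented `iptables -A FORWARD ... -m policy --pol ipsec ...` lines (the INPUT rules for UDP 500/4500 and ESP are only needed if INPUT is not ACCEPT by default), or remove the commented-out block, since dead rules in cloud-init read as if they were applied. Note too that iptables rules added in `runcmd` do not survive a reboot without a save/restore mechanism, so a comment stating whether persistence is intended would help. The removed `ipsec start`/`ipsec up net-net` lines are replaced by `auto=start` in the second hunk, which relies on the strongswan service being enabled at boot; the `systemctl enable strongswan-starter` line that would guarantee that is also left commented, so the boot-time start the README describes rests on the package's default unit state. The cloud-init file name for this section is not visible on the page.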