professional-service-best-practices/terraform-strongswan-deployment
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

multiple networks in sna
All checks were successful
CI / TruffleHog Secrets Scan (push) Successful in 6s
Details
CI / Terraform Format & Validate (push) Successful in 7s
Details

Browse source
This commit is contained in:
Mauritz_Uphoff 2025-07-07 10:39:42 +02:00
parent 1e2990f9b2
commit 52ed9a868a
4 changed files with 100 additions and 70 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
03-sw-appliances.tf
View file

@ -66,7 +66,7 @@ locals {
appliance_ips = { appliance_ips = {
appliance01 = { appliance01 = {
local_ip = "10.1.1.10" local_ip = "10.1.1.10"
local_subnet = "10.1.1.0/24" local_subnet = "10.1.0.0/16" # Allow both 10.1.1.0 and 10.1.2.0 via VPN
} }
appliance02 = { appliance02 = {
local_ip = "192.168.1.10" local_ip = "192.168.1.10"
@ -136,10 +136,10 @@ resource "stackit_server" "appliances" {
] ]
} }
output "appliance01_public_ip" { output "appliance01_cloud01_public_ip" {
value = stackit_public_ip.wan_ips_appliances["appliance01"].ip value = stackit_public_ip.wan_ips_appliances["appliance01"].ip
} }
output "appliance02_public_ip" { output "appliance02_onprem01_public_ip" {
value = stackit_public_ip.wan_ips_appliances["appliance02"].ip value = stackit_public_ip.wan_ips_appliances["appliance02"].ip
} }

52
04-vms.tf
View file

@ -6,16 +6,43 @@ resource "stackit_network_area_route" "vpn" {
next_hop = "10.1.1.10" next_hop = "10.1.1.10"
} }
resource "stackit_network_interface" "machine01_cloud02" { resource "stackit_network_interface" "machine01_cloud01" {
project_id = stackit_resourcemanager_project.cloud.project_id project_id = stackit_resourcemanager_project.cloud.project_id
network_id = stackit_network.cloud_network02.network_id network_id = stackit_network.cloud_network01.network_id
ipv4 = "10.1.2.10" ipv4 = "10.1.1.11"
security = false security = false
} }
resource "stackit_server" "machine01_cloud" { resource "stackit_server" "machine01_cloud01" {
project_id = stackit_resourcemanager_project.cloud.project_id project_id = stackit_resourcemanager_project.cloud.project_id
name = "machine01" name = "machine01cloud01"
availability_zone = "eu01-3"
machine_type = "c1.4"
keypair_name = stackit_key_pair.admin_keypair.name
boot_volume = {
size = 64
source_type = "image"
source_id = var.debian_image_id
performance_class = "storage_premium_perf6"
delete_on_termination = true
}
network_interfaces = [
stackit_network_interface.machine01_cloud01.network_interface_id
]
}
resource "stackit_network_interface" "machine01_cloud02" {
project_id = stackit_resourcemanager_project.cloud.project_id
network_id = stackit_network.cloud_network02.network_id
ipv4 = "10.1.2.11"
security = false
}
resource "stackit_server" "machine01_cloud02" {
project_id = stackit_resourcemanager_project.cloud.project_id
name = "machine01cloud02"
availability_zone = "eu01-3" availability_zone = "eu01-3"
machine_type = "c1.4" machine_type = "c1.4"
keypair_name = stackit_key_pair.admin_keypair.name keypair_name = stackit_key_pair.admin_keypair.name
@ -33,11 +60,20 @@ resource "stackit_server" "machine01_cloud" {
] ]
} }
resource "stackit_public_ip" "wan_ip_machine01" { resource "stackit_public_ip" "wan_ip_machine01_cloud01" {
project_id = stackit_resourcemanager_project.cloud.project_id
network_interface_id = stackit_network_interface.machine01_cloud01.network_interface_id
}
resource "stackit_public_ip" "wan_ip_machine01_cloud02" {
project_id = stackit_resourcemanager_project.cloud.project_id project_id = stackit_resourcemanager_project.cloud.project_id
network_interface_id = stackit_network_interface.machine01_cloud02.network_interface_id network_interface_id = stackit_network_interface.machine01_cloud02.network_interface_id
} }
output "machine01_public_ip" { output "machine01_cloud01_public_ip" {
value = stackit_public_ip.wan_ip_machine01.ip value = stackit_public_ip.wan_ip_machine01_cloud01.ip
}
output "machine01_cloud02_public_ip" {
value = stackit_public_ip.wan_ip_machine01_cloud02.ip
} }

88
README.md
View file

@ -1,89 +1,67 @@
# StrongSwan VPN Verification Guide # StrongSwan VPN Verification Guide
This guide helps you verify that a site-to-site IPsec VPN tunnel using StrongSwan has been successfully established between virtual machines provisioned via Terraform and configured with cloud-init. This document helps verify the successful setup of a site-to-site IPsec VPN tunnel using StrongSwan. The environment is provisioned with Terraform and initialized with cloud-init. The VPN configuration uses IKEv2 with a pre-shared key (PSK) and automatically starts during system boot.
## Hosts Overview
The tunnel uses IKEv2 with a Pre-Shared Key (PSK) and is automatically established at boot.
| Host | IP Address | Role |
|-------------|--------------|------------------------|
| appliance01 | 10.1.1.10 | Cloud VPN Appliance |
| machine01 | 10.1.1.11 | Cloud Internal Machine |
| appliance02 | 192.168.1.10 | On-Prem VPN Appliance |
--- ---
## 🔧 Architecture ## Network Overview
The VPN connects a cloud network with an on-premises network, enabling secure, encrypted traffic between them.
| Host | IP Address | Subnet | Role |
|------------------|--------------|----------------|------------------------|
| appliance01 | 10.1.1.10 | 10.1.1.0/24 | Cloud VPN Appliance |
| machine01cloud01 | 10.1.1.11 | 10.1.1.0/24 | Cloud Internal Machine |
| machine01cloud02 | 10.2.1.11 | 10.2.1.0/24 | Cloud Internal Machine |
| appliance02 | 192.168.1.10 | 192.168.1.0/24 | On-Prem VPN Appliance |
---
## Architecture
![Architecture Diagram](docs/network-architecture.png) ![Architecture Diagram](docs/network-architecture.png)
This diagram illustrates the VPN tunnel between `appliance01` (cloud) and `appliance02` (on-prem), supporting encrypted traffic between the routed subnets.
--- ---
## 1. Check StrongSwan Service Status ## 1. Verify StrongSwan Service
SSH into each machine using its public IP: To confirm the IPsec service is running and properly configured, SSH into each VPN appliance using the appropriate public IP address:
```bash ```bash
ssh -i ~/.ssh/id_rsa debian@<machine-public-ip> ssh -i ~/.ssh/id_rsa debian@<appliance-public-ip>
``` ```
Once logged in, verify the StrongSwan service: Then run:
```bash ```bash
sudo ipsec statusall sudo ipsec statusall
``` ```
Expected output should resemble: Sample expected output:
``` ```
Status of IKE charon daemon (strongSwan 5.9.8, Linux ...): Status of IKE charon daemon (strongSwan 5.x.x, Linux x.x.x):
uptime: ... uptime: ...
worker threads: ... worker threads: ...
Connections: Connections:
net-net: 10.1.1.10...192.168.1.10 IKEv2, dpddelay=30s net-net: 10.1.1.10...192.168.1.10 IKEv2, dpddelay=30s
net-net: local: [10.1.1.10] uses pre-shared key authentication net-net: local: [10.1.1.10] uses pre-shared key authentication
net-net: remote: [192.168.1.10] uses pre-shared key authentication net-net: remote: [192.168.1.10] uses pre-shared key authentication
net-net: child: 10.1.1.0/24 === 192.168.1.0/24 TUNNEL net-net: child: 10.1.0.0/16 === 192.168.1.0/24 TUNNEL
Security Associations (SAs) (0 up, 0 connecting): Security Associations (SAs):
none net-net[1]: ESTABLISHED ...
``` ```
This output confirms the configuration is loaded, but the tunnel may not yet be active. What to check:
- The connection is listed as `ESTABLISHED`
- Subnets listed under the child SA should match your intended VPN traffic (e.g., `10.1.0.0/16 === 192.168.1.0/24`)
--- ---
## 2. Bring Up the VPN Tunnel ## 2. Verify VPN Network Connectivity
If the tunnel didnt start automatically, initiate it manually from either VPN appliance:
```bash
sudo ipsec up net-net
```
Then re-check the connection:
```bash
sudo ipsec statusall
```
You should now see an established connection:
```
Connections:
net-net[1]: ESTABLISHED 15s ago, 10.1.1.10...192.168.1.10
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: ...
net-net{1}: 10.1.1.0/24 === 192.168.1.0/24
```
Key indicators:
- ESTABLISHED: Tunnel is active
- Subnet-to-subnet routing: 10.1.1.0/24===192.168.1.0/24
---
## 3. Verify VPN-Backed Network Connectivity
Ping between hosts to validate that routing is working through the VPN tunnel: Ping between hosts to validate that routing is working through the VPN tunnel:

24
cloud-init.yaml
View file

@ -4,6 +4,7 @@ packages:
- strongswan - strongswan
- iptables - iptables
- net-tools - net-tools
- procps # Needed for sysctl
write_files: write_files:
- path: /etc/ipsec.conf - path: /etc/ipsec.conf
@ -13,7 +14,7 @@ write_files:
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2" charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
conn net-net conn net-net
auto=add auto=start
keyexchange=ikev2 keyexchange=ikev2
authby=psk authby=psk
left=${local_ip} left=${local_ip}
@ -34,8 +35,23 @@ write_files:
${leftid} ${rightid} : PSK "${psk}" ${leftid} ${rightid} : PSK "${psk}"
runcmd: runcmd:
# Enable IP forwarding
- sysctl -w net.ipv4.ip_forward=1 - sysctl -w net.ipv4.ip_forward=1
- sed -i '/^#net.ipv4.ip_forward=1/c\net.ipv4.ip_forward=1' /etc/sysctl.conf - sed -i '/^#\?net.ipv4.ip_forward\s*=/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
- sysctl -p - sysctl -p
- ipsec start
- ipsec up net-net # Set up iptables rules
# - iptables -t nat -A POSTROUTING -s ${local_subnet} -d ${remote_subnet} -j ACCEPT
# - iptables -t nat -A POSTROUTING -s ${remote_subnet} -d ${local_subnet} -j ACCEPT
# - iptables -t nat -A POSTROUTING -s ${local_subnet} ! -d ${local_subnet} -j MASQUERADE
# Accept IPsec traffic
# - iptables -A INPUT -p udp --dport 500 -j ACCEPT
# - iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# - iptables -A INPUT -p esp -j ACCEPT
# - iptables -A FORWARD -s ${local_subnet} -d ${remote_subnet} -m policy --pol ipsec --dir out -j ACCEPT
# - iptables -A FORWARD -s ${remote_subnet} -d ${local_subnet} -m policy --pol ipsec --dir in -j ACCEPT
# Enable and start strongSwan
# - systemctl enable strongswan-starter
# - systemctl start strongswan-starter