multiple networks in sna

2025-07-07 10:39:42 +02:00 · 2025-07-07 10:39:42 +02:00 · 52ed9a868a
commit 52ed9a868a
parent 1e2990f9b2
4 changed files with 100 additions and 70 deletions
--- a/03-sw-appliances.tf
+++ b/03-sw-appliances.tf
@ -66,7 +66,7 @@ locals {
  appliance_ips = {
    appliance01 = {
      local_ip     = "10.1.1.10"
-      local_subnet = "10.1.1.0/24"
+      local_subnet = "10.1.0.0/16" # Allow both 10.1.1.0 and 10.1.2.0 via VPN
    }
    appliance02 = {
      local_ip     = "192.168.1.10"
@ -136,10 +136,10 @@ resource "stackit_server" "appliances" {
  ]
 }

-output "appliance01_public_ip" {
+output "appliance01_cloud01_public_ip" {
  value = stackit_public_ip.wan_ips_appliances["appliance01"].ip
 }

-output "appliance02_public_ip" {
+output "appliance02_onprem01_public_ip" {
  value = stackit_public_ip.wan_ips_appliances["appliance02"].ip
 }
--- a/04-vms.tf
+++ b/04-vms.tf
@ -6,16 +6,43 @@ resource "stackit_network_area_route" "vpn" {
  next_hop = "10.1.1.10"
 }

-resource "stackit_network_interface" "machine01_cloud02" {
+resource "stackit_network_interface" "machine01_cloud01" {
  project_id = stackit_resourcemanager_project.cloud.project_id
-  network_id = stackit_network.cloud_network02.network_id
-  ipv4       = "10.1.2.10"
+  network_id = stackit_network.cloud_network01.network_id
+  ipv4       = "10.1.1.11"
  security   = false
 }

-resource "stackit_server" "machine01_cloud" {
+resource "stackit_server" "machine01_cloud01" {
  project_id        = stackit_resourcemanager_project.cloud.project_id
-  name              = "machine01"
+  name              = "machine01cloud01"
+  availability_zone = "eu01-3"
+  machine_type      = "c1.4"
+  keypair_name      = stackit_key_pair.admin_keypair.name
+
+  boot_volume = {
+    size                  = 64
+    source_type           = "image"
+    source_id             = var.debian_image_id
+    performance_class     = "storage_premium_perf6"
+    delete_on_termination = true
+  }
+
+  network_interfaces = [
+    stackit_network_interface.machine01_cloud01.network_interface_id
+  ]
+}
+
+resource "stackit_network_interface" "machine01_cloud02" {
+  project_id = stackit_resourcemanager_project.cloud.project_id
+  network_id = stackit_network.cloud_network02.network_id
+  ipv4       = "10.1.2.11"
+  security   = false
+}
+
+resource "stackit_server" "machine01_cloud02" {
+  project_id        = stackit_resourcemanager_project.cloud.project_id
+  name              = "machine01cloud02"
  availability_zone = "eu01-3"
  machine_type      = "c1.4"
  keypair_name      = stackit_key_pair.admin_keypair.name
@ -33,11 +60,20 @@ resource "stackit_server" "machine01_cloud" {
  ]
 }

-resource "stackit_public_ip" "wan_ip_machine01" {
+resource "stackit_public_ip" "wan_ip_machine01_cloud01" {
+  project_id           = stackit_resourcemanager_project.cloud.project_id
+  network_interface_id = stackit_network_interface.machine01_cloud01.network_interface_id
+}
+
+resource "stackit_public_ip" "wan_ip_machine01_cloud02" {
  project_id           = stackit_resourcemanager_project.cloud.project_id
  network_interface_id = stackit_network_interface.machine01_cloud02.network_interface_id
 }

-output "machine01_public_ip" {
-  value = stackit_public_ip.wan_ip_machine01.ip
+output "machine01_cloud01_public_ip" {
+  value = stackit_public_ip.wan_ip_machine01_cloud01.ip
+}
+
+output "machine01_cloud02_public_ip" {
+  value = stackit_public_ip.wan_ip_machine01_cloud02.ip
 }
--- a/README.md
+++ b/README.md
@ -1,89 +1,67 @@
 # StrongSwan VPN Verification Guide

-This guide helps you verify that a site-to-site IPsec VPN tunnel using StrongSwan has been successfully established between virtual machines provisioned via Terraform and configured with cloud-init.
-
-## Hosts Overview
-
-The tunnel uses IKEv2 with a Pre-Shared Key (PSK) and is automatically established at boot.
-
-| Host        | IP Address   | Role                   |
-|-------------|--------------|------------------------|
-| appliance01 | 10.1.1.10    | Cloud VPN Appliance    |
-| machine01   | 10.1.1.11    | Cloud Internal Machine |
-| appliance02 | 192.168.1.10 | On-Prem VPN Appliance  |
+This document helps verify the successful setup of a site-to-site IPsec VPN tunnel using StrongSwan. The environment is provisioned with Terraform and initialized with cloud-init. The VPN configuration uses IKEv2 with a pre-shared key (PSK) and automatically starts during system boot.

 ---

-## 🔧 Architecture
+## Network Overview
+
+The VPN connects a cloud network with an on-premises network, enabling secure, encrypted traffic between them.
+
+| Host             | IP Address   | Subnet         | Role                   |
+|------------------|--------------|----------------|------------------------|
+| appliance01      | 10.1.1.10    | 10.1.1.0/24    | Cloud VPN Appliance    |
+| machine01cloud01 | 10.1.1.11    | 10.1.1.0/24    | Cloud Internal Machine |
+| machine01cloud02 | 10.2.1.11    | 10.2.1.0/24    | Cloud Internal Machine |
+| appliance02      | 192.168.1.10 | 192.168.1.0/24 | On-Prem VPN Appliance  |
+
+---
+
+## Architecture

 ![Architecture Diagram](docs/network-architecture.png)

+This diagram illustrates the VPN tunnel between `appliance01` (cloud) and `appliance02` (on-prem), supporting encrypted traffic between the routed subnets.
+
 ---

-## 1. Check StrongSwan Service Status
+## 1. Verify StrongSwan Service

-SSH into each machine using its public IP:
+To confirm the IPsec service is running and properly configured, SSH into each VPN appliance using the appropriate public IP address:

 ```bash
-ssh -i ~/.ssh/id_rsa debian@<machine-public-ip>
+ssh -i ~/.ssh/id_rsa debian@<appliance-public-ip>
 ```

-Once logged in, verify the StrongSwan service:
+Then run:

 ```bash
 sudo ipsec statusall
 ```

-Expected output should resemble:
+Sample expected output:

 ```
-Status of IKE charon daemon (strongSwan 5.9.8, Linux ...):
+Status of IKE charon daemon (strongSwan 5.x.x, Linux x.x.x):
  uptime: ...
  worker threads: ...
 Connections:
     net-net:  10.1.1.10...192.168.1.10  IKEv2, dpddelay=30s
     net-net:    local:  [10.1.1.10] uses pre-shared key authentication
     net-net:    remote: [192.168.1.10] uses pre-shared key authentication
-     net-net:   child:  10.1.1.0/24 === 192.168.1.0/24 TUNNEL
-Security Associations (SAs) (0 up, 0 connecting):
-  none
+     net-net:    child:  10.1.0.0/16 === 192.168.1.0/24 TUNNEL
+Security Associations (SAs):
+     net-net[1]: ESTABLISHED ...
 ```

-This output confirms the configuration is loaded, but the tunnel may not yet be active.
+What to check:
+
+- The connection is listed as `ESTABLISHED`
+- Subnets listed under the child SA should match your intended VPN traffic (e.g., `10.1.0.0/16 === 192.168.1.0/24`)

 ---

-## 2. Bring Up the VPN Tunnel
-
-If the tunnel didn’t start automatically, initiate it manually from either VPN appliance:
-
-```bash
-sudo ipsec up net-net
-```
-
-Then re-check the connection:
-
-```bash
-sudo ipsec statusall
-```
-
-You should now see an established connection:
-
-```
-Connections:
-     net-net[1]: ESTABLISHED 15s ago, 10.1.1.10...192.168.1.10
-     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: ...
-     net-net{1}:  10.1.1.0/24 === 192.168.1.0/24
-```
-
-Key indicators:
-
- ESTABLISHED: Tunnel is active
- Subnet-to-subnet routing: 10.1.1.0/24===192.168.1.0/24
-
---
-
-## 3. Verify VPN-Backed Network Connectivity
+## 2. Verify VPN Network Connectivity

 Ping between hosts to validate that routing is working through the VPN tunnel:

--- a/cloud-init.yaml
+++ b/cloud-init.yaml
@ -4,6 +4,7 @@ packages:
  - strongswan
  - iptables
  - net-tools
+  - procps  # Needed for sysctl

 write_files:
  - path: /etc/ipsec.conf
@ -13,7 +14,7 @@ write_files:
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

      conn net-net
-        auto=add
+        auto=start
        keyexchange=ikev2
        authby=psk
        left=${local_ip}
@ -34,8 +35,23 @@ write_files:
      ${leftid} ${rightid} : PSK "${psk}"

 runcmd:
+  # Enable IP forwarding
  - sysctl -w net.ipv4.ip_forward=1
-  - sed -i '/^#net.ipv4.ip_forward=1/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
+  - sed -i '/^#\?net.ipv4.ip_forward\s*=/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
  - sysctl -p
-  - ipsec start
-  - ipsec up net-net
+
+  # Set up iptables rules
+  # - iptables -t nat -A POSTROUTING -s ${local_subnet} -d ${remote_subnet} -j ACCEPT
+  # - iptables -t nat -A POSTROUTING -s ${remote_subnet} -d ${local_subnet} -j ACCEPT
+  # - iptables -t nat -A POSTROUTING -s ${local_subnet} ! -d ${local_subnet} -j MASQUERADE
+
+  # Accept IPsec traffic
+  # - iptables -A INPUT -p udp --dport 500 -j ACCEPT
+  # - iptables -A INPUT -p udp --dport 4500 -j ACCEPT
+  # - iptables -A INPUT -p esp -j ACCEPT
+  # - iptables -A FORWARD -s ${local_subnet} -d ${remote_subnet} -m policy --pol ipsec --dir out -j ACCEPT
+  # - iptables -A FORWARD -s ${remote_subnet} -d ${local_subnet} -m policy --pol ipsec --dir in -j ACCEPT
+
+  # Enable and start strongSwan
+  # - systemctl enable strongswan-starter
+  # - systemctl start strongswan-starter