update code
This commit is contained in:
		
							parent
							
								
									440c4de5ab
								
							
						
					
					
						commit
						9007bbcc08
					
				
					 4 changed files with 173 additions and 27 deletions
				
			
		|  | @ -1,7 +1,13 @@ | ||||||
| variable "stackit_project_id" { | variable "stackit_project_id_machine01" { | ||||||
|   type = string |   description = "Project ID for machine01" | ||||||
|   /*default = "XXXXX-XXXX-XXXX-XXXX-XXXXXXX"*/ |  | ||||||
|   default     = "d75e6aab-b616-4b42-ae3b-aaf161ad626d" |   default     = "d75e6aab-b616-4b42-ae3b-aaf161ad626d" | ||||||
|  |   type        = string | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | variable "stackit_project_id_machine02" { | ||||||
|  |   description = "Project ID for machine02" | ||||||
|  |   default     = "c30f0bc4-1b8c-430e-adff-9e862d3b2cd0" | ||||||
|  |   type        = string | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| variable "stackit_region" { | variable "stackit_region" { | ||||||
|  |  | ||||||
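Review bot: Both new variables ship real project UUIDs as `default` values, so a `terraform apply` run without a tfvars file silently targets those two projects, and the IDs are now part of the repository history. Prefer declaring them without a default (or `default = null` plus a `validation` block) and supplying the values through a git-ignored `terraform.tfvars` or `TF_VAR_stackit_project_id_machine01`/`..._machine02`, so a fresh clone cannot act on the wrong projects by accident. The placeholder comment this hunk removes suggests that was the original intent.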
							
								
								
									
										64
									
								
								02-main.tf
									
									
									
									
									
								
							
							
						
						
									
							|  | @ -6,14 +6,14 @@ resource "stackit_key_pair" "admin_keypair" { | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| resource "stackit_network" "machine01" { | resource "stackit_network" "machine01" { | ||||||
|   project_id       = var.stackit_project_id |   project_id       = var.stackit_project_id_machine01 | ||||||
|   ipv4_prefix      = "10.1.1.0/24" |   ipv4_prefix      = "10.1.1.0/24" | ||||||
|   name             = "network-machine01" |   name             = "network-machine01" | ||||||
|   ipv4_nameservers = ["9.9.9.9", "1.1.1.1"] |   ipv4_nameservers = ["9.9.9.9", "1.1.1.1"] | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| resource "stackit_network" "machine02" { | resource "stackit_network" "machine02" { | ||||||
|   project_id       = var.stackit_project_id |   project_id       = var.stackit_project_id_machine02 | ||||||
|   ipv4_prefix      = "10.2.2.0/24" |   ipv4_prefix      = "10.2.2.0/24" | ||||||
|   name             = "network-machine02" |   name             = "network-machine02" | ||||||
|   ipv4_nameservers = ["9.9.9.9", "1.1.1.1"] |   ipv4_nameservers = ["9.9.9.9", "1.1.1.1"] | ||||||
|  | @ -24,39 +24,65 @@ resource "stackit_network_interface" "machines" { | ||||||
|     machine01 = { |     machine01 = { | ||||||
|       network_id = stackit_network.machine01.network_id |       network_id = stackit_network.machine01.network_id | ||||||
|       ipv4       = "10.1.1.10" |       ipv4       = "10.1.1.10" | ||||||
|  |       project_id = var.stackit_project_id_machine01 | ||||||
|     } |     } | ||||||
|     machine02 = { |     machine02 = { | ||||||
|       network_id = stackit_network.machine02.network_id |       network_id = stackit_network.machine02.network_id | ||||||
|       ipv4       = "10.2.2.10" |       ipv4       = "10.2.2.10" | ||||||
|  |       project_id = var.stackit_project_id_machine02 | ||||||
|     } |     } | ||||||
|   } |   } | ||||||
| 
 | 
 | ||||||
|   project_id = var.stackit_project_id |   project_id = each.value.project_id | ||||||
|   network_id = each.value.network_id |   network_id = each.value.network_id | ||||||
|   ipv4       = each.value.ipv4 |   ipv4       = each.value.ipv4 | ||||||
|   security   = false |   security   = false | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| resource "stackit_public_ip" "wan_ips" { | resource "stackit_public_ip" "wan_ips" { | ||||||
|   for_each = stackit_network_interface.machines |   for_each = { | ||||||
|  |     machine01 = { | ||||||
|  |       network_interface_id = stackit_network_interface.machines["machine01"].network_interface_id | ||||||
|  |       project_id           = var.stackit_project_id_machine01 | ||||||
|  |     } | ||||||
|  |     machine02 = { | ||||||
|  |       network_interface_id = stackit_network_interface.machines["machine02"].network_interface_id | ||||||
|  |       project_id           = var.stackit_project_id_machine02 | ||||||
|  |     } | ||||||
|  |   } | ||||||
| 
 | 
 | ||||||
|   project_id           = var.stackit_project_id |   project_id           = each.value.project_id | ||||||
|   network_interface_id = each.value.network_interface_id |   network_interface_id = each.value.network_interface_id | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| locals { | locals { | ||||||
|   vpn_config = { |   machine_ips = { | ||||||
|     machine01 = { |     machine01 = { | ||||||
|       local_ip     = "10.1.1.10" |       local_ip     = "10.1.1.10" | ||||||
|       remote_ip     = stackit_public_ip.wan_ips["machine02"].ip |  | ||||||
|       local_subnet = "10.1.1.0/24" |       local_subnet = "10.1.1.0/24" | ||||||
|       remote_subnet = "10.2.2.0/24" |  | ||||||
|     } |     } | ||||||
|     machine02 = { |     machine02 = { | ||||||
|       local_ip     = "10.2.2.10" |       local_ip     = "10.2.2.10" | ||||||
|       remote_ip     = stackit_public_ip.wan_ips["machine01"].ip |  | ||||||
|       local_subnet = "10.2.2.0/24" |       local_subnet = "10.2.2.0/24" | ||||||
|       remote_subnet = "10.1.1.0/24" |     } | ||||||
|  |   } | ||||||
|  | 
 | ||||||
|  |   vpn_config = { | ||||||
|  |     machine01 = { | ||||||
|  |       local_ip      = local.machine_ips.machine01.local_ip | ||||||
|  |       remote_ip     = stackit_public_ip.wan_ips["machine02"].ip | ||||||
|  |       local_subnet  = local.machine_ips.machine01.local_subnet | ||||||
|  |       remote_subnet = local.machine_ips.machine02.local_subnet | ||||||
|  |       leftid        = stackit_public_ip.wan_ips["machine01"].ip | ||||||
|  |       rightid       = stackit_public_ip.wan_ips["machine02"].ip | ||||||
|  |     } | ||||||
|  |     machine02 = { | ||||||
|  |       local_ip      = local.machine_ips.machine02.local_ip | ||||||
|  |       remote_ip     = stackit_public_ip.wan_ips["machine01"].ip | ||||||
|  |       local_subnet  = local.machine_ips.machine02.local_subnet | ||||||
|  |       remote_subnet = local.machine_ips.machine01.local_subnet | ||||||
|  |       leftid        = stackit_public_ip.wan_ips["machine02"].ip | ||||||
|  |       rightid       = stackit_public_ip.wan_ips["machine01"].ip | ||||||
|     } |     } | ||||||
|   } |   } | ||||||
| 
 | 
 | ||||||
|  | @ -71,13 +97,23 @@ locals { | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| resource "stackit_server" "machines" { | resource "stackit_server" "machines" { | ||||||
|   for_each = toset(["machine01", "machine02"]) |   for_each = { | ||||||
| 
 |     machine01 = { | ||||||
|   project_id        = var.stackit_project_id |       project_id        = var.stackit_project_id_machine01 | ||||||
|   name              = each.key |  | ||||||
|       availability_zone = "eu01-1" |       availability_zone = "eu01-1" | ||||||
|  |     } | ||||||
|  |     machine02 = { | ||||||
|  |       project_id        = var.stackit_project_id_machine02 | ||||||
|  |       availability_zone = "eu01-2" | ||||||
|  |     } | ||||||
|  |   } | ||||||
|  | 
 | ||||||
|  |   project_id        = each.value.project_id | ||||||
|  |   name              = each.key | ||||||
|  |   availability_zone = each.value.availability_zone | ||||||
|   machine_type      = "c1.4" |   machine_type      = "c1.4" | ||||||
|   keypair_name      = stackit_key_pair.admin_keypair.name |   keypair_name      = stackit_key_pair.admin_keypair.name | ||||||
|  | 
 | ||||||
|   user_data = local.init_config[each.key] |   user_data = local.init_config[each.key] | ||||||
| 
 | 
 | ||||||
|   boot_volume = { |   boot_volume = { | ||||||
|  |  | ||||||
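Review bot: `security = false` on `stackit_network_interface.machines` (first hunk of this file) is carried over unchanged while the same interfaces now get public addresses in `stackit_public_ip.wan_ips`, and nothing visible in this file attaches a security group. If that flag disables port security as it does on OpenStack-based platforms, each gateway's WAN IP is reachable on every port with only the guest firewall in the way — and the visible cloud-init hunks install `iptables` but contain no rules. Either keep port security on and permit the forwarded remote subnet through the interface's allowed-address list, if the provider exposes one, or document the trade-off next to the flag and add host rules limiting ingress to UDP 500/4500, ESP and admin SSH. A comment such as `# port security off so forwarded 10.x.x.0/24 traffic is not anti-spoof dropped; WAN IP is unfiltered, host firewall required` would make the decision explicit for the next reader.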
							
								
								
									
										97
									
								
								README.md
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							|  | @ -0,0 +1,97 @@ | ||||||
|  | # StrongSwan VPN Verification Guide | ||||||
|  | 
 | ||||||
|  | This guide helps verify that an IPsec VPN tunnel using StrongSwan is properly established between the following machines  | ||||||
|  | provisioned via Terraform and configured with cloud-init: | ||||||
|  | 
 | ||||||
|  | - `machine01` → IP: `10.1.1.10` | ||||||
|  | - `machine02` → IP: `10.2.2.10` | ||||||
|  | 
 | ||||||
|  | The VPN uses IKEv2 and a Pre-Shared Key (PSK) to create a site-to-site tunnel automatically on boot. | ||||||
|  | 
 | ||||||
|  | --- | ||||||
|  | 
 | ||||||
|  | ## 1. Check the StrongSwan Service | ||||||
|  | 
 | ||||||
|  | SSH into both machines: | ||||||
|  | 
 | ||||||
|  | ```sh | ||||||
|  | ssh -i ~/.ssh/id_rsa debian@<machine-public-ip> | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | Once logged in on each peer, run: | ||||||
|  | 
 | ||||||
|  | ```sh | ||||||
|  | sudo ipsec statusall | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | You should see output like the following: | ||||||
|  | 
 | ||||||
|  | ``` | ||||||
|  | Status of IKE charon daemon (strongSwan 5.9.8, Linux ...): | ||||||
|  |   uptime: ... | ||||||
|  |   worker threads: ... | ||||||
|  | Connections: | ||||||
|  |      net-net:  10.1.1.10...10.2.2.10  IKEv2, dpddelay=30s | ||||||
|  |      net-net:   local:  [10.1.1.10] uses pre-shared key authentication | ||||||
|  |      net-net:   remote: [10.2.2.10] uses pre-shared key authentication | ||||||
|  |      net-net:   child:  10.1.1.0/24 === 10.2.2.0/24 TUNNEL | ||||||
|  | Security Associations (SAs) (0 up, 0 connecting): | ||||||
|  |   none | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | At this point, the configuration is loaded but the tunnel might not be up yet. | ||||||
|  | 
 | ||||||
|  | --- | ||||||
|  | 
 | ||||||
|  | ## 2. Bring Up and Verify the VPN Tunnel | ||||||
|  | 
 | ||||||
|  | If the VPN does not connect automatically, you can initiate it manually from either peer: | ||||||
|  | 
 | ||||||
|  | ```sh | ||||||
|  | sudo ipsec up net-net | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | Then recheck the status: | ||||||
|  | 
 | ||||||
|  | ```sh | ||||||
|  | sudo ipsec statusall | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | You should see something like: | ||||||
|  | 
 | ||||||
|  | ``` | ||||||
|  | Connections: | ||||||
|  |      net-net[1]: ESTABLISHED 15s ago, 10.1.1.10...10.2.2.10 | ||||||
|  |      net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: ... | ||||||
|  |      net-net{1}:  10.1.1.0/24 === 10.2.2.0/24 | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | ✅ Look for the following: | ||||||
|  | - `ESTABLISHED` — the tunnel is active. | ||||||
|  | - Correct subnets in `===`, e.g., `10.1.1.0/24 === 10.2.2.0/24`. | ||||||
|  | 
 | ||||||
|  | --- | ||||||
|  | 
 | ||||||
|  | ## 🧪 3. Test Connectivity Through the VPN | ||||||
|  | 
 | ||||||
|  | Ping from one internal IP to the other (inside each VM): | ||||||
|  | 
 | ||||||
|  | ```sh | ||||||
|  | # On machine01 | ||||||
|  | ping 10.2.2.10 | ||||||
|  | 
 | ||||||
|  | # On machine02 | ||||||
|  | ping 10.1.1.10 | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | Expect responses showing that packets are routed through the tunnel. | ||||||
|  | 
 | ||||||
|  | --- | ||||||
|  | 
 | ||||||
|  | ## 4. Optional: Check Routing Table | ||||||
|  | 
 | ||||||
|  | Although not strictly necessary, you can confirm local routing with: | ||||||
|  | 
 | ||||||
|  | ```sh | ||||||
|  | ip route | ||||||
|  | ``` | ||||||
|  | @ -3,21 +3,24 @@ package_update: true | ||||||
| packages: | packages: | ||||||
|   - strongswan |   - strongswan | ||||||
|   - iptables |   - iptables | ||||||
|  |   - net-tools | ||||||
| 
 | 
 | ||||||
| write_files: | write_files: | ||||||
|   - path: /etc/ipsec.conf |   - path: /etc/ipsec.conf | ||||||
|  |     permissions: '0644' | ||||||
|     content: | |     content: | | ||||||
|       config setup |       config setup | ||||||
|         charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2" |         charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2" | ||||||
| 
 | 
 | ||||||
|       conn net-net |       conn net-net | ||||||
|         auto=start |         auto=add | ||||||
|         keyexchange=ikev2 |         keyexchange=ikev2 | ||||||
|         authby=psk |         authby=psk | ||||||
|         left=%any |         left=${local_ip} | ||||||
|         leftid=${local_ip} |         leftid=${leftid} | ||||||
|         leftsubnet=${local_subnet} |         leftsubnet=${local_subnet} | ||||||
|         right=${remote_ip} |         right=${remote_ip} | ||||||
|  |         rightid=${rightid} | ||||||
|         rightsubnet=${remote_subnet} |         rightsubnet=${remote_subnet} | ||||||
|         ike=aes256-sha1-modp1024! |         ike=aes256-sha1-modp1024! | ||||||
|         esp=aes256-sha1! |         esp=aes256-sha1! | ||||||
|  | @ -26,9 +29,13 @@ write_files: | ||||||
|         dpdtimeout=120s |         dpdtimeout=120s | ||||||
| 
 | 
 | ||||||
|   - path: /etc/ipsec.secrets |   - path: /etc/ipsec.secrets | ||||||
|  |     permissions: '0600' | ||||||
|     content: | |     content: | | ||||||
|       ${local_ip} ${remote_ip} : PSK "${psk}" |       ${leftid} ${rightid} : PSK "${psk}" | ||||||
| 
 | 
 | ||||||
| runcmd: | runcmd: | ||||||
|   - sysctl -w net.ipv4.ip_forward=1 |   - sysctl -w net.ipv4.ip_forward=1 | ||||||
|   - systemctl enable --now strongswan |   - sed -i '/^#net.ipv4.ip_forward=1/c\net.ipv4.ip_forward=1' /etc/sysctl.conf | ||||||
|  |   - sysctl -p | ||||||
|  |   - ipsec start | ||||||
|  |   - ipsec up net-net | ||||||
|  |  | ||||||
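Review bot: The `ike=aes256-sha1-modp1024!` / `esp=aes256-sha1!` proposals at the end of the first hunk are left untouched and are the weakest part of this tunnel: SHA-1 as PRF/integrity and the 1024-bit MODP group are both deprecated, and the trailing `!` makes them the only proposals either side will accept. Because both peers are rendered from this same template, moving to `ike=aes256-sha256-modp2048!` and `esp=aes256-sha256-modp2048!` (or an AES-GCM/ECP suite) costs nothing in interoperability. The new `permissions: '0600'` on `/etc/ipsec.secrets` is the right direction, but the same `${psk}` is also embedded in the rendered user_data, which cloud-init keeps on disk and which an OpenStack-style metadata service typically serves unauthenticated to any local process — so the PSK should be treated as readable by everything on the host, not only root. Separately, `auto=add` combined with `ipsec up net-net` in `runcmd` initiates the tunnel only on first boot; after a reboot nothing on this side brings it up unless the remote peer's DPD action does (`dpdaction` sits between the two hunks and is not visible), so `auto=start` or `auto=route` is probably what is wanted here.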