dev-multiple-machines (#2)

Reviewed-on: #2
Co-authored-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>
Co-committed-by: Mauritz Uphoff <mauritz.uphoff@stackit.cloud>

03-sw-appliances.tf

@@ -8,14 +8,21 @@ resource "stackit_key_pair" "admin_keypair" {
 resource "stackit_network" "cloud_network01" {
   project_id       = stackit_resourcemanager_project.cloud.project_id
   ipv4_prefix      = "10.1.1.0/24"
-  name             = "network-01"
+  name             = "cloud-network-01"
+  ipv4_nameservers = ["9.9.9.9", "1.1.1.1"]
+}
+
+resource "stackit_network" "cloud_network02" {
+  project_id       = stackit_resourcemanager_project.cloud.project_id
+  ipv4_prefix      = "10.1.2.0/24"
+  name             = "cloud-network-02"
   ipv4_nameservers = ["9.9.9.9", "1.1.1.1"]
 }
 
 resource "stackit_network" "onprem_network01" {
   project_id       = stackit_resourcemanager_project.onprem.project_id
   ipv4_prefix      = "192.168.1.0/24"
-  name             = "network-02"
+  name             = "onprem-network-02"
   ipv4_nameservers = ["9.9.9.9", "1.1.1.1"]
 }
 
@@ -59,7 +66,7 @@ locals {
   appliance_ips = {
     appliance01 = {
       local_ip     = "10.1.1.10"
-      local_subnet = "10.1.1.0/24"
+      local_subnet = "10.1.0.0/16" # Allow both 10.1.1.0 and 10.1.2.0 via VPN
     }
     appliance02 = {
       local_ip     = "192.168.1.10"
@@ -129,10 +136,10 @@ resource "stackit_server" "appliances" {
   ]
 }
 
-output "appliance01_public_ip" {
+output "appliance01_cloud01_public_ip" {
   value = stackit_public_ip.wan_ips_appliances["appliance01"].ip
 }
 
-output "appliance02_public_ip" {
+output "appliance02_onprem01_public_ip" {
   value = stackit_public_ip.wan_ips_appliances["appliance02"].ip
 }

04-vms.tf

@@ -6,16 +6,16 @@ resource "stackit_network_area_route" "vpn" {
   next_hop = "10.1.1.10"
 }
 
-resource "stackit_network_interface" "machine01_cloud" {
+resource "stackit_network_interface" "machine01_cloud01" {
   project_id = stackit_resourcemanager_project.cloud.project_id
   network_id = stackit_network.cloud_network01.network_id
   ipv4       = "10.1.1.11"
   security   = false
 }
 
-resource "stackit_server" "machine01_cloud" {
+resource "stackit_server" "machine01_cloud01" {
   project_id        = stackit_resourcemanager_project.cloud.project_id
-  name              = "machine01"
+  name              = "machine01cloud01"
   availability_zone = "eu01-3"
   machine_type      = "c1.4"
   keypair_name      = stackit_key_pair.admin_keypair.name
@@ -29,15 +29,51 @@ resource "stackit_server" "machine01_cloud" {
   }
 
   network_interfaces = [
-    stackit_network_interface.machine01_cloud.network_interface_id
+    stackit_network_interface.machine01_cloud01.network_interface_id
   ]
 }
 
-resource "stackit_public_ip" "wan_ip_machine01" {
-  project_id           = stackit_resourcemanager_project.cloud.project_id
-  network_interface_id = stackit_network_interface.machine01_cloud.network_interface_id
+resource "stackit_network_interface" "machine01_cloud02" {
+  project_id = stackit_resourcemanager_project.cloud.project_id
+  network_id = stackit_network.cloud_network02.network_id
+  ipv4       = "10.1.2.11"
+  security   = false
 }
 
-output "machine01_public_ip" {
-  value = stackit_public_ip.wan_ip_machine01.ip
+resource "stackit_server" "machine01_cloud02" {
+  project_id        = stackit_resourcemanager_project.cloud.project_id
+  name              = "machine01cloud02"
+  availability_zone = "eu01-3"
+  machine_type      = "c1.4"
+  keypair_name      = stackit_key_pair.admin_keypair.name
+
+  boot_volume = {
+    size                  = 64
+    source_type           = "image"
+    source_id             = var.debian_image_id
+    performance_class     = "storage_premium_perf6"
+    delete_on_termination = true
+  }
+
+  network_interfaces = [
+    stackit_network_interface.machine01_cloud02.network_interface_id
+  ]
+}
+
+resource "stackit_public_ip" "wan_ip_machine01_cloud01" {
+  project_id           = stackit_resourcemanager_project.cloud.project_id
+  network_interface_id = stackit_network_interface.machine01_cloud01.network_interface_id
+}
+
+resource "stackit_public_ip" "wan_ip_machine01_cloud02" {
+  project_id           = stackit_resourcemanager_project.cloud.project_id
+  network_interface_id = stackit_network_interface.machine01_cloud02.network_interface_id
+}
+
+output "machine01_cloud01_public_ip" {
+  value = stackit_public_ip.wan_ip_machine01_cloud01.ip
+}
+
+output "machine01_cloud02_public_ip" {
+  value = stackit_public_ip.wan_ip_machine01_cloud02.ip
 }

README.md

@@ -1,89 +1,67 @@
 # StrongSwan VPN Verification Guide
 
-This guide helps you verify that a site-to-site IPsec VPN tunnel using StrongSwan has been successfully established between virtual machines provisioned via Terraform and configured with cloud-init.
-
-## Hosts Overview
-
-The tunnel uses IKEv2 with a Pre-Shared Key (PSK) and is automatically established at boot.
-
-| Host        | IP Address   | Role                   |
-|-------------|--------------|------------------------|
-| appliance01 | 10.1.1.10    | Cloud VPN Appliance    |
-| machine01   | 10.1.1.11    | Cloud Internal Machine |
-| appliance02 | 192.168.1.10 | On-Prem VPN Appliance  |
+This document helps verify the successful setup of a site-to-site IPsec VPN tunnel using StrongSwan. The environment is provisioned with Terraform and initialized with cloud-init. The VPN configuration uses IKEv2 with a pre-shared key (PSK) and automatically starts during system boot.
 
 ---
 
-## 🔧 Architecture
+## Network Overview
+
+The VPN connects a cloud network with an on-premises network, enabling secure, encrypted traffic between them.
+
+| Host             | IP Address   | Subnet         | Role                   |
+|------------------|--------------|----------------|------------------------|
+| appliance01      | 10.1.1.10    | 10.1.1.0/24    | Cloud VPN Appliance    |
+| machine01cloud01 | 10.1.1.11    | 10.1.1.0/24    | Cloud Internal Machine |
+| machine01cloud02 | 10.2.1.11    | 10.2.1.0/24    | Cloud Internal Machine |
+| appliance02      | 192.168.1.10 | 192.168.1.0/24 | On-Prem VPN Appliance  |
+
+---
+
+## Architecture
 
 ![Architecture Diagram](docs/network-architecture.png)
 
+This diagram illustrates the VPN tunnel between `appliance01` (cloud) and `appliance02` (on-prem), supporting encrypted traffic between the routed subnets.
+
 ---
 
-## 1. Check StrongSwan Service Status
+## 1. Verify StrongSwan Service
 
-SSH into each machine using its public IP:
+To confirm the IPsec service is running and properly configured, SSH into each VPN appliance using the appropriate public IP address:
 
 ```bash
-ssh -i ~/.ssh/id_rsa debian@<machine-public-ip>
+ssh -i ~/.ssh/id_rsa debian@<appliance-public-ip>
 ```
 
-Once logged in, verify the StrongSwan service:
+Then run:
 
 ```bash
 sudo ipsec statusall
 ```
 
-Expected output should resemble:
+Sample expected output:
 
 ```
-Status of IKE charon daemon (strongSwan 5.9.8, Linux ...):
+Status of IKE charon daemon (strongSwan 5.x.x, Linux x.x.x):
   uptime: ...
   worker threads: ...
 Connections:
      net-net:  10.1.1.10...192.168.1.10  IKEv2, dpddelay=30s
-     net-net:   local:  [10.1.1.10] uses pre-shared key authentication
-     net-net:   remote: [192.168.1.10] uses pre-shared key authentication
-     net-net:   child:  10.1.1.0/24 === 192.168.1.0/24 TUNNEL
-Security Associations (SAs) (0 up, 0 connecting):
-  none
+     net-net:    local:  [10.1.1.10] uses pre-shared key authentication
+     net-net:    remote: [192.168.1.10] uses pre-shared key authentication
+     net-net:    child:  10.1.0.0/16 === 192.168.1.0/24 TUNNEL
+Security Associations (SAs):
+     net-net[1]: ESTABLISHED ...
 ```
 
-This output confirms the configuration is loaded, but the tunnel may not yet be active.
+What to check:
+
+- The connection is listed as `ESTABLISHED`
+- Subnets listed under the child SA should match your intended VPN traffic (e.g., `10.1.0.0/16 === 192.168.1.0/24`)
 
 ---
 
-## 2. Bring Up the VPN Tunnel
-
-If the tunnel didn’t start automatically, initiate it manually from either VPN appliance:
-
-```bash
-sudo ipsec up net-net
-```
-
-Then re-check the connection:
-
-```bash
-sudo ipsec statusall
-```
-
-You should now see an established connection:
-
-```
-Connections:
-     net-net[1]: ESTABLISHED 15s ago, 10.1.1.10...192.168.1.10
-     net-net{1}:  INSTALLED, TUNNEL, ESP SPIs: ...
-     net-net{1}:  10.1.1.0/24 === 192.168.1.0/24
-```
-
-Key indicators:
-
-- ESTABLISHED: Tunnel is active
-- Subnet-to-subnet routing: 10.1.1.0/24===192.168.1.0/24
-
----
-
-## 3. Verify VPN-Backed Network Connectivity
+## 2. Verify VPN Network Connectivity
 
 Ping between hosts to validate that routing is working through the VPN tunnel:
 
@@ -115,6 +93,13 @@ ping 10.1.1.11
 # ✅ Tests project-project routing via SNA transfer network
 ```
 
+### 💻 From appliance02 (on-prem) to machine02 (cloud internal)
+
+```bash
+ping 10.1.2.11
+# ✅ Tests project-project routing via SNA transfer network
+```
+
 ### ❌ From machine01 (cloud) to appliance02 (VPN-disconnected)
 
 If you remove the static route that directs 192.168.1.0/24 through appliance01:

cloud-init.yaml

@@ -4,6 +4,7 @@ packages:
   - strongswan
   - iptables
   - net-tools
+  - procps  # Needed for sysctl
 
 write_files:
   - path: /etc/ipsec.conf
@@ -13,7 +14,7 @@ write_files:
         charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
 
       conn net-net
-        auto=add
+        auto=start
         keyexchange=ikev2
         authby=psk
         left=${local_ip}
@@ -34,8 +35,10 @@ write_files:
       ${leftid} ${rightid} : PSK "${psk}"
 
 runcmd:
+  # Enable IP forwarding
   - sysctl -w net.ipv4.ip_forward=1
-  - sed -i '/^#net.ipv4.ip_forward=1/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
+  - sed -i '/^#\?net.ipv4.ip_forward\s*=/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
   - sysctl -p
+
   - ipsec start
-  - ipsec up net-net
+  - ipsec up net-net