IPsec Site To Site

For an overview of all existing virtual private network (VPN) articles in the OpenWrt wiki, please visit vpn.overview.

This page is about racoon. The new strongSwan documentation can be found here.

This article assumes you have enabled IPsec on your OpenWrt router as described in the basics guide and the firewall guide. Now we want to build the first site-to-site tunnel.

Topology

The task is to connect our home (W)LAN to our company's networks. To make it not too easy, we also want to access the company's DMZ through the tunnel. Here is the (more or less) big picture.

Additionally, we sum up the facts in text form to explain the infrastructure in detail.

  • The goal of our efforts is to get from a computer in the home (W)LAN into the ACME DMZ and internal networks.
  • All traffic should be securely tunneled between our OpenWrt based router and the company's firewall.
  • We do not care about our router's external IP, so we name it x.x.x.x.
  • The external IP of the ACME firewall is 7.7.7.7. At least this should be a fixed access point throughout the internet.
  • Our home (W)LAN uses IP addresses 192.168.2.64/26. That is the subnet from 192.168.2.64 to 192.168.2.127.
  • ACME's internal LAN is 10.1.2.0/24 (IP range between 10.1.2.0 and 10.1.2.255).
  • The ACME DMZ has official IP addresses in the range 66.77.88.192/26.

This may not be the most basic setup, but it is the simplest one that shows some facts: you can access multiple subnets through one remote IPsec gateway, you can tunnel official IP addresses, and you do not need a fixed external IP address.

Racoon Configuration

To reach the ACME infrastructure we have to tell racoon all the details about the tunnel and the remote networks. We provide all information in the central /etc/config/racoon file. The required information for Phase 1 (initial handshake) is:

  • IP of the remote gateway: 7.7.7.7
  • Aggressive Negotiation: Always a good idea if our router has a changing outside IP.
  • The local identifier. "bratwurst" was chosen in this case. Also needed with a changing outside IP.
  • Proposal: The most common standard for medium security level. A preshared key with Diffie-Hellman group 2 and AES 128-bit encryption.

For the tunnels we need security policies. There are two different subnets we want to reach, so two sainfo blocks have to be created in our file. These define the so-called Phase 2 proposals. We provide:

  • Definition of the connected local and remote subnets
  • Security parameters (similar to phase 1)

#/etc/config/racoon
...
config 'tunnel' 'acme'
  option 'enabled' '1'
  option 'remote' '7.7.7.7'
  option 'pre_shared_key' 'yourpasswordhere'
  option 'exchange_mode' 'aggressive'
  option 'my_identifier' 'bratwurst'
  list   'p1_proposal' 'pre_g2_aes_sha1'
  list   'sainfo' 'acme_dmz'
  list   'sainfo' 'acme_lan'

config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'encryption_algorithm' 'aes 128'
  option 'hash_algorithm' 'sha1'
  option 'authentication_method' 'pre_shared_key'
  option 'dh_group' '2'

config 'sainfo' 'acme_lan'
  option 'local_subnet' '192.168.2.64/26'
  option 'remote_subnet' '10.1.2.0/24'
  option 'p2_proposal' 'g2_aes_sha1'

config 'sainfo' 'acme_dmz'
  option 'local_subnet' '192.168.2.64/26'
  option 'remote_subnet' '66.77.88.192/26'
  option 'p2_proposal' 'g2_aes_sha1'

config 'p2_proposal' 'g2_aes_sha1'
  option 'pfs_group' '2'
  option 'encryption_algorithm' 'aes 128'
  option 'authentication_algorithm' 'hmac_sha1'
...
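
An added example, not part of the original wiki page: a Python audit of the Phase 1 settings shown above. With aggressive mode and a pre-shared key the identifier travels unencrypted and a hash derived from the key is visible to anyone observing the handshake, so key length and DH group matter; the 20-character threshold, the finding labels and the function names are assumptions of this example.

```python
import shlex

# Tunnel and Phase 1 options from the page's /etc/config/racoon that the checks read.
SAMPLE = """
config 'tunnel' 'acme'
  option 'pre_shared_key' 'yourpasswordhere'
  option 'exchange_mode' 'aggressive'
  option 'my_identifier' 'bratwurst'
  list   'p1_proposal' 'pre_g2_aes_sha1'

config 'p1_proposal' 'pre_g2_aes_sha1'
  option 'hash_algorithm' 'sha1'
  option 'authentication_method' 'pre_shared_key'
  option 'dh_group' '2'
"""

MIN_PSK_LEN = 20  # assumed local policy threshold, not a racoon setting

def parse_uci(text):
    """Parse UCI text into {(type, name): {key: value or [values]}}."""
    sections, cur = {}, None
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) != 3:
            continue  # blank lines, comments, "..." elisions
        kind, key, val = tok
        if kind == "config":
            cur = sections.setdefault((key, val), {})
        elif kind == "option" and cur is not None:
            cur[key] = val
        elif kind == "list" and cur is not None:
            cur.setdefault(key, []).append(val)
    return sections

def audit(text):
    """Return (tunnel, finding) pairs for weak Phase 1 settings."""
    cfg, findings = parse_uci(text), []
    for (kind, name), tun in cfg.items():
        if kind != "tunnel":
            continue
        props = [cfg.get(("p1_proposal", p), {}) for p in tun.get("p1_proposal", [])]
        psk = any(p.get("authentication_method") == "pre_shared_key" for p in props)
        if psk and tun.get("exchange_mode") == "aggressive":
            findings.append((name, "aggressive mode with PSK"))
        if psk and len(tun.get("pre_shared_key", "")) < MIN_PSK_LEN:
            findings.append((name, "short PSK"))
        if any(p.get("dh_group") in ("1", "2", "5") for p in props):
            findings.append((name, "DH group below 2048 bit"))
    return findings
```

Calling `audit()` on the full file contents works the same way, since sections and options it does not check are ignored.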

Restart racoon and the firewall afterwards. If everything was set up correctly according to the basics and firewall guides, you should be able to see the new configuration.

… pictures with checks …

Central Side Gateway

ACME corporation uses a Juniper firewall. They kindly provided us with some configuration pictures. Take them as a sample for your individual implementation.

Phase 1 settings

Phase 2 settings

Firewall

To reach the remote subnets, the last thing we need are two firewall rules. Simply allow all traffic from the local LAN 192.168.2.64/26 to the ACME subnets. If you join multiple tunnels in the one zone called VPN, you have to use explicit destination addresses to separate traffic; an ALL→ALL rule would allow traffic to all destination networks. And do not forget to contact the ACME firewall admin to add those access rules too.

DNS

Connecting two private networks opens an interesting DNS challenge. The ACME DNS server does not only resolve official server names to IP addresses but also those of ACME internal servers, e.g. hobbit.acme.inc and its IP 10.1.2.42. As we have established a VPN connection, we can already reach this host by its address. To reach it by its name too, we have to offer name resolution in our home domain. With OpenWrt being very powerful, we assume that our router has an active Dnsmasq DNS server. So we have two possibilities to resolve acme.inc addresses.

  • Manually: Each acme.inc server and its IP address is put into the OpenWrt local hosts file. Dnsmasq will read this list and answer DNS requests for those ACME machines correctly. This should only be an option if we have a very restrictive VPN connection.
  • Automatically: Dnsmasq forwards requests for acme.inc through the tunnel to the ACME DNS server. This avoids double work.

DNS forwarding through VPN tunnels is almost the same as normal DNS forwarding, with one exception: Dnsmasq must use the correct source interface. By default it will use the OpenWrt internet IP for its requests, but this cannot be tunneled. So just expand the Dnsmasq forward settings in LuCI with the OpenWrt internal IP address. In our scenario we want to reach the ACME DNS at 10.1.2.250 by using our internal IP 192.168.2.82. Don't forget to add this domain to the whitelist, otherwise Dnsmasq will detect rebind attacks and discard requests.
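
An added example, not from the original page, that checks the point made above: a DNS query is only tunneled when its source and destination fall inside the subnet pair of one sainfo section. It returns the equivalent forward and rebind entries in dnsmasq.conf syntax; the function names are hypothetical.

```python
import ipaddress

# Phase 2 selectors copied from the sainfo sections of the page's racoon file.
SAINFO = {
    "acme_lan": ("192.168.2.64/26", "10.1.2.0/24"),
    "acme_dmz": ("192.168.2.64/26", "66.77.88.192/26"),
}

def matching_sainfo(src, dst, sainfo=SAINFO):
    """Return the name of the sainfo whose subnets cover src -> dst, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, (local, remote) in sainfo.items():
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return name
    return None

def dnsmasq_forward(domain, dns_ip, source_ip, sainfo=SAINFO):
    """Build dnsmasq options for forwarding `domain` through the tunnel.

    Raises ValueError when the query matches no tunnel policy and would
    therefore not be tunneled.
    """
    if matching_sainfo(source_ip, dns_ip, sainfo) is None:
        raise ValueError(f"{source_ip} -> {dns_ip} is not covered by any sainfo")
    return [
        f"server=/{domain}/{dns_ip}@{source_ip}",  # send queries from the LAN address
        f"rebind-domain-ok=/{domain}/",            # accept private-range answers
    ]
```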

What's next

Building IPsec VPNs with certificates.

Credits

Special thanks go to trambroid.com

doc/howto/vpn.ipsec.site2site.racoon.txt · Last modified: 2013/10/28 08:30 by lorema