@perfecto25
Last active October 16, 2019 13:40
Libreswan IPSEC VPN

Libreswan config example (CentOS 7)

using libreswan 3.25

connecting A to B using IKEv2, AES-256 encryption with Diffie-Hellman group 14

A and C are on the same subnet, B is on a different subnet. B cannot talk directly to A or C.

A = 172.31.23.167
C = 172.31.23.197
B = 172.31.31.17

B needs to talk to C via A

B > A > C

to make this work, enable the IPsec VPN and make sure you can reach A from B with ping and netcat (B > A)

# enable ipv4 forwarding on A (the original had the redirect in the wrong place; this is the corrected form)
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf

add the connection config to /etc/ipsec.d/<connection name>.conf and the secrets file to /etc/ipsec.d/<connection name>.secrets

# example of secrets

<pub IP of A>  <pub IP of B> : PSK "secretstring"

120.34.99.100  200.340.1.2 : PSK "bGWT7yc^5sB@q@TWCcTy$#yvBw"

once this works, configure iptables on A so that traffic arriving from B's subnet is masqueraded on its way into A's subnet

on server A, add to the *nat table section of /etc/sysconfig/iptables

-A POSTROUTING -s <subnet of B, i.e. 172.31.31.0/24> -j MASQUERADE

or, to apply it in memory only (lost on reboot),

iptables -t nat -A POSTROUTING -s <subnet of B> -j MASQUERADE

use tcpdump on A and C to see if packets are coming in from B (B > A > C)

tcpdump -i any portrange <test port>
Example ipsec.conf (the conn siteA section belongs on A and the conn siteB section on B, each in /etc/ipsec.d/<connection name>.conf; parameters must be indented under their section):

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    fragicmp=no
    oe=off

# connection (.conf) files are picked up from /etc/ipsec.d/
include /etc/ipsec.d/*.conf

# on A
conn siteA
    type=tunnel
    authby=secret
    auto=start
    pfs=no
    salifetime=86400
    ikev2=insist
    ike=aes256-sha1;dh14
    esp=aes256-sha1
    aggrmode=no
    left=%defaultroute
    leftid=120.34.99.100 # public IP of A
    leftsourceip=172.31.23.167 # internal IP of A
    leftsubnets={172.31.23.197/32,172.31.23.167/32} # allows only these 2 hosts (A and C); to allow the entire subnet use /24
    right=200.340.1.2 # public IP of B
    rightsourceip=172.31.31.17 # internal IP of B
    rightsubnet=172.31.31.17/32 # internal IP of B

# on B
conn siteB
    type=tunnel
    authby=secret
    auto=start
    pfs=no
    salifetime=86400
    ikev2=insist
    ike=aes256-sha1;dh14
    esp=aes256-sha1
    aggrmode=no
    left=%defaultroute
    leftid=200.340.1.2 # public IP of B
    leftsourceip=172.31.31.17 # internal IP of B
    leftsubnet=172.31.31.17/32 # internal IP of B
    right=120.34.99.100 # public IP of A
    rightsourceip=172.31.23.167 # internal IP of A
    rightsubnets={172.31.23.197/32,172.31.23.167/32} # internal IPs of C and A (mirror of leftsubnets on A)
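A tunnel that negotiates but passes no traffic is often a left/right mismatch between the two conn files, so here is an added check (example code, not from the gist or from libreswan) that parses the two conn sections above, verifies that B's left side mirrors A's right side and vice versa, and flags the settings in this config a reviewer would question (SHA-1 integrity, pfs=no). The conn text is a constructed copy of the gist's values.

```python
# Constructed sample: the two peers' conn sections from the gist, as one text.
SAMPLE = """\
conn siteA
    pfs=no
    ikev2=insist
    ike=aes256-sha1;dh14
    leftid=120.34.99.100 # public IP of A
    leftsubnets={172.31.23.197/32,172.31.23.167/32}
    right=200.340.1.2 # public IP of B
    rightsubnet=172.31.31.17/32
conn siteB
    pfs=no
    ikev2=insist
    ike=aes256-sha1;dh14
    leftid=200.340.1.2 # public IP of B
    leftsubnet=172.31.31.17/32
    right=120.34.99.100 # public IP of A
    rightsubnets={172.31.23.197/32,172.31.23.167/32}
"""
def parse_conns(text):
    """Map conn name -> {key: value}; '#' starts a comment, as in ipsec.conf."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def subnets(conn, side):
    """Normalise leftsubnet=x and leftsubnets={x,y} (same for right*) to a sorted list."""
    val = conn.get(side + "subnets") or conn.get(side + "subnet", "")
    return sorted(s.strip() for s in val.strip("{}").split(",") if s.strip())

def mirror_problems(a, b):
    """Mismatches between peer A's and peer B's conn, with left/right swapped."""
    out = [f"{k} differs" for k in ("ikev2", "ike", "esp", "pfs") if a.get(k) != b.get(k)]
    for x, y, who in ((a, b, "A"), (b, a, "B")):
        if x.get("leftid") != y.get("right") or subnets(x, "left") != subnets(y, "right"):
            out.append(f"{who} left side does not mirror peer's right side")
    return out

def weak_settings(conn):
    """Settings worth a second look: SHA-1 integrity in ike=/esp=, and pfs=no."""
    flags = ["sha1" for k in ("ike", "esp") if "sha1" in conn.get(k, "")][:1]
    if conn.get("pfs") == "no":
        flags.append("pfs=no")
    return flags
```

Run it against the real files with `parse_conns(open("/etc/ipsec.d/siteA.conf").read())` on each host; an empty list from `mirror_problems` means the two sides agree on peers, subnets and proposals.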