Tuesday, August 21, 2012

Setting up an IPsec VPN

Posted here mostly for my own reference, but mayhap this will prove useful for someone else.

The setup: a remote network at the TV transmitter, with Internet access both through a commercial provider and a dedicated, but increasingly unreliable, microwave T-1 link to the studio.

The goal: mimic the behavior of the microwave T-1 (though not the unreliability, of course) using the commercial provider's service.  Set up a "virtual wire" between the network at the transmitter and the network at the studio.

I've chosen an IPsec VPN to do this, and I've set things up largely as in Ch. 35 of Linux Home Networking. At the present time I've managed to achieve bidirectional communication between hosts (but not the routers/firewalls) on each network, but to do that I had to set up a private test network as shown below.


So as you can see here, I have a couple of virtual machines set up on the 172.16.1.0/24 network, which is accessible only to those VM's.  The IPsec tunnel is established between Router VM and Transmitter Firewall.  Note that I have replaced Transmitter Firewall's public IP address with "X.X.X.10" for security.

With this setup, I can achieve bidirectional communication between both networks.  Host A can reach Client VM, and Client VM can reach Host A.

Here is the relevant ipsec.conf on Router VM:

#
# File: /etc/ipsec.conf
#
# VPN Test Router VM side
config setup
        protostack=netkey
        oe=off
        nat_traversal=yes

# LEFT: Studio
# RIGHT: Transmitter
conn nettonet
  left=192.168.152.188            # Address of the LEFT VPN device (here a
                                  # private address behind Studio Firewall NAT)
  leftsubnet=172.16.1.0/24        # Subnet protected by the LEFT VPN device
  leftrsasigkey=*removed*

  right=X.X.X.10                  # Public Internet IP address of
                                  # the RIGHT VPN device
  rightsubnet=10.1.1.0/24         # Subnet protected by the RIGHT VPN device
  rightrsasigkey=*removed*
  rightnexthop=%defaultroute
  auto=start


Note here that I'm using RSA keys, rather than PSK's.  The key signatures have been removed for security.

The ipsec.conf on Transmitter Firewall is slightly different:


#
# File: /etc/ipsec.conf
#

# Transmitter Firewall Side

config setup
    oe=off
    protostack=netkey
    nat_traversal=yes

# LEFT: Studio
# RIGHT: Transmitter
conn nettonet
  left=10.1.0.2                   # Public Internet IP address of the
                                  # LEFT VPN device
  leftsubnet=172.16.1.0/24        # Subnet protected by the LEFT VPN device
  leftid=192.168.152.188
  leftrsasigkey=*removed*
  right=X.X.X.10                  # Public Internet IP address of
                                  # the RIGHT VPN device
  rightsubnet=10.1.1.0/24         # Subnet protected by the RIGHT VPN device
  rightrsasigkey=*removed*
  auto=start                      # authorizes and starts this connection
                                  # on booting

Here you'll notice that the argument to left= is 10.1.0.2, which is the public (again, these IP's have been obfuscated for security's sake) address of Studio Firewall. This is because Router VM's ultimate path to the Internet is through Studio Firewall via NAT.

Speaking of NAT, I should point out that there is no NAT of any kind being performed (currently) on Router VM or Transmitter Firewall.  Instead, the entire 172.16.1.0/24 network is visible to the 10.1.1.0/24 network at the transmitter, just as any other public network would be.

I'll note that this does not accomplish the stated goal at the beginning of this post: set up a "virtual wire" between the 10.1.1.0/24 network at the studio and the 10.1.1.0/24 network at the transmitter.  It may turn out to be the case that this "virtual wire" is extremely complicated with regard to routing and suchlike (since we would be using the same IP block on both ends).  What this does give us, however, is a place to work from.
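As an added example (not code from the original post or from Openswan), here is a small Python checker that parses the two ipsec.conf files above and cross-checks them for the things that most often keep a net-to-net tunnel down: the two ends must agree on both protected subnets, NAT traversal must be on, RSA keys must be present for both sides on each end, and when an endpoint is seen through NAT (as Router VM is, via Studio Firewall) the peer must carry a leftid/rightid matching the identity the endpoint actually presents. It also flags the overlapping-subnet situation the last paragraph worries about. The parser handles only the subset of ipsec.conf syntax the two files use; the embedded configs are constructed copies of them, with 203.0.113.10 (a documentation address) standing in for the obfuscated X.X.X.10 and placeholder strings in place of the removed RSA keys. The ID rule (an end's identity defaults to its address unless leftid/rightid is set) is Openswan's default behaviour.

```python
"""Consistency check for the two ends of an Openswan-style net-to-net ipsec.conf.

Added example, not code from the original post.  Parses only the subset of
ipsec.conf syntax the post uses (unindented 'config setup' / 'conn NAME'
headers, indented key=value lines, trailing '#' comments) and cross-checks
the two sides for the mistakes that usually keep such a tunnel down.
"""
import ipaddress
import re

# Constructed copies of the post's two files.  203.0.113.10 stands in for the
# obfuscated "X.X.X.10"; the key values are placeholders, not real RSA keys.
STUDIO_CONF = """\
config setup
        protostack=netkey
        oe=off
        nat_traversal=yes

# LEFT: Studio
# RIGHT: Transmitter
conn nettonet
  left=192.168.152.188            # private address behind Studio Firewall NAT
  leftsubnet=172.16.1.0/24
  leftrsasigkey=0sAQ-placeholder-left
  right=203.0.113.10              # placeholder for X.X.X.10
  rightsubnet=10.1.1.0/24
  rightrsasigkey=0sAQ-placeholder-right
  rightnexthop=%defaultroute
  auto=start
"""

TRANSMITTER_CONF = """\
config setup
    oe=off
    protostack=netkey
    nat_traversal=yes

conn nettonet
  left=10.1.0.2                   # Studio Firewall's outside address (obfuscated)
  leftsubnet=172.16.1.0/24
  leftid=192.168.152.188          # identity the studio end actually presents
  leftrsasigkey=0sAQ-placeholder-left
  right=203.0.113.10
  rightsubnet=10.1.1.0/24
  rightrsasigkey=0sAQ-placeholder-right
  auto=start
"""

_HEADER = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored under 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop trailing comment
        if not line.strip():
            continue
        header = _HEADER.match(line)                # headers are unindented
        if header:
            current = sections.setdefault(header.group(2), {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line in ipsec.conf: {raw!r}")
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    return sections


def check_pair(studio_text, transmitter_text, conn="nettonet"):
    """Cross-check one conn as configured on both ends; return a list of findings."""
    ends = {"studio": parse_ipsec_conf(studio_text),
            "transmitter": parse_ipsec_conf(transmitter_text)}
    findings = []
    for name, conf in ends.items():                 # per-end checks
        if conf.get("setup", {}).get("nat_traversal") != "yes":
            findings.append(f"{name}: nat_traversal!=yes, an end behind NAT cannot negotiate")
        c = conf.get(conn)
        if c is None:
            findings.append(f"{name}: no 'conn {conn}' section")
            continue
        if c.get("auto") != "start":
            findings.append(f"{name}: auto={c.get('auto')!r}, tunnel will not start on boot")
        for side in ("left", "right"):
            if f"{side}rsasigkey" not in c:
                findings.append(f"{name}: {side}rsasigkey missing; RSA auth needs both keys on each end")
    s, t = ends["studio"].get(conn), ends["transmitter"].get(conn)
    if s is None or t is None:
        return findings
    for key in ("leftsubnet", "rightsubnet"):       # both ends must agree on subnets
        if s.get(key) != t.get(key):
            findings.append(f"{key} differs: studio={s.get(key)!r} transmitter={t.get(key)!r}")
    # Each end presents <side>id if set, else its own address; the peer must
    # expect exactly that, which is why the transmitter side needs leftid here.
    for side, own, peer in (("left", s, t), ("right", t, s)):
        presented = own.get(f"{side}id", own.get(side))
        expected = peer.get(f"{side}id", peer.get(side))
        if presented != expected:
            findings.append(f"{side}: {side} end presents ID {presented!r} but peer expects "
                            f"{expected!r}; set {side}id={presented} on the peer (NAT in the path)")
    try:
        left_net = ipaddress.ip_network(s["leftsubnet"], strict=False)
        right_net = ipaddress.ip_network(s["rightsubnet"], strict=False)
    except (KeyError, ValueError) as exc:
        findings.append(f"cannot parse subnets: {exc}")
        return findings
    if left_net.overlaps(right_net):                # the 'virtual wire' problem
        findings.append(f"protected subnets overlap ({left_net} vs {right_net}); plain "
                        "net-to-net routing cannot tell the two ends apart")
    return findings


if __name__ == "__main__":
    for line in check_pair(STUDIO_CONF, TRANSMITTER_CONF) or ["no findings"]:
        print(line)
```

Run as-is it reports no findings for the two files above. Delete the leftid line from the transmitter side and it reports that the studio end presents 192.168.152.188 while the transmitter expects 10.1.0.2, which is the failure mode a NATed endpoint produces. Change both leftsubnet lines to 10.1.1.0/24, the same-block "virtual wire" from the last paragraph, and it reports the overlap; the usual ways around that are 1:1 NAT on one end or a bridged layer-2 tunnel rather than a routed net-to-net one.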