IPSec VPN LAN-LAN (Site-Site) for site with dynamic gray IP behind NAT

Hi
There is a case:
- HQ with fixed white IP
- Site with dynamic gray IP behind NAT (!!!)
Need to set up IPSec VPN LAN-LAN to connect site to HQ.
I've tried Racoon and succeeded with establishing IPSec connection, but LAN-LAN connection wasn't established.
The same with StrongSwan - I can see the IPSec tunnel connection established, but it has no IPs, etc.
Are there any manuals, how-tos, whatever to solve the case?

The solutions with PPTP and L2TP/IPSec worked properly (with MPD5 + IPSec/Racoon) until the provider blocked PPTP and L2TP (on the site side).

Thanks for any help.
 
I maintain IPsec tunnels between a few sites. The VPN nodes are running FreeBSD 11.1-RELEASE and some are behind a NAT. I use security/strongswan for IPsec setup and establishing the tunnels. The sites behind NAT initiate the IPsec connection to those sites with a public IP. I use shared secrets.

strongSwan is quite easy to set up. On each site, three files need to be edited:

Site A (the initiator – may be behind NAT)
/usr/local/etc/ipsec.conf
Code:
conn Example-PSK
   keyexchange = ikev2
   mobike = no

   leftauth = psk
   leftid = ipsec@siteA.example.com
   leftsubnet = 192.168.1.0/24

   rightauth = psk
   rightid = ipsec@siteB.example.com
   right = siteB.example.com
   rightsubnet = 192.168.0.0/24

   auto = start
/usr/local/etc/ipsec.secrets
Code:
: PSK "f9PG04Z2FgxzTmqqKk0cdp7CNM2Mgww"
/etc/rc.conf
Code:
...
strongswan_enable="YES"
...

Site B (the listener – if behind NAT, then UDP ports 500 and 4500 must be NAT redirected on the gateway)
/usr/local/etc/ipsec.conf
Code:
conn Example-PSK
   keyexchange = ikev2
   mobike = no

   leftauth = psk
   left = %defaultroute
   leftid = ipsec@siteB.example.com
   leftsubnet = 192.168.0.0/24

   rightauth = psk
   rightid = ipsec@siteA.example.com
   right = %any
   rightsubnet = 192.168.1.0/24

   auto = add
/usr/local/etc/ipsec.secrets
Code:
ipsec@siteA.example.com : PSK "f9PG04Z2FgxzTmqqKk0cdp7CNM2Mgww"
/etc/rc.conf
Code:
...
strongswan_enable="YES"
static_routes="IPsecVPN"
route_IPsecVPN="-net 192.168.1.0/24 192.168.0.1"
...
Here 192.168.0.1 is the default router on site B.

There is one obstacle that I needed to address on the initiator sites. On site A, when starting up the system, the strongSwan rc script /usr/local/etc/rc.d/strongswan would try to initiate an IPsec connection before DNS is ready. I modified the script on line 6, exchanging # BEFORE: LOGIN for # REQUIRE: LOGIN. Without this change, the remote server could be addressed by its IP only -- the right directive in the respective ipsec.conf(5) file.

Now start strongSwan on site A first – service strongswan start, then the same on site B. Provided the firewall settings do not block the tunnels, you can ping the LAN of site A from site B and vice versa.
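The usual reason a tunnel comes up but carries no LAN traffic is that the two conn sections do not mirror each other (ids or subnets swapped on one side only). The following is an added consistency check for the two ipsec.conf fragments above, not the poster's code: it embeds constructed copies of both conn sections, parses them, and verifies that left/right ids and subnets mirror, that keyexchange and mobike agree, and that the listener accepts a dynamic peer.

```python
SITE_A = """conn Example-PSK
   keyexchange = ikev2
   mobike = no
   leftauth = psk
   leftid = ipsec@siteA.example.com
   leftsubnet = 192.168.1.0/24
   rightauth = psk
   rightid = ipsec@siteB.example.com
   right = siteB.example.com
   rightsubnet = 192.168.0.0/24
   auto = start
"""
SITE_B = """conn Example-PSK
   keyexchange = ikev2
   mobike = no
   leftauth = psk
   left = %defaultroute
   leftid = ipsec@siteB.example.com
   leftsubnet = 192.168.0.0/24
   rightauth = psk
   rightid = ipsec@siteA.example.com
   right = %any
   rightsubnet = 192.168.1.0/24
   auto = add
"""

def parse_conns(text):
    """Parse 'conn NAME' sections of an ipsec.conf fragment into {name: {key: value}}."""
    conns, cur = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            cur = conns.setdefault(line[5:].strip(), {})
        elif cur is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
    return conns

def check_pair(init, lis):
    """Return mismatches between initiator (init) and listener (lis) conns; [] means consistent."""
    # Each side's 'left' is the other side's 'right', so ids and subnets must mirror.
    mirrored = [("leftid", "rightid"), ("rightid", "leftid"),
                ("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet")]
    errs = [f"{a}/{b} differ" for a, b in mirrored if init.get(a) != lis.get(b)]
    errs += [f"{k} differs" for k in ("keyexchange", "mobike") if init.get(k) != lis.get(k)]
    if init.get("auto") != "start":
        errs.append("initiator should use auto=start")
    if lis.get("right") != "%any" or lis.get("auto") != "add":
        errs.append("listener should use right=%any and auto=add (peer address is dynamic)")
    return errs
```

Run check_pair(parse_conns(SITE_A)["Example-PSK"], parse_conns(SITE_B)["Example-PSK"]) against your own files before debugging the tunnel itself; an empty list means the two sides mirror.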
 
I would use strongSwan to protect a GRE or IPIP tunnel with IPsec in transport mode and NAT-T as required. Use a leftupdown script to move the tunnel endpoints and a firewall (IPFW or PF) to prevent traffic leaks.
 