37
edits
Changes
Overlapping subnets with IPsec solution (view source)
Revision as of 13:54, 10 January 2022
, 13:54, 10 January 2022no edit summary
First of, lets configure a simple connection between two IPsec instances, i.e., RUT1 and RUT2.
First of, lets configure a simple connection between two IPsec instances, i.e., RUT1 and RUT2.
===RUT1 configuration===
====RUT1 configuration====
----
----
[[File:IPsec1 config.png]]
[[File:IPsec1 config.png|border|class=tlt-border|700x700px]]
[[File:Ipsec2_config.png]]
[[File:Ipsec2_config.png|border|class=tlt-border|700x700px]]
#Enable - Enables IPsec instance
#'''Enable''' instance.
#Remote endpoint - IP address or hostname of remote IPsec instance, only one side of IPsec needs to have it configured
#'''Remote endpoint''' (Only one side of IPsec needs to have it configured)
#Pre-shared key - Shared password used for authentication between the peers. The value of this field must match the other instance
#Write '''Pre shared key'''(a shared password used for authentication between the peers. The value of this field must match on both instances).
#Type - select tunnel
#Select '''Type''' to tunnel
#Local subnet - Virtual local IP address used to install IPsec tunnel
#Write '''Local subnet '''(an IP address/Subnet mask of the router on which the IPsec instance is configured).
#Remote subnet - Virtual remote IP address used to install IPsec tunnel
#Write '''Remote subnet '''
===RUT2 configuration===
====RUT2 configuration====
----
----
[[File:Ipsec3 config Overlapping subnets solution example .png]]
[[File:Ipsec3 config Overlapping subnets solution example .png|border|class=tlt-border|700x700px]]
[[File:Ipsec4 config Overlapping subnets solution example .png]]
[[File:Ipsec4 config Overlapping subnets solution example .png|border|class=tlt-border|700x700px]]
#Enable - Enables IPsec instance
#'''Enable''' instance.
#Remote endpoint - IP address or hostname of remote IPsec instance, only one side of IPsec needs to have it configured
#Add '''Remote endpoint'''
#Pre-shared key - Shared password used for authentication between the peers. The value of this field must match the other instance
#Write '''Pre shared key''' (a shared password used for authentication between the peers. The value of this field must match on both instances).
#Type - select tunnel
#Select '''Type''' to tunnel
#Local subnet - Virtual local IP address used to install IPsec tunnel
#Write '''Local subnet '''(an IP address/Subnet mask of the router on which the IPsec instance is configured).
#Remote subnet - Virtual remote IP address used to install IPsec tunnel
#Write '''Remote subnet '''
====Check IPsec tunnel status====
----
If you've followed all the steps presented above, your configuration should be finished. But as with any other configuration, it is always wise to test the setup in order to make sure that it works properly. This can be verified by running '''ipsec status''' command in RUT CLI, you should see tunnel being installed between virtual networks:
<pre>root@Teltonika-RUTX12:~# ipsec status
Security Associations (1 up, 0 connecting):
ipsec-ipsec_c[1]: ESTABLISHED 32 MINUTES AGO, 192.168.2.124[192.168.2.124]...192.168.2.145[192.168.2.145]
ipsec-ipsec_c{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca6d4767_i c3f5534b_o
ipsec-ipsec_c{1}: 192.168.3.0/24 === 192.168.4.0/24</pre>
===Firewall configuration===
After establishing IPsec tunnel it's necessary to map LAN network IP addresses to virtual IPsec network addresses, for this we'll use iptables NETMAP target. Insert these '''IPtables rules into WebUI -> Network -> Firewall -> Custom rules'''.
[[File:Custom rules for overlapping subnets.png|border|class=tlt-border|1100x1100px]]
====RUT1 Firewall configuration====
----
<pre>iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.4.0/24 -j NETMAP --to 192.168.3.0/24
iptables -t nat -I PREROUTING -s 192.168.4.0/24 -j NETMAP --to 192.168.1.0/24</pre>
====RUT2 Firewall configuration====
----
<pre>iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.3.0/24 -j NETMAP --to 192.168.4.0/24
iptables -t nat -I PREROUTING -s 192.168.3.0/24 -j NETMAP --to 192.168.1.0/24</pre>
'''POSTROUTING''' rule checks if outgoing packet destination IP belongs to remote IPsec virtual IP range, if yes, it will change packet source IP from LAN IP to virtual IPsec IP.
'''PREROUTING''' rule checks if incoming packet source IP belongs to remote IPsec virtual IP range, if yes, it will change incoming packet destination IP from virtual IPsec IP to LAN IP.
Now LAN to LAN communication should be possible between end devices but to enable RUT to RUT communication additionally it'll be needed to install route on each device.
===Routing update===
----
To have permanent static route navigate to '''WebUI -> Network -> Routing -> Advanced static routes'''.
Add new routing table and insert static route where:
* '''Interface''' is LAN
* '''Target''' is remote IPsec virtual network
* '''Gateway''' is LAN IP
[[File:Table route overlapping subnets solution example.png|border|class=tlt-border|1100x1100px]]
Then create IP rule and specify lookup table.
[[File:Routing rule overlapping subnets solution example.png|border|class=tlt-border|700x700px]]
