Route one or multiple Public IPs via VTI over IPSec site-to-site tunnel

ipsecnetworkingtunneling

I successfully created VTI over IPSec Site-to-Site tunnel between my home router (UBNT Edgerouter) and dedicated server (Ubuntu 16.04) at OVH.
I can route internal private networks of each sides via VTI device and access it on the other site (I can access site B private range devices from NATed devices (for ex. from computer behind router) at Site A, and that's great), but I have a problem with routing a public network over it.

Site A: Home Router:

Public Main IP: 89.x.x.81

Private IPs (NATed home devices): 10.100.10.1/24

VTI: 10.255.12.1/30

~# ip r
default via 89.x.x.1 dev eth0  proto zebra 
10.100.10.0/24 dev eth1  proto kernel  scope link  src 10.100.10.1 
10.255.12.0/30 dev vti0  proto kernel  scope link  src 10.255.12.1 
89.x.x.0/22 dev eth0  proto kernel  scope link  src 89.x.x.81 
172.16.0.0/12 dev vti0  proto zebra 

~# ip tunnel
vti0: ip/ip remote 51.x.x.136 local 89.x.x.81 ttl inherit nopmtudisc ikey 0 okey 1234
ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0

Site B: Server at OVH:

Public IP: 51.x.x.136

Public IPs block assigned/routed to server: 51.x.x.128/28 (only .136 configured on server)

Private IPs (OVH vRack): 172.16.0.1/12

VTI : 10.255.12.2/30

~# ip r
10.100.10.0/24 dev vti0  scope link 
10.255.12.0/30 dev vti0  proto kernel  scope link  src 10.255.12.2 
51.x.x.142 dev eth0  scope link 
172.16.0.0/12 via 172.16.0.1 dev eth0  scope link 
172.16.0.0/12 dev eth0  proto kernel  scope link  src 172.16.0.1

~# ip tunnel
ip_vti0: ip/ip  remote any  local any  ttl inherit  nopmtudisc key 0
vti0: ip/ip  remote 89.x.x.81  local 51.x.x.136  ttl inherit  nopmtudisc key 1234

Goal:

Configure one or multiple Public IP(s) from OVH server block (51.x.x.128/28) via VTI device on home router (then I will make 1:1 NAT there for assigning the IP to server behind router) or directly on device behind home router if possible.

It is possible on VTI or should I consider a change from VTI to GRE and then follow this: https://serverfault.com/a/557949 ?

Best Answer

Ok, I solved it by myself few days ago.

Site A:

added the route for a public IP (which I want to route to home) via vti0 device

~# ip r
...
51.x.x.134 dev vti0  scope link

Site B (a choice between one of two options):

Route Public IP to Home Router

Add wanted Public IP to eth0(or vti0) device and create route table with mark and default gateway via vti0, then mark sourced output traffic by iptables.

or
Route Public IP to device behind Home Router

Create a DNAT: Public IP->NATed Device and then create route table for default gateway via vti0 for selected NATed device (all traffic from device to Internet is routed via VPN)

So, I got what I needed. The next step is to set the right output IP address from the server on the site A (now the traffic exits from the main A-sited server IP address).

If my solution is not the best practice, please let me know.

Are there any other ways to accomplish my assumption? Perhaps private BGP peering will be a solution??

Related Solutions

Linux – GRE Tunnel over IPsec with Loopback

Once again, I've managed to tinker through the problem (but not for too long as the original question and this answer supposes it to be :). I've been through almost a month researching the solution for the problem, and I'll leave it documented here just in case anyone happens to bump at the same problem.

Actually, the loopback interface is really what I knew it to be: an address assigned to a dummy, always up interface on a machine. The connectivity problem between the remote GRE router and my router was due to another problem: GRE keep-alive packets.

It turned out that the remote Cisco router was actually sending me odd GRE-encapsulated packets through the tunnel. These packets encapsulated another GRE packet, and these, on the other hand, carried a protocol number of zero. A quick browse indicated that these packets are GRE keep-alive packets, which are send periodically (in my case, every 10 seconds almost exactly) and, if properly deencapsulated and rerouted by the peer, should be echoed back to the sender, since the innermost destination address contained the sender's source address.

The fact is that the Linux kernel did not properly feed the deencapsulated keep-alive packet again into the routing chain. If it did, the packet would be rerouted back to the sender without further complications. Instead, it delivered the packet to userspace, so that it was possible to write a simple program that listened to such packets in raw mode, and echoed them back to the sender. Running this program and echoing back a couple of packets to the Cisco router, the GRE tunnel went 'up' on the remote side, the PIM routers exchanged hellos and I finally could listen to the multicast traffic that I expected to listen to.

I've learned a lot from this experience, specially the part that, when messing with obscure protocols (or, at least, obscure protocol features), you can't simply count at all on peer-knowledge. No single network analyst on the remote side could help me in any aspect in this regard, probably because this behavior was undocumented.

Linux – How to configure dual homed server in order for both network segments to communicate

There are two problems with this setup:

The hosts on LAN1 know nothing about the LAN2 segment. When you ping a host on LAN1 (let's call it host1) from SRV-02, the packet will be routed through SRV-01 and will reach host1. However, host1 will send the reply to it's default gateway (ISP router) as it doesn't have a specific route to LAN2. (The ISP router will either a) also send it to it's default gateway as it also doesn't know about LAN2, or b) drop the packet as it comes from an unknown source not it's local LAN.)
When trying to reach WAN from LAN2, the packets will be routed through SRV-02 to ISP router where two situations are possible:
- The router will not NAT translate the packet as the source of the packet (LAN2) is not it's local LAN (this is the more probable situation), or
- The router will NAT translate the packet and send it to the Internet. However, when the reply comes and the destination is translated back to the LAN2 address, the packet will not be delivered as the ISP router doesn't have a route for that network. The packet will be sent incorrectly to the default gateway (ISP).

These issues could be fixed by adding a static route to LAN2 to ISP router and adding a source NAT configuration for LAN2 on SRV-01. However, that is not possible due to no admin access to the ISP router.

There are two solutions that get around it:

A. Make SRV-01 a full router for LAN1 and LAN2 hosts

Add another network adapter to SRV-01 (making it 3 in total)
Change the topology as follows:

WAN -> ISP router -> LAN1 -> SRV-01 +-> LAN3 (for hosts originally in LAN1)
                                    +-> LAN2 -> SRV-02

Basically, we're making SRV-01 a router for both LAN segments.

This will require moving hosts originally in LAN1 to a new subnet LAN3 - let's say we use 10.0.1.0/24
The network configuration of SRV-01 will need to be changed as follows:

/etc/network/interfaces:

# LAN1 - to ISP router
auto eth0
iface eth0 inet dhcp
# we can even use dhcp as the IP address is not really important
# - there are no more hosts on LAN1 apart from ISP router and SRV-01

# LAN3 - for hosts originally in LAN1
iface eth1
    address 10.0.1.1
    netmask 255.255.255.0

# LAN2
iface eth2
    address 10.0.2.1
    netmask 255.255.255.0

iptables rules to make WAN access work:

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.2.0/24 -j MASQUERADE

Alternatively, if you choose to keep the static IP address on SRV-01 on eth0 the rules could be changed (although MASQUERADE would still work):

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.1.0/24 -j SNAT --to-source 192.168.5.8
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.2.0/24 -j SNAT --to-source 192.168.5.8

DHCP will need to be configured on SRV-01 on eth1 (LAN3, for hosts originally on LAN1), and possibly on eth2 (LAN2) as well if required. (In both cases the gateway will be the local address of eth1 or eth2 respectively, but that goes without saying :)

This will make communication possible between LAN3 and LAN2 (via SRV-01 which is the default gateway for both). WAN access will also work from both LAN3 and LAN2 thanks to the double source NAT.

B. Make SRV-01 a DHCP server for LAN1

This approach is not as clean as above but is slightly simpler. It assumes you are able to disable DHCP on ISP router

Disable DHCP on ISP router
Set up DHCP for LAN1 on SRV-01 and make SRV-01 (192.168.5.8) the default gateway for LAN1
Set up source NAT translation for LAN2 on SRV-01 so that the WAN access works from LAN2:

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.2.0/24 -d 192.168.5.4 -j SNAT --to-source 192.168.5.8
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.2.0/24 ! -d 192.168.5.0/24 -j SNAT --to-source 192.168.5.8

The first line enables SNAT so that LAN2 hosts can access the ISP router itself and the second line disables SNAT for LAN2-LAN1 access.

Again, this approach is not as clean as the one above as there are two routers in the same subnet (SRV-01, ISP router). When I used this approach myself I noticed my second router (SRV-01 in this scenario) would send ICMP redirects to the ISP router as it would see that the client (host on LAN1) and the upstream router (ISP router) are on the same LAN. This might not be desired as network policies implemented on SRV-01 could be circumvented.

Hope that helps.

Best Answer

Related Solutions

Linux – GRE Tunnel over IPsec with Loopback

Linux – How to configure dual homed server in order for both network segments to communicate

Related Topic