Ubuntu – How to route traffic over IPSec tunnel

Tags: ipsec, strongswan, tunnel, Ubuntu, ubuntu-18.04

I have two sites: MAIN (local subnet 192.168.0.0/24, external IP: M.M.M.M) and CLIENT (10.0.0.0/24, external IP: C.C.C.C). I created an IPSec tunnel between the sites and both sites can ping computers in both subnets. So far so good.

# ipsec status
Security Associations (1 up, 0 connecting):
tunnel[1]: ESTABLISHED 7 minutes ago, 10.0.0.15[C.C.C.C]...M.M.M.M[M.M.M.M]
tunnel{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7e6cd30_i ca170c58_o
tunnel{1}:   10.0.0.0/24 === 192.168.0.0/24

MAIN's external IP address is whitelisted by some resources on the internet (they can only be accessed from MAIN's address). I would like to configure the routing in a way that these resources are accessed by CLIENT's site through that tunnel and MAIN's gateway.

I would normally try doing this by configuring static routing and NAT. The problem here is that I do not have an interface that I can use for defining the routes. If I had a VPN server at the MAIN site and a VPN client at the CLIENT site, then the VPN client would have some tun interface that I could use to configure what I need.

Can I achieve the same by having an IPSec tunnel between the two sites?

EDIT

More details follow:

So the connection looks like this:

192.168.0.0/24 --- 192.168.0.1/M.M.M.M --- C.C.C.C/10.0.0.1 --- 10.0.0.0/24
(Main subnet)         (Main router)        (Client router)      (Client subnet)

192.168.0.1/M.M.M.M – Ubiquiti router

C.C.C.C/10.0.0.1 – simple router with some ports forwarded to 10.0.0.15

10.0.0.15 – Ubuntu machine in client subnet with IPSec tunnel to 192.168.0.1

The tunnel works. Both sites can ping each other's gateways and other machines in the network.

What I now want to achieve is routing packets to particular external IP addresses from 10.0.0.15 through 192.168.0.1.

Best Answer

So, considering the topology, I would pick the first option: simply adding a static route on client machines in 10.0.0.0/24. If the remote resources aren't in the same IP range, you would need to add one route per resource.

For example, on a Windows machine, Resource 1 (say 10.11.12.13):

route add 10.11.12.13 mask 255.255.255.255 10.0.0.15 -p

Resource 2 (say 24.25.26.27):

route add 24.25.26.27 mask 255.255.255.255 10.0.0.15 -p

Then repeat the same thing on 10.0.0.15, but this time targeting 192.168.0.1.

See here for adding persistent routes in Linux (Ubuntu).

I understand this approach is pretty granular and not suitable for large-scale networks, but it should work pretty well for small home/office use.

As an alternative, a dedicated NAT gateway would be more effective if you want to proxy all the traffic, not only traffic to whitelisted resources.

A last alternative, as far as I know, would be to build an OpenVPN server (instead of IPSec) in 192.168.0.0/24, which will proxy all traffic by default. Excellent tutorial here.

Let me know if you have any questions.
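One check worth doing before adding the per-resource routes described in the answer: the tunnel in the question is policy-based strongSwan IPsec (no tun interface, as the asker notes), and with policy-based IPsec a packet is only encapsulated if its source and destination fall inside the installed traffic selectors. The `ipsec status` output above shows those selectors as `10.0.0.0/24 === 192.168.0.0/24`, so a packet from 10.0.0.15 to an internet address is outside the remote selector regardless of which next hop a static route picks. The following added example (not from the question, the answer, or strongSwan itself) parses that status output and reports which destinations are covered by the child SA's selectors; the status text is a constructed copy of the one in the question, and the resource addresses are the placeholders used in the answer.

```python
import ipaddress
import re

# Constructed sample, modelled on the `ipsec status` output quoted in the question.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
tunnel[1]: ESTABLISHED 7 minutes ago, 10.0.0.15[C.C.C.C]...M.M.M.M[M.M.M.M]
tunnel{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7e6cd30_i ca170c58_o
tunnel{1}:   10.0.0.0/24 === 192.168.0.0/24
"""

# A child-SA traffic-selector line looks like:
#   <name>{<id>}:   <local selectors> === <remote selectors>
# Each side may list several selectors separated by spaces.
_TS_LINE = re.compile(r"^(?P<name>\S+?)\{\d+\}:\s+(?P<local>.+?)\s+===\s+(?P<remote>.+)$")


def _to_networks(field):
    """Turn 'a.b.c.d/nn[proto/port] ...' into ip_network objects (port/proto suffix ignored)."""
    return [ipaddress.ip_network(tok.split("[")[0], strict=False) for tok in field.split()]


def parse_traffic_selectors(status_text):
    """Return {child_sa_name: (local_networks, remote_networks)} from `ipsec status` text."""
    selectors = {}
    for line in status_text.splitlines():
        m = _TS_LINE.match(line.strip())
        if not m:  # SA header lines and the INSTALLED/SPI line carry no '==='
            continue
        local, remote = selectors.setdefault(m.group("name"), ([], []))
        local.extend(_to_networks(m.group("local")))
        remote.extend(_to_networks(m.group("remote")))
    return selectors


def covered_by_tunnel(src, dst, selectors, name="tunnel"):
    """True if a src->dst packet matches the child SA's policy and will be ESP-encapsulated.

    A static route only chooses the next hop; the kernel's IPsec policy lookup is
    independent of it. A destination outside every remote selector is not protected
    by this SA, so it must be added to the remote selector on both peers first.
    """
    local_nets, remote_nets = selectors[name]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n for n in local_nets) and any(d in n for n in remote_nets)


def uncovered_destinations(src, destinations, selectors, name="tunnel"):
    """Destinations that the current selectors would leave outside the tunnel."""
    return [d for d in destinations if not covered_by_tunnel(src, d, selectors, name)]


if __name__ == "__main__":
    sel = parse_traffic_selectors(SAMPLE_STATUS)
    # Placeholder whitelisted resources from the answer.
    resources = ["10.11.12.13", "24.25.26.27"]
    for dst in ["192.168.0.1"] + resources:
        state = "covered" if covered_by_tunnel("10.0.0.15", dst, sel) else "NOT covered by the SA's selectors"
        print(f"10.0.0.15 -> {dst}: {state}")
```

Run it on the real `ipsec status` output of 10.0.0.15; any resource listed as not covered needs the tunnel's remote selector widened (on both peers) before a route pointing at 192.168.0.1 can send that traffic through the tunnel.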