In one of my previous articles I wrote about an IPsec transport between two hosts. That was pretty easy to set up (you might use it as a basis for this post). All traffic between those two IPs was encrypted. Now let's do the same for public IP networks instead of just two IPs.
The goal is to have all traffic between the given public IP networks (here y.y.y.y/26, x.x.x.x/27 and a.a.a.a/27) encrypted, so that whenever hosts in these networks communicate with each other, everything is protected by IPsec.
Let's assume the following:
- node1
  - x.x.x.x/27
  - y.y.y.y/26
- node2
  - a.a.a.a/27
On node1 /etc/ipsec.conf is configured like this:
```
# ipsec.conf - strongSwan IPsec configuration file

conn general
    authby=ecdsasig
    compress=no
    type=tunnel
    auto=start
    # this is the tunnel ip of the local machine i.e. the local endpoint
    left=x.x.x.x
    # the local networks
    leftsubnet=x.x.x.x/27,y.y.y.y/26
    leftsigkey=/etc/ipsec.d/public/node1.pub.key

include /etc/ipsec.d/*.conf
```
Additionally a configuration file for the node1-to-node2 connection is created in /etc/ipsec.d/node2.conf:
```
conn node1-node2
    also=general
    # the remote endpoint
    right=a.a.a.a
    # the remote networks
    rightsubnet=a.a.a.a/27
    rightsigkey=/etc/ipsec.d/public/node2.pub.key
```
On node2 it looks much the same, just mirrored:
```
# ipsec.conf - strongSwan IPsec configuration file

conn general
    authby=ecdsasig
    compress=no
    type=tunnel
    auto=start
    # this is the tunnel ip of the local machine i.e. the local endpoint
    left=a.a.a.a
    # the local networks
    leftsubnet=a.a.a.a/27
    leftsigkey=/etc/ipsec.d/public/node2.pub.key

include /etc/ipsec.d/*.conf
```
Additionally, a configuration file for the same connection, seen from node2's side, is created in /etc/ipsec.d/node1.conf:
```
conn node2-node1
    also=general
    # the remote endpoint
    right=x.x.x.x
    # the remote networks
    rightsubnet=x.x.x.x/27,y.y.y.y/26
    rightsigkey=/etc/ipsec.d/public/node1.pub.key
```
That’s all. Restart ipsec on both nodes and ping around.
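A successful ping only proves connectivity, not that the packets between the networks were actually encrypted. As an added check that is not part of the original post, the following Python script derives the in/out policy pairs a conn with these leftsubnet/rightsubnet values must install and compares them with `ip xfrm policy` output; the output here is a constructed sample, with RFC 5737 documentation ranges standing in for x.x.x.x, y.y.y.y and a.a.a.a.

```python
# Added example (not from the original post): check that the kernel holds an
# IPsec policy for every local/remote subnet pair the strongSwan conn should
# protect. Addresses are RFC 5737 ranges standing in for x.x.x.x/y.y.y.y/a.a.a.a.
import ipaddress
import itertools
import re

# Subnets as they would appear in leftsubnet= / rightsubnet= on node1 (constructed)
LEFTSUBNET = "192.0.2.0/27,198.51.100.0/26"
RIGHTSUBNET = "203.0.113.0/27"

# Constructed excerpt of `ip xfrm policy` output (tmpl lines omitted); the
# second local subnet deliberately lacks its "out" policy so there is a finding.
SAMPLE_XFRM_POLICY = """\
src 192.0.2.0/27 dst 203.0.113.0/27
	dir out priority 375423 ptype main
src 203.0.113.0/27 dst 192.0.2.0/27
	dir in priority 375423 ptype main
src 203.0.113.0/27 dst 198.51.100.0/26
	dir in priority 375423 ptype main
"""

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)[ \t]*\n\s+dir (in|out|fwd)", re.MULTILINE)

def expected_policies(leftsubnet, rightsubnet):
    """Each local/remote pair needs an 'out' policy (local->remote) and an
    'in' policy (remote->local); return them as (src, dst, dir) tuples."""
    lefts = [ipaddress.ip_network(s) for s in leftsubnet.split(",")]
    rights = [ipaddress.ip_network(s) for s in rightsubnet.split(",")]
    wanted = set()
    for loc, rem in itertools.product(lefts, rights):
        wanted.add((str(loc), str(rem), "out"))
        wanted.add((str(rem), str(loc), "in"))
    return wanted

def installed_policies(xfrm_output):
    """Parse `ip xfrm policy` text into the same (src, dst, dir) tuples."""
    return {(src, dst, d) for src, dst, d in POLICY_RE.findall(xfrm_output)}

def missing_policies(leftsubnet, rightsubnet, xfrm_output):
    """Pairs the conn promises to protect but the kernel has no policy for;
    traffic between them would leave the host in clear text."""
    return sorted(expected_policies(leftsubnet, rightsubnet) - installed_policies(xfrm_output))

if __name__ == "__main__":
    for src, dst, d in missing_policies(LEFTSUBNET, RIGHTSUBNET, SAMPLE_XFRM_POLICY):
        print(f"missing {d} policy: {src} -> {dst}")
```

On a real node, feed the script the output of `ip xfrm policy` instead of the sample; an empty result means every subnet pair from the conn has both an in and an out policy installed.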