
Virtual Private Network (IPsec)

The following instructions deploy a virtual machine acting as an edge VPN endpoint for an IPsec site-to-site connection. It is based on strongSwan, a complete IPsec implementation providing encryption and authentication between peers; it can be used to secure communications with remote networks so that connecting remotely is equivalent to connecting locally. Both peers must agree on the IKE/ESP proposals, the identities and the pre-shared key, so keep the two configurations below in sync.

The full documentation is available here.

Example 1 : interconnect a private subnet located in the infomaniak Public Cloud to an external server

In this example we will expose the private subnet 10.0.0.0/24 located inside the Public Cloud to an external server through an IPsec connection.

graph LR A[Private-VM] --> |10.135.0.0/24| B[External-endpoint]; B[External-endpoint] --> |IPsec Tunnel| C{internet}; C --> |IPsec Tunnel| D[infomaniak-endpoint]; D --> |10.0.0.0/24| E[Private-VM];

Create the network architecture required for this tutorial

1. Create the VPN network, subnet and router

taylor@laptop:~$ openstack router create vpn-router
taylor@laptop:~$ openstack network create vpn-network
taylor@laptop:~$ openstack subnet create vpn-subnet   --network vpn-network   --subnet-range 192.168.0.0/24   --gateway 192.168.0.1   --dns-nameserver 83.166.143.51   --dns-nameserver 83.166.143.52
taylor@laptop:~$ openstack router add subnet vpn-router vpn-subnet

2. Connect the VPN router to the internet

taylor@laptop:~$ openstack router set --external-gateway ext-floating1 vpn-router

3. Create the VM that will be the infomaniak VPN endpoint

taylor@laptop:~$ openstack server create --flavor  a2-ram4-disk20-perf1 --key-name yubikey-taylor --network vpn-network --image "Debian 11 bullseye" vpn

4. Create a Security Group and remove the default one. Only SSH management access and the IKE/ESP traffic from the peer need to reach the VPN VM; scope the source of each rule accordingly rather than leaving them open to 0.0.0.0/0.

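taylor@laptop:~$ openstack security group create vpn-securitygroup
# SSH management access: restrict the source to the address(es) you administer
# from instead of the whole internet (replace <admin-ip> with your own public IP).
taylor@laptop:~$ openstack security group rule create --protocol tcp --dst-port 22 --ethertype IPv4 --remote-ip <admin-ip>/32 vpn-securitygroup
# IKE (UDP/500), IKE over NAT traversal (UDP/4500) and ESP only need to be
# reachable from the external endpoint (195.15.226.142 in this example), so
# limit the source to that /32. Adjust the address to your own peer.
taylor@laptop:~$ openstack security group rule create --protocol udp --dst-port 500 --ethertype IPv4 --remote-ip 195.15.226.142/32 vpn-securitygroup
taylor@laptop:~$ openstack security group rule create --protocol udp --dst-port 4500 --ethertype IPv4 --remote-ip 195.15.226.142/32 vpn-securitygroup
taylor@laptop:~$ openstack security group rule create --protocol esp --ethertype IPv4 --remote-ip 195.15.226.142/32 vpn-securitygroup
# Attach the new group and drop the project-wide default group from the VM.
taylor@laptop:~$ openstack server add security group vpn vpn-securitygroup
taylor@laptop:~$ openstack server remove security group vpn default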

5. Add a Floating IP to the VPN VM

taylor@laptop:~$ openstack floating ip create ext-floating1
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| created_at          | 2021-09-21T11:04:49Z                 |
| description         |                                      |
| dns_domain          | None                                 |
| dns_name            | None                                 |
| fixed_ip_address    | None                                 |
| floating_ip_address | 195.15.247.104                       |
| floating_network_id | 0f9c3806-bd21-490f-918d-4a6d1c648489 |
| id                  | 157f41c9-eea3-4491-a827-63b306d53277 |
| name                | 195.15.247.104                       |
| port_details        | None                                 |
| port_id             | None                                 |
| project_id          | 1cd2e93b8a95454e906ff3bb2f99b103     |
| qos_policy_id       | None                                 |
| revision_number     | 0                                    |
| router_id           | None                                 |
| status              | DOWN                                 |
| subnet_id           | None                                 |
| tags                | []                                   |
| updated_at          | 2021-09-21T11:04:49Z                 |
+---------------------+--------------------------------------+

Associate the floating IP to the VM. Replace 195.15.247.104 accordingly to your setup

taylor@laptop:~$ VM_PORT=$(openstack port list --server vpn -c id -f value)
taylor@laptop:~$ openstack floating ip set --port ${VM_PORT} 195.15.247.104

5. Install and configure StrongSwan

Connect to the VM created previously

taylor@laptop:~$ ssh debian@195.15.247.104
debian@vpn:~$ sudo apt update
debian@vpn:~$ sudo apt upgrade
debian@vpn:~$ sudo apt install strongswan
debian@vpn:~$ sudo sysctl -w net.ipv4.conf.ens3.send_redirects=1
debian@vpn:~$ echo "1" | sudo tee /proc/sys/net/ipv4/ip_forward

Make the sysctl parameters persistent across reboots by adding the two `key = value` lines shown below to /etc/sysctl.d/99-sysctl.conf and loading them with `sudo sysctl -p /etc/sysctl.d/99-sysctl.conf` (which echoes the applied values, as in the output below). Note that the interface name ens3 used above is image-specific (check with `ip -br link`), and that the persisted setting applies to all interfaces. NOTE(review): strongSwan's forwarding documentation recommends disabling ICMP redirects on an IPsec gateway (`net.ipv4.conf.all.send_redirects = 0` and `net.ipv4.conf.all.accept_redirects = 0`), because a gateway that emits redirects can instruct hosts on its subnet to route around the tunnel; enabling them here is the kernel default and should be confirmed as intentional.

root@vpn:~# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 1

Edit the file /etc/ipsec.secrets and set a strong, randomly generated PSK (Pre-Shared Key), for example the output of `openssl rand -base64 48`. Never use the example string: with `authby=psk` the PSK is the only thing authenticating the peer. The same PSK must be configured on both endpoints, and the file must remain readable by root only (mode 0600).

# This file holds shared secrets or RSA private keys for authentication.

# Pre-shared key for the site-to-site tunnel. The two identities before the
# colon form the selector: they must be the leftid/rightid of the conn in
# ipsec.conf, and an identical PSK line (identities in either order) goes on
# the peer. Replace the example string with a long random value and keep this
# file readable by root only.
infomaniak-endpoint external-endpoint : PSK "Replace This with A very strong and very long string!"

Edit the file /etc/ipsec.conf and replace the IPs accordingly to your setup.

192.168.0.35 = fixed IP of the infomaniak VPN VM on vpn-subnet (not its floating IP: the VM sits behind 1:1 NAT, so the peer sees the floating address and IKE uses NAT traversal on UDP/4500)

195.15.226.142 = IP of the external endpoint

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.
# Site-to-site tunnel from the infomaniak VPN VM (left) to the external
# endpoint (right). The peer's configuration is the mirror image of this
# one: its right*= values are our left*= values and vice versa, and the
# ike=/esp= proposals must match on both sides.
conn infomaniak_VPN
    keyexchange=ikev2
    # Fixed IP of this VM on vpn-subnet. It is reached through a floating IP
    # (1:1 NAT), so the peer sees the floating address and IKE falls back to
    # NAT traversal on UDP/4500 -- hence the UDP/4500 security group rule.
    left=192.168.0.35
    leftsubnet=10.0.0.0/24
    # With PSK authentication the identities are arbitrary strings; leftid must
    # equal the peer's rightid and appear in the selector of the PSK line in
    # /etc/ipsec.secrets.
    leftid=infomaniak-endpoint
    # strongSwan inserts no firewall rules itself; forwarding between the two
    # subnets relies on ip_forward plus the Neutron route and allowed-address
    # pair configured later in this tutorial.
    leftfirewall=no
    leftsendcert=never
    # Public IP of the external endpoint.
    right=195.15.226.142
    rightsubnet=10.135.0.0/24
    rightid=external-endpoint
    # Install a trap policy at start-up (shown as ROUTED in `ipsec status`);
    # the SA is negotiated on the first matching packet or with `ipsec up`.
    auto=route
    # On dead-peer detection keep the trap policy so traffic re-triggers
    # negotiation instead of tearing the policy down.
    dpdaction=hold
    dpddelay=30s
    dpdtimeout=120s
    # NOTE(review): modp1536 (DH group 5) is below the 2048-bit minimum and is
    # listed as SHOULD NOT in RFC 8247; prefer modp2048 or ecp256. The proposal
    # must be changed on both peers at the same time or IKE will fail.
    ike=aes128-sha256-modp1536
    ikelifetime=3600s
    # Including a DH group in the ESP proposal gives perfect forward secrecy
    # on CHILD_SA rekeys.
    esp=aes128-sha256-modp1536
    lifetime=3600s
    type=tunnel
    # Legacy keyword; leftauth=psk / rightauth=psk is the equivalent current
    # form. The tunnel is only as strong as the PSK in /etc/ipsec.secrets.
    authby=psk

debian@vpn:~$ sudo ipsec restart
Starting strongSwan 5.9.1 IPsec [starter]...

debian@vpn:~$ sudo ipsec status
Routed Connections:
infomaniak_VPNaaS{1}:  ROUTED, TUNNEL, reqid 1
infomaniak_VPNaaS{1}:   0.0.0.0/32 === 0.0.0.0/32
Security Associations (0 up, 0 connecting):
  none
The connection won't be up until the other side is configured. With the configuration above the routed entry should be named infomaniak_VPN and show the traffic selectors 10.0.0.0/24 === 10.135.0.0/24; the output pasted here (infomaniak_VPNaaS, 0.0.0.0/32) appears to come from a different setup, so do not be surprised if yours differs in those fields.

6. Configure the other side the same way, inverting the left and right entries in both ipsec.conf and ipsec.secrets. The ike=/esp= proposals, the two identities and the PSK must be identical on both peers.

root@external-endpoint-vm:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

config setup

# Defaults inherited by every conn in this file. keylife is an alias of
# lifetime and is overridden by the explicit lifetime=3600s below;
# keyingtries=1 makes a failed negotiation give up after one attempt, which
# is acceptable here because auto=route re-triggers it on the next packet.
conn %default
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        mobike=no

# basic configuration
# Mirror image of the infomaniak side: left is this external endpoint,
# right is the infomaniak VPN VM. Proposals and identities must match.
conn infomaniak_VPN
    keyexchange=ikev2
    leftfirewall=no
    # Public IP of this external endpoint.
    left=195.15.226.142
    leftsubnet=10.135.0.0/24
    leftid=external-endpoint
    # NOTE(review): this must be the floating IP associated with the infomaniak
    # VPN VM in step 5 (195.15.247.104 in this example); 195.15.244.244 does
    # not match any address assigned earlier in this tutorial -- replace it
    # with your own floating IP.
    right=195.15.244.244
    rightsubnet=10.0.0.0/24
    rightid=infomaniak-endpoint
    auto=route
    dpdaction=hold
    dpddelay=30s
    dpdtimeout=120s
    # NOTE(review): modp1536 (DH group 5) is listed as SHOULD NOT in RFC 8247;
    # prefer modp2048 or ecp256, changed on both peers simultaneously.
    ike=aes128-sha256-modp1536
    ikelifetime=3600s
    esp=aes128-sha256-modp1536
    lifetime=3600s
    type=tunnel
    # Legacy keyword for leftauth=psk / rightauth=psk.
    authby=psk
root@external-endpoint-vm:~# cat /etc/ipsec.secrets
# PSK for the site-to-site tunnel: must be byte-identical to the one on the
# infomaniak endpoint, and the selector lists the same two identities
# (order does not matter). Keep this file readable by root only.
external-endpoint infomaniak-endpoint : PSK "Replace This with A very strong and very long string!"

7. Bring up the VPN connection

debian@vpn:~$ sudo ipsec up infomaniak_VPN

8. Add an allowed-address pair so the VPN VM's port may forward traffic sourced from the remote subnet. Without it, Neutron's port anti-spoofing filter drops packets whose source IP is not one of the port's own addresses, so decrypted packets from 10.135.0.0/24 would never leave the VM.

taylor@laptop:~$ VM_PORT=$(openstack port list --server vpn -c id -f value)
taylor@laptop:~$ openstack port set --allowed-address ip-address=10.135.0.0/24 ${VM_PORT}

9. We create a static route on the vpn router so the traffic from the local subnets to the remote subnet goes through the VPN

taylor@laptop:~$ openstack router add route --route destination=10.135.0.0/24,gateway=192.168.0.35 vpn-router

Once the private subnet from the next step exists and is attached to vpn-router, the private VM should be reachable from the external endpoint (and the remote subnet from the private VM) through the tunnel.

10. Exposing a private subnet to the VPN

In this example the subnet 10.0.0.0/24 will be accessible from the external endpoint. Let's create it, along with a VM on this subnet to confirm it works. Note that the security group rules added at the end apply to every instance in the project that uses the `default` group, so they are scoped to the remote subnet rather than opened to the whole internet.

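taylor@laptop (pub1|taylor):~$ openstack network create ik-private-net-1
taylor@laptop (pub1|taylor):~$ openstack subnet create ik-private-subnet-1   --network ik-private-net-1   --subnet-range 10.0.0.0/24   --gateway 10.0.0.1   --dns-nameserver 83.166.143.51   --dns-nameserver 83.166.143.52
# Attaching the subnet to vpn-router is what makes the static route from step 9
# apply to it.
taylor@laptop (pub1|taylor):~$ openstack router add subnet vpn-router  ik-private-subnet-1
taylor@laptop (pub1|taylor):~$ openstack server create --flavor  a2-ram4-disk20-perf1 --key-name yubikey-taylor --network ik-private-net-1 --image "Debian 11 bullseye" ik-private-subnet-1-vm-1
# These rules modify the project-wide `default` security group, so limit the
# source to the remote subnet reachable through the tunnel instead of 0.0.0.0/0.
taylor@laptop (pub1|taylor):~$ openstack security group rule create --protocol tcp --dst-port 22 --ethertype IPv4 --remote-ip 10.135.0.0/24 default
taylor@laptop (pub1|taylor):~$ openstack security group rule create --protocol icmp --ethertype IPv4 --remote-ip 10.135.0.0/24 default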