
I currently have an issue at hand. I am not too experienced in the routing part of Unix, and it would be great to have a helping hand.

I am currently using Hetzner for cloud instances.

I currently need to set up a site-to-site connection using public encrypted domains.

My stack contains:

1. Ubuntu host on version 20.04.01 (call it Serv-A)
2. I have strongSwan installed on Serv-A
3. I have a default eth0 interface on Serv-A which has a randomly generated public IP assigned to it as part of the Hetzner cloud plan.
4. I created a private network on Hetzner (172.16.0.0/24) and attached it to Serv-A
5. Serv-A now has another interface called ens11 with IP 172.16.0.2
6. I also attached a PUBLIC IP (EIP / floating IP) to the box. So Serv-A has 2 public IPs.

For this example, let's say:

The VPN on the other side has a public IP of 42.102.1.200

The VPN on the other side has encrypted domains of 42.102.1.215, 42.102.1.216 and 42.102.1.220

On my side I have Serv-A with eth0 bound to 2 public IPs right now, for example 102.58.0.22 and the floating IP 196.9.0.109

The setup needs to be a site-to-site VPN with a public IP used as the encrypted domain.

So I was asked to NAT a public IP to a private network.

My VPN setup is as follows:

```
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# settings shared by every conn below
conn %default
    ikelifetime=600m # 36,000 s
    keylife=180m # 10,800 s
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev2
    mobike=no
    type=transport
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    auto=start
    dpdaction=restart
    authby=psk
    left=102.58.0.22
    leftid=196.9.0.109
    leftsubnet=172.16.0.0/24
    leftauth=psk

# one conn per remote encrypted domain
conn tunnel_1
    right=42.102.1.200
    rightid=42.102.1.200
    rightsubnet=42.102.1.215/32
    rightnexthop=%defaultroute
    rightauth=psk

conn tunnel_
    right=42.102.1.200
    rightid=42.102.1.200
    rightsubnet=42.102.1.216/32
    rightnexthop=%defaultroute
    rightauth=psk

conn tunnel_3
    right=42.102.1.200
    rightid=42.102.1.200
    rightsubnet=42.102.1.229/32
    rightnexthop=%defaultroute
    rightauth=psk
```

Note that the VPN on the other side allows the connection to be made to 102.58.0.22 (Serv-A's initial IP),

then I need to use the 2nd IP 196.9.0.109, I guess, for the tunnel.

I have tried to map 196.9.0.109 (NEW IP / FLOATING IP) to ens11 by using

```
iptables -t nat -I POSTROUTING -s 172.16.0.1/24 -d 42.102.1.0/24 -j SNAT --to 196.9.0.109
```

(so everything from the private network trying to reach the other side goes through the floating IP)

But when I do a `traceroute -s 172.16.0.2 42.102.1.215`, it goes through the internet -.-" and not the tunnel

```
iptables -t nat -A PREROUTING -d 196.9.0.109 -j DNAT --to-destination 172.16.0.2
```

and the guys on the other side also cannot ping me.

Can you please let me know what should be done to use encrypted domains and private subnets?

Thanks S
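As an added example (not the poster's configuration, and not an answer posted on this page), the following POSIX shell script renders an ipsec.conf and the iptables rules for the layout the question describes: the private network 172.16.0.0/24 is SNATed to the floating IP 196.9.0.109, which is the only local encrypted domain the peer sees, so leftsubnet is 196.9.0.109/32 and the conns use tunnel mode. The Linux kernel repeats the XFRM policy lookup after SNAT in POSTROUTING, which is why the rewritten source then matches the IPsec policy instead of being routed to the internet in the clear. The inbound DNAT is limited to packets that were decapsulated by IPsec (`-m policy --dir in --pol ipsec`), so the floating IP does not forward arbitrary internet traffic to the private host. Assumptions: 172.16.0.2 as the DNAT target, leftid equal to the IKE address 102.58.0.22 (the identity must match whatever the peer has configured), and the check_out_policies helper, which parses `ip xfrm policy` output, is hypothetical tooling written for this example.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Addresses come from the question;
# PRIVATE_HOST and leftid=LOCAL_PUBLIC are assumptions made for this example.
LOCAL_PUBLIC=102.58.0.22        # IKE endpoint: the address the peer accepts IKE from
FLOATING_IP=196.9.0.109         # local encrypted domain announced to the peer
PRIVATE_NET=172.16.0.0/24       # Hetzner private network on ens11
PRIVATE_HOST=172.16.0.2         # host that traffic arriving through the tunnel is DNATed to
PEER_IP=42.102.1.200
PEER_DOMAINS="42.102.1.215 42.102.1.216 42.102.1.220"

# Render an ipsec.conf whose policy covers the NATed source (FLOATING_IP/32)
# instead of the private network, in tunnel mode as site-to-site requires.
render_ipsec_conf() {
  cat <<EOF
config setup

conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    authby=psk
    type=tunnel
    left=$LOCAL_PUBLIC
    leftid=$LOCAL_PUBLIC
    leftsubnet=$FLOATING_IP/32
    right=$PEER_IP
    rightid=$PEER_IP
    auto=start
EOF
  n=1
  for d in $PEER_DOMAINS; do
    # one conn per remote encrypted domain, named tunnel_1, tunnel_2, ...
    printf '\nconn tunnel_%s\n    rightsubnet=%s/32\n' "$n" "$d"
    n=$((n + 1))
  done
}

# Print the iptables rules. The kernel re-runs the XFRM policy lookup after SNAT
# in POSTROUTING, so once the source is rewritten to FLOATING_IP the packet matches
# the leftsubnet policy and is encrypted instead of leaving in the clear.
# Inbound DNAT only applies to packets that were decapsulated by IPsec, so the
# floating IP never forwards plain internet traffic to PRIVATE_HOST.
nat_rules() {
  for d in $PEER_DOMAINS; do
    echo "iptables -t nat -A POSTROUTING -s $PRIVATE_NET -d $d/32 -j SNAT --to-source $FLOATING_IP"
    echo "iptables -t nat -A PREROUTING -s $d/32 -d $FLOATING_IP/32 -m policy --dir in --pol ipsec -j DNAT --to-destination $PRIVATE_HOST"
    echo "iptables -A FORWARD -s $PRIVATE_NET -d $d/32 -j ACCEPT"
  done
  echo "iptables -A FORWARD -d $PRIVATE_NET -m policy --dir in --pol ipsec -j ACCEPT"
}

# Read 'ip xfrm policy' output on stdin; succeed only if every peer domain has an
# outbound policy whose source is the floating IP (hypothetical helper).
check_out_policies() {
  policies=$(cat)
  for d in $PEER_DOMAINS; do
    echo "$policies" | awk -v want="src $FLOATING_IP/32 dst $d/32" '
      index($0, want) == 1 { hit = 1; next }
      hit && /dir out/     { found = 1 }
      { hit = 0 }
      END { exit found ? 0 : 1 }' || return 1
  done
  return 0
}

# Apply only when explicitly requested; otherwise just print what would be done.
if [ "${APPLY:-0}" = 1 ]; then
  render_ipsec_conf > /etc/ipsec.conf
  nat_rules | sh -e
  ipsec restart && sleep 2 && ip xfrm policy | check_out_policies
else
  render_ipsec_conf
  nat_rules
fi
```

Run it without APPLY=1 to review the rendered config and rules; with APPLY=1 it writes /etc/ipsec.conf, loads the rules and checks that an outbound policy exists for every peer domain. After that, `ip -s xfrm state` shows whether packets are actually being encrypted, and a `traceroute -s 172.16.0.2` to a peer domain should no longer show internet hops.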

1 Answer


I am having a problem setting up the same thing. The tunnel is not coming up. What were your final configuration and routing rules?

  • This does not really answer the question. If you have a different question, you can ask it by clicking [Ask Question](https://serverfault.com/questions/ask). To get notified when this question gets new answers, you can [follow this question](https://meta.stackexchange.com/q/345661). Once you have enough [reputation](https://serverfault.com/help/whats-reputation), you can also [add a bounty](https://serverfault.com/help/privileges/set-bounties) to draw more attention to this question. - [From Review](/review/late-answers/505105) – Dave M Dec 11 '21 at 14:41