-1

I've deployed a RHEL 7.5 VM running Libreswan 3.23-5 on AWS. I've successfully set up several IPSec tunnels from my VM to 6 other organizations. What we hope to achieve is a hub-spoke setup, where each organization needs only one VPN tunnel to AWS (my VPN VM) and should be able to communicate (AMQP) with the 6 other organizations through the Hub's IPSec tunnel. I've successfully had them ping my subnet, but I would like them to be able to ping the other organizations subnets. Is this something I set up in the conf file for each connection or thorough the routing table? Currently, the configuration files under the ipsec.d directory contain only my subnets in the leftsunets line and not the other organizations. 

conn hub-to-spoke1
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=hub.public.ip.address
    leftnexthop=%defaultroute
    leftsubnets=hub.subnets.cidr.blocks
    right=spoke1.public.ip.address
    rightsubnet=spoke1.subnet.cidr.block
    pfs=yes
    auto=add
    ikelifetime=24h
    keylife=8h
    ike=aes256-sha1;modp1536
    phase2=esp
    phase2alg=aes256-sha1;modp1024

We are using Pre-Shared Keys. What configurations do I have to do on my side to get the connections to forward to the other organizations? What does each organization have to do to allow connections from the other 6 organizations through the one tunnel? I greatly appreciate any help as this is my first foray into networking.

Alessandro
  • 309
  • 5
  • 23

1 Answers1

0

I was able to successfully connect the partners by doing adding the spokes' private subnets to the hub's left subnets, and each partner should have each other private partners subnets as right subnets. You also have to add the partners' subnets to the route table in AWS console. Here is a sample config file for the hub:

conn hub-to-spoke
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=hub.public.ip.address
    leftnexthop=%defaultroute
    leftsubnets="all hub subnets and all other spokes subnets"
    right=spoke.public.ip.address
    rightsubnets="all spoke subnets"
    pfs=yes
    auto=add
    ikelifetime=24h
    keylife=8h
    ike=aes256-sha1;modp1536
    phase2=esp
    phase2alg=aes256-sha1;modp1024

For the spoke here is a sample config

conn spoke-to-hub
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=spoke.public.ip.address
    leftnexthop=%defaultroute
    leftsubnets="spoke's subnets"
    right=hub.public.ip.address
    rightsubnet="list of hub's subnets and other spokes subnets"
    pfs=yes
    auto=add
    ikelifetime=24h
    keylife=8h
    ike=aes256-sha1;modp1536
    phase2=esp
    phase2alg=aes256-sha1;modp1024

You will have to ensure there is no private subnet overlap.

Alessandro
  • 309
  • 5
  • 23