I need to create a site-to-site VPN with a remote VPC (IKEv2 + IPsec). Both sides use some web resources of the other; those services' hostnames are mapped to IPs using a DNS server (one on each side). Side A uses Fortigate, Side B uses strongSwan.

The network looks as follows, where Side B has access to subnets A1, A2, A3, while Side A has access to subnet B:

[Diagram: setup 1]

This is the configuration I'm using on Side B:

/etc/ipsec.config

conn %default
  keyexchange=ikev2
  mobike=no
  authby=psk

conn sideA
  left=%defaultroute
  leftid=GATEWAY_B_PUBLIC_IP
  leftsubnet=SUBNET_B
  right=GATEWAY_A_PUBLIC_IP
  rightid=GATEWAY_A_PRIVATE_IP
  rightsubnet=SUBNET_A1,SUBNET_A2,SUBNET_A3
  type=tunnel
  auto=start

The issue is that Subnet A4 overlaps Subnet B, so this configuration doesn't work. VPN Gateway B is a virtual machine running Ubuntu 20, so it's open to customizations.

Bagbyte

1 Answer

Solution

I've changed ipsec.conf as follows:

conn %default
  keyexchange=ikev2
  mobike=no
  authby=psk

conn sideA
  left=%defaultroute
  leftid=GATEWAY_B_PUBLIC_IP
  leftsubnet=VIRTUAL_SUBNET_B
  right=GATEWAY_A_PUBLIC_IP
  rightid=GATEWAY_A_PRIVATE_IP
  rightsubnet=SUBNET_A1,SUBNET_A2,SUBNET_A3
  type=tunnel
  auto=start

where VIRTUAL_SUBNET_B is a virtual subnet that doesn't overlap with either the left or the right side,

and created the following NAT rules:

iptables -t nat -A PREROUTING -s SUBNET_Ax -d VIRTUAL_SUBNET_B -j NETMAP --to SUBNET_B
iptables -t nat -A POSTROUTING -s SUBNET_B -d SUBNET_Ax -j NETMAP --to VIRTUAL_SUBNET_B

and added the following lines to /etc/sysctl.conf:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
Bagbyte
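As an added example (not code from the question or the answer), the script below models what the NETMAP rule pair above does to a packet and checks the constraints the answer relies on: the virtual subnet must be the same size as SUBNET_B and must not collide with SUBNET_B or any Side A subnet. All addresses are constructed placeholders.

```python
# Added example: models the strongSwan + iptables NETMAP workaround from the answer.
import ipaddress

def build_netmap(real_b, virtual_b, remote_a):
    """Parse the ranges and enforce what NETMAP needs: equal prefix lengths (host
    bits pass through unchanged) and a virtual range that collides with nothing."""
    real = ipaddress.ip_network(real_b)
    virtual = ipaddress.ip_network(virtual_b)
    remotes = [ipaddress.ip_network(r) for r in remote_a]
    if real.prefixlen != virtual.prefixlen:
        raise ValueError("NETMAP requires equal prefix lengths")
    for net in [real, *remotes]:
        if virtual.overlaps(net):
            raise ValueError(f"virtual subnet {virtual} overlaps {net}")
    return real, virtual, remotes

def netmap(addr, src_net, dst_net):
    """Translate one address between two equal-sized networks, keeping host bits."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)

def nat_rules(real, virtual, remotes):
    """Emit the PREROUTING/POSTROUTING pair from the answer, once per Side A subnet."""
    rules = []
    for r in remotes:
        rules.append(f"iptables -t nat -A PREROUTING -s {r} -d {virtual} -j NETMAP --to {real}")
        rules.append(f"iptables -t nat -A POSTROUTING -s {real} -d {r} -j NETMAP --to {virtual}")
    return rules

def inbound(src, dst, real, virtual):
    """Packet from Side A arriving over the tunnel: PREROUTING rewrites the destination."""
    return str(src), str(netmap(dst, virtual, real))

def outbound(src, dst, real, virtual):
    """Reply from Side B heading into the tunnel: POSTROUTING rewrites the source."""
    return str(netmap(src, real, virtual)), str(dst)

# Constructed placeholder addressing (hypothetical values, not from the page).
SUBNET_B = "10.0.0.0/24"          # same range as Side A's A4, hence the clash
SUBNET_A = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]
VIRTUAL_SUBNET_B = "172.16.0.0/24"

if __name__ == "__main__":
    real, virtual, remotes = build_netmap(SUBNET_B, VIRTUAL_SUBNET_B, SUBNET_A)
    print("\n".join(nat_rules(real, virtual, remotes)))
    print(inbound("10.1.0.7", "172.16.0.5", real, virtual))
    print(outbound("10.0.0.5", "10.1.0.7", real, virtual))
```

Side A only ever sees VIRTUAL_SUBNET_B, so its routes, DNS records and firewall policy for Side B's services must refer to the virtual addresses, not to SUBNET_B.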