Hello,
I have an EdgeRouter PoE installed as a router on my home network.
I would like to establish an IPSec tunnel to my VPS, either as IPSec site-to-site or L2TP/IPSec, so that I could access my home LAN resources from the VPS. However, I'm not quite familiar with IPSec and I'm still unable to successfully connect these two sites.
My first question is, which option is better for this case, site-to-site IPSec or L2TP?
When I was doing some tests on a local LAN, I was able to successfully create an L2TP tunnel; however, the VPS is an OpenVZ server and the kernel currently running there does not support IPSec, so I'm stuck with the kernel-libipsec plugin and I was unable to make L2TP work with that. That might be partly due to my incompetence, so I'll look into that later.
However, I had some partial success with site-to-site: the connection has been successfully established, but I can't ping the other side from either the VPS or the EdgeRouter.
The question is, what is the correct setting for local/remote subnets on each side?
These are my settings on the EdgeRouter's side:
    auto-firewall-nat-exclude enable
    esp-group FOO0 {
        proposal 1 {
            encryption aes128
            hash sha1
        }
    }
    ike-group FOO0 {
        proposal 1 {
            dh-group 2
            encryption aes128
            hash sha1
        }
    }
    site-to-site {
        peer <vps_ip> {
            authentication {
                mode pre-shared-secret
                pre-shared-secret *****
            }
            connection-type initiate
            description vpn
            ike-group FOO0
            local-address any
            tunnel 1 {
                esp-group FOO0
                local {
                    prefix 192.168.0.0/24
                }
                remote {
                    prefix 10.99.98.0/24
                }
            }
        }
    }
192.168.0.0/24 is my home LAN subnet
10.99.98.0/24 should be the VPS VPN subnet; however, I'm not quite sure how I should set it up with strongSwan, since, even after issuing "ipsec up <conn_name>" and getting a message that the connection has been successfully established and routes have been adjusted, there is no interface with that subnet there. ipsec0 is up, but with no IP address assigned.
This is my ipsec.conf at the VPS:
    config setup
        charondebug="ike 2, knl 3, cfg 2"
        # Openswan/pluto-era options carried over; strongSwan 5 does not use them
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nat_traversal=yes
        protostack=netkey
        oe=off
        plutoopts="--interface=venet0"

    conn thunderbolt
        authby=secret
        ike=aes128-sha1-modp1024
        # a DH group in esp= enables PFS in strongSwan; the pfs= keyword itself is ignored
        esp=aes128-sha1-modp1024
        keyexchange=ikev1
        pfs=no
        auto=add
        keyingtries=3
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=tunnel
        left=<vps_ip_address>
        leftsubnet=10.99.98.0/24
        leftnexthop=%defaultroute
        # traffic selector on the right side limited to UDP/1701 (L2TP)
        rightprotoport=17/1701
        right=<edgerouter_wan_ip>
        rightsubnet=192.168.0.0/24
Am I doing something wrong? As I said, I don't have enough background on IPSec, so I might not be getting the whole picture correctly, so I'd be glad if someone could push me in the right direction :-)
Also, it _might_ be possible that the problem is that the VPS runs off the OpenVZ engine, since I was unable to use the default kernel-netlink plugin (the currently running kernel does not support IPSec) and I was stuck with the userspace kernel-libipsec plugin. It might be possible that some specifics of OpenVZ are messing with something and that's why it does not work, but I'm not that familiar with OpenVZ either, so I can't tell.
Anyway, thanks for any input and sorry for the long post...
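An added check, not from the original post nor from strongSwan or EdgeOS, built from the prefixes and options quoted above: it parses the conn section of the VPS ipsec.conf and reports where the two ends' traffic selectors fail to mirror each other (VPS leftsubnet must equal the router's remote prefix and vice versa) and where a protoport setting narrows the SA so that ICMP echo never matches the tunnel policy.

```python
import ipaddress

# Constructed sample: the conn section from the VPS ipsec.conf in the post
# and the local/remote prefixes of the EdgeRouter's tunnel 1.
IPSEC_CONF = """
config setup
    charondebug="ike 2, knl 3, cfg 2"
conn thunderbolt
    type=tunnel
    left=<vps_ip_address>
    leftsubnet=10.99.98.0/24
    rightprotoport=17/1701
    right=<edgerouter_wan_ip>
    rightsubnet=192.168.0.0/24
"""
EDGEROUTER_TUNNEL = {"local": "192.168.0.0/24", "remote": "10.99.98.0/24"}


def parse_conn(text, name):
    """Return the key=value options of one 'conn <name>' section of an ipsec.conf."""
    opts, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith(("conn ", "config ", "ca ")):
            in_conn = line.split()[:2] == ["conn", name]  # enter/leave the wanted section
        elif in_conn and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts


def check_selectors(conn, peer):
    """Selectors must mirror (leftsubnet == router remote, rightsubnet == router local),
    and no side may narrow the SA to one protocol/port if plain pings are expected to flow."""
    problems = []
    for conn_key, peer_key in (("leftsubnet", "remote"), ("rightsubnet", "local")):
        mine = conn.get(conn_key)
        if mine is None or ipaddress.ip_network(mine) != ipaddress.ip_network(peer[peer_key]):
            problems.append(f"{conn_key}={mine} does not mirror the router's {peer_key} prefix {peer[peer_key]}")
    for side in ("left", "right"):
        pp = conn.get(f"{side}protoport")
        if pp and pp not in ("%any", "0/0"):
            problems.append(f"{side}protoport={pp} limits the SA to that protocol/port, so ICMP is outside the tunnel")
    return problems


if __name__ == "__main__":
    for p in check_selectors(parse_conn(IPSEC_CONF, "thunderbolt"), EDGEROUTER_TUNNEL):
        print("WARN:", p)
```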