I've deployed a RHEL 7.5 VM running Libreswan 3.23-5 on AWS. I've successfully set up several IPSec tunnels from my VM to 6 other organizations. What we hope to achieve is a hub-spoke setup, where each organization needs only one VPN tunnel to AWS (my VPN VM) and should be able to communicate (AMQP) with the 6 other organizations through the Hub's IPSec tunnel. I've successfully had them ping my subnet, but I would like them to be able to ping the other organizations' subnets. Is this something I set up in the conf file for each connection or through the routing table? Currently, the configuration files under the ipsec.d directory contain only my subnets in the leftsubnets line and not the other organizations'.
conn hub-to-spoke1
type=tunnel
authby=secret
left=%defaultroute
leftid=hub.public.ip.address
leftnexthop=%defaultroute
# leftsubnets= (plural) takes a brace-delimited, space-separated list of CIDR blocks
leftsubnets={hub.subnet1.cidr.block hub.subnet2.cidr.block}
right=spoke1.public.ip.address
rightsubnet=spoke1.subnet.cidr.block
pfs=yes
auto=add
ikelifetime=24h
keylife=8h
ike=aes256-sha1;modp1536
phase2=esp
phase2alg=aes256-sha1;modp1024
We are using Pre-Shared Keys. What configurations do I have to do on my side to get the connections to forward to the other organizations? What does each organization have to do to allow connections from the other 6 organizations through the one tunnel? I greatly appreciate any help as this is my first foray into networking.
I was able to successfully connect the partners by adding the spokes' private subnets to the hub's left subnets, and each partner should have the other partners' private subnets as right subnets. You also have to add the partners' subnets to the route table in the AWS console. Here is a sample config file for the hub:
conn hub-to-spoke
type=tunnel
authby=secret
left=%defaultroute
leftid=hub.public.ip.address
leftnexthop=%defaultroute
# all hub subnets plus every other spoke's subnets, as a brace-delimited, space-separated list
leftsubnets={hub.subnet.cidr.block spoke2.subnet.cidr.block spoke3.subnet.cidr.block}
right=spoke.public.ip.address
# all of this spoke's subnets
rightsubnets={spoke.subnet.cidr.block}
pfs=yes
auto=add
ikelifetime=24h
keylife=8h
ike=aes256-sha1;modp1536
phase2=esp
phase2alg=aes256-sha1;modp1024
For the spoke, here is a sample config:
conn spoke-to-hub
type=tunnel
authby=secret
left=%defaultroute
leftid=spoke.public.ip.address
leftnexthop=%defaultroute
# the spoke's own subnets
leftsubnets={spoke.subnet.cidr.block}
right=hub.public.ip.address
# the hub's subnets plus every other spoke's subnets (rightsubnets=, plural, for a list)
rightsubnets={hub.subnet.cidr.block other.spoke.subnet.cidr.block}
pfs=yes
auto=add
ikelifetime=24h
keylife=8h
ike=aes256-sha1;modp1536
phase2=esp
phase2alg=aes256-sha1;modp1024
You will have to ensure there is no private subnet overlap.
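The procedure in the answer above (hub lists its own subnets plus every other spoke's subnets on its left side, each spoke mirrors that on its right side, no subnet may overlap, and the AWS route table needs an entry per spoke subnet) is easy to get wrong by hand with six partners. The following is an added example, not the poster's own configuration: a small Python generator that emits the hub and spoke conn blocks in Libreswan's brace-list syntax, refuses to run if any two subnets in the mesh overlap, and lists the destination CIDRs the hub VPC route table must send to the hub VM. All subnets are constructed RFC 1918 placeholders, and the spoke names and public-IP placeholders are assumptions standing in for the real values.

```python
"""Generate Libreswan hub/spoke conn blocks and check for subnet overlap.

Added example, not the poster's own config. The subnets below are
constructed placeholders (RFC 1918 ranges) standing in for the hub's and
each spoke's real CIDR blocks. Libreswan's leftsubnets=/rightsubnets=
take a brace-delimited, space-separated list; when both are set on one
conn, Libreswan instantiates a child SA for every left/right subnet pair.
"""
import ipaddress
from itertools import combinations

# Constructed sample topology (assumptions, not the original poster's data).
HUB_SUBNETS = ["10.0.0.0/16"]
SPOKES = {
    "spoke1": ["192.168.10.0/24"],
    "spoke2": ["192.168.20.0/24", "192.168.21.0/24"],
    "spoke3": ["172.16.0.0/24"],
}
# Phase 1/2 settings copied unchanged from the question; the
# *.public.ip.address names are placeholders exactly as in the post.
COMMON = """    type=tunnel
    authby=secret
    pfs=yes
    auto=add
    ikelifetime=24h
    keylife=8h
    ike=aes256-sha1;modp1536
    phase2=esp
    phase2alg=aes256-sha1;modp1024"""


def find_overlaps(spokes, hub_subnets):
    """Return (name_a, cidr_a, name_b, cidr_b) for every pair of subnets in
    the mesh that overlap. Any hit means a partner's traffic would be
    mis-routed or black-holed, so the generator refuses to proceed."""
    labelled = [("hub", ipaddress.ip_network(c)) for c in hub_subnets]
    for name, cidrs in spokes.items():
        labelled += [(name, ipaddress.ip_network(c)) for c in cidrs]
    return [
        (na, str(a), nb, str(b))
        for (na, a), (nb, b) in combinations(labelled, 2)
        if a.overlaps(b)
    ]


def subnet_list(cidrs):
    """Libreswan list syntax: leftsubnets={10.0.0.0/16 192.168.10.0/24}."""
    return "{" + " ".join(cidrs) + "}"


def other_spoke_subnets(spoke, spokes):
    """Subnets of every spoke except the named one, in dict order."""
    return [c for n, cidrs in spokes.items() if n != spoke for c in cidrs]


def hub_conn(spoke, spokes, hub_subnets):
    """Hub-side conn for one spoke: the hub's own subnets plus every OTHER
    spoke's subnets are the left side, this spoke's subnets the right."""
    left = hub_subnets + other_spoke_subnets(spoke, spokes)
    return (
        f"conn hub-to-{spoke}\n{COMMON}\n"
        "    left=%defaultroute\n"
        "    leftid=hub.public.ip.address\n"
        "    leftnexthop=%defaultroute\n"
        f"    leftsubnets={subnet_list(left)}\n"
        f"    right={spoke}.public.ip.address\n"
        f"    rightsubnets={subnet_list(spokes[spoke])}\n"
    )


def spoke_conn(spoke, spokes, hub_subnets):
    """Spoke-side conn, the exact mirror of hub_conn for that spoke."""
    right = hub_subnets + other_spoke_subnets(spoke, spokes)
    return (
        f"conn {spoke}-to-hub\n{COMMON}\n"
        "    left=%defaultroute\n"
        f"    leftid={spoke}.public.ip.address\n"
        "    leftnexthop=%defaultroute\n"
        f"    leftsubnets={subnet_list(spokes[spoke])}\n"
        "    right=hub.public.ip.address\n"
        f"    rightsubnets={subnet_list(right)}\n"
    )


def aws_routes_needed(spokes):
    """Destination CIDRs the hub VPC route table must point at the hub VM
    (one entry per spoke subnet) so return traffic reaches the tunnels."""
    return sorted(c for cidrs in spokes.values() for c in cidrs)


def generate(spokes=SPOKES, hub_subnets=HUB_SUBNETS):
    """Return {relative filename: conn text}; raises on any subnet overlap."""
    overlaps = find_overlaps(spokes, hub_subnets)
    if overlaps:
        raise ValueError(f"overlapping subnets: {overlaps}")
    files = {}
    for spoke in spokes:
        files[f"hub/hub-to-{spoke}.conf"] = hub_conn(spoke, spokes, hub_subnets)
        files[f"{spoke}/{spoke}-to-hub.conf"] = spoke_conn(spoke, spokes, hub_subnets)
    return files


if __name__ == "__main__":
    for name, text in generate().items():
        print(f"# {name}\n{text}")
    print("# AWS route table destinations via the hub VM:", aws_routes_needed(SPOKES))
```

Two practitioner notes on the design. First, the generator gives every spoke the full list of other spokes, which is what the answer describes; if a partner should only reach some of the others, trim that partner's list (on both the hub and the spoke side, since the child SAs must match) rather than relying on firewalling alone. Second, for the hub VM to forward between tunnels at all, IP forwarding must be enabled on the RHEL host (net.ipv4.ip_forward=1) and the EC2 instance's source/destination check must be disabled; neither is in the post, but both are standard requirements for an EC2 instance that routes traffic it did not originate.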