EoIP shared ethernet LAN using IPsec: Difference between revisions

From Libreswan
Latest revision as of 23:33, 8 February 2016

Sometimes it is desirable to have a virtual ethernet LAN so that all remote peers appear to be on the same LAN. One example is multiuser games that discover each other over the local network. A bridged layer-2 tunnel allows broadcast traffic to reach all remote parties as if they were on the same local LAN segment.

EoIP and IPsec

This configuration uses the linux-eoip software together with libreswan. The linux-eoip software is currently being added to fedora/epel7, see this review bug

Note that at least for RHEL/Fedora, the linux-eoip package isn't properly integrated yet, so some additional manual configuration for now is required.

eoip configuration

Create a bridge device for the LAN-facing interface and assign it a LAN IP address; the example below calls it LAN-br0.

On RHEL/Fedora you can use an ifcfg file in /etc/sysconfig/network-scripts

add a libreswan connection

The IPsec connection needs to allow GRE (IP protocol 47) traffic. If both IPsec gateways have public IP addresses (neither is behind a NAT router) you can use IPsec transport mode, which saves a few bytes of overhead compared with tunnel mode and so improves the chances that packet sizes do not cause problems (applications may assume a 1500-byte MTU is always available because they believe they are on a LAN). If one of the IPsec gateways is behind NAT, use tunnel mode. The configuration below assumes the two gateways have stable public IP addresses (PublicIP-A and PublicIP-B).

# /etc/ipsec.d/tun-eoip.conf

conn tun-eoip
    type=transport
    left=PublicIP-A
    initial-contact=yes
    leftsubnet=PublicIP-A/32
    leftid=pubipA
    leftprotoport=47/0
    right=PublicIP-B
    rightsubnet=PublicIP-B/32
    rightid=pubipB
    rightprotoport=47/0
    # you can also use raw RSA instead of PSK authentication
    authby=secret
    auto=start
# /etc/ipsec.d/tun-eoip.secrets (picked up by the include line in /etc/ipsec.secrets)

PublicIP-A PublicIP-B : PSK "Someverylongsecurerandomsecret"

Once both ends are configured you can bring the tunnel up manually using: ipsec auto --up tun-eoip

Bridge configuration

#  /etc/sysconfig/network-scripts/ifcfg-LAN-br0

DEVICE=LAN-br0
STP=no
TYPE=Bridge
BOOTPROTO=none
DEFROUTE=no
IPV4_FAILURE_FATAL=yes
PEERDNS=no
NAME=LAN-br0
IPADDR=<ip-address-to-use>
PREFIX=<cidr-netmask>
UUID=<uuid-generated-with-uuidgen>
IPV6INIT=no
IPV6_DEFROUTE=no
IPV6_PEERDNS=no
ONBOOT=yes

Start the bridge interface:

ifup LAN-br0

EoIP tunnel configuration

Configure the EoIP tunnel interface (zeoip0) that will be attached to LAN-br0. Note that the id must be the same on both sides.

# /etc/eoip/eoip.cfg

[zeoip0]
id=2
dst=pubipB
dynamic=1

Bring up the eoip tunnel:

eoip /etc/eoip/eoip.cfg

This creates a new device, zeoip0, which shows up in ip addr output as:

5: zeoip0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master LAN-br0 state UNKNOWN qlen 500
link/ether 92:ab:59:99:9e:db brd ff:ff:ff:ff:ff:ff
inet6 fe80::90ab:59ff:fe99:9edb/64 scope link
valid_lft forever preferred_lft forever

Add this to the bridge:

brctl addif LAN-br0 zeoip0
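The page's one stated requirement for the tunnel configuration is that id= matches on both gateways. The following POSIX shell script is an added example (not from the wiki page or from the linux-eoip project) that checks a pair of eoip.cfg files against each other before "eoip" is run: it parses the [section]/key=value layout shown above, compares the ids, and also verifies that each side's dst= names the other gateway. The file names, section name and the documentation-range addresses in the sample pair are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Libreswan wiki page or the linux-eoip project:
# check two eoip.cfg files against each other before running "eoip".
# The page states one requirement, that id= matches on both sides; this also
# checks that each side's dst= is the other gateway. Assumes the layout the
# page shows: a [section] header followed by key=value lines.

# Print the value of <key> in [<section>] of <file>; prints nothing if absent.
# Usage: cfg_get <file> <section> <key>
cfg_get() {
    awk -v want="[$2]" -v key="$3" '
        { gsub(/^[[:space:]]+|[[:space:]]+$/, "") }      # trim both ends
        /^\[/ { insec = ($0 == want); next }                # section header
        insec && index($0, key "=") == 1 {                  # first match wins
            print substr($0, length(key) + 2); exit
        }
    ' "$1"
}

# Compare side A and side B. Returns 0 when consistent, otherwise prints each
# problem on stderr and returns 1.
# Usage: check_eoip_pair <cfgA> <sectionA> <ipA> <cfgB> <sectionB> <ipB>
check_eoip_pair() {
    ida=$(cfg_get "$1" "$2" id);   idb=$(cfg_get "$4" "$5" id)
    dsta=$(cfg_get "$1" "$2" dst); dstb=$(cfg_get "$4" "$5" dst)
    rc=0
    if [ -z "$ida" ] || [ "$ida" != "$idb" ]; then
        echo "tunnel id mismatch: side A '$ida', side B '$idb'" >&2; rc=1
    fi
    if [ "$dsta" != "$6" ]; then
        echo "side A dst '$dsta' is not side B ($6)" >&2; rc=1
    fi
    if [ "$dstb" != "$3" ]; then
        echo "side B dst '$dstb' is not side A ($3)" >&2; rc=1
    fi
    return $rc
}

# Write a constructed, consistent pair of configs into <dir> (sample data only;
# the addresses are documentation ranges, not the wiki's PublicIP-A/B).
# Usage: write_sample_pair <dir>   -> creates <dir>/a.cfg and <dir>/b.cfg
write_sample_pair() {
    printf '[zeoip0]\nid=2\ndst=198.51.100.1\ndynamic=1\n' > "$1/a.cfg"
    printf '[zeoip0]\nid=2\ndst=192.0.2.1\ndynamic=1\n'    > "$1/b.cfg"
}

# Run with "demo" as the first argument to exercise the check on the sample pair.
if [ "${1-}" = demo ]; then
    d=$(mktemp -d)
    write_sample_pair "$d"
    check_eoip_pair "$d/a.cfg" zeoip0 192.0.2.1 "$d/b.cfg" zeoip0 198.51.100.1 \
        && echo "eoip pair consistent"
    rm -rf "$d"
fi
```

Copy the peer's eoip.cfg over before bringing the tunnel up and run the check on both files; a non-zero exit with a message on stderr means the two sides would not form one tunnel.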

iptables configuration

GRE should be accepted only when it arrives inside IPsec, which the policy match below enforces; the OUTPUT rule must name the IPsec mode actually negotiated (transport for the connection shown above). You should also clamp the TCP MSS on the LAN bridge so that TCP sessions fit inside the tunnel; note that frames bridged across LAN-br0 only traverse iptables when the br_netfilter module is loaded:

# accept GRE only when it arrived through an IPsec SA
iptables -A INPUT -i eth0 -p gre -m policy --dir in --pol ipsec -j ACCEPT
# the policy match must name the mode in use: transport for the conn above;
# for a tunnel-mode conn use instead:
#   --mode tunnel --tunnel-src PublicIP-B --tunnel-dst PublicIP-A
iptables -A OUTPUT -p gre -m policy --dir out --pol ipsec --mode transport -j ACCEPT

# TCPMSS is a mangle-table target; the filter table has no POSTROUTING chain
iptables -t mangle -A POSTROUTING -o LAN-br0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
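The connection section above leaves the choice between transport and tunnel mode to the reader, and the iptables policy match has to agree with that choice or it matches nothing. As an added example (not part of the wiki page, libreswan or linux-eoip), the POSIX shell script below renders the conn, the secrets line and the firewall rules for either gateway from one mode decision, so the two cannot drift apart. All addresses, IDs, interface names and the PSK are parameters; the values in the demo are constructed, and the explicit DROP of GRE that did not arrive through IPsec is an addition this page does not spell out.

```shell
#!/bin/sh
# Added example (not from the Libreswan wiki page, libreswan or linux-eoip):
# render the per-gateway libreswan conn, the PSK secret and the GRE-over-IPsec
# iptables rules so that the IPsec mode and the policy-match rules agree.
# Assumptions: gateway addresses and IDs are passed in; file paths follow the
# page (/etc/ipsec.d/tun-eoip.conf, /etc/ipsec.d/tun-eoip.secrets).

# Pick the IPsec mode from the page's rule: transport when both gateways have
# public addresses, tunnel as soon as one of them sits behind NAT.
# Usage: choose_mode <a_behind_nat: yes|no> <b_behind_nat: yes|no>
choose_mode() {
    if [ "$1" = yes ] || [ "$2" = yes ]; then
        echo tunnel
    else
        echo transport
    fi
}

# Emit /etc/ipsec.d/tun-eoip.conf for the given mode. The conn is symmetric,
# so the same file can be installed on both gateways; libreswan works out
# which side is local from the addresses.
# Usage: render_conn <mode> <PublicIP-A> <PublicIP-B> <idA> <idB>
render_conn() {
    mode=$1; ipa=$2; ipb=$3; ida=$4; idb=$5
    cat <<EOF
conn tun-eoip
    type=$mode
    left=$ipa
    leftid=$ida
    leftsubnet=$ipa/32
    leftprotoport=47/0
    right=$ipb
    rightid=$idb
    rightsubnet=$ipb/32
    rightprotoport=47/0
    initial-contact=yes
    authby=secret
    auto=start
EOF
}

# Emit the /etc/ipsec.d/tun-eoip.secrets line. The PSK is passed in, never
# generated here; produce one with e.g.: openssl rand -base64 48
# Usage: render_secrets <PublicIP-A> <PublicIP-B> <psk>
render_secrets() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Emit the iptables rules for one gateway. The INPUT rule is mode-agnostic;
# the OUTPUT rule's policy match has to name the mode actually negotiated:
# --tunnel-src/--tunnel-dst only exist for tunnel-mode SAs, so a rule written
# with --mode tunnel never matches a transport-mode connection and enforcement
# silently falls back on the chain's default policy.
# Usage: render_iptables <mode> <local-ip> <remote-ip> <wan-if> <bridge>
render_iptables() {
    mode=$1; me=$2; peer=$3; wan=$4; br=$5
    echo "iptables -A INPUT -i $wan -p gre -m policy --dir in --pol ipsec -j ACCEPT"
    case $mode in
    transport)
        echo "iptables -A OUTPUT -p gre -m policy --dir out --pol ipsec --mode transport -j ACCEPT" ;;
    tunnel)
        echo "iptables -A OUTPUT -p gre -m policy --dir out --pol ipsec --mode tunnel --tunnel-src $me --tunnel-dst $peer -j ACCEPT" ;;
    *)
        echo "unknown IPsec mode: $mode" >&2; return 1 ;;
    esac
    # Anything GRE that did not come in through an IPsec SA is dropped explicitly
    # rather than left to the chain policy.
    echo "iptables -A INPUT -i $wan -p gre -j DROP"
    # TCPMSS is a mangle-table target; the filter table has no POSTROUTING chain.
    echo "iptables -t mangle -A POSTROUTING -o $br -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# Run with "demo" as the first argument to print gateway B's configuration
# for two public gateways (constructed documentation-range addresses).
if [ "${1-}" = demo ]; then
    mode=$(choose_mode no no)
    render_conn "$mode" 192.0.2.1 198.51.100.1 pubipA pubipB
    render_secrets 192.0.2.1 198.51.100.1 'replace-with-a-long-random-secret'
    render_iptables "$mode" 198.51.100.1 192.0.2.1 eth0 LAN-br0
fi
```

Run it once per gateway with the local and remote addresses swapped, and redirect each function's output into the file named in its comment; rerunning it after a NAT change regenerates both the conn and the matching OUTPUT rule together.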

This write up was contributed by NetworkLab (http://networklab.global).