linux-system-roles / vpn

Role for managing VPN/IPSec
https://linux-system-roles.github.io/vpn/
MIT License

connections.policies seems to be a required attribute #41

Open dberardo-com opened 2 years ago

dberardo-com commented 2 years ago

Not defining this variable results in the mesh_conf script breaking.

dberardo-com commented 2 years ago

what should be used as a default var then?

richm commented 2 years ago

can you provide your settings, and the error message you are getting?

dberardo-com commented 2 years ago

wow, that was fast.

So I am using this config:

- hosts: hostgroup
  become: true
  become_user: root

  vars:
    vpn_opportunistic: true
    vpn_connections:
      - name: something
        auto: start
        hosts:
          myhost1:
            hostname: xxx.xxx.xxx.xxx
          myhost2:
            hostname: yyy.yyy.yyy.yyy
  tasks:
    - include_role:
        name: vpn

tasks are under a roles/vpn/ local folder

and I get an error at this stage of mesh_conf.yml:

- name: Set policies fact
  when: conn.policies is defined
  set_fact:
    policies: "{{ conn.policies | rejectattr('cidr', 'match', '^default$') | list }}"

which basically states that the conn.policies attribute is undefined (I can provide the exact log tomorrow if needed)

I am running ansible against Ubuntu 20.04 hosts using a Windows controller machine running Cygwin

richm commented 2 years ago

@ueno looks like a bug - the policies line should not cause an error if policies is not defined e.g. maybe something like this:

    policies: "{{ conn.policies | rejectattr('cidr', 'match', '^default$') | list if conn.policies is defined else [] }}"

and then on line 28, something similar:

      {% set pol = conn.policies | d([]) | selectattr('cidr', 'match', '^default$') | map(attribute='policy') | join(',') %}

or something like that. We also need to add a test for this case - it looks like the test for mesh ensures that conn.policies is always defined - but the docs say it doesn't have to be defined - so we should have a test for that case.

@dberardo-com in the meantime, I think you can define the policies like this

    vpn_connections:
      - name: something
        auto: start
        hosts:
          myhost1:
            hostname: xxx.xxx.xxx.xxx
          myhost2:
            hostname: yyy.yyy.yyy.yyy
        policies:
          - policy: private-or-clear
            cidr: default

not sure - never tried this, just reading the docs
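As an added illustration (not code from the vpn role or from this thread), the two Jinja expressions discussed above restated in plain Python and run against the reporter's connection (no `policies` key), the suggested workaround, and a mixed case; `conn` stands for one entry of `vpn_connections`, which is an assumption about the role's loop variable taken from the snippets above:

```python
"""Plain-Python equivalent of the two Jinja expressions richm discusses:
the `set_fact: policies` line and the `{% set pol = ... %}` line in the
mesh templating. Added example, not code from linux-system-roles/vpn.
`conn` stands for one entry of `vpn_connections` (an assumption about the
role's loop variable, taken from the snippets in this thread)."""
import re

# Jinja's `match` test is re.match, i.e. anchored at the start of the string.
DEFAULT_CIDR = re.compile(r"^default$")


def policies_fact_unguarded(conn):
    """Original form: `conn.policies | rejectattr('cidr', 'match', '^default$')`.
    Indexing a missing key mirrors the undefined-variable failure reported."""
    return [p for p in conn["policies"] if not DEFAULT_CIDR.match(p["cidr"])]


def policies_fact(conn):
    """Guarded form (`... if conn.policies is defined else []`): the list of
    per-subnet policies, i.e. every entry whose cidr is not `default`."""
    return [p for p in conn.get("policies", []) if not DEFAULT_CIDR.match(p["cidr"])]


def default_policy(conn):
    """Guarded form of the template line: `conn.policies | d([]) |
    selectattr('cidr', 'match', '^default$') | map(attribute='policy') | join(',')`.
    An omitted `policies` key now yields '' instead of an undefined error."""
    return ",".join(
        p["policy"] for p in conn.get("policies", []) if DEFAULT_CIDR.match(p["cidr"])
    )


# Constructed inputs: the reporter's connection as posted (no `policies`) and
# the workaround richm suggested (a single `cidr: default` entry).
REPORTER_CONN = {
    "name": "something",
    "auto": "start",
    "hosts": {"myhost1": {"hostname": "xxx.xxx.xxx.xxx"},
              "myhost2": {"hostname": "yyy.yyy.yyy.yyy"}},
}
WORKAROUND_CONN = dict(REPORTER_CONN, policies=[
    {"policy": "private-or-clear", "cidr": "default"},
])
# Mixed case: one default policy plus an explicit per-subnet policy.
MIXED_CONN = dict(REPORTER_CONN, policies=[
    {"policy": "private-or-clear", "cidr": "default"},
    {"policy": "private", "cidr": "10.0.0.0/8"},
])


def unguarded_fails(conn):
    """True when the original, unguarded expression errors on this connection."""
    try:
        policies_fact_unguarded(conn)
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    for label, conn in [("reporter", REPORTER_CONN), ("workaround", WORKAROUND_CONN),
                        ("mixed", MIXED_CONN)]:
        print(label, unguarded_fails(conn), policies_fact(conn), repr(default_policy(conn)))
```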

ueno commented 2 years ago

@richm thank you for looking into it! let me try to come up with a PR.

dberardo-com commented 2 years ago

thanks for the prompt response.

I have tried to use the private-or-clear policy as a workaround, like @richm suggested; that was also my initial guess. But ipsec is not able to start up and I get this error:

ipsec show
  File "/usr/lib/ipsec/show", line 52
    print "Need to find matching IPsec policy for %s/32 <=> %s/32" % (source, dest)
          ^
SyntaxError: invalid syntax

Note: the IP that gets written in the ipsec.conf file ends with "/32"

Is this problem related or should I open a new issue? Because I also cannot see any new virtual network interface being generated on the machine, and the ansible scripts have already run till the end (only the final ping fails), so I wonder if solving the policy issue will fix all the rest or if there is something worse going on.

richm commented 2 years ago

Can you try an explicit cidr value as in the mesh test? https://github.com/linux-system-roles/vpn/blob/master/tests/tests_mesh_cert.yml

also - I don't know if the role is supported against an Ubuntu managed host - we only test with Red Hat/CentOS/Fedora, and the role was developed with those platforms in mind - the error from ipsec show that you have posted would seem to suggest that the role is writing the configuration in a format that might not be supported by libreswan on ubuntu

dberardo-com commented 2 years ago

I have switched to 2 centos7 machines now and I have removed the policies block from the inventory and it seems to have run properly.

If I run ipsec status I receive a long output and no error, but my questions now are:

Maybe i am missing some information, but i have read through the whole README file

dberardo-com commented 2 years ago

here the status log:

dberardo-com commented 2 years ago

status log of ipsec verify:

Version check and ipsec on-path                         [OK]
Libreswan 3.25 (netkey) on 3.10.0-1160.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects                  [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Two or more interfaces found, checking IP forwarding    [FAILED]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]

richm commented 2 years ago

I use ipsec whack --traffic - you can see from the fields inBytes and outBytes if encrypted traffic is flowing.

richm commented 2 years ago

> I have switched to 2 centos7 machines now and I have removed the policies block from the inventory and it seems to have run properly.
>
> If I run ipsec status I receive a long output and no error, but my questions now are:
>
> * is there a simple way to manually test if the ipsec VPN is actually working fine? e.g. setting up a firewall to hide ports to public traffic and only letting the VPN connected machines in via UDP port 500

In addition to the information listed here - https://github.com/linux-system-roles/vpn#verifying-a-successful-startup - I have used ipsec whack --traffic to see that the inBytes and outBytes values are increasing over time (assuming there is some sort of network traffic between the machines e.g. a ping should do it).

Maybe @ueno could suggest some other method of verifying the connection (which might be good to add to https://github.com/linux-system-roles/vpn#verifying-a-successful-startup)

> * what are the private IP addresses that are associated with the 2 nodes in the VPN cluster? are they static? is there a way to set them to a specific value in the ansible script?

The vpn role uses whatever you use in your ansible inventory and/or vars you pass into the role as the hostnames, and whatever IP addresses resolve according to your DNS, by default. https://github.com/linux-system-roles/vpn#vpn-system-role "Basic Usage" - basically, use the hosts.$name_of_ansible_host.hostname field as a different hostname/IP address than the one you are using with ansible. See https://github.com/linux-system-roles/vpn#examples

The VPN role (and the underlying libreswan) do not create IP addresses.

> * Is the ansible script creating a mesh of VPN connected nodes?

It can - see https://github.com/linux-system-roles/vpn#opportunistic-mesh-vpn-configuration

Note that there are two different types of "mesh", depending on how you define the term.

A "mesh" can mean that you explicitly define, in your ansible inventory, all of the hosts and the relationships between them, by specifying each tunnel with each pair of hosts. This would be what we call a "host-to-host" mesh in an "N-to-N" configuration. Something like https://github.com/linux-system-roles/vpn#host-to-host-multiple-vpn-tunnels-with-multiple-nics

A "mesh" can also mean that you specify that all hosts matching a CIDR will use VPN between themselves. In this case, you do not have to explicitly specify each pair of hosts which are connected, but you still have to specify all of the hosts on which you want to enable and configure vpn.

> and shouldn't there be a virtual network interface per each node pair on every machine? this way the cluster can work also when some node fails (high availability)

Not sure I understand the question.

> Maybe I am missing some information, but I have read through the whole README file
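An added check (not part of the vpn role or of this thread) built on the `ipsec whack --traffic` method richm describes: it parses two snapshots of the counters and reports whether each tunnel's inBytes/outBytes actually grew between them. The sample output lines are constructed after the libreswan 3.x format and are an assumption; only the quoted connection name and the `inBytes=`/`outBytes=` tokens are relied on, and `--trafficstatus` is the full spelling of the option richm abbreviates as `--traffic`.

```python
"""Verify that encrypted traffic is really flowing by diffing two snapshots of
`ipsec whack --trafficstatus` (the inBytes/outBytes counters richm mentions).
Added example, not part of linux-system-roles/vpn. The sample output below is
constructed after the libreswan 3.x format; only the quoted connection name
and the `inBytes=`/`outBytes=` tokens are relied on."""
import re
import subprocess

# One '006 #<sa>: "<conn>" ... inBytes=N, outBytes=M' line per established SA.
SA_LINE = re.compile(
    r'#(?P<sa>\d+):\s+"(?P<conn>[^"]+)".*?inBytes=(?P<inb>\d+),\s*outBytes=(?P<outb>\d+)'
)


def parse_traffic(output):
    """Map connection name -> [inBytes, outBytes]. Opportunistic mesh
    connections can have several instances ([1], [2], ...) with the same
    name; their counters are summed so instances and rekeys do not hide traffic."""
    totals = {}
    for line in output.splitlines():
        m = SA_LINE.search(line)
        if not m:
            continue
        cur = totals.setdefault(m.group("conn"), [0, 0])
        cur[0] += int(m.group("inb"))
        cur[1] += int(m.group("outb"))
    return totals


def tunnel_health(before, after):
    """Classify every connection seen in either snapshot:
    flowing  - both counters grew (traffic encrypted in both directions)
    one-way  - only one counter grew (peer not answering through the tunnel)
    idle     - no change (nothing sent, or traffic bypassing the tunnel)
    gone     - SA present before, missing now (tunnel dropped)
    new      - SA appeared only in the second snapshot"""
    report = {}
    for conn in sorted(set(before) | set(after)):
        if conn not in after:
            report[conn] = "gone"
        elif conn not in before:
            report[conn] = "new"
        else:
            in_grew = after[conn][0] > before[conn][0]
            out_grew = after[conn][1] > before[conn][1]
            report[conn] = ("flowing" if in_grew and out_grew
                            else "one-way" if in_grew or out_grew else "idle")
    return report


def live_snapshot():
    """Read the counters from the running pluto (needs root on the host)."""
    out = subprocess.run(["ipsec", "whack", "--trafficstatus"],
                         capture_output=True, text=True, check=True).stdout
    return parse_traffic(out)


# Constructed snapshots, as if taken before and after a ping between the peers.
BEFORE = """\
006 #2: "host1-to-host2", type=ESP, add_time=1650000000, inBytes=1200, outBytes=1300, id='@host2'
006 #4: "private-or-clear#192.0.2.0/24"[1] ...192.0.2.7, type=ESP, add_time=1650000010, inBytes=500, outBytes=600, id='192.0.2.7'
006 #6: "stale-peer", type=ESP, add_time=1650000020, inBytes=10, outBytes=10, id='@stale'
006 #7: "quiet-peer", type=ESP, add_time=1650000030, inBytes=42, outBytes=42, id='@quiet'
"""
AFTER = """\
006 #2: "host1-to-host2", type=ESP, add_time=1650000000, inBytes=2200, outBytes=2300, id='@host2'
006 #4: "private-or-clear#192.0.2.0/24"[1] ...192.0.2.7, type=ESP, add_time=1650000010, inBytes=500, outBytes=900, id='192.0.2.7'
006 #7: "quiet-peer", type=ESP, add_time=1650000030, inBytes=42, outBytes=42, id='@quiet'
006 #9: "new-peer", type=ESP, add_time=1650000100, inBytes=0, outBytes=0, id='@new'
"""

if __name__ == "__main__":
    for conn, state in tunnel_health(parse_traffic(BEFORE), parse_traffic(AFTER)).items():
        print(f"{state:8} {conn}")
```

Replace the constructed snapshots with two calls to `live_snapshot()` a few seconds apart, with a ping running between the peers in between, to check a real deployment.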

ggrandis commented 2 years ago

> > and shouldn't there be a virtual network interface per each node pair on every machine? this way the cluster can work also when some node fails (high availability)
>
> Not sure I understand the question.

Hi, @dberardo-com and I are trying to set up an ipsec tunnel between two servers hosted on Contabo, and we have just one ethernet interface with a public IP address. The servers don't have a second ethernet interface with a private IP address, so I think we need to set up a vti interface in order to get it working, right?

richm commented 2 years ago

> The servers don't have a second ethernet interface with a private IP address

Sometimes they do, but I'm not sure how this is related to the problem.

> so I think we need to set up a vti interface in order to get it working, right?

Can't you just set up a VPN tunnel between the two external, public IP addresses? That is the typical use case for setting up a VPN between two machines connected by the public internet. If not, then I guess I don't understand the issue.

ggrandis commented 2 years ago

Usually IPsec needs a private subnet in phase 2. So I think the public IP address is used just for phase 1; is it right? How can I set up a tunnel without the mandatory phase 2 information? That's why I thought about a vti interface and a routed ipsec connection.

richm commented 2 years ago

> Usually IPsec needs a private subnet in phase 2. So I think the public IP address is used just for phase 1; is it right? How can I set up a tunnel without the mandatory phase 2 information? That's why I thought about a vti interface and a routed ipsec connection.

Not sure. Note that the vpn system role uses libreswan as its underlying implementation. So if there is a way to do what you want according to the libreswan docs https://libreswan.org/wiki/Main_Page we can probably figure out how to do that with the vpn role.

richm commented 2 years ago

you might find this interesting - https://www.redhat.com/en/blog/automating-host-host-vpn-tunnels-rhel-system-roles

ggrandis commented 2 years ago

Hi @richm, we solved it and manually set up a routed ipsec tunnel with a vti interface. @dberardo-com is working on configuring the tunnel using ansible.

richm commented 2 years ago

> Hi @richm, we solved it and manually set up a routed ipsec tunnel with a vti interface. @dberardo-com is working on configuring the tunnel using ansible.

Can you share what you did? This sounds like something that will be useful for others setting up VPNs.