This guide will explain how to configure IPsec site-to-site VPN for connecting remote sites to the OpenStack environment. Make sure you have followed the Prepare VPN-appliance guide before proceeding with this guide.
Remote site
We'll start by deciding which encryption settings we want to use. In this case the remote site is a pre-configured Vyatta-based (VyOS) firewall that I want to connect with the network in MyELITS.
Here's the config on my VyOS router on the Stockholm side:
Settings shown in the screenshots: IP's, IKE Group (phase 1), ESP Group (phase 2).
Now that we know the settings we want to use, we can move on to pfSense and add our IPsec configuration.
IPsec Phase 1
We need to start with enabling IPsec and defining a Phase 1 config for the VPN tunnel.
Go to VPN - IPsec. Click on the green Add P1 button to add a new Phase 1.
In this guide we'll assume that we are going to use an IKEv1 tunnel. This is usually what you want unless you are familiar with IKEv2 and know what you are doing.
Below is an example configuration based on the "Remote site" security settings. We just need to make sure that the settings on our end match the settings from OpenStack STO. Because we are behind NAT, we specify "My Identifier" and "Peer Identifier" manually to make sure that we don't get an identifier mismatch.
The attached picture is an example configuration. You should not copy the configuration to the letter.
IPsec Phase 2
In the pfSense web UI, go to VPN - IPsec.
You should see the Phase 1 that we created in the last step. Now expand the "Phase 2" settings and click the green "Add P2" button.
The attached picture is an example configuration. You should not copy the configuration to the letter.
Now press Save. The IPsec setup is done, so we can continue with the necessary firewall rules.
Firewall configuration
Go to Firewall - Rules - IPsec and add a new rule that allows the traffic over the IPsec interface.
Hit Save and then Apply. We still have one firewall left to configure: the one in OpenStack.
In the MyELITS portal, go to Infrastructure - Servers - Access & Security - Create Security Group. Name the security group ipsec and give it a good description. (If you already have an ipsec security group, verify that all the rules mentioned below are present and then attach the group to the VPN server.)
Click on Add Rule, add the rules one-by-one according to the table below.
Rule | Direction | Open Port | Value | Remote | CIDR |
---|---|---|---|---|---|
Other protocol | Ingress | - | 50 | CIDR | 0.0.0.0/0 |
Other protocol | Ingress | - | 51 | CIDR | 0.0.0.0/0 |
UDP | Ingress | Port | 500 | CIDR | 0.0.0.0/0 |
UDP | Ingress | Port | 4500 | CIDR | 0.0.0.0/0 |
Once you have added the rules you can go back to Infrastructure - Servers - List Servers.
Click the arrow to the right of your VPN Server and select Edit Security Groups.
Add the new security group to your server and hit Save.
Routing
Right now, the other servers in your project do not know how to reach the remote site's network, so replies to traffic arriving over the tunnel have nowhere to go. We can solve that by adding a new route in the MyELITS Portal.
Go to Infrastructure - Network - Routers.
Click on default-router and then Static Routes.
Here you want to add a new Static Route. Specify the subnet of the remote site as "Destination CIDR" and the VPN server's local IP as "Next Hop".
STO:
LPI:
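The security group table and the static route step above can also be done from the command line. The script below is an added example, not part of the original guide and not MyELITS tooling; it uses the standard OpenStack CLI and assumes the CLI is installed with OS_* credentials loaded. The server name, remote subnet and VPN server IP are constructed placeholders. By default it only prints the commands it would run (DRY_RUN=1), so the result can be reviewed before it touches the project.

```shell
#!/bin/sh
# Added example, not part of the original guide: the "ipsec" security group,
# its four rules and the static route from the portal steps, issued with the
# OpenStack CLI instead of the MyELITS web UI.
# Assumptions: the openstack CLI is installed and OS_* credentials are loaded.
# VPN_SERVER, REMOTE_CIDR and VPN_LOCAL_IP are constructed placeholders.

SG_NAME="ipsec"
ROUTER="default-router"          # router name used in the guide
VPN_SERVER="vpn-server"          # placeholder: name of your pfSense instance
REMOTE_CIDR="192.168.10.0/24"    # placeholder: LAN behind the remote gateway
VPN_LOCAL_IP="10.0.0.5"          # placeholder: local (project) IP of the VPN server

# Print each command, and only execute it when DRY_RUN=0.
# The printed line drops shell quoting, which is fine for review.
run() {
    printf '%s\n' "$*"
    if [ "${DRY_RUN:-1}" = "0" ]; then
        "$@"
    fi
}

# One ingress rule from 0.0.0.0/0, matching one row of the table.
# $1 = protocol (name or IP protocol number), $2 = destination port (optional)
sg_rule() {
    if [ -n "${2:-}" ]; then
        run openstack security group rule create --ingress --protocol "$1" \
            --dst-port "$2" --remote-ip 0.0.0.0/0 "$SG_NAME"
    else
        run openstack security group rule create --ingress --protocol "$1" \
            --remote-ip 0.0.0.0/0 "$SG_NAME"
    fi
}

# Security group with the four rules from the table: IP protocol 50 (ESP)
# and 51 (AH), UDP 500 (IKE) and UDP 4500 (IKE/ESP with NAT traversal),
# then attach the group to the VPN server.
create_ipsec_sg() {
    run openstack security group create --description "IPsec site-to-site VPN" "$SG_NAME"
    sg_rule 50
    sg_rule 51
    sg_rule udp 500
    sg_rule udp 4500
    run openstack server add security group "$VPN_SERVER" "$SG_NAME"
}

# Static route on the project router: remote subnet via the VPN server's local IP.
add_static_route() {
    run openstack router set --route "destination=$REMOTE_CIDR,gateway=$VPN_LOCAL_IP" "$ROUTER"
}

# Run both steps when invoked directly (still a dry run unless DRY_RUN=0).
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
    create_ipsec_sg
    add_static_route
fi
```

Run it with RUN_EXAMPLE=1 to see the commands, and RUN_EXAMPLE=1 DRY_RUN=0 to apply them. The rules are deliberately restricted to what IPsec needs; opening 0.0.0.0/0 on other ports in this group would widen the exposure of the VPN server beyond the guide's intent.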
Testing
Now we can test the IPsec tunnel from pfSense: go to Diagnostics - Ping, enter the internal IP of the remote gateway and click Ping.