VPN tunnel and gateway with only one interface


#1

I have a hosted Virtual Private Server (VPS) on which I have deployed VyOS 1.1.5 (Helium) in the hope of using it as an endpoint in a site-to-site VPN tunnel, with my in-house Cisco ISA550 (ISA) being the other endpoint.

The hosted VPS end should also act as a gateway to the internet for the devices using the tunnel. This is the crux of the matter and the whole point of the exercise – to give (some) local devices (behind ISA) a Point of Presence in the VPS (geographic) network.

There are a number of restrictions I am trying to overcome, viz.:

  1. ISA is behind a NATed ISP router, which provides the public (dynamic) IP.
  2. The local in-house network is also NATed - behind ISA.
  3. VPS has only one Ethernet interface (static public IP). I am hoping this may be overcome by judicious use of a dummy interface (eth0 as WAN and dum1 as LAN, for instance).
  4. VPS provider has, rightly, declined to offer additional interfaces to the VPS.

The main principle I am hoping to achieve is to set up IPSec policies on ISA (Site to Site, pre-shared key) to decide which local devices to route through the VPN tunnel at any given time (not all of them should use this tunnel). This being the dynamic IP end, I was thinking this should initiate the tunnel and the VPS should respond. The other way round will not work, as ISA's public IP is provided by the ISP router, not ISA, so a connection request would not traverse the ISP router.

Assuming the tunnel can be built, I then need to route traffic on VPS from WAN (eth0) to LAN (dum1) which then gets routed back out through eth0 to the real world, effectively using VPS as a gateway at that end of the tunnel. There are obviously no ‘real’ IP addresses on the dummy interface, so everything needs to route through eth0, the ONLY ‘real’ interface.

This is all new to me. I did try a few virtual appliance solutions, but they all seem to require two ‘real’ interfaces. VyOS, although a steep learning curve, seems to be the most flexible but also, therefore, the most complex to configure. I am hoping to stay the course and make it all worthwhile with an efficient, powerful and reliable solution as the result.

If such a VPN configuration is not possible, I would be happy to fall back on a more modest configuration for webproxy, but this, too, seems to rely on a multiplicity of interfaces.

Any ideas, suggestions or alternative solutions gratefully received.

MTIA
;-}
P


#2

I think this is doable using IPSec and GRE and NAT. You need a double NAT (once on the outgoing tun interface and once on the outgoing WAN VPS interface) or some static routes on the VPS to subnets on the ISA side. This doesn’t take into account all the NATing behind the ISP router.

ISA side (if it were VyOS)

set interfaces tunnel tun0 address '10.0.0.1/30'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '5.6.7.8'
set interfaces tunnel tun0 remote-ip '1.2.3.4'

set system gateway-address '10.0.0.2' < send everything over the tunnel

set protocols static route 1.2.3.4/32 next-hop '5.6.7.1' < usual default gateway address: send VPN tunnel traffic through the regular gateway

set vpn ipsec esp-group ESP1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP1 proposal 1 hash 'md5'
set vpn ipsec ike-group IKE1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE1 proposal 1 hash 'md5'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 1.2.3.4 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 1.2.3.4 authentication pre-shared-secret 'rootme'
set vpn ipsec site-to-site peer 1.2.3.4 ike-group 'IKE1'
set vpn ipsec site-to-site peer 1.2.3.4 local-address '5.6.7.8'
set vpn ipsec site-to-site peer 1.2.3.4 tunnel 1 esp-group 'ESP1'
set vpn ipsec site-to-site peer 1.2.3.4 tunnel 1 protocol 'gre'

set nat source rule 11 outbound-interface 'tun0'
set nat source rule 11 translation address 'masquerade'

VPS VyOS

set interfaces tunnel tun0 address '10.0.0.2/30'
set interfaces tunnel tun0 encapsulation 'gre'
set interfaces tunnel tun0 local-ip '1.2.3.4'
set interfaces tunnel tun0 remote-ip '5.6.7.8'

set vpn ipsec esp-group ESP1 proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP1 proposal 1 hash 'md5'
set vpn ipsec ike-group IKE1 proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE1 proposal 1 hash 'md5'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 5.6.7.8 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 5.6.7.8 authentication pre-shared-secret 'rootme'
set vpn ipsec site-to-site peer 5.6.7.8 ike-group 'IKE1'
set vpn ipsec site-to-site peer 5.6.7.8 local-address '1.2.3.4'
set vpn ipsec site-to-site peer 5.6.7.8 tunnel 1 esp-group 'ESP1'
set vpn ipsec site-to-site peer 5.6.7.8 tunnel 1 protocol 'gre'

set nat source rule 11 outbound-interface 'eth0'
set nat source rule 11 protocol 'all'
set nat source rule 11 translation address 'masquerade'

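As an added example (not code from the thread or from VyOS), the following Python checker parses excerpts of both ends' `set` commands from post #2 and verifies that the two sides mirror each other: GRE local-ip/remote-ip swapped, each peer address equal to the other side's local-address, identical pre-shared secret. It also flags the md5 hash and the short 'rootme' secret, which are the thread's sample values and not anything from a real deployment; the 1.2.3.4/5.6.7.8 addresses are the thread's placeholders.

```python
import shlex
# Constructed excerpts of the two configs from post #2 (placeholder addresses, not real hosts).
ISA_CFG = """
set interfaces tunnel tun0 local-ip '5.6.7.8'
set interfaces tunnel tun0 remote-ip '1.2.3.4'
set vpn ipsec ike-group IKE1 proposal 1 hash 'md5'
set vpn ipsec site-to-site peer 1.2.3.4 authentication pre-shared-secret 'rootme'
set vpn ipsec site-to-site peer 1.2.3.4 local-address '5.6.7.8'
"""
VPS_CFG = """
set interfaces tunnel tun0 local-ip '1.2.3.4'
set interfaces tunnel tun0 remote-ip '5.6.7.8'
set vpn ipsec ike-group IKE1 proposal 1 hash 'md5'
set vpn ipsec site-to-site peer 5.6.7.8 authentication pre-shared-secret 'rootme'
set vpn ipsec site-to-site peer 5.6.7.8 local-address '1.2.3.4'
"""
TUN = ("interfaces", "tunnel", "tun0")
PEER = ("vpn", "ipsec", "site-to-site", "peer")

def parse_set(cfg):
    """Turn each 'set a b c value' line into {('a', 'b', 'c'): 'value'}."""
    tree = {}
    for line in cfg.strip().splitlines():
        words = shlex.split(line)  # drops the quotes VyOS prints around values
        if words and words[0] == "set":
            tree[tuple(words[1:-1])] = words[-1]
    return tree

def check_pair(a_cfg, b_cfg):
    # Returns a list of problems; an empty list means the two ends mirror cleanly.
    a, b = parse_set(a_cfg), parse_set(b_cfg)
    problems = []
    # GRE endpoints must mirror: my local-ip is your remote-ip and vice versa.
    if (a[TUN + ("local-ip",)] != b[TUN + ("remote-ip",)]
            or b[TUN + ("local-ip",)] != a[TUN + ("remote-ip",)]):
        problems.append("gre endpoints do not mirror")
    # Each side's configured peer must be the other side's local-address.
    pa = next(p[4] for p in a if p[:4] == PEER)
    pb = next(p[4] for p in b if p[:4] == PEER)
    if pa != b[PEER + (pb, "local-address")] or pb != a[PEER + (pa, "local-address")]:
        problems.append("ipsec peer/local-address mismatch")
    psk = ("authentication", "pre-shared-secret")
    if a[PEER + (pa,) + psk] != b[PEER + (pb,) + psk]:
        problems.append("pre-shared-secret differs")
    elif len(a[PEER + (pa,) + psk]) < 16:
        problems.append("pre-shared-secret shorter than 16 characters")
    # md5 still negotiates on 1.1.x, but it should be flagged before deployment.
    for side, tree in (("a", a), ("b", b)):
        for path, val in tree.items():
            if path[-1] == "hash" and val == "md5":
                problems.append(f"{side}: {path[2]} {path[3]} uses md5")
    return problems
```

Run it against the two excerpts and the only findings are the weak secret and the md5 proposals; feed it the same side twice and it reports the mirrored-endpoint mismatches.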

#3

Hi jl3128,

Thank you for your helpful reply.

Unfortunately, the ISA neither has a CLI nor does it support GRE (as good as it is - one of the best UTM routers I have had - it still inherits some shortcomings from its Linksys heritage).

So, with the best will in the world, I will have to admit (partial) defeat and fall back to plan B - webproxy - which I have now got working - after a fashion.

Thank you, though, for your help. It has been useful as part of the learning curve for what I believe is a great product.

;-}
P