How to forward all traffic between two ipsec tunnels?

I want to create a VPN (IKEv2) tunnel with an intermediate VPN server. It should work like this scheme: client -> middle (server A) -> output (server B).

I’m using strongSwan. These are my configs:

ipsec.conf server_A

config setup
# (no global options on server A; compare server B, which sets uniqueids=no)

# First hop: road-warrior tunnel for end clients (client -> server A).
conn client-tunnel
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    # server A is the responder and authenticates itself with its certificate
    left=%any
    leftid=@SERVER_A_DOMAIN_NAME
    leftcert=server-cert.pem
    leftsendcert=always
    # 0.0.0.0/0: clients may send all of their traffic into this tunnel
    leftsubnet=0.0.0.0/0
    # clients authenticate with EAP-MSCHAPv2 (username/password), no client certificate
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    # virtual IP pool handed out to clients; the ufw rules below NAT/forward this range
    rightsourceip=10.10.10.0/24
    rightdns=1.1.1.1
    rightsendcert=never
    eap_identity=%identity
    # NOTE(review): the trailing '!' makes these proposal lists strict. The
    # aes*-sha1-modp1024 and 3des-sha1 entries are legacy (SHA-1, 3DES, 1024-bit
    # MODP); drop them unless old clients genuinely require them.
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

# Second hop: server A dials out to server B as an EAP client of B's ikev2-vpn conn.
conn tunnel-to-second
    right=SERVER_B_DOMAIN_NAME
    rightid=SERVER_B_DOMAIN_NAME
    # send everything towards server B
    rightsubnet=0.0.0.0/0
    # server B is authenticated by its certificate
    rightauth=pubkey
    # request a virtual IP from server B (B assigns from 11.11.11.0/24); the local
    # traffic selector of this tunnel is then that single address.
    # NOTE(review): packets from the client pool 10.10.10.0/24 do not match a
    # selector limited to the virtual IP, so they fall through to the MASQUERADE rule
    # on eth0 instead -- this looks consistent with the behaviour described in the
    # post. Possible fixes: add the client pool to leftsubnet here (and accept it in
    # rightsubnet on server B), or SNAT the client pool to the assigned virtual IP.
    # Confirm against the strongSwan docs before applying.
    leftsourceip=%config
    leftid=twerker
    leftauth=eap-mschapv2
    eap_identity=%identity
    # initiate at startup rather than waiting for traffic
    auto=start

/etc/ufw/before.rules server_A

*nat
# Client-pool traffic already covered by an outbound IPsec policy is left alone
# (stays inside the tunnel); everything else from the pool is masqueraded out of eth0.
# NOTE(review): with tunnel-to-second selecting only server A's virtual IP, the
# 10.10.10.0/24 packets miss the policy match and hit MASQUERADE, so they leave
# with server A's public address -- matches the symptom in the post; confirm.
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT

*mangle
# Clamp TCP MSS on SYNs arriving from the tunnel so encapsulated segments fit the path MTU.
-A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT

*filter..............
.........

# Forward client-pool traffic only when it is protected by an IPsec (ESP) policy,
# inbound from the pool and outbound back to it.
-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT

ipsec.conf server_B

config setup
    # log levels: IKE and kernel at 1, config at 0
    charondebug="ike 1, knl 1, cfg 0"
    # keep several SAs for the same identity instead of replacing the older one
    uniqueids=no

# Server B: responder for EAP clients. Server A connects here too (leftid=twerker,
# EAP-MSCHAPv2) and receives an address from the 11.11.11.0/24 pool.
# NOTE(review): if server A is meant to relay its own client pool 10.10.10.0/24
# through this tunnel, this conn must accept that subnet as rightsubnet -- confirm.
conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    # server B authenticates itself with its certificate
    left=%any
    leftid=@SERVER_B_DOMAIN_NAME
    leftcert=server-cert.pem
    leftsendcert=always
    # 0.0.0.0/0: peers may send all of their traffic into this tunnel
    leftsubnet=0.0.0.0/0
    # peers authenticate with EAP-MSCHAPv2, no peer certificate
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    # virtual IP pool for peers; the ufw rules below NAT/forward this range
    rightsourceip=11.11.11.0/24
    rightdns=1.1.1.1
    rightsendcert=never
    eap_identity=%identity
    # NOTE(review): strict lists ('!'); the aes*-sha1-modp1024 and 3des-sha1 entries
    # are legacy (SHA-1, 3DES, 1024-bit MODP) and can be dropped unless old peers
    # need them.
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

/etc/ufw/before.rules server_B

*nat
# Pool traffic already covered by an outbound IPsec policy is left alone;
# everything else from the pool is masqueraded out of eth0.
-A POSTROUTING -s 11.11.11.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 11.11.11.0/24 -o eth0 -j MASQUERADE
COMMIT

*mangle
# Clamp TCP MSS on SYNs arriving from the tunnel so encapsulated segments fit the path MTU.
-A FORWARD --match policy --pol ipsec --dir in -s 11.11.11.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT

*filter..........
..........

# Forward pool traffic only when it is protected by an IPsec (ESP) policy,
# inbound from the pool and outbound back to it.
# NOTE(review): if server A relays 10.10.10.0/24 through this host, matching
# forward rules for that range are also needed here -- confirm.
-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 11.11.11.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 11.11.11.0/24 -j ACCEPT

Right now it works like two independent VPNs:
Client -> Server A = the client’s traffic exits from server A.
Server A -> Server B = server A’s own traffic exits from server B, but the client’s traffic still exits from server A. If I run curl ident.me on server A, I get server B’s IP. If I run curl ident.me on the client, I get server A’s IP.

How can I build a gateway between these two VPNs?

PS: I’m a noob at network management.
PPS: Both servers run Ubuntu 20.04 and are in different locations.

