
How to setup a L3 bridge over IPsec (9.x)

Posted: 27 Aug 2012, 11:47
by Aron
This HowTo applies to:
  • Clavister Security Gateway 9.x
Scenario:
  • I have two Clavister Security Gateways with the same subnet behind both, and hosts on one side need to access resources on the other side.
  • I want to use my IPSec tunnel as a Layer 3 bridge between the two Clavister Security Gateways.

This can be done by creating a route for the remote IPs that need to be reached over the IPsec tunnel and then using Proxy ARP to publish those IPs on the internal interface.

1. First, create all the IP objects that are going to be used by the IPsec tunnel.
Create an IP object for each host that we need to reach on the remote site. In this example we will name them "ip_lan2lan-hostXX".
Then create an IP group and select all the ip_lan2lan-hostXX IP objects. This way we can easily add and remove hosts to the setup later.
[Screenshot: vpnobjects.png]
2. Second, create the IPSec tunnel. For both the local and the remote network, choose the internal network, assuming that this is the network that we want to bridge between the sites.
[Screenshot: ipsectunnel.png]
3. After creating the IPsec tunnel, go to the "Advanced" tab and uncheck the "Add route for remote network" box. Otherwise your entire internal network will be routed over the IPsec tunnel.
[Screenshot: autocreateroute.png]
4. Now, go to the routing table and create a new route for the IPsec tunnel you just created. As network, choose the IP group with the remote hosts that we created in step one.
[Screenshot: rtmain.png]
5. Then go to the "Proxy ARP" tab and select Proxy ARP to be used on your internal interface.
[Screenshot: proxyarp.png]
6. Create the necessary IP rules to allow the traffic to flow between your internal network and the IPSec tunnel.
[Screenshot: iprules.PNG]
7. Finally, apply the same steps on the remote Security Gateway.


By using Proxy ARP, the Security Gateway will respond to ARP requests on the selected interface (lan in this case) for the network or IPs used in the route that Proxy ARP is enabled on ("grp_lan2lan-hosts" in our example).
Packets sent to the Security Gateway with a destination IP address that matches any of the IPs in the grp_lan2lan-hosts IP group will be routed and sent into the IPSec tunnel by the Security Gateway.

Note
  • The same steps must be applied on the remote Security Gateway, but with this side's IP addresses used in the route and Proxy ARP configuration.
  • Only use Proxy ARP for IP addresses that are not already used by any host on the local network, to avoid IP conflicts.
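The routing and Proxy ARP behaviour described above, and the two pitfalls (leaving "Add route for remote network" checked in step 3, and publishing an address that a local host already uses), modelled as a small added example. This is not Clavister code or the post's own configuration; the addresses and the in-use host list are constructed, and the interface and object names (lan, ipsec_lan2lan, grp_lan2lan-hosts) are assumed to match the post. The model only reports overlapping equal-length routes as ambiguous; the post states that the whole LAN ends up in the tunnel in that case.

```python
import ipaddress

# Constructed values: same subnet on both sites, two remote hosts in grp_lan2lan-hosts,
# and a list of addresses already in use locally (e.g. from the local ARP table).
LAN = ipaddress.ip_network("192.168.1.0/24")
GRP_LAN2LAN_HOSTS = ["192.168.1.50", "192.168.1.51"]
LOCAL_HOSTS_IN_USE = ["192.168.1.10", "192.168.1.20", "192.168.1.50"]


def make_routes(add_route_for_remote_network=False):
    """Route table as (network, interface, proxy_arp_interface).
    The flag mirrors the 'Add route for remote network' checkbox from step 3."""
    routes = [(LAN, "lan", None)]                       # the normal LAN route
    for host in GRP_LAN2LAN_HOSTS:                      # step 4: one /32 per remote host
        routes.append((ipaddress.ip_network(host), "ipsec_lan2lan", "lan"))  # step 5: Proxy ARP on lan
    if add_route_for_remote_network:                    # the auto-created route step 3 removes
        routes.append((LAN, "ipsec_lan2lan", None))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match. Returns the interface(s) of the most specific
    matching route; more than one entry means the table is ambiguous for dst."""
    dst = ipaddress.ip_address(dst)
    hits = [(net, iface) for net, iface, _ in routes if dst in net]
    if not hits:
        return []
    best = max(net.prefixlen for net, _ in hits)
    return sorted({iface for net, iface in hits if net.prefixlen == best})


def proxy_arp_addresses(routes, iface):
    """Addresses the gateway will answer ARP for on iface (all addresses of
    every route that publishes itself there; a /32 route is just its host)."""
    published = set()
    for net, _, parp in routes:
        if parp == iface:
            published.update(str(addr) for addr in net)
    return published


def proxy_arp_conflicts(routes, iface, local_hosts):
    """Published addresses that a local host already uses (the note's IP-conflict case)."""
    return sorted(proxy_arp_addresses(routes, iface) & set(local_hosts))
```

With the checkbox unchecked, only the group hosts go into the tunnel and the rest of the LAN stays on lan; with it checked, every LAN address matches two equal-length routes.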