How to setup a L3 bridge over IPsec (9.x)

Security Gateway Articles and How to's


Post by Aron » 27 Aug 2012, 11:47

This HowTo applies to:
  • Clavister Security Gateway 9.x
  • I have two Clavister Security Gateways with the same subnet behind both, and hosts on one side need to access resources on the other side.
  • I want to use my IPsec tunnel as a Layer 3 bridge between the two Clavister Security Gateways.

This can be done by creating a route for the remote IP addresses that need to be reached over the IPsec tunnel, and then using Proxy ARP to publish those addresses on the internal interface.

1. First, create all the IP objects that are going to be used by the IPsec tunnel.
Create an IP object for each host that we need to reach on the remote site. In this example we name them "ip_lan2lan-hostXX".
Then create an IP group and add all the ip_lan2lan-hostXX objects to it. This way we can easily add and remove hosts from the setup later.
[Screenshot: vpnobjects.png]
2. Second, create the IPsec tunnel. For both the local and the remote network, choose the internal network, assuming that this is the network we want to bridge between the sites.
[Screenshot: ipsectunnel.png]
3. After creating the IPsec tunnel, go to the "Advanced" tab and uncheck the "Add route for remote network" box. Otherwise, your entire internal network will be routed over the IPsec tunnel.
[Screenshot: autocreateroute.png]
4. Now, go to the routing table and create a new route for the IPsec tunnel you just created. As the network, choose the IP group with the remote hosts that we created in step 1.
[Screenshot: rtmain.png]
5. Then go to the "Proxy ARP" tab and enable Proxy ARP for this route on your internal interface.
[Screenshot: proxyarp.png]
6. Create the necessary IP rules to allow the traffic to flow between your internal network and the IPsec tunnel.
[Screenshot: iprules.PNG]
7. Finally, apply the same steps on the remote Security Gateway.

By using Proxy ARP, the Security Gateway will respond to ARP requests on the selected interface (lan in this case) for the network or IP addresses of the route that Proxy ARP is enabled on ("grp_lan2lan-hosts" in our example).
Packets sent to the Security Gateway with a destination IP address that matches any of the addresses in the grp_lan2lan-hosts IP group will be routed by the Security Gateway into the IPsec tunnel.

  • The same steps must be applied on the remote Security Gateway, but with this side's IP addresses used in the route and Proxy ARP configuration.
  • Only use Proxy ARP for IP addresses that aren't already used by any host on the local network, to avoid IP conflicts.
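To make the routing and Proxy ARP behaviour described above (and the overlap caveat) concrete, here is an added Python model of a routing table with longest-prefix matching and per-interface Proxy ARP. It is constructed for this HowTo and is not Clavister code; the addresses, the interface name "lan" and the tunnel name "ipsec_lan2lan" are assumed example values.

```python
import ipaddress

# Constructed model of the behaviour this HowTo relies on: longest-prefix
# route lookup plus Proxy ARP published per interface. Not Clavister code.
class Route:
    def __init__(self, network, iface, proxy_arp_on=()):
        self.network = ipaddress.ip_network(network)
        self.iface = iface                      # outgoing interface or tunnel
        self.proxy_arp_on = set(proxy_arp_on)   # interfaces the route is published on

def lookup(routes, dst):
    """Return the most specific route covering dst (longest prefix wins)."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r.network]
    return max(hits, key=lambda r: r.network.prefixlen) if hits else None

def answers_arp(routes, iface, target):
    """True if the gateway replies to an ARP request on iface for target,
    i.e. the route matching target has Proxy ARP enabled on that interface."""
    r = lookup(routes, target)
    return r is not None and iface in r.proxy_arp_on

def full_network_routes(routes, lan_net, tunnel):
    """Tunnel routes that cover the whole LAN: what you get when 'Add route
    for remote network' is left checked (step 3), pulling all LAN traffic
    into the tunnel instead of only the listed hosts."""
    lan_net = ipaddress.ip_network(lan_net)
    return [r for r in routes if r.iface == tunnel and lan_net.subnet_of(r.network)]

def proxy_arp_conflicts(routes, iface, local_hosts):
    """Addresses published via Proxy ARP that a real host on iface already uses."""
    return sorted(h for h in local_hosts if answers_arp(routes, iface, h))

# Constructed example: 192.168.1.0/24 on both sites, two remote hosts that
# would sit in grp_lan2lan-hosts, routed over the tunnel ipsec_lan2lan.
ROUTES = [
    Route("192.168.1.0/24", "lan"),
    Route("192.168.1.50/32", "ipsec_lan2lan", proxy_arp_on=["lan"]),  # ip_lan2lan-host01
    Route("192.168.1.51/32", "ipsec_lan2lan", proxy_arp_on=["lan"]),  # ip_lan2lan-host02
]
LOCAL_HOSTS = ["192.168.1.10", "192.168.1.51"]   # .51 also exists locally: a conflict

if __name__ == "__main__":
    print(lookup(ROUTES, "192.168.1.50").iface)             # ipsec_lan2lan
    print(lookup(ROUTES, "192.168.1.10").iface)             # lan
    print(answers_arp(ROUTES, "lan", "192.168.1.50"))       # True
    print(full_network_routes(ROUTES, "192.168.1.0/24", "ipsec_lan2lan"))  # []
    print(proxy_arp_conflicts(ROUTES, "lan", LOCAL_HOSTS))  # ['192.168.1.51']
```

Running `full_network_routes` on a table that still contains the auto-created /24 tunnel route shows the step 3 mistake, and `proxy_arp_conflicts` flags exactly the overlap the last bullet warns about.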