HQ Router Setup

In the Cloudflare Managed Labs (CML) dashboard, select the HQ Router.

The bastion will load the command line of the Linux machine that is running Strongswan. Strongswan is installed by default; we only need to change its configuration to allow connectivity to Cloudflare Magic WAN.

Perform the following steps to get Strongswan configured with Cloudflare Magic WAN.

To configure Strongswan for this lab we only need to edit one file: /etc/ipsec.conf

IPSec Tunnel Configuration:

At the command line type: sudo nano /etc/ipsec.conf

In the configuration file, the only values you need to change are the following three keywords on the pre-configured conn (keyword names are lowercase; leave the rest of the conn as it is):

leftid = <FQDN shown for the tunnel in the CF dashboard>
right = <CF anycast IP address from the dashboard>
rightid = <CF anycast IP address from the dashboard>

Make the changes and save the file. 

Note: The file /etc/ipsec.secrets is pre-configured. For this lab, the pre-shared key is #Savetheinternet. This value is only for the lab: outside it, use the pre-shared key generated for the tunnel in the dashboard and keep /etc/ipsec.secrets readable by root only (mode 0600).

At this point, the router should be able to bring up the IPsec tunnel to Magic WAN. To confirm this, enter the following commands (reload re-reads ipsec.conf, restart also re-reads ipsec.secrets):

sudo ipsec reload
sudo ipsec restart
sudo ipsec status

If everything is configured correctly, the status output lists the connection with an ESTABLISHED IKE_SA and an INSTALLED CHILD_SA to the Cloudflare anycast address. If it does not, sudo ipsec statusall shows the negotiation state in more detail.

Now that the tunnel is established, we need to configure the router to send traffic through it. First we create a VTI (virtual tunnel interface); then we configure routing so that traffic from the LAN devices reaches the Internet via the IPsec tunnel interface.

First create the IPsec VTI tunnel interface:

sudo ip tunnel add vti1 local 10.20.101.5 remote 162.159.67.139 mode vti key 50

IMPORTANT: 10.20.101.5 is an example internal IP address; use the IP address assigned to eth0. 162.159.67.139 is an example CF anycast address; use the CF anycast IP address assigned to your account. The key value (50) must be the same number as the mark= set on the conn in /etc/ipsec.conf: the VTI only carries packets that match that mark, so with a mismatch the tunnel shows as established but passes no traffic.

sudo ip addr add 192.168.100.101/31 dev vti1

NOTE: This is the customer end of the /31 interface address that we assigned to the IPsec tunnel in the dashboard; the other address of the /31 (192.168.100.100) is the Cloudflare end and is used as the gateway below.

sudo ip link set vti1 up

Verify that the interface exists and is up with ifconfig, or with ip addr show vti1 if ifconfig is not installed.

Next we need to create routing on the Strongswan router using Policy Based Routing (PBR) to send traffic from the LAN through the Cloudflare Magic WAN IPsec tunnel.

This requires:

  1. Creating the PBR rule(s) that send specific traffic to a lookup in route table IPSEC1. The table name must exist in /etc/iproute2/rt_tables; in this lab it maps to table ID 201, which is why the validation commands below accept either name.
     NOTE: IP rules are evaluated sequentially from the lowest preference number to the highest. A rule entered via the CLI without an explicit preference is given a higher priority (i.e. a lower preference number) than the rules entered before it. The best way to ensure the proper priority of a given IP rule is to set the preference number explicitly (ip rule add ... priority <number>) when configuring the rule.
  2. Configuring a default route in table IPSEC1, so that all traffic whose route lookup lands in IPSEC1 is sent over the IPsec tunnel to Cloudflare Magic WAN.
  3. Validating the result with cat /etc/iproute2/rt_tables, ip rule, and ip route list table IPSEC1 (or ip route list table 201, or ip route list table all).

Use the following commands, in this order, to create the rules and the route. Replace x with the value for your lab. Because each rule entered later gets a higher priority, the two lookup main exceptions entered after the first rule take precedence over it, which is what we want: traffic between LAN hosts and traffic to 10.90.0.6 keeps using the main table, and everything else from the LAN is looked up in IPSEC1.

sudo ip rule add from 10.23.x.0/28 table IPSEC1
sudo ip rule add from 10.23.x.2 to 10.23.x.0/28 lookup main
sudo ip rule add to 10.90.0.6/32 lookup main
sudo ip route add default via 192.168.100.100 dev vti1 table IPSEC1

The third rule (to 10.90.0.6/32 lookup main) is a critical step, do not skip it: without it, traffic to that host is sent into the tunnel instead of over the existing path.
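The VTI and policy-routing steps above, collected into one script as an added example (this is not part of the lab and not Cloudflare's or strongSwan's own tooling). It uses explicit rule priorities instead of relying on entry order, derives the Cloudflare gateway from the customer end of the /31, and refuses to apply anything if the VTI key does not match the mark= on the conn in /etc/ipsec.conf. The LOCAL_IP and CF_ANYCAST values are the lab's example values; LAN, LAN_HOST and the priorities are assumptions, and the IPSEC1 table is assumed to already be listed in /etc/iproute2/rt_tables. Run it without arguments to print the commands, or as root with the argument apply to execute them.

```shell
#!/bin/sh
# Added example, not the lab's own script: renders (and optionally applies) the
# VTI and policy-based routing steps with explicit rule priorities, and checks
# that the VTI key matches the mark= on the strongSwan conn before applying.

LOCAL_IP="10.20.101.5"        # eth0 address of this router (example value from the lab text)
CF_ANYCAST="162.159.67.139"   # Cloudflare anycast IP from the dashboard (example value from the lab text)
VTI_ADDR="192.168.100.101/31" # customer end of the tunnel's /31 interface address
VTI_KEY=50                    # must equal mark= on the conn in /etc/ipsec.conf
LAN="10.23.1.0/28"            # assumed: the lab uses 10.23.x.0/28 with a lab-specific x
LAN_HOST="10.23.1.2"          # assumed: the lab's 10.23.x.2 host
MGMT="10.90.0.6/32"           # host that must keep using the main table (the lab's "do not skip" rule)
TABLE="IPSEC1"                # assumed present in /etc/iproute2/rt_tables (e.g. "201 IPSEC1")

# peer_of_slash31 A.B.C.D/31 -> the other address of the /31 (flip the last bit).
peer_of_slash31() {
  ip4=${1%/*}
  echo "${ip4%.*}.$(( ${ip4##*.} ^ 1 ))"
}

# mark_matches_key FILE -> true if the first "mark=" in FILE equals VTI_KEY.
# A mismatch gives an ESTABLISHED IKE_SA but no traffic over vti1.
mark_matches_key() {
  mark=$(sed -n 's/^[[:space:]]*mark[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
  [ -n "$mark" ] && [ "$mark" = "$VTI_KEY" ]
}

# render_commands prints the commands in the order to run them. Explicit
# priorities (lower number wins) make the two main-table exceptions take
# precedence over the LAN catch-all regardless of entry order.
render_commands() {
  gw=$(peer_of_slash31 "$VTI_ADDR")
  cat <<EOF
ip tunnel add vti1 local $LOCAL_IP remote $CF_ANYCAST mode vti key $VTI_KEY
ip addr add $VTI_ADDR dev vti1
ip link set vti1 up
ip rule add to $MGMT lookup main priority 100
ip rule add from $LAN_HOST to $LAN lookup main priority 110
ip rule add from $LAN table $TABLE priority 120
ip route add default via $gw dev vti1 table $TABLE
EOF
}

# apply_commands runs the rendered commands as root, stopping at the first failure.
apply_commands() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  mark_matches_key /etc/ipsec.conf || {
    echo "VTI key $VTI_KEY does not match mark= in /etc/ipsec.conf" >&2; return 1; }
  render_commands | while IFS= read -r cmd; do
    echo "+ $cmd"
    $cmd || exit 1   # unquoted on purpose: split the rendered line into argv
  done
}

# show_state prints what the lab asks you to validate after applying.
show_state() {
  ip -d link show vti1
  ip rule
  ip route list table "$TABLE"
}

if [ "${1:-render}" = "apply" ]; then
  apply_commands && show_state
else
  render_commands
fi
```

The priorities 100/110/120 are arbitrary; what matters is that the two main-table rules have lower numbers than the catch-all, and that all three sit below the default local rule (0) and above main (32766) so they are evaluated in between.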

At this point, the router configuration should be complete. Log into the HQ Origin machine to confirm connectivity. At the command line, enter curl icanhazip.com; the address returned should be a Cloudflare IP, which shows that the host's Internet traffic is leaving through the Magic WAN tunnel.

Now that we have successfully configured the HQ Router, we need to configure the Branch Router.  The process to do this is nearly identical to the configuration for the HQ Router.