After reading all the notes, blog posts, forum posts I was able to luck onto a configuration that works for me, your milage will vary.
Spin up your new instances in AWS, details can be found elsewhere, but once you get the new instances spun up in each location you can start the configuration parts.
After the instance is deployed right click on it and select Networking > Change Source/Dest. Check and then select Enable
If you do not enable this setting, you will not get full two way traffic, so be warned.
Now we want to add the routing to the VPC the select an Elastic IP for the instances and assign it. Once per site. Write down the Network Interface ID, eni-XXXXXXXX
While under the VPC select Route Tables and then your VPC
Edit > Add Another Route
The next part put your remote subnet and the Network Interface ID, eni-XXXXXXXX and save that.
For the security parts, you need these.
If you had your instance in the default group, that is fine, but here we want to change it.
I usually make my own firewall rules for this part, use your own judgement here.
You need UDP 500 and UDP 4500.
You also need ESP 50
I usually do All Traffic to the remote public IP
And then I do Custom Protocol type in 50, and then all ports to the remote IP
The sg- sources are the other security groups, you need to to have those for all the subnets to talk to each other.
Next do you apt-get/yum install openswan, it is part of the standard ubuntu packages. You also want to install ipsec-tools on Ubuntu.
Now we get to the "works for me" part of this. After reading the openswan manual, may forum, blog and news group posts, I discovered the that I needed more settings then they were showing. So here we go.
conn conn-name-east type=tunnel left=10.1.1.101 # your private IP of this server leftsubnets=10.1.0.0/16 # Full VPC subnet leftid=52.XX.XX.XX #Your public IP of this server leftsourceip=10.1.1.101 right=54.XX.XX.XX # The remote server IP rightsubnets=10.2.0.0/16 rightid=54.XX.XX.XX #The other IP pfs=no forceencaps=yes authby=secret auto=start
Now that is a great start, just change the values accordingly for your other connection
conn conn-name-west type=tunnel left=10.2.1.101 # your private IP of this server leftsubnets=10.2.0.0/16 # Full VPC subnet leftid=54.XX.XX.XX #Your public IP of this server leftsourceip=10.2.1.101 right=52.XX.XX.XX # The remote server IP rightsubnets=10.1.0.0/16 rightid=52.XX.XX.XX #The other IP pfs=no forceencaps=yes authby=secret auto=start
Shhh.. it's a secret..
So above we are telling it to auth by secret, I am not sure this is the most secure way to do things, but it does seem to work so far.
On each side I am using the public IP and remote IP in the secrets.
54.XX.XX.XX 52.XX.XX.XX: PSK "$VER_SEC_PSK"
Now for the commands that need to be run on both servers.
We need to tell our new happy servers that, yes they can talk, and yes they can forward information to the networks
In the /etc/sysctl.conf you want to clear out what is there and add these values.
net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0 net.ipv4.conf.eth0.rp_filter=0 net.ipv4.conf.lo.rp_filter=0 net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 net.ipv4.conf.eth0.send_redirects=0 net.ipv4.conf.lo.send_redirects=0 net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv4.conf.eth0.accept_redirects=0 net.ipv4.conf.lo.accept_redirects=0 net.ipv4.ip_forward=1
If you do not want to restart the system, type paste these commands so the settings take effect instantly.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
If you are not able to ping, run this command on the machine, go ahead try it, it is fun.
iptables -t nat -A POSTROUTING -s localsubnet/16 ! -d remotesubnet/16 -o eth0 -j MASQUERADE
That last command took me a while, because if you notice I am relying on AWS firewalls to protect me, not the system itself. I want the system to be able to communicate with everything else, on a select IP.
For simple verification you can run the sudo service ipsec status command
ubuntu@myawesomevpnserver-east:~$ sudo service ipsec status
IPsec running - pluto pid: 2282
pluto pid 2282
1 tunnels up
some eroutes exist
Some useful commands and their outputs.
ipsec verify Used to make sure your configurations are in tact
ubuntu@myawesomevpnserver-east:~$ sudo ipsec verify Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan U2.6.38/K3.13.0-44-generic (netkey) Checking for IPsec support in kernel [OK] SAref kernel support [N/A] NETKEY: Testing XFRM related proc values [OK] [OK] [OK] Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for NAT-T on udp 4500 [OK] Checking for 'ip' command [OK] Checking /bin/sh is not /bin/dash [WARNING] Checking for 'iptables' command [OK] Opportunistic Encryption Support [DISABLED]
ipsec auto status make sure you are connected and the tunnel is up. you mainly care about the last 4 lines here, there is a lot of output
ubuntu@myawesomevpnserver-east:~$ sudo ipsec auto status ipsec auto: warning: obsolete command syntax used 000 using kernel interface: netkey 000 interface lo/lo ::1 000 interface lo/lo 127.0.0.1 000 interface lo/lo 127.0.0.1 ---- SNIP ---- 000 #939: "conn-name-east/1x1":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3269s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set 000 #938: "conn-name-east/1x1":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 672s; lastdpd=-1s(seq in:0 out:0); idle; import:not set 000 #930: "conn-name-east/1x1":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 4875s; newest IPSEC; eroute owner; isakmp#929; idle; import:not set 000 #930: "conn-name-east/1x1" esp.ff5004e8@52.XX.XX.XX esp.b8805a31@10.1.1.101 tun.0@52.XX.XX.XX tun.0@110.1.1.101 ref=0 refhim=4294901761
That should get you started, so good luck and remember kids. It works for me!
No comments:
Post a Comment