Wednesday, April 22, 2015

Works for me!

One of the more interesting things I have had to do lately was set up a site-to-site VPN in AWS using openswan.
After reading all the notes, blog posts and forum posts I was able to luck onto a configuration that works for me; your mileage will vary.

Spin up your new instances in AWS; details can be found elsewhere. Once you have the new instances running in each location you can start on the configuration.

After the instance is deployed, right click on it and select Networking > Change Source/Dest. Check, and then select Enable.


If you do not enable this setting, you will not get full two-way traffic, so be warned.


Now we want to add the routing to the VPC. First select an Elastic IP for the instance and assign it, once per site. Write down the Network Interface ID, eni-XXXXXXXX.

While under the VPC, select Route Tables and then the route table for your VPC.
Edit > Add Another Route
For the new route, put in your remote subnet as the destination and the Network Interface ID, eni-XXXXXXXX, as the target, then save it.

For the security group part, you need the following.
If your instance is in the default group that is fine, but here we want to change it.
I usually make my own firewall rules for this part; use your own judgement here.

You need UDP 500 and UDP 4500 (IKE and NAT-T).
You also need ESP, IP protocol 50.

I usually do All Traffic to the remote public IP.
And then I do Custom Protocol, type in 50, and then all ports to the remote IP.

The sg- sources are the other security groups; you need to have those for all the subnets to talk to each other.

Next, apt-get/yum install openswan; it is part of the standard Ubuntu packages. You also want to install ipsec-tools on Ubuntu.

Now we get to the "works for me" part of this. After reading the openswan manual and many forum, blog and newsgroup posts, I discovered that I needed more settings than they were showing. So here we go.

conn conn-name-east
 type=tunnel
 left=10.1.1.101 # your private IP of this server
 leftsubnets=10.1.0.0/16 # Full VPC subnet
 leftid=52.XX.XX.XX # Your public (elastic) IP of this server, which is what the peer sees behind the AWS NAT
 leftsourceip=10.1.1.101 # source address this host uses for its own traffic into the tunnel
 right=54.XX.XX.XX # The remote server IP
 rightsubnets=10.2.0.0/16 # the remote VPC subnet
 rightid=54.XX.XX.XX # The other IP
 pfs=no # no perfect forward secrecy on the phase 2 SA
 forceencaps=yes # always UDP-encapsulate ESP (NAT-T), even if no NAT is detected
 authby=secret # pre-shared key, looked up in ipsec.secrets
 auto=start # bring the tunnel up when ipsec starts

Now that is a great start; just change the values accordingly for your other connection.

conn conn-name-west
 type=tunnel
 left=10.2.1.101 # your private IP of this server
 leftsubnets=10.2.0.0/16 # Full VPC subnet
 leftid=54.XX.XX.XX # Your public (elastic) IP of this server, which is what the peer sees behind the AWS NAT
 leftsourceip=10.2.1.101 # source address this host uses for its own traffic into the tunnel
 right=52.XX.XX.XX # The remote server IP
 rightsubnets=10.1.0.0/16 # the remote VPC subnet
 rightid=52.XX.XX.XX # The other IP
 pfs=no # no perfect forward secrecy on the phase 2 SA
 forceencaps=yes # always UDP-encapsulate ESP (NAT-T), even if no NAT is detected
 authby=secret # pre-shared key, looked up in ipsec.secrets
 auto=start # bring the tunnel up when ipsec starts

Shhh.. it's a secret..
So above we are telling it to authenticate by secret. I am not sure this is the most secure way to do things, but it does seem to work so far.
On each side I am using the public IP and remote IP in the secrets.


54.XX.XX.XX 52.XX.XX.XX: PSK "$VER_SEC_PSK"
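The two conn blocks and the secrets line are mirror images of each other, which is easy to get wrong by hand. Here is an added example (mine, not the post's tooling and not part of openswan) that renders both blocks and the ipsec.secrets line from a single inventory and checks the addressing first: the private IP must sit inside the VPC CIDR, the elastic IP must not, and the two VPC CIDRs must not overlap. The inventory and the RFC 5737 public addresses are constructed placeholders; $VER_SEC_PSK is kept as the post's own reference to the key, which in practice should be a long random value in a root-only ipsec.secrets.

```python
"""Render the mirrored Openswan conn blocks and the PSK line from one inventory.

Added example, not tooling from the post: the east and west blocks differ only
in which site is 'left' (local) and which is 'right' (remote), so both are
rendered from a single description and the addressing is checked first.
"""
import ipaddress
from textwrap import dedent

# Constructed sample inventory. The public IPs are RFC 5737 documentation
# addresses standing in for the 52.XX.XX.XX / 54.XX.XX.XX placeholders.
SITES = {
    "east": {"private_ip": "10.1.1.101", "subnet": "10.1.0.0/16", "public_ip": "198.51.100.10"},
    "west": {"private_ip": "10.2.1.101", "subnet": "10.2.0.0/16", "public_ip": "203.0.113.10"},
}


def validate_sites(sites):
    """Return a list of addressing problems; an empty list means the pair is consistent."""
    problems, nets = [], {}
    for name, s in sites.items():
        net = ipaddress.ip_network(s["subnet"], strict=True)
        nets[name] = net
        # left / leftsourceip must be an address inside leftsubnets
        if ipaddress.ip_address(s["private_ip"]) not in net:
            problems.append(f"{name}: private IP {s['private_ip']} is not inside {s['subnet']}")
        # leftid is the elastic IP; a VPC address here means the peer's rightid will never match
        if ipaddress.ip_address(s["public_ip"]) in net:
            problems.append(f"{name}: public IP {s['public_ip']} lies inside the VPC subnet {s['subnet']}")
    names = list(sites)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # the two VPC CIDRs must be disjoint or the rightsubnets route is ambiguous
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a}/{b}: subnets {nets[a]} and {nets[b]} overlap")
    return problems


def render_conn(name, local, remote):
    """One conn block: 'local' fills the left* keys, 'remote' the right* keys."""
    return dedent(f"""\
        conn {name}
         type=tunnel
         left={local['private_ip']}
         leftsubnets={local['subnet']}
         leftid={local['public_ip']}
         leftsourceip={local['private_ip']}
         right={remote['public_ip']}
         rightsubnets={remote['subnet']}
         rightid={remote['public_ip']}
         pfs=no
         forceencaps=yes
         authby=secret
         auto=start
        """)


def render_secret(a, b, psk_ref="$VER_SEC_PSK"):
    """The ipsec.secrets line, keyed on both public IPs exactly as the post does."""
    return f'{a["public_ip"]} {b["public_ip"]}: PSK "{psk_ref}"'


def render_all(sites, a="east", b="west"):
    """Render both sides and the shared secret line, refusing inconsistent input."""
    problems = validate_sites(sites)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        a: render_conn(f"conn-name-{a}", sites[a], sites[b]),
        b: render_conn(f"conn-name-{b}", sites[b], sites[a]),
        "secret": render_secret(sites[a], sites[b]),
    }


if __name__ == "__main__":
    for part, text in render_all(SITES).items():
        print(f"# --- {part} ---\n{text}")
```

Because the same secrets line is installed on both hosts, generating it alongside the conn blocks also guarantees the two public IPs appear in the same order on each side.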


Now for the commands that need to be run on both servers.
We need to tell our new happy servers that yes, they can talk, and yes, they can forward traffic to the networks.
In /etc/sysctl.conf you want to clear out what is there and add these values.


net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.lo.rp_filter=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.eth0.send_redirects=0
net.ipv4.conf.lo.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.lo.accept_redirects=0
net.ipv4.ip_forward=1

If you do not want to restart the system, type or paste these commands so the settings take effect immediately.


echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects 
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects 
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects 
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects 
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
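Note that the echo commands above cover only the redirect settings; rp_filter and ip_forward from the sysctl.conf block are not touched until a reboot or sysctl -p. This added example (mine, not from the post) maps each sysctl key to its /proc/sys file, which is what the echo commands write to, reads the live values back and reports anything that differs from the sysctl.conf block. The after_echo_block_only reader is a constructed snapshot of a host where only those eight echos were run; on a real Linux host the script reads /proc/sys instead.

```python
"""Verify the kernel settings the tunnel depends on are live, not just in sysctl.conf.

Added example, not from the post. Each sysctl key maps to a file under
/proc/sys, which is exactly what the echo commands write to; this script
reads those files back and reports any setting that differs from the
/etc/sysctl.conf block.
"""
import os

# The values from the /etc/sysctl.conf block in the post.
EXPECTED = {
    "net.ipv4.conf.all.rp_filter": "0",
    "net.ipv4.conf.default.rp_filter": "0",
    "net.ipv4.conf.eth0.rp_filter": "0",
    "net.ipv4.conf.lo.rp_filter": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
    "net.ipv4.conf.eth0.send_redirects": "0",
    "net.ipv4.conf.lo.send_redirects": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.conf.eth0.accept_redirects": "0",
    "net.ipv4.conf.lo.accept_redirects": "0",
    "net.ipv4.ip_forward": "1",
}


def proc_path(key):
    """sysctl key -> /proc/sys path, e.g. net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward."""
    return "/proc/sys/" + key.replace(".", "/")


def read_proc(path):
    """Live reader: the current value of one /proc/sys file."""
    with open(path) as f:
        return f.read().strip()


def after_echo_block_only(path):
    """Constructed reader simulating a host where only the eight echo commands
    from the post were run: redirects are off, but rp_filter and ip_forward are
    still at the values a fresh Ubuntu host might have (1 and 0) because no
    echo touched them."""
    snapshot = {proc_path(k): "0" for k in EXPECTED if k.endswith("redirects")}
    snapshot.update({proc_path(k): "1" for k in EXPECTED if k.endswith("rp_filter")})
    snapshot[proc_path("net.ipv4.ip_forward")] = "0"
    return snapshot[path]


def check_settings(expected, reader=read_proc):
    """Return {key: (wanted, actual)} for every setting that is unset or different.
    actual is None when the file is missing (no eth0, or not a Linux host)."""
    drift = {}
    for key, want in expected.items():
        try:
            have = reader(proc_path(key))
        except (OSError, KeyError):
            have = None
        if have != want:
            drift[key] = (want, have)
    return drift


def echo_commands(expected):
    """The 'echo N > /proc/sys/...' lines that would apply each setting without a reboot."""
    return [f"echo {v} > {proc_path(k)}" for k, v in expected.items()]


if __name__ == "__main__":
    live = os.path.isdir("/proc/sys/net/ipv4")
    drift = check_settings(EXPECTED, read_proc if live else after_echo_block_only)
    for key, (want, have) in drift.items():
        print(f"{key}: want {want}, have {have}")
    # print the commands that would fix whatever drifted
    for cmd in echo_commands({k: v for k, (v, _) in drift.items()}):
        print(cmd)
```

Run it as root after the echo block and again after a reboot; an empty report both times means the persistent and live configurations agree.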

If you are not able to ping, run this command on the machine. Go ahead, try it, it is fun.


iptables -t nat -A POSTROUTING -s localsubnet/16 ! -d remotesubnet/16 -o eth0 -j MASQUERADE

That last command took me a while, because, if you notice, I am relying on the AWS firewalls to protect me, not the system itself. I want the system to be able to communicate with everything else, on a select IP.

For simple verification you can run the sudo service ipsec status command.


ubuntu@myawesomevpnserver-east:~$ sudo service ipsec status
IPsec running  - pluto pid: 2282
pluto pid 2282
1 tunnels up
some eroutes exist



Some useful commands and their outputs.
ipsec verify: used to make sure your configuration is intact.

ubuntu@myawesomevpnserver-east:~$  sudo ipsec verify 
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                              [OK]
Linux Openswan U2.6.38/K3.13.0-44-generic (netkey)
Checking for IPsec support in kernel                         [OK]
 SAref kernel support                                        [N/A]
 NETKEY:  Testing XFRM related proc values                   [OK]
 [OK]
 [OK]
Checking that pluto is running                               [OK]
 Pluto listening for IKE on udp 500                          [OK]
 Pluto listening for NAT-T on udp 4500                       [OK]
Checking for 'ip' command                                    [OK]
Checking /bin/sh is not /bin/dash                            [WARNING]
Checking for 'iptables' command                              [OK]
Opportunistic Encryption Support                             [DISABLED]

ipsec auto status: make sure you are connected and the tunnel is up. You mainly care about the last four lines here; there is a lot of output.


ubuntu@myawesomevpnserver-east:~$  sudo ipsec auto status 
ipsec auto: warning: obsolete command syntax used
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
---- SNIP ---- 
000 #939: "conn-name-east/1x1":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3269s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #938: "conn-name-east/1x1":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 672s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #930: "conn-name-east/1x1":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 4875s; newest IPSEC; eroute owner; isakmp#929; idle; import:not set
000 #930: "conn-name-east/1x1" esp.ff5004e8@52.XX.XX.XX esp.b8805a31@10.1.1.101 tun.0@52.XX.XX.XX tun.0@110.1.1.101 ref=0 refhim=4294901761
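To turn those last few lines into something a monitoring check can act on, here is an added example (mine, not part of openswan or the post) that parses ipsec auto status output. A tunnel counts as up only when one line reports ISAKMP SA established and another reports IPsec SA established and is marked newest IPSEC; the ESP SPIs are pulled from the esp.xxxx@host line so they can be matched against the other side or a capture. The sample output is constructed from the post's lines with placeholder addresses; the connection name and the script file name in the usage comment are assumptions.

```python
"""Parse 'ipsec auto status' and decide whether a tunnel is really up.

Added example, not from the post. The status output lists one line per
security association; a tunnel is only usable when both the phase 1
(ISAKMP) and phase 2 (IPsec) SAs are established. The esp.xxxx@host lines
carry the SPIs, useful for matching against the other side or a packet capture.
"""
import re
import sys
from collections import defaultdict

# Constructed sample modelled on the output shown in the post (addresses are placeholders).
SAMPLE_STATUS = """\
ipsec auto: warning: obsolete command syntax used
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1
000 #939: "conn-name-east/1x1":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3269s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #938: "conn-name-east/1x1":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 672s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #930: "conn-name-east/1x1":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 4875s; newest IPSEC; eroute owner; isakmp#929; idle; import:not set
000 #930: "conn-name-east/1x1" esp.ff5004e8@52.XX.XX.XX esp.b8805a31@10.1.1.101 tun.0@52.XX.XX.XX tun.0@10.1.1.101 ref=0 refhim=4294901761
"""

# Constructed: phase 1 negotiated but no IPsec SA yet (for example when the subnets disagree).
PHASE1_ONLY = """\
000 using kernel interface: netkey
000 #12: "conn-name-east/1x1":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3000s; newest ISAKMP; idle; import:not set
"""

SA_LINE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)"(?::\d+)? (?P<state>STATE_\w+) '
    r'\((?P<desc>[^)]*)\);(?P<flags>.*)$'
)
SPI_LINE = re.compile(r'^000 #\d+: "(?P<conn>[^"]+)" (?P<body>.*\besp\.[0-9a-f]+@.*)$')
REPLACE_IN = re.compile(r"EVENT_SA_REPLACE in (\d+)s")
ESP_SPI = re.compile(r"esp\.([0-9a-f]+)@(\S+)")


def _blank():
    return {"isakmp": False, "ipsec": False, "ipsec_sa": None, "replace_in": None, "spis": []}


def parse_status(text):
    """Return {conn_name: summary}. The '/1x1' instance suffix is folded into the base conn name."""
    conns = defaultdict(_blank)
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            c = conns[m["conn"].split("/")[0]]
            if "ISAKMP SA established" in m["desc"]:
                c["isakmp"] = True
            # only the newest IPsec SA carries traffic; older ones are about to be replaced
            if "IPsec SA established" in m["desc"] and "newest IPSEC" in m["flags"]:
                c["ipsec"] = True
                c["ipsec_sa"] = int(m["sa"])
                r = REPLACE_IN.search(m["flags"])
                c["replace_in"] = int(r.group(1)) if r else None
            continue
        m = SPI_LINE.match(line)
        if m:
            conns[m["conn"].split("/")[0]]["spis"].extend(ESP_SPI.findall(m["body"]))
    return dict(conns)


def tunnel_up(status, conn):
    """True only when both phases are established for the named connection."""
    s = status.get(conn)
    return bool(s and s["isakmp"] and s["ipsec"])


if __name__ == "__main__":
    # usage (file name assumed): sudo ipsec auto status | python3 check_tunnel.py conn-name-east
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    name = sys.argv[1] if len(sys.argv) > 1 else "conn-name-east"
    status = parse_status(text)
    print(f"{name}: {'UP' if tunnel_up(status, name) else 'DOWN'} {status.get(name)}")
```

The replace_in value is the seconds until the current IPsec SA is rekeyed; a check that runs every few minutes and sees a tunnel with ISAKMP up but no IPsec SA is the usual sign that phase 2 is failing on one side.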


That should get you started, so good luck and remember kids. It works for me!
