How to set up a site-to-site VPN in AWS using OpenSwan.
Basically this video is correct, but don't follow it for the phase settings (those three lines of security settings).
1. Install OpenSwan:
$ sudo apt-get install openswan
2. Disable ICMP redirects (the settings below are all set to 0)
$ sudo su
$ for path in /proc/sys/net/ipv4/conf/*; do
>     echo 0 > $path/accept_redirects
>     echo 0 > $path/send_redirects
> done
$ exit
3. Set up sysctl
$ sudo vim /etc/sysctl.conf
and modify the file as follows:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
The setting above doesn't seem to take effect on an EC2 instance. To enable ip_forward, you need to type the following commands:
$ sudo su
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ exit
4. Configure ipsec.conf
$ sudo vim /etc/ipsec.conf
and modify the file like this (parameters of a section are indented under it):
config setup
    # Note: incorrect SELinux policies might prevent pluto writing the core
    dumpdir=/var/run/pluto/
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # put all possible subnets here: %v(4/6)CIDR
    virtual_private=%v4:10.0.0.0/8,%v4:172.31.0.0/16,%v4:192.168.0.0/16
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey

conn connection_name
    authby=secret
    auto=start
    type=tunnel
    # Left security gateway, subnet behind it, nexthop toward right.
    leftid=<name_of_this_machine, can be its public IP>
    left=<ip_of_this_machine>
    leftsubnet=<subnet_of_this_machine>
    # leftnexthop= (ignore; not needed here)
    # Right security gateway, subnet behind it, nexthop toward left.
    right=<public_ip_of_the_other_machine>
    rightsubnet=<subnet_of_the_other_machine>
    # rightnexthop= (ignore; not needed here)
For more information on ipsec.conf, please check here.
5. Set up the pre-shared key
$ sudo vim /etc/ipsec.secrets
and modify the file like this:
<this_machine_id> <remote_id (defaults to the value of right)>: PSK "my secrets"
Keep this file owned by root with mode 0600, since it holds the shared secret.
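As an added example (not the page's or OpenSwan's own code), a small Python checker for steps 4 and 5: it parses an ipsec.conf conn in the layout above, verifies that the left and right subnets do not overlap, and confirms that ipsec.secrets holds a PSK line indexed by the same two IDs and is not group/world-readable. The conn name, addresses and secret are constructed, and the file mode is passed in as a number rather than read from disk.

```python
import ipaddress
import re
# Constructed sample in the page's ipsec.conf layout (documentation addresses, not real hosts).
SAMPLE_CONF = """\
conn aws_to_office
    authby=secret
    type=tunnel
    leftid=203.0.113.10        # this gateway's public address
    left=10.0.1.88
    leftsubnet=10.0.0.0/16
    right=198.51.100.7
    rightsubnet=192.168.10.0/24
"""
SAMPLE_SECRETS = '203.0.113.10 198.51.100.7: PSK "correct-horse-battery-staple-9f3a"\n'

def parse_ipsec_conf(text):
    """Parse OpenSwan-style ipsec.conf: column-0 section headers, indented key=value, '#' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():              # "config setup" / "conn NAME"
            current = sections.setdefault(" ".join(line.split()), {})
        elif line and current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def check_conn(sections, name, secrets_text, secrets_mode):
    """Return the problems found in 'conn NAME' and in its matching ipsec.secrets entry."""
    conn = sections.get(f"conn {name}", {})
    problems = [f"missing {k}" for k in ("left", "leftsubnet", "right", "rightsubnet") if k not in conn]
    if problems:
        return problems
    lnet, rnet = (ipaddress.ip_network(conn[k], strict=False) for k in ("leftsubnet", "rightsubnet"))
    if lnet.overlaps(rnet):                             # far-side traffic would never be routed into the tunnel
        problems.append(f"leftsubnet {lnet} overlaps rightsubnet {rnet}")
    if conn.get("authby") == "secret":
        ids = (conn.get("leftid", conn["left"]), conn.get("rightid", conn["right"]))  # pluto's PSK index
        m = re.search(r"^\s*%s\s+%s\s*:\s*PSK\s+\"([^\"]*)\"" % tuple(map(re.escape, ids)), secrets_text, re.M)
        if not m:
            problems.append("no PSK line for %s %s in ipsec.secrets" % ids)
        elif len(m.group(1)) < 20:
            problems.append("PSK is shorter than 20 characters")
        if secrets_mode & 0o077:                        # group/other bits set: secret is not root-only
            problems.append("ipsec.secrets is readable by group/other; use mode 0600")
    return problems

def check_sample(secrets_mode=0o600):
    # secrets_mode stands in for os.stat("/etc/ipsec.secrets").st_mode
    return check_conn(parse_ipsec_conf(SAMPLE_CONF), "aws_to_office", SAMPLE_SECRETS, secrets_mode)
```

To check a real host, read the two files and pass `os.stat("/etc/ipsec.secrets").st_mode` as the mode.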
6. Start and verify the tunnel
Verify that the setup is correct with
$ sudo ipsec verify
The output should be
perl: warning: Falling back to the standard locale ("C").
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.13.0-74-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
You can start your tunnel using
$ sudo service ipsec restart
# or add and bring up a specific connection
$ sudo ipsec auto --add connection_name
$ sudo ipsec auto --up connection_name
# check the status with
$ sudo service ipsec status
sudo: unable to resolve host ip-10-0-1-88
IPsec running - pluto pid: 11574
pluto pid 11574
1 tunnels up
some eroutes exist
Tools for troubleshooting
(search the web for more detail)
Send a single UDP packet to an IP/port
$ echo -n "foo" | nc -4u -w1 54.84.49.221 50
Sniff ESP and IKE packets on a given interface
$ sudo tcpdump -n -i eth0 esp or udp port 500 or udp port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:26:33.918387 IP 54.84.49.221.50640 > 10.0.1.88.4500: [|isakmp]
06:26:39.153992 IP 54.84.49.221.46341 > 10.0.1.88.4500: [|isakmp]
06:26:40.482219 IP 54.84.49.221.49448 > 10.0.1.88.4500: [|isakmp]
06:26:41.485620 IP 54.84.49.221.57306 > 10.0.1.88.4500: [|isakmp]
06:26:42.522311 IP 54.84.49.221.40383 > 10.0.1.88.4500: [|isakmp]
06:26:43.656389 IP 54.84.49.221.44336 > 10.0.1.88.4500: [|isakmp]
Display processes, ports and connection states
$ sudo netstat -nap
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 476 10.0.1.88:22 65.96.153.200:63248 ESTABLISHED -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.1:4500 0.0.0.0:* -
udp 0 0 10.0.1.88:4500 0.0.0.0:* -
udp 0 0 52.87.255.65:4500 0.0.0.0:* -
udp 0 0 127.0.0.1:500 0.0.0.0:* -
udp 0 0 10.0.1.88:500 0.0.0.0:* -
udp 0 0 52.87.255.65:500 0.0.0.0:* -
Future plan
1. Try to set up a VPN among MOC, AWS and maybe other PCs
2. Try StrongSwan and describe the differences between it and OpenSwan