Created
November 5, 2013 21:53
OpenSwan Install and Configuration on Ubuntu between AWS VPC's
Required:
An instance accessible with an EIP from each VPC network
Unique and non-overlapping CIDR ranges
Security Group allowing each other's EIP (udp: 500,4500 and icmp: echo reply)
Forwarded traffic also passes through the Openswan instance's Security Group, so additionally allow the local VPC's CIDR inbound on it (local hosts reply through it) and allow the remote VPC's CIDR on the hosts that should be reachable
Disable Source/Dest Check on each Openswan AWS instance
Configure Routing Tables on each VPC (add tables with associated subnets):
In VPC A (10.10.0.0/16): 10.11.0.0/16 -> Openswan instance id in VPC A
In VPC B (10.11.0.0/16): 10.10.0.0/16 -> Openswan instance id in VPC B
On Each Server:
Install Openswan
% sudo apt-get install openswan
update /etc/sysctl.conf (forwarding on; ICMP redirects off in both directions so the gateway neither emits nor honours route changes)
--------------------------
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
--------------------------
% sudo sysctl -p
edit /etc/ipsec.conf
In the "config setup" section set protostack=netkey (otherwise Openswan logs a warning that it will try KLIPS before falling back to NETKEY)
Add line: include /etc/ipsec.d/*.conf (do not indent)
On Network A openswan side, create /etc/ipsec.d/to-networkB.conf (conn parameters must be indented):
conn to-networkB
    type=tunnel
    authby=secret
    left=10.10.0.21 ## <- the private IP of your openswan server in Network A (the EIP is 1:1 NAT in front of it, so the instance never sees it)
    leftid=1.2.3.4 ## <- external IP (EIP) of Network A, the identity the peer sees
    leftsubnet=10.10.0.0/16
    right=5.6.7.8 ## <- the external IP (EIP) of Network B
    rightsubnet=10.11.0.0/16
    pfs=yes
    auto=start
Add to /etc/ipsec.secrets file (replace the placeholder with a long random string, use the same string on both sides, and keep the file root-only with chmod 600):
1.2.3.4 5.6.7.8: PSK "create_your_super_secret_phrase_here"
On Network B openswan side, create /etc/ipsec.d/to-networkA.conf (the mirror image of the Network A file: its right/rightsubnet are A's leftid/leftsubnet and vice versa):
conn to-networkA
    type=tunnel
    authby=secret
    left=10.11.0.25 ## <- the private IP of your openswan server in Network B
    leftid=5.6.7.8 ## <- the external IP (EIP) of Network B
    leftsubnet=10.11.0.0/16
    right=1.2.3.4 ## <- external IP (EIP) of Network A
    rightsubnet=10.10.0.0/16
    pfs=yes
    auto=start
Add to /etc/ipsec.secrets file (the same PSK as on Network A):
5.6.7.8 1.2.3.4: PSK "create_your_super_secret_phrase_here"
---------
On Both Servers
% service ipsec restart
% ipsec verify
(checks ip_forward and the send/accept_redirects settings above, and that the NETKEY stack is in use)
Look at /var/log/syslog and auth.log for connectivity errors and status
% ipsec auto --status
A conn that stays in STATE_MAIN_I1 has sent its first IKE message and never got an answer: check the Security Groups, NACLs and EIPs. "IPsec SA established" means the tunnel is up.
Test by pinging a host on the other side
Success!
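The two conn files above have to be exact mirror images, the two CIDRs must not overlap, and the PSK placeholder must be replaced by a real secret. As an added example (not part of the gist and not an Openswan tool), the Python helper below renders both gateways' conn blocks from one description, checks the CIDR requirement, checks that the rendered files mirror each other, generates a random PSK, and classifies `ipsec auto --status` output into up / ike-only / no-reply / down. The addresses are the gist's placeholders; the `ike=`/`esp=` lines pin algorithms rather than rely on defaults and assume the Openswan 2.6 algorithm syntax; the status lines are constructed samples written in Openswan's STATE_* wording, not captured from a real gateway.

```python
# Added example, not from the gist: render the two gateways' conn blocks from one
# description, enforce the non-overlapping-CIDR requirement, and classify
# `ipsec auto --status` output. Addresses are the gist's placeholders; the
# status lines are constructed samples in Openswan's STATE_* wording.
import ipaddress
import re
import secrets

SITE_A = {"name": "networkA", "private_ip": "10.10.0.21", "eip": "1.2.3.4", "cidr": "10.10.0.0/16"}
SITE_B = {"name": "networkB", "private_ip": "10.11.0.25", "eip": "5.6.7.8", "cidr": "10.11.0.0/16"}


def check_sites(a, b):
    """Problems found (empty list = OK): CIDRs must not overlap and each
    gateway's private IP must sit inside its own CIDR."""
    net_a, net_b = ipaddress.ip_network(a["cidr"]), ipaddress.ip_network(b["cidr"])
    problems = [f"overlapping CIDRs: {net_a} and {net_b}"] if net_a.overlaps(net_b) else []
    for site, net in ((a, net_a), (b, net_b)):
        if ipaddress.ip_address(site["private_ip"]) not in net:
            problems.append(f"{site['private_ip']} is not inside {net}")
    return problems


def render_conn(local, remote):
    """One gateway's /etc/ipsec.d/to-<remote>.conf: left= is the private IP
    (the EIP is 1:1 NAT in front of it), leftid= the EIP the peer sees. ike=/esp=
    pin the algorithms instead of trusting defaults (assumed Openswan 2.6 syntax)."""
    return "\n".join([
        f"conn to-{remote['name']}",
        "\ttype=tunnel",
        "\tauthby=secret",
        f"\tleft={local['private_ip']}",
        f"\tleftid={local['eip']}",
        f"\tleftsubnet={local['cidr']}",
        f"\tright={remote['eip']}",
        f"\trightsubnet={remote['cidr']}",
        "\tike=aes256-sha1;modp2048",
        "\tesp=aes256-sha1;modp2048",
        "\tpfs=yes",
        "\tauto=start",
    ]) + "\n"


def render_secrets(local, remote, psk):
    """/etc/ipsec.secrets line; same PSK on both gateways, file chmod 600."""
    return f'{local["eip"]} {remote["eip"]}: PSK "{psk}"\n'


def new_psk(nbytes=32):
    """Random PSK to replace the gist's placeholder phrase."""
    return secrets.token_hex(nbytes)


def mirrored(conf_a, conf_b):
    """True when the two conn blocks are the same tunnel seen from both ends:
    each side's right/rightsubnet equals the other's leftid/leftsubnet."""
    def params(conf):
        return dict(ln.strip().split("=", 1) for ln in conf.splitlines()[1:] if "=" in ln)
    a, b = params(conf_a), params(conf_b)
    return (a["right"] == b["leftid"] and a["rightsubnet"] == b["leftsubnet"]
            and b["right"] == a["leftid"] and b["rightsubnet"] == a["leftsubnet"])


# Constructed `ipsec auto --status` samples (not captured from a real gateway).
STATUS_UP = ('000 #1: "to-networkB":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2419s; newest ISAKMP; idle\n'
             '000 #2: "to-networkB":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27263s; newest IPSEC; eroute owner; isakmp#1\n')
STATUS_STUCK = '000 #1: "to-networkB":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 7s; nodpd; idle\n'
_STATE_RE = re.compile(r'#\d+: "([^"]+)":\d+ (STATE_\w+) \(([^)]*)\)')


def tunnel_state(status_text, conn):
    """'up' once an IPsec SA is established, 'ike-only' if only phase 1 completed,
    'no-reply' when stuck in STATE_MAIN_I1 (first IKE message sent, peer never
    answered on udp/500: check Security Groups, NACLs and EIPs), else 'down'."""
    found = [(st, story) for name, st, story in _STATE_RE.findall(status_text) if name == conn]
    if any("IPsec SA established" in story for _, story in found):
        return "up"
    if any("ISAKMP SA established" in story for _, story in found):
        return "ike-only"
    if any(st == "STATE_MAIN_I1" for st, _ in found):
        return "no-reply"
    return "down"


if __name__ == "__main__":
    for problem in check_sites(SITE_A, SITE_B):
        raise SystemExit(problem)
    psk, conf_a, conf_b = new_psk(), render_conn(SITE_A, SITE_B), render_conn(SITE_B, SITE_A)
    assert mirrored(conf_a, conf_b)
    print(conf_a + render_secrets(SITE_A, SITE_B, psk))   # files for gateway A
    print(conf_b + render_secrets(SITE_B, SITE_A, psk))   # files for gateway B
```

Run it once, paste the first pair of outputs into gateway A's files and the second pair into gateway B's, then feed each gateway's `ipsec auto --status` output to `tunnel_state` (or just read it) after `service ipsec restart`; a result of "no-reply" points at the udp/500 path rather than at the conn files.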
Which Ubuntu version have you tried this with? I can't make ping work from VPC 1 to 2 or vice versa with Ubuntu 14.04.
It just stays at "ipsec__plutorun: 104 "to-nv" #1: STATE_MAIN_I1: initiate"
Nov 21 17:25:32 ip-172-16-239-10 ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
Nov 21 17:25:32 ip-172-16-239-10 ipsec_setup: Using NETKEY(XFRM) stack
Nov 21 17:25:32 ip-172-16-239-10 kernel: [284815.609461] Initializing XFRM netlink socket
Nov 21 17:25:32 ip-172-16-239-10 ipsec_setup: ...Openswan IPsec started
Nov 21 17:25:32 ip-172-16-239-10 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Nov 21 17:25:32 ip-172-16-239-10 pluto: adjusting ipsec.d to /etc/ipsec.d
Nov 21 17:25:32 ip-172-16-239-10 ipsec__plutorun: 002 added connection description "o2nv"
Nov 21 17:25:32 ip-172-16-239-10 ipsec__plutorun: 104 "o2nv" #1: STATE_MAIN_I1: initiate