
@esoupy
Created November 5, 2013 21:53
OpenSwan Install and Configuration on Ubuntu between AWS VPCs
Required:
An instance in each VPC reachable via an Elastic IP (EIP)
Unique and non-overlapping CIDR ranges for the two VPCs
Security Group on each instance allowing the other side's EIP (udp: 500,4500 and icmp: echo reply)
Disable Source/Dest Check on each Openswan AWS instance
Configure Routing Tables on each VPC (add tables with associated subnets):
VPC A route table: 10.11.0.0/16 (Network B) -> Network A openswan instance id
VPC B route table: 10.10.0.0/16 (Network A) -> Network B openswan instance id
On Each Server:
Install Openswan
% sudo apt-get install openswan
Update /etc/sysctl.conf with:
--------------------------
net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
--------------------------
% sudo sysctl -p
Edit /etc/ipsec.conf
Add the line: include /etc/ipsec.d/*.conf (at the start of the line, do not indent)
On Network A openswan side, create /etc/ipsec.d/to-networkB.conf:
conn to-networkB
    type=tunnel
    authby=secret
    left=10.10.0.21        ## <- the private IP of your openswan server in Network A
    leftid=1.2.3.4         ## <- the external IP (EIP) of Network A
    leftsubnet=10.10.0.0/16
    right=5.6.7.8          ## <- the external IP (EIP) of Network B
    rightsubnet=10.11.0.0/16
    pfs=yes
    auto=start
Add to /etc/ipsec.secrets file:
1.2.3.4 5.6.7.8: PSK "create_your_super_secret_phrase_here"
On Network B openswan side, create /etc/ipsec.d/to-networkA.conf:
conn to-networkA
    type=tunnel
    authby=secret
    left=10.11.0.25        ## <- the private IP of your openswan server in Network B
    leftid=5.6.7.8         ## <- the external IP (EIP) of Network B
    leftsubnet=10.11.0.0/16
    right=1.2.3.4          ## <- the external IP (EIP) of Network A
    rightsubnet=10.10.0.0/16
    pfs=yes
    auto=start
Add to /etc/ipsec.secrets file:
5.6.7.8 1.2.3.4: PSK "create_your_super_secret_phrase_here"
---------
On Both Servers:
% service ipsec restart
Look at /var/log/syslog and /var/log/auth.log for connectivity errors and status
% ipsec auto --status
Test by pinging a host on the other side
Success!
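The two conn files above are exact mirrors of each other (left/right, leftid/right, leftsubnet/rightsubnet swapped), and a typo in one of them is the usual reason the tunnel never comes up. The script below is an added example, not part of the gist: it renders both files and both ipsec.secrets lines from one set of variables, generates a random hex PSK instead of a hand-typed phrase, and checks a sysctl.conf for the seven settings listed above. The IP addresses are the gist's placeholder values; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the gist): render the mirrored Openswan conn sections
# and ipsec.secrets lines for both VPC sides from one set of variables, and
# check a sysctl.conf for the forwarding/redirect settings the how-to requires.
# Values are the gist's placeholders: *_PRIV = instance private IP, *_EIP = Elastic IP.
NET_A_PRIV=10.10.0.21; NET_A_EIP=1.2.3.4; NET_A_CIDR=10.10.0.0/16
NET_B_PRIV=10.11.0.25; NET_B_EIP=5.6.7.8; NET_B_CIDR=10.11.0.0/16

# gen_psk: 32 random bytes, hex-encoded (64 characters); openssl if present,
# otherwise read /dev/urandom directly.
gen_psk() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

# render_conn NAME LOCAL_PRIV LOCAL_EIP LOCAL_CIDR PEER_EIP PEER_CIDR
# Prints one conn section; parameters are indented under the conn line, as
# Openswan's ipsec.conf parser requires.
render_conn() {
    printf 'conn %s\n' "$1"
    printf '    type=tunnel\n'
    printf '    authby=secret\n'
    printf '    left=%s\n'        "$2"
    printf '    leftid=%s\n'      "$3"
    printf '    leftsubnet=%s\n'  "$4"
    printf '    right=%s\n'       "$5"
    printf '    rightsubnet=%s\n' "$6"
    printf '    pfs=yes\n'
    printf '    auto=start\n'
}

# render_secret LOCAL_EIP PEER_EIP PSK: one ipsec.secrets line
render_secret() {
    printf '%s %s: PSK "%s"\n' "$1" "$2" "$3"
}

# The two files, mirrored automatically so left/right cannot drift apart.
side_a_conf() { render_conn to-networkB "$NET_A_PRIV" "$NET_A_EIP" "$NET_A_CIDR" "$NET_B_EIP" "$NET_B_CIDR"; }
side_b_conf() { render_conn to-networkA "$NET_B_PRIV" "$NET_B_EIP" "$NET_B_CIDR" "$NET_A_EIP" "$NET_A_CIDR"; }

# check_sysctl FILE: print every required key that is missing or wrong in FILE;
# returns 0 only when all seven are correct. Whitespace around '=' is tolerated
# and the last occurrence of a key wins, as sysctl -p itself behaves.
check_sysctl() {
    rc=0
    for kv in net.ipv4.ip_forward=1 \
              net.ipv4.conf.all.accept_redirects=0 \
              net.ipv4.conf.all.send_redirects=0 \
              net.ipv4.conf.default.send_redirects=0 \
              net.ipv4.conf.eth0.send_redirects=0 \
              net.ipv4.conf.default.accept_redirects=0 \
              net.ipv4.conf.eth0.accept_redirects=0; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$1" | tail -n 1)
        if [ "$got" != "$want" ]; then
            echo "sysctl: $key should be $want (found '${got:-unset}')"
            rc=1
        fi
    done
    return $rc
}

# Usage (run on an admin workstation, then copy each file to its server):
#   side_a_conf > to-networkB.conf ; side_b_conf > to-networkA.conf
#   PSK=$(gen_psk)
#   render_secret "$NET_A_EIP" "$NET_B_EIP" "$PSK"   # append to /etc/ipsec.secrets on server A
#   render_secret "$NET_B_EIP" "$NET_A_EIP" "$PSK"   # append to /etc/ipsec.secrets on server B
#   check_sysctl /etc/sysctl.conf                   # on each server, before sysctl -p
```

The same PSK goes into both secrets files; only the order of the two EIPs differs, because ipsec.secrets lists the local ID first. Keep /etc/ipsec.secrets mode 0600 and root-owned on both instances.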
ddimri commented Nov 21, 2016

Which Ubuntu version have you tried this on? I can't make ping work from VPC 1 to 2 or vice versa with Ubuntu 14.04.
It just stays at "ipsec__plutorun: 104 "to-nv" #1: STATE_MAIN_I1: initiate"
Nov 21 17:25:32 ip-172-16-239-10 ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
Nov 21 17:25:32 ip-172-16-239-10 ipsec_setup: Using NETKEY(XFRM) stack
Nov 21 17:25:32 ip-172-16-239-10 kernel: [284815.609461] Initializing XFRM netlink socket
Nov 21 17:25:32 ip-172-16-239-10 ipsec_setup: ...Openswan IPsec started
Nov 21 17:25:32 ip-172-16-239-10 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Nov 21 17:25:32 ip-172-16-239-10 pluto: adjusting ipsec.d to /etc/ipsec.d
Nov 21 17:25:32 ip-172-16-239-10 ipsec__plutorun: 002 added connection description "o2nv"
Nov 21 17:25:32 ip-172-16-239-10 ipsec__plutorun: 104 "o2nv" #1: STATE_MAIN_I1: initiate
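The log excerpt above ends at STATE_MAIN_I1, which is the state pluto enters after sending the first IKEv1 Main Mode message; a connection that never leaves it has received no reply from the peer on UDP 500. The script below is an added example, written for this page and not part of the gist or the comment: it reads pluto lines from syslog, keeps the last state seen for each connection name, and lists the connections still sitting at STATE_MAIN_I1. The sample log is constructed after the format in the comment; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the gist or the comment): summarise Openswan/pluto
# state transitions from syslog so a tunnel stuck at Main Mode message 1 is
# visible without reading the whole log by hand.
# STATE_MAIN_I1 = first Main Mode message sent, waiting for the peer's reply.
# Staying there means nothing came back on UDP 500: security group / NACL
# blocking it, a wrong 'right=' address, or the peer's ipsec not running.

# Constructed sample lines, modelled on the format in the comment above.
SAMPLE_LOG=$(cat <<'EOF'
Nov 21 17:25:32 ip-172-16-239-10 ipsec__plutorun: 002 added connection description "o2nv"
Nov 21 17:25:32 ip-172-16-239-10 ipsec__plutorun: 104 "o2nv" #1: STATE_MAIN_I1: initiate
Nov 21 17:26:10 ip-172-16-239-10 ipsec__plutorun: 002 added connection description "to-networkB"
Nov 21 17:26:10 ip-172-16-239-10 ipsec__plutorun: 104 "to-networkB" #2: STATE_MAIN_I1: initiate
Nov 21 17:26:11 ip-172-16-239-10 ipsec__plutorun: 106 "to-networkB" #2: STATE_MAIN_I2: sent MI2, expecting MR2
Nov 21 17:26:11 ip-172-16-239-10 ipsec__plutorun: 108 "to-networkB" #2: STATE_MAIN_I3: sent MI3, expecting MR3
Nov 21 17:26:11 ip-172-16-239-10 ipsec__plutorun: 004 "to-networkB" #2: STATE_MAIN_I4: ISAKMP SA established
Nov 21 17:26:12 ip-172-16-239-10 ipsec__plutorun: 004 "to-networkB" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
EOF
)

# last_states: read log lines on stdin, print "<conn> <last STATE_*>" per
# connection name, sorted. Lines without '"name" #n: STATE_' are ignored.
last_states() {
    awk '
        match($0, /"[^"]+" #[0-9]+: STATE_[A-Z0-9_]+/) {
            s = substr($0, RSTART, RLENGTH)
            split(s, parts, "\"")        # parts[2] is the connection name
            n = split(s, w, ": ")        # w[n] is the STATE_* token
            last[parts[2]] = w[n]
        }
        END { for (c in last) print c, last[c] }
    ' | sort
}

# stalled_conns: connection names whose last recorded state is STATE_MAIN_I1,
# i.e. this side initiated and never saw a reply.
stalled_conns() {
    last_states | awk '$2 == "STATE_MAIN_I1" { print $1 }'
}

# Usage on a server (prints connection names that never got past MAIN_I1):
#   grep -h ipsec__plutorun /var/log/syslog /var/log/auth.log | stalled_conns
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | last_states
printf '%s\n' "$SAMPLE_LOG" | stalled_conns
```

A connection reported by stalled_conns is worth checking from the outside in: confirm with the security group that the peer's EIP is allowed on udp 500 and 4500, confirm right= is the peer's EIP and not its private address, and compare against ipsec auto --status on the peer to see whether it ever logged a responder state for the same connection.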
