@vpack
Last active July 2, 2016 11:18
VPN cross-region

OpenSwan

Commands:

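# Turn on forwarding for the running kernel now; the /etc/sysctl.conf entry
# below makes it survive a reboot. The VPN host routes the other VPC's subnet,
# so without this the kernel silently drops the traffic it is supposed to carry.
sudo sysctl -w net.ipv4.ip_forward=1
# NB: these notes mix apt-get (Debian/Ubuntu) with chkconfig / "service network"
# (RHEL-style, and the AWS Linux image used further down); run whichever fits
# the host. The original flags were written with a typographic dash (`–y`,
# `–add`, `–up`) that neither apt-get nor `ipsec auto` accepts.
sudo apt-get install -y openswan

# find local ip (the private interface address; the peer sees the EIP, which
# is what goes into leftid in the conn definitions below)
sudo ip addr show

# /etc/ipsec.secrets holds the pre-shared key in clear text — keep it root-only.
sudo chmod 600 /etc/ipsec.secrets

sudo chkconfig ipsec on
# Add the following to /etc/sysctl.conf (sudo vi /etc/sysctl.conf):
#   net.ipv4.ip_forward = 1
#   net.ipv4.conf.all.accept_redirects = 0
#   net.ipv4.conf.all.send_redirects = 0
# Redirects are disabled because a host that forwards traffic should neither
# learn routes from ICMP redirects nor advertise them; `ipsec verify` typically
# flags these sysctls when they are left enabled. Reload so the values apply
# without a reboot:
sudo sysctl -p

sudo service network restart
sudo service ipsec stop
sudo service ipsec start
sudo ipsec auto --add vpc2vpcConnection
sudo ipsec auto --up vpc2vpcConnection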

Verify:

# Host-level sanity check: `ipsec verify` reports kernel/NAT-T support, IP
# forwarding and the redirect sysctls; the service status shows whether pluto
# (the IKE daemon) is actually running before you start chasing the peer.
sudo ipsec verify
sudo service ipsec status

Reference:

Worked with AWS support and got this config working. Two things to note about the listings below: (1) the ipsec.secrets lines contain the actual pre-shared key for the dev-ops/ops-dev tunnel, published in this gist — treat that key as compromised, rotate it on both gateways, and keep /etc/ipsec.secrets root-only (0600); (2) neither conn pins `ike=` / `phase2alg=`, so these two hosts negotiate whatever Openswan's defaults allow — pin the suites explicitly, as the dev-eastb config at the bottom of the page does.

Using AWS Linux Image

yum install -y openswan chkconfig ipsec

[root@ip-10-202-24-214 etc]# grep ^ ipsec.conf ipsec.secrets ipsec.d/dev-ops.conf
ipsec.conf:version 2.0
ipsec.conf:
ipsec.conf:config setup
ipsec.conf:        nat_traversal=yes
ipsec.conf:     virtual_private=%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:10.130.0.0/16
ipsec.conf:        protostack=netkey
ipsec.conf:     plutostderrlog=/var/log/pluto.log
ipsec.conf:include /etc/ipsec.d/*.conf
ipsec.secrets:#include /etc/ipsec.d/*.secrets
ipsec.secrets:
ipsec.secrets:#50.17.7.115 0.0.0.0: PSK "RilX5WsnUQKuGTvViecPg7+TrK9yPT+i1tpMQiaF"
ipsec.secrets:52.222.28.100 50.17.7.115: PSK "RilX5WsnUQKuGTvViecPg7+TrK9yPT+i1tpMQiaF"
ipsec.d/dev-ops.conf:conn dev-ops
ipsec.d/dev-ops.conf:        authby=secret
ipsec.d/dev-ops.conf:        forceencaps=yes
ipsec.d/dev-ops.conf:        auto=start
ipsec.d/dev-ops.conf:        type=tunnel
ipsec.d/dev-ops.conf:
ipsec.d/dev-ops.conf:        left=%defaultroute
ipsec.d/dev-ops.conf:   leftnexthop=%defaultroute
ipsec.d/dev-ops.conf:        leftid=52.222.28.100
ipsec.d/dev-ops.conf:        leftsubnet=10.202.0.0/16
ipsec.d/dev-ops.conf:
ipsec.d/dev-ops.conf:        right=50.17.7.115
ipsec.d/dev-ops.conf:        rightid=50.17.7.115
ipsec.d/dev-ops.conf:        rightsubnet=10.130.0.0/16
ipsec.d/dev-ops.conf:

Other VPN Server (the 10.130.0.0/16 side) — a mirror image of the config above: left/leftid and right/rightid, the two subnets and the order of the IDs in ipsec.secrets are swapped, and the same PSK is used at both ends. As on the first host, left is the private interface (%defaultroute) while leftid is the public EIP the peer sees after NAT; nat_traversal=yes plus forceencaps=yes means the ESP traffic is carried in UDP/4500 rather than as raw IP protocol 50.

[root@ip-10-130-54-30 etc]# grep ^ ipsec.conf ipsec.secrets ipsec.d/ops-dev.conf
ipsec.conf:version 2.0
ipsec.conf:
ipsec.conf:config setup
ipsec.conf:        nat_traversal=yes
ipsec.conf:        virtual_private=%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:10.202.24.0/21
ipsec.conf:        protostack=netkey
ipsec.conf:     plutostderrlog=/var/log/pluto.log
ipsec.conf:include /etc/ipsec.d/*.conf
ipsec.conf:
ipsec.secrets:include /etc/ipsec.d/*.secrets
ipsec.secrets:
ipsec.secrets:#52.222.28.100 0.0.0.0: PSK "RilX5WsnUQKuGTvViecPg7+TrK9yPT+i1tpMQiaF"
ipsec.secrets:50.17.7.115 52.222.28.100: PSK "RilX5WsnUQKuGTvViecPg7+TrK9yPT+i1tpMQiaF"
ipsec.d/ops-dev.conf:conn ops-dev
ipsec.d/ops-dev.conf:        authby=secret
ipsec.d/ops-dev.conf:        forceencaps=yes
ipsec.d/ops-dev.conf:        auto=start
ipsec.d/ops-dev.conf:        type=tunnel
ipsec.d/ops-dev.conf:
ipsec.d/ops-dev.conf:        left=%defaultroute
ipsec.d/ops-dev.conf:   leftnexthop=%defaultroute
ipsec.d/ops-dev.conf:        leftid=50.17.7.115
ipsec.d/ops-dev.conf:#        leftsourceip=10.130.54.30
ipsec.d/ops-dev.conf:        leftsubnet=10.130.0.0/16
ipsec.d/ops-dev.conf:
ipsec.d/ops-dev.conf:        right=52.222.28.100
ipsec.d/ops-dev.conf:        rightid=52.222.28.100
ipsec.d/ops-dev.conf:#        rightsourceip=10.202.24.214
ipsec.d/ops-dev.conf:        rightsubnet=10.202.0.0/16
ipsec.d/ops-dev.conf:
[root@ip-10-130-54-30 etc]#

Both servers:

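# Edit /etc/sysctl.conf on both VPN hosts and add:
#   net.ipv4.ip_forward=1
#   net.ipv4.conf.all.accept_redirects = 0
#   net.ipv4.conf.all.send_redirects = 0
# Forwarding is required because each host routes the other VPC's subnet;
# redirects are disabled so a forwarding host neither honours nor emits ICMP
# redirects. NOTE(review): `ipsec verify` also looks at the per-interface
# entries (net.ipv4.conf.default.* / conf.<ifname>.*) — set those too if it
# still complains after this.
vi /etc/sysctl.conf

# Apply: `sysctl -p` reloads /etc/sysctl.conf and echoes each value it sets
# (the original labelled this "Verify" — it applies the settings as well as
# showing them).
sysctl -p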

Troubleshooting tips:

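# Is the plaintext traffic from the local subnet actually reaching this gateway?
tcpdump -nni any icmp
# Raw ESP (IP protocol 50). NB: the dev-ops/ops-dev conns set forceencaps=yes,
# and an EC2 host behind an EIP is NATed so NAT-T encapsulation is likely for
# dev-eastb as well — ESP then travels inside UDP/4500 and this filter shows
# nothing. Capture IKE and NAT-T instead:
tcpdump -nni any 'udp port 500 or udp port 4500'
tcpdump -i any ip proto 50
# Everything to/from the peer (substitute the peer's public IP).
tcpdump -i any host 52.49.33.4
# Kernel routes, and the SAs the kernel actually has installed.
route -n
ip xfrm state
service ipsec restart
# Openswan's `ipsec auto` long options take two dashes (`-add` is not accepted).
ipsec auto --add dev-eastb
ipsec auto --status
ipsec whack --listen
ipsec whack --name dev-eastb --initiate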

Worked with AWS support and got this config working

Setup:

  1. A1 - Create new EIP
  2. A1 - Create new EC2 with that EIP
    • Using AWS Linux Image
  3. A2 - Create the VPN connection on the A2 side, using the EIP from A1 (the other account) as the customer gateway address
    • Use static routing
    • Add static routes for the A1 CIDR / enable route propagation into A2's route tables
  4. A1: Installation / Configuration
    • yum install -y openswan
  5. A1: Configure route tables to send traffic for the A2 CIDR via the VPN instance's ENI (vpn-ec2-eni). The instance must also have source/destination checking disabled — EC2 will not deliver forwarded packets whose addresses are not the instance's own while the check is on — and its security group must admit the peer's IKE/NAT-T traffic (UDP 500 and 4500, plus ESP / IP protocol 50 if the tunnel is not UDP-encapsulated).

OpenSwan Config:

$ cat dev-east.conf dev-east.secrets
# dev-east.conf — Openswan conn for the A1 <-> A2 tunnel. The `cat` above prints
# dev-east.conf followed by dev-east.secrets; the last two lines are the secrets file.
conn dev-eastb
    type=tunnel
    # PSK authentication: the key lives in dev-east.secrets (below), selected by the pair of public IPs.
    authby=secret
    left=%defaultroute
    # left is the private interface; leftid is presumably the EIP the peer sees after 1:1 NAT.
    leftid=52.222.32.1
    leftnexthop=%defaultroute
    leftsubnet=10.202.24.0/21
    right=52.2.132.255
    rightsubnet=10.120.0.0/16
    # Phase 1: AES-128 / SHA-1 / DH group 2 (1024-bit MODP). The trailing "!" makes
    # Openswan propose only this suite instead of adding its defaults.
    # NOTE(review): modp1024 and SHA-1 are the weakest options still in common use;
    # if the peer offers modp2048 (group 14) and a SHA-2 integrity algorithm, prefer those.
    ike=aes128-sha1;modp1024!
    ikelifetime=28800s
    phase2=esp
    # Phase 2 (ESP) suite; with pfs=yes the same group 2 is used for the PFS exchange.
    phase2alg=aes128-sha1;modp1024
    salifetime=3600s
    pfs=yes
    # Bring the tunnel up at ipsec start and keep retrying/rekeying rather than giving up.
    auto=start
    rekey=yes
    keyingtries=%forever
    # Dead peer detection every 10 s; after 60 s without a reply the connection(s)
    # to that peer are restarted.
    dpddelay=10
    dpdtimeout=60
    dpdaction=restart_by_peer
# dev-east.secrets — "<local id> <peer id> : PSK" entries (values partially redacted here).
# Keep this file root-only (0600): the PSK is the only thing authenticating the peer.
52.222.32.1 52.2.132.255 : PSK "XXXXXXXXXXXXX.K9SJDDlvtXOdYYA"
52.222.32.1 52.22.104.234: PSK "XXXXXXXXXXXXX.YYYYYYYYYYYYYYY"