I'm trying to set up an IPSec VPN connection between our corporate network and Amazon's Virtual Private Cloud, using their VPN system and a Linux server. Unfortunately, the only guide I've found discusses how to set up the tunnel using a host Linux machine and get that Linux machine to access VPC instances, but there's no discussion I can find online on how to get the instance to access the corporate network (or the rest of the internet via that network).
Network information

Local subnet: 10.3.0.0/25
Remote subnet: 10.4.0.0/16

Tunnel 1:
Outside IP addresses:
- Customer Gateway: 199.167.xxx.xxx
- VPN Gateway: 205.251.233.121
Inside IP addresses:
- Customer Gateway: 169.254.249.2/30
- VPN Gateway: 169.254.249.1/30

Tunnel 2:
Outside IP addresses:
- Customer Gateway: 199.167.xxx.xxx
- VPN Gateway: 205.251.233.122
Inside IP addresses:
- Customer Gateway: 169.254.249.6/30
- VPN Gateway: 169.254.249.5/30
Here is my /etc/ipsec-tools.conf:
flush;
spdflush;

spdadd 169.254.249.2/30 169.254.249.1/30 any -P out ipsec
    esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
spdadd 169.254.249.1/30 169.254.249.2/30 any -P in ipsec
    esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;

spdadd 169.254.249.6/30 169.254.249.5/30 any -P out ipsec
    esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;
spdadd 169.254.249.5/30 169.254.249.6/30 any -P in ipsec
    esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;

spdadd 169.254.249.2/30 10.4.0.0/16 any -P out ipsec
    esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
spdadd 10.4.0.0/16 169.254.249.2/30 any -P in ipsec
    esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;

spdadd 169.254.249.6/30 10.4.0.0/16 any -P out ipsec
    esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;
spdadd 10.4.0.0/16 169.254.249.6/30 any -P in ipsec
    esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;
Here's my /etc/racoon/racoon.conf:
remote 205.251.233.122 {
    exchange_mode main;
    lifetime time 28800 seconds;
    proposal {
        encryption_algorithm aes128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
    generate_policy off;
}

remote 205.251.233.121 {
    exchange_mode main;
    lifetime time 28800 seconds;
    proposal {
        encryption_algorithm aes128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
    generate_policy off;
}

sainfo address 169.254.249.2/30 any address 169.254.249.1/30 any {
    pfs_group 2;
    lifetime time 3600 seconds;
    encryption_algorithm aes128;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 169.254.249.6/30 any address 169.254.249.5/30 any {
    pfs_group 2;
    lifetime time 3600 seconds;
    encryption_algorithm aes128;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
BGP is working fine, so I'm not going to post those configs.
Here's what works:
- From the Linux box, I can ping the local endpoints (169.254.249.2/169.254.249.6) and their remote equivalents (169.254.249.1/169.254.249.5).
- I can also ping the instances in VPC, SSH to them, etc.
- From the remote instances in VPC, I can ping the local and remote endpoints as well.
- I cannot ping the local servers on the 10.3.0.0/25 subnet.
I assume I'm missing something simple, but I've tried adding entries to ipsec-tools.conf to mirror the {local endpoint}<->{remote subnet}, using {local subnet}<->{remote endpoint}, but it didn't seem to work.
When I ping from {remote instance} to {local server}, the pings time out. The packets are visible on the eth0 interface (even though the local network is on eth1).
Google has been little help; it shows only people trying to use OpenSwan, or having similar issues but with hardware routers, or using older tools.
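As an added check (editor's example, not code from the question, the answers or the ipsec-tools project), the following parses setkey spdadd policies and reports which flows they actually select; it embeds a constructed copy of the question's tunnel-1 policies, keeps the page's "199.167.xxx.xxx" as a placeholder, and assumes (the editor's reading of the symptom) that what the SPD lacks is an out/in pair whose selectors are the two LAN subnets themselves, which subnet_pair() renders.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed copy of the question's tunnel-1 policies (tunnel 2 is analogous).
QUESTION_SPD = """
spdadd 169.254.249.2/30 169.254.249.1/30 any -P out ipsec
esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
spdadd 169.254.249.1/30 169.254.249.2/30 any -P in ipsec
esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 169.254.249.2/30 10.4.0.0/16 any -P out ipsec
esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
spdadd 10.4.0.0/16 169.254.249.2/30 any -P in ipsec
esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
"""

SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([\w.]+)-([\w.]+)/(\w+)\s*;")

class Policy(NamedTuple):
    src: ipaddress.IPv4Network  # selector: inner packet source
    dst: ipaddress.IPv4Network  # selector: inner packet destination
    direction: str              # "in" or "out"
    tun_src: str                # outer (tunnel) source address
    tun_dst: str                # outer (tunnel) destination address
    level: str                  # "require" or "use"

def parse_spd(text):
    # strict=False: setkey masks host bits in selectors such as 169.254.249.2/30
    return [Policy(ipaddress.ip_network(s, strict=False),
                   ipaddress.ip_network(d, strict=False), dr, ts, td, lv)
            for s, d, dr, ts, td, lv in SPD_RE.findall(text)]

def covering(policies, src_ip, dst_ip, direction):
    """Policies whose selectors match a packet src->dst in that direction."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [p for p in policies
            if p.direction == direction and src in p.src and dst in p.dst]

def missing_mirrors(policies):
    """'out' policies lacking an 'in' twin with selectors and tunnel ends swapped."""
    seen = {(p.src, p.dst, p.direction, p.tun_src, p.tun_dst) for p in policies}
    return [p for p in policies if p.direction == "out"
            and (p.dst, p.src, "in", p.tun_dst, p.tun_src) not in seen]

def subnet_pair(local, remote, cg_outside, vgw_outside, level="require"):
    """Assumed fix: an out/in pair whose selectors are the LAN subnets themselves."""
    return (f"spdadd {local} {remote} any -P out ipsec "
            f"esp/tunnel/{cg_outside}-{vgw_outside}/{level};\n"
            f"spdadd {remote} {local} any -P in ipsec "
            f"esp/tunnel/{vgw_outside}-{cg_outside}/{level};\n")
```

Run against the question's policies, covering() finds no selector for a 10.4.0.0/16 to 10.3.0.0/25 packet in either direction, which is exactly the flow that times out. The level field is also where "require" versus "use" lives: with "use", a packet for which no SA is available is passed in the clear rather than dropped, so "require" is the safer choice on a site-to-site link.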
Well, I cheated :) I installed Astaro gateway which is officially supported by Amazon and then used that to model my own. You can just SSH into the Astaro unit and see how they set everything up. Of course, you could stick with the Astaro unit if you feel like paying for it.
Figured it out. Had to change my ipsec-tools.conf to this:
And change my racoon.conf to this:
However, this configuration as I understand it will only route traffic between 10.3.0.0/25 and 10.4.0.0/16 over the first tunnel (via x.x.x.121). I'll update the answer when I figure that out.
Do you know the reason for using "require" instead of "use" in the setkey configuration? Do you also know whether it matters in what order I place the statements within the remote and sainfo sections, and whether mistakenly duplicating certain statements matters? For example:
vs
Did you also figure out how to get traffic to flow on both tunnels?
Thank you for any guidance.