Friday 26 February 2016

Connecting two AWS VPC Regions together with LibreSwan (OpenSWAN) on Debian

In this scenario we have two VPCs, each in a separate AWS region, which we want to be able to communicate with each other directly.

Unfortunately VPC peering currently only works between VPCs within the same region.

Firstly, load the af_key kernel module and make sure it is loaded at boot:

sudo modprobe af_key

sudo nano /etc/modules

and add:

af_key

We should also ensure that ICMP redirects are neither sent nor accepted, by setting both

 /proc/sys/net/ipv4/conf/*/accept_redirects

and

/proc/sys/net/ipv4/conf/*/send_redirects

to '0'.

To achieve this we will be using LibreSwan (a fork of OpenSwan). On our first VPC (in Ireland) and our second VPC (in Singapore) we shall deploy a new Debian VM with the following security group settings:

Allow UDP 4500 (IPSec/UDP) from 0.0.0.0/0
Allow UDP 500 (IKE protocol) from 0.0.0.0/0
Allow TCP 22 (SSH protocol) from 0.0.0.0/0

and enable some prerequisites (IP forwarding etc.), as the VM will be acting as a router in this scenario:

sudo sysctl -w net.ipv4.ip_forward=1

sudo apt-get update
sudo apt-get install build-essential libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev xmlto libevent-dev libnss3-tools

Unfortunately the latest Debian stable (jessie) does not currently have LibreSwan packaged, so we will need to compile it manually:

cd /tmp
wget https://download.libreswan.org/libreswan-3.16.tar.gz
tar zxvf libre*
cd libre*

make programs
make install

We should copy the init script to our init folder:

cp /lib/systemd/system/ipsec.service /etc/init.d/
chmod 0755 /etc/init.d/ipsec.service

systemctl enable ipsec.service

Ensure /etc/ipsec.conf has an include statement for /etc/ipsec.d/* (it should be at the bottom), also uncomment 'version 2', and finally add / amend the following statements in the 'config setup' section:

    protostack=netkey
    interfaces=%defaultroute
    nat_traversal=yes
    force_keepalive=yes
    keep_alive=60
    oe=no
    nhelpers=0

We can now create a configuration for our site to site VPN on VPC1:

sudo vi /etc/ipsec.d/s2s.conf

conn sg-to-ire
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=6.6.6.6
    leftnexthop=%defaultroute
    leftsubnet=10.10.10.0/24
    right=7.7.7.7
    rightsubnet=172.16.0.0/24
    pfs=yes
    auto=start

* Where EIP = Elastic IP.

Create our secrets file:

sudo vi /etc/ipsec.d/sg-to-ire.secrets

and enter:

<SGIP> <IREIP>: PSK "mysecretkey"

and then on VPC2 we do:

sudo vi /etc/ipsec.d/s2s.conf

conn ire-to-sg
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=7.7.7.7
    leftnexthop=%defaultroute
    leftsubnet=172.16.0.0/24
    right=6.6.6.6
    rightsubnet=10.10.10.0/24
    pfs=yes
    auto=start

* Where EIP = Elastic IP.

Create our secrets file:

sudo vi /etc/ipsec.d/ire-to-sg.secrets

and enter:

<IREIP> <SGIP>: PSK "mysecretkey"
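The two conn sections above are mirror images of each other, and the indentation of their parameter lines matters because ipsec.conf treats unindented lines as new sections. As an added example (not code from the original post), the following Python script renders both gateways' conn sections and secrets entries from one description of the pair, indents the parameters, checks that the left/right values are swapped correctly between the two sides, and generates a random PSK in place of "mysecretkey"; the Gateway type, the function names and the "<name>-to-<name>" conn naming are my own assumptions.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Gateway:
    name: str    # short label used in the conn name, e.g. "ire"
    eip: str     # Elastic IP the peer sees: leftid here, right on the peer
    subnet: str  # VPC CIDR routed through the tunnel

def conn_block(local: Gateway, remote: Gateway) -> str:
    """ipsec.conf 'conn' section as seen from `local`. Every parameter line
    is indented: ipsec.conf requires leading whitespace inside a section."""
    params = [
        "type=tunnel", "authby=secret",
        "left=%defaultroute",            # private ENI address behind the EIP
        f"leftid={local.eip}",           # the address the peer sees after 1:1 NAT
        "leftnexthop=%defaultroute",
        f"leftsubnet={local.subnet}",
        f"right={remote.eip}", f"rightsubnet={remote.subnet}",
        "pfs=yes", "auto=start",
    ]
    return f"conn {local.name}-to-{remote.name}\n" + "".join(f"    {p}\n" for p in params)

def secrets_line(local: Gateway, remote: Gateway, psk: str) -> str:
    """ipsec.secrets entry: both peer IDs, then the shared PSK."""
    return f'{local.eip} {remote.eip}: PSK "{psk}"\n'

def new_psk(nbytes: int = 32) -> str:
    """Random hex PSK (64 chars) instead of a guessable string like "mysecretkey"."""
    return secrets.token_hex(nbytes)

def parse_params(block: str) -> dict:
    """Read the key=value lines of a conn block back into a dict."""
    return dict(line.strip().split("=", 1) for line in block.splitlines()[1:])

def mirrored(block_a: str, block_b: str) -> bool:
    """left* on one gateway must equal right* on the other, and vice versa."""
    a, b = parse_params(block_a), parse_params(block_b)
    return (a["leftid"] == b["right"] and b["leftid"] == a["right"]
            and a["leftsubnet"] == b["rightsubnet"] and b["leftsubnet"] == a["rightsubnet"])

# Constructed gateway values taken from the post (Ireland and Singapore).
IRE = Gateway("ire", "6.6.6.6", "10.10.10.0/24")
SG = Gateway("sg", "7.7.7.7", "172.16.0.0/24")

if __name__ == "__main__":
    psk = new_psk()  # generate once, then copy to both hosts out of band
    for local, remote in ((IRE, SG), (SG, IRE)):
        print(f"# {local.name}: /etc/ipsec.d/s2s.conf\n{conn_block(local, remote)}")
        print(f"# {local.name}: /etc/ipsec.d/s2s.secrets\n{secrets_line(local, remote, psk)}")
```

Running it prints one conf and one secrets fragment per gateway; the same generated PSK must land in both secrets files, and the secrets file should be readable by root only.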

Now, to create the tunnel, run the following on both hosts:

sudo service ipsec restart

We can verify VPN connectivity with:

tcpdump -n -i eth0 esp or udp port 500 or udp port 4500

We should also run the following command on both hosts to ensure IPsec will function correctly on them:

sudo ipsec verify

I had some problems starting ipsec:

/usr/local/sbin/ipsec start

After reviewing 'journalctl -xn' I noticed the following error:

Failed to initialize nss database sql:/etc/ipsec.d

So I proceeded to test nss:

/usr/local/sbin/ipsec checknss

And noticed the following error:

/usr/local/sbin/ipsec: certutil: not found

So we can install certutil with:

sudo apt-get install libnss3-tools

And then re-check IPSec with:

sudo ipsec verify

and finally, if all is OK, start the service:

sudo service ipsec restart
