Unfortunately, VPC peering currently only works between VPCs within the same region.
Firstly, enable the af_key module in the kernel:
sudo modprobe af_key
sudo nano /etc/modules
and add:
af_key
We should also ensure that ICMP redirects are neither sent nor accepted, by setting both:
/proc/sys/net/ipv4/conf/*/accept_redirects
and
/proc/sys/net/ipv4/conf/*/send_redirects
to '0'.
To achieve this we will be using Libreswan (a fork of Openswan). On our first VPC (in Ireland) and our second VPC (in Singapore) we shall deploy a new Debian VM with the following security group settings:
Allow UDP 4500 (IPSec/UDP) from 0.0.0.0/0
Allow UDP 500 (IKE protocol) from 0.0.0.0/0
Allow TCP 22 (SSH protocol) from 0.0.0.0/0
and enable some prerequisites (IP forwarding etc.), as the VM will be acting as a router in this scenario:
sudo sysctl -w net.ipv4.ip_forward=1
sudo apt-get update
sudo apt-get install build-essential libnss3-dev libnspr4-dev pkg-config libpam-dev libcap-ng-dev libcap-ng-utils libselinux-dev libcurl4-nss-dev libgmp3-dev flex bison gcc make libunbound-dev xmlto libevent-dev libnss3-tools
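The kernel settings above are applied by hand and do not survive a reboot. The script below is an added example (not from the original post): it prints a persistent sysctl drop-in for the same values and then checks the live values the way the post's wildcard path implies, i.e. every directory under /proc/sys/net/ipv4/conf/, plus the af_key entry in /etc/modules. The ROOT argument is an assumption for testing: pass "/" on a real gateway, or a constructed directory tree that mimics /proc/sys and /etc.

```shell
#!/bin/sh
# Added example, not the post's own code. ROOT is an assumption: "/" on a
# real host, or a fake tree for offline testing.

# Print a sysctl.d fragment that makes ip_forward=1 and the two redirect
# settings persistent across reboots (the post sets them interactively).
render_sysctl_conf() {
    cat <<'EOF'
# IPsec gateway acting as a router between the two VPCs
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
}

# check_sysctl ROOT PATH EXPECTED: read one /proc/sys file under ROOT and
# compare it with EXPECTED. Returns 1 (naming the file) on mismatch.
check_sysctl() {
    root=$1; path=$2; expected=$3
    actual=$(cat "$root$path" 2>/dev/null || echo "missing")
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: $path is '$actual', expected '$expected'"
        return 1
    fi
    return 0
}

# preflight ROOT: forwarding on, redirects off on every interface directory
# (the post's /proc/sys/net/ipv4/conf/* wildcard), af_key listed in
# /etc/modules. Returns the number of failed checks, so 0 means ready.
preflight() {
    root=${1:-/}
    root=${root%/}          # "/" becomes "", so "$root$path" stays absolute
    fails=0
    check_sysctl "$root" /proc/sys/net/ipv4/ip_forward 1 || fails=$((fails + 1))
    for dir in "$root"/proc/sys/net/ipv4/conf/*/; do
        [ -d "$dir" ] || continue
        rel=${dir#"$root"}  # path relative to ROOT, e.g. /proc/sys/.../eth0/
        check_sysctl "$root" "${rel}accept_redirects" 0 || fails=$((fails + 1))
        check_sysctl "$root" "${rel}send_redirects" 0 || fails=$((fails + 1))
    done
    if ! grep -qx 'af_key' "$root/etc/modules" 2>/dev/null; then
        echo "FAIL: af_key not listed in /etc/modules"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Stand-alone use: write the drop-in and report on the live system.
# render_sysctl_conf | sudo tee /etc/sysctl.d/90-ipsec-gateway.conf
# sudo sysctl --system
if preflight /; then echo "gateway kernel settings OK"; fi
```

Run it once after the sysctl and /etc/modules changes, and again after a reboot; a non-zero count means one of the post's prerequisites has been lost.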
Unfortunately the latest Debian stable (jessie) does not yet have Libreswan packaged, so we will need to compile it manually:
cd /tmp
wget https://download.libreswan.org/libreswan-3.16.tar.gz
tar zxvf libre*
cd libre*
make programs
make install
We should copy the init script to our init folder:
cp /lib/systemd/system/ipsec.service /etc/init.d/
chmod 0755 /etc/init.d/ipsec.service
systemctl enable ipsec.service
Ensure /etc/ipsec.conf has an include statement for /etc/ipsec.d/* (it should be at the bottom), also uncomment 'version 2', and finally add or amend the following statements in the 'config setup' section (parameter lines inside a section must be indented):
    protostack=netkey
    interfaces=%defaultroute
    nat_traversal=yes
    force_keepalive=yes
    keep_alive=60
    oe=no
    nhelpers=0
We can now create a configuration for our site to site VPN on VPC1:
sudo vi /etc/ipsec.d/s2s.conf
conn sg-to-ire
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=6.6.6.6
    leftnexthop=%defaultroute
    leftsubnet=10.10.10.0/24
    right=7.7.7.7
    rightsubnet=172.16.0.0/24
    pfs=yes
    auto=start
* Where EIP = Elastic IP; 6.6.6.6 and 7.7.7.7 above stand in for the EIP of each gateway VM.
Create our secrets file:
sudo vi /etc/ipsec.d/sg-to-ire.secrets
and enter:
<SGIP> <IREIP>: PSK "mysecretkey"
and then on VPC2 we do:
sudo vi /etc/ipsec.d/s2s.conf
conn ire-to-sg
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=7.7.7.7
    leftnexthop=%defaultroute
    leftsubnet=172.16.0.0/24
    right=6.6.6.6
    rightsubnet=10.10.10.0/24
    pfs=yes
    auto=start
* Where EIP = Elastic IP; 6.6.6.6 and 7.7.7.7 above stand in for the EIP of each gateway VM.
Create our secrets file:
sudo vi /etc/ipsec.d/ire-to-sg.secrets
and enter:
<IREIP> <SGIP>: PSK "mysecretkey"
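The two conn stanzas above (VPC1 and VPC2) are mirror images of each other, and the two secrets files must carry the same PSK; writing them by hand on two hosts is where left/right, subnets and keys drift apart. The script below is an added example (not the post's own code) that renders both ends from one set of parameters. It uses the post's placeholder EIPs (6.6.6.6 for Ireland, 7.7.7.7 for Singapore) and subnets; the PSK policy (at least 32 characters, never the post's sample "mysecretkey") and the staging directory layout are assumptions. The secrets file is created mode 0600 because libreswan reads it as root and nothing else needs it.

```shell
#!/bin/sh
# Added example, not the post's own code. EIPs and subnets are the post's
# placeholders; the PSK rule and output layout are assumptions.

# conn_stanza NAME LOCAL_EIP LOCAL_SUBNET REMOTE_EIP REMOTE_SUBNET
# Prints one gateway's conn section. Parameter lines inside an ipsec.conf
# section must be indented; an unindented line starts a new section.
conn_stanza() {
    printf 'conn %s\n' "$1"
    printf '\ttype=tunnel\n'
    printf '\tauthby=secret\n'
    printf '\tleft=%%defaultroute\n'
    printf '\tleftid=%s\n' "$2"
    printf '\tleftnexthop=%%defaultroute\n'
    printf '\tleftsubnet=%s\n' "$3"
    printf '\tright=%s\n' "$4"
    printf '\trightsubnet=%s\n' "$5"
    printf '\tpfs=yes\n'
    printf '\tauto=start\n'
}

# secrets_line LOCAL_EIP REMOTE_EIP PSK: the ipsec.secrets entry.
secrets_line() {
    printf '%s %s: PSK "%s"\n' "$1" "$2" "$3"
}

# psk_ok PSK: reject empty, placeholder, or short keys (assumed policy).
psk_ok() {
    psk=$1
    case $psk in
        ""|mysecretkey|CHANGEME) return 1 ;;
    esac
    [ "${#psk}" -ge 32 ]
}

# write_site DIR NAME LOCAL_EIP LOCAL_SUBNET REMOTE_EIP REMOTE_SUBNET PSK
# Writes DIR/NAME.conf and DIR/NAME.secrets; the secrets file is 0600.
write_site() {
    dir=$1; name=$2
    psk_ok "$7" || { echo "refusing weak PSK for $name" >&2; return 1; }
    mkdir -p "$dir"
    conn_stanza "$name" "$3" "$4" "$5" "$6" > "$dir/$name.conf"
    ( umask 077; secrets_line "$3" "$5" "$7" > "$dir/$name.secrets" )
    chmod 600 "$dir/$name.secrets"
}

# Constructed sample values: the post's placeholder EIPs and subnets.
IRE_EIP=6.6.6.6; IRE_NET=10.10.10.0/24
SG_EIP=7.7.7.7;  SG_NET=172.16.0.0/24

# render_both OUTDIR PSK: Ireland end under OUTDIR/ire, Singapore end under
# OUTDIR/sg, each to be copied into that host's /etc/ipsec.d/.
render_both() {
    out=$1; key=$2
    write_site "$out/ire" sg-to-ire "$IRE_EIP" "$IRE_NET" "$SG_EIP" "$SG_NET" "$key" &&
    write_site "$out/sg"  ire-to-sg "$SG_EIP"  "$SG_NET"  "$IRE_EIP" "$IRE_NET" "$key"
}

# Stand-alone use: a fresh 256-bit PSK as 64 hex characters.
PSK=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
OUT=$(mktemp -d)
if render_both "$OUT" "$PSK"; then echo "rendered both gateways into $OUT"; fi
```

Copy OUT/ire/* to the Ireland VM's /etc/ipsec.d/ and OUT/sg/* to the Singapore VM's, then restart ipsec on both as the post describes; because both files come from the same call, the subnets and PSK cannot disagree.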
Now, to bring up the tunnel, run on both hosts:
sudo service ipsec restart
We can verify VPN connectivity with:
tcpdump -n -i eth0 esp or udp port 500 or udp port 4500
We should also run the following command on both hosts to ensure IPSec will function correctly on them:
sudo ipsec verify
I had some problems starting ipsec:
/usr/local/sbin/ipsec start
After reviewing 'journalctl -xn' I noticed the following error:
Failed to initialize nss database sql:/etc/ipsec.d
So I proceeded to test nss:
/usr/local/sbin/ipsec checknss
And noticed the following error:
/usr/local/sbin/ipsec: certutil: not found
So we can install certutil with:
sudo apt-get install libnss3-tools
And then re-check IPSec with:
sudo ipsec verify
and finally, if all is OK, start the service:
sudo service ipsec restart
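The NSS failure above has two separate causes that show up the same way at "ipsec start": certutil missing, and no NSS database present in the ipsec.d directory. The script below is an added example (not from the post) that checks both before the first start, so the journal does not have to be read after the fact. The database file names (cert9.db, key4.db, pkcs11.txt are what the sql: format used in the error message consists of) are facts about NSS; the IPSEC_D override is an assumption for testing against a constructed directory.

```shell
#!/bin/sh
# Added example, not the post's own code. IPSEC_D is an assumption; the
# default is the post's /etc/ipsec.d.

# have_certutil: "ipsec checknss" shells out to certutil, which Debian ships
# in libnss3-tools (the package the post ends up installing).
have_certutil() {
    command -v certutil >/dev/null 2>&1
}

# nss_db_present DIR: an NSS database in sql: format is cert9.db, key4.db
# and pkcs11.txt. Names each missing file and returns 1 if any is absent.
nss_db_present() {
    dir=$1; missing=0
    for f in cert9.db key4.db pkcs11.txt; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing $dir/$f" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# nss_preflight DIR: print the remediation for each failing check and
# return the number of failed checks (0 means "ipsec start" can proceed).
nss_preflight() {
    dir=${1:-/etc/ipsec.d}; fails=0
    if ! have_certutil; then
        echo "certutil not found: sudo apt-get install libnss3-tools"
        fails=$((fails + 1))
    fi
    if ! nss_db_present "$dir"; then
        echo "no NSS database in $dir: run 'ipsec initnss' as root, then 'ipsec verify'"
        fails=$((fails + 1))
    fi
    return "$fails"
}

if nss_preflight "${IPSEC_D:-/etc/ipsec.d}"; then echo "NSS prerequisites OK"; fi
```

Run it as root (the database files are root-only); certutil has to be present before initnss can create the database, which is why the script reports it first.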