network-switch

In this tutorial we will setup a gateway to gateway IPSec VPN using OpenSwan.

The Scenario:

The scenario in this guide is specifically an Amazon Web Services (AWS) environment, where we will be establishing an IPsec VPN tunnel between a VPC in Dublin and a VPC in London, so that we can reach each side's internal ranges over the VPN tunnel.

In a non-AWS scenario, the same setup could connect two networks over the internet, for example office-to-datacenter connectivity between cities, such as a server network in Johannesburg and an office network in Cape Town.

The Environment:

  • VPC (Dublin):
    • NAT IP: 52.1.2.3
    • Private CIDR: 172.24.16.0/24

  • VPC (London):
    • NAT IP: 62.4.5.6
    • Private CIDR: 172.24.17.0/24

The Setup:

We will be using the CentOS Linux distribution for our setup, and the following will be installed on both NAT instances:

$ sudo yum install openswan -y

Edit the configuration:

$ sudo vi /etc/ipsec.conf

Make sure the include line at the bottom is uncommented, as this is where our custom configuration will be picked up from:

# OpenSwan IPsec Configuration
config setup
	protostack=netkey
	nat_traversal=yes
	virtual_private=
	oe=off
include /etc/ipsec.d/*.conf

Config: Dublin to London

Our first configuration will be on our Dublin instance:

$ sudo vi /etc/ipsec.d/dublin-to-london.conf

Note: left* always refers to the side you are logged on to, and right* to the remote peer.

conn dublin-to-london
	type=tunnel
	authby=secret
	left=%defaultroute
	leftid=52.1.2.3
	leftnexthop=%defaultroute
	leftsubnet=172.24.16.0/24
	right=62.4.5.6
	rightsubnet=172.24.17.0/24
	pfs=yes
	auto=start

Create the secrets file:

$ sudo vi /etc/ipsec.d/dublin-to-london.secrets

Supply the left public IP, the right public IP, the keyword PSK, and the shared secret (the same value on both sides); also check that /etc/ipsec.secrets includes /etc/ipsec.d/*.secrets, otherwise this file is never read:

52.1.2.3 62.4.5.6: PSK "MyBigSecretValue"

Config: London to Dublin

Our second configuration will be on our London instance:

$ sudo vi /etc/ipsec.d/vpc2-to-vpc1.conf

conn london-to-dublin
	type=tunnel
	authby=secret
	left=%defaultroute
	leftid=62.4.5.6
	leftnexthop=%defaultroute
	leftsubnet=172.24.17.0/24
	right=52.1.2.3
	rightsubnet=172.24.16.0/24
	pfs=yes
	auto=start

Create the secrets file:

$ sudo vi /etc/ipsec.d/london-to-dublin.secrets

Supply the left public IP, the right public IP, the keyword PSK, and the same shared secret as on the Dublin side:

62.4.5.6 52.1.2.3: PSK "MyBigSecretValue"
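Because the two conn files must be exact mirror images of each other (Dublin's leftid/leftsubnet are London's right/rightsubnet and vice versa), a single typo in one subnet leaves the tunnel negotiating for the wrong traffic selector. The script below is an added example, not part of the original tutorial: it renders both conn blocks and both secrets lines from one parameter set and then checks that the two sides mirror each other. The function names, the scratch directory and the placeholder PSK are this example's own assumptions.

```shell
#!/bin/sh
# Added example: render both mirrored conn blocks and secrets lines from one
# parameter set, then check that the London side mirrors the Dublin side.
# The function names and the scratch directory are this example's own.
DUBLIN_IP=52.1.2.3;  DUBLIN_NET=172.24.16.0/24
LONDON_IP=62.4.5.6;  LONDON_NET=172.24.17.0/24
PSK=${PSK:-MyBigSecretValue}   # placeholder: use a long random value in production

# gen_conn NAME LEFTID LEFTSUBNET RIGHT RIGHTSUBNET -> conn block on stdout
gen_conn() {
    printf 'conn %s\n\ttype=tunnel\n\tauthby=secret\n' "$1"
    printf '\tleft=%%defaultroute\n\tleftid=%s\n\tleftnexthop=%%defaultroute\n' "$2"
    printf '\tleftsubnet=%s\n\tright=%s\n\trightsubnet=%s\n' "$3" "$4" "$5"
    printf '\tpfs=yes\n\tauto=start\n'
}

# gen_secret LEFTID RIGHTID PSK -> the one-line ipsec.secrets entry
gen_secret() { printf '%s %s: PSK "%s"\n' "$1" "$2" "$3"; }

# conf_get FILE KEY -> value of KEY in a conn file (indented key=value lines)
conf_get() { sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1; }

# check_mirror A.conf B.conf -> 0 if each side's right/rightsubnet equals the
# other side's leftid/leftsubnet, 1 (with the first mismatch printed) otherwise
check_mirror() {
    for pair in leftid:right leftsubnet:rightsubnet; do
        l=${pair%%:*}; r=${pair#*:}
        [ "$(conf_get "$1" "$l")" = "$(conf_get "$2" "$r")" ] || { echo "mismatch: $1 $l vs $2 $r"; return 1; }
        [ "$(conf_get "$2" "$l")" = "$(conf_get "$1" "$r")" ] || { echo "mismatch: $2 $l vs $1 $r"; return 1; }
    done
    return 0
}

# Render into a scratch directory so this runs without root; copy each pair to
# /etc/ipsec.d/ on the matching instance once check_mirror passes.
OUT=${OUT:-$(mktemp -d)}
gen_conn dublin-to-london "$DUBLIN_IP" "$DUBLIN_NET" "$LONDON_IP" "$LONDON_NET" > "$OUT/dublin-to-london.conf"
gen_conn london-to-dublin "$LONDON_IP" "$LONDON_NET" "$DUBLIN_IP" "$DUBLIN_NET" > "$OUT/london-to-dublin.conf"
gen_secret "$DUBLIN_IP" "$LONDON_IP" "$PSK" > "$OUT/dublin-to-london.secrets"
gen_secret "$LONDON_IP" "$DUBLIN_IP" "$PSK" > "$OUT/london-to-dublin.secrets"
check_mirror "$OUT/dublin-to-london.conf" "$OUT/london-to-dublin.conf" && echo "configs mirror correctly in $OUT"
```

Run it with PSK set in the environment so the secret never lands in shell history; the generated files should match the two blocks shown above line for line.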

Start the Services:

On both NAT instances, perform the following:

$ sudo chkconfig ipsec on
$ sudo service ipsec restart

Set kernel parameters:

$ sudo vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Load the kernel parameters:

$ sudo sysctl -p

Restart your network configuration:

$ sudo service network restart

VPN Status Checks:

Verify the OpenSwan installation and kernel settings (ipsec verify also flags the redirect sysctls above if they were not applied):

$ sudo ipsec verify

Check the status of the OpenSwan Service and VPN Tunnels:

$ sudo service ipsec status

You should now be able to connect to the other private network over the established VPN tunnel. If the tunnel is up but traffic does not flow, check that the AWS security groups allow UDP 500, UDP 4500 and ESP between the two NAT IPs, that source/destination checking is disabled on both NAT instances, and that each VPC route table sends the remote CIDR to its NAT instance.