This post is a response to a comment on my previous blog post on Linux IPSec Setup asking for assistance, so here is what I can do to help.
This is a setup I helped a friend create: a VPN between a Linksys router with a static public IP and an Amazon cloud-based server. Amazon cloud servers do not have a static public IP assigned directly to them; at best they sit behind a one-to-one NAT, which makes this a bit trickier for anyone new to Openswan or IPsec on Linux.
Whatever the operating system, the openswan package needs to be properly installed on the server. Please refer to other blogs or Google for installing the ipsec service. See the references at this link:
The topology we will be working on is defined in the diagram below.
Now on to the configuration.
The ipsec.conf file contains the following:
config setup
    interfaces=%defaultroute
    # klipsdebug/plutodebug=all log everything the stacks do: useful while bringing the
    # tunnel up, far too noisy to leave on in normal operation
    klipsdebug=all
    plutodebug=all
    protostack=netkey
    # required here: the Amazon server sits behind one-to-one NAT
    nat_traversal=yes
conn Linksys
    type=tunnel
    # left is the Amazon server, addressed by its private (NATed) IP
    left=10.2.147.164
    leftnexthop=%defaultroute
    # written as a host address; the /26 network this address lies in is 10.2.147.128/26
    leftsubnet=10.2.147.164/26
    # right is the Linksys router's static public IP
    right=120.121.122.123
    rightnexthop=%defaultroute
    # the LAN behind the Linksys
    rightsubnet=192.168.4.0/24
    auth=esp
    keyexchange=ike
    # pre-shared key, looked up in ipsec.secrets
    authby=secret
    pfs=yes
    auto=start
And ipsec.secrets contains this (keep the file readable by root only):
10.2.147.164 120.121.122.123 : PSK "y0ur_S3cret_PSK_k3y"
Let's quickly move to the Linksys router and adjust it according to the following settings.
Move to the VPN tab after logging in to the Linksys router.
Save the settings and restart the VPN on both ends. Your VPN should be up and running by now. Ping from the 192.168.4.0/24 LAN to the Amazon IPsec server's private IP and it should reply.
Please always read the logs on both the router and the Linux server very carefully and work out what they are trying to tell you. Without the logs I probably would never have got this VPN working.
I hope this is of some help to someone. Have a great day.
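As an added example (not code from the original post), the following Python lints an ipsec.conf and ipsec.secrets like the ones above: it flags debug logging left on, a subnet written as a host address, a private (NATed) left address with no leftid, and a PSK whose index in ipsec.secrets does not match the endpoint IDs. The sample input is a constructed, trimmed copy of the post's configuration; the lint rules and the leftid suggestion are this example's own.

```python
import ipaddress
import re
# Constructed input: the post's ipsec.conf and ipsec.secrets, trimmed to the keys checked here.
IPSEC_CONF = """\
config setup
    klipsdebug=all
    plutodebug=all
conn Linksys
    left=10.2.147.164
    leftsubnet=10.2.147.164/26
    right=120.121.122.123
    authby=secret
"""
IPSEC_SECRETS = '10.2.147.164 120.121.122.123 : PSK "y0ur_S3cret_PSK_k3y"\n'
def parse_ipsec_conf(text):
    """{'config setup': {...}, 'conn Linksys': {...}}: an unindented line opens a section."""
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():
            current = sections.setdefault(line, {})
        elif "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def parse_psk_secrets(text):
    """{frozenset of index IDs: PSK} for lines like:  id id : PSK 'secret'"""
    pairs = re.findall(r'^\s*([^:#\n]*?)\s*:\s*PSK\s+"([^"]*)"', text, re.M)
    return {frozenset(ids.split()): psk for ids, psk in pairs}

def lint(conf_text, secrets_text):
    """Findings a defender would raise: debug logging, unaligned subnets, NATed identity, PSK index."""
    conf, secrets, out = parse_ipsec_conf(conf_text), parse_psk_secrets(secrets_text), []
    setup = conf.get("config setup", {})
    for key in ("klipsdebug", "plutodebug"):
        if setup.get(key, "none") not in ("", "none"):
            out.append(f"{key}={setup[key]}: verbose debug logging is on; set it to none once the tunnel is up")
    for name, c in [(n, s) for n, s in conf.items() if n.startswith("conn ")]:
        for side in ("left", "right"):
            cidr, ip = c.get(side + "subnet"), c.get(side, "")
            net = ipaddress.ip_network(cidr, strict=False) if cidr else None
            if net and str(net) != cidr:
                out.append(f"{name}: {side}subnet={cidr} is not a network address; use {net}")
            if ip and not ip.startswith("%") and ipaddress.ip_address(ip).is_private and not c.get(side + "id"):
                out.append(f"{name}: {side}={ip} is a private (NATed) address and {side}id is unset; set {side}id to the public address the peer sees")
        ids = frozenset(c.get(s + "id") or c.get(s, "?") for s in ("left", "right"))  # secrets are indexed by endpoint IDs
        if c.get("authby") == "secret" and ids not in secrets:
            out.append(f"{name}: no PSK in ipsec.secrets indexed by {' '.join(sorted(ids))}")
    return out
```

Run `lint(IPSEC_CONF, IPSEC_SECRETS)` against the post's values and it reports both debug settings, the host-address subnet and the missing leftid; once leftid is set, the index in ipsec.secrets has to be changed to match it.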
Very good..... I really need it....... Is it possible that we can also set up PPTP/L2TP for dial-up VPN on the same machine?
Thanks
infosec.pk
Of course that's possible as well, since pptpd can be executed and started independently. Both IPSec and L2TP will behave separately.
I suggest you get Vyatta installed on your Amazon instance rather than a plain Linux OS. It will give you lots of relevant things easily.
I enjoyed the tips you are providing on your website. Linksys Router Tech Support can make one’s help technical service. Thanks for the information……..
Linksys Router Support please visit the link.
Thankyou
Lacy Brown
Hi, the post is really nice very few of technology blogs having information about Linksys Router Support setup the post is so helpful for technical professionals.
Linksys Router Support please visit the link.
Thankyou
Lacy Brown
I am attempting something similar to this. I am using a Cisco, however. The problem is that the Cisco is trying to negotiate with, and looking for the key on, the default outbound of the cloud service. What I mean is that it says the peer is the default outbound, and not the IP address that I have assigned to use as the one-to-one.
It looks like this:
Peer: X.X.X.35 port 50356
but the peer I have set on the cisco config is this
X.X.X.126
Do you happen to have an idea of what this is? Is it the /etc/ipsec.d/CustomTunnel.conf configuration that is causing this?