Linux IPSec VPN-2: Amazon Cloud Sever & Linksys Router

This is a post in response to a comment made earlier on my previous blog post on Linux IPSec Setup asking for assistance. So here's what I could possibly do to help the needy.

This is a setup which I assisted one of my friend in creating a VPN between a Static IP Linksys Router and an Amazon cloud based server. Since we all know that Amazon cloud servers don't actually have a static public IP assigned to them instead they've a One-to-One NAT mechanism at the best so this becomes a bit trickier for anyone new to the OpenSWAN or IPSec in Linuxes.

Regardless of the Operating System the openswan package needs to be installed on the server properly. Please refer to other blogs or Google in order to install ipsec service. See this references in this link:

The topology we'll be working on is defined in the diagram below.

Now get to the configurations.

The ipsec.conf file contains these:

config setup
        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=all
        protostack=netkey
        nat_traversal=yes
conn Linksys
        type=tunnel
        left=10.2.147.164
        leftnexthop=%defaultroute
        leftsubnet=10.2.147.164/26
        right=120.121.122.123
        rightnexthop=%defaultroute
        rightsubnet=192.168.4.0/24
        auth=esp
        keyexchange=ike
        authby=secret
        pfs=yes
        auto=start

And ipsec.secrets contains this:

10.2.147.164 120.121.122.123 : PSK  "y0ur_S3cret_PSK_k3y"

Lets quickly get to the Linksys router and adjust the router according to the following settings.

Move to the VPN tab after logging in to the Linksys router.

Save the settings and restart vpn on both ends. Your VPN should start rocking by now. Ping from the 192.168.4.0/24 LAN to the Amazon IPSec Server's Private IP and it should be replying.

Please always read logs on both the router and the linux server very carefully and figure out what they are trying to communicate. Without any logs I probably would never had created this VPN.

I hope it be of some help to someone. Have a great day.

Linux IPSec VPN SETUP

Linux IPSec VPN SETUP(CentOS)

Once I was required to deploy a VoIP infrastructure where we were required to have a VPN connectivity between its two offices located at London and Berlin. One of the office had CISCO PIX and the other office had nothing but our VoIP server for VPN. So, I had to setup an IPsec tunnel between Linux and CISCO. Here is a how-to for public reading and for future references.

UPDATE: A new scenario for Amazon based Linux VPN Server is published on this link.

NETWORK DESIGN

VPN network overview

IPsec SETUP ON CENTOS

On our CentOS server we require to install openswan application. This application will do the job.

Install OpenSWAN:

[root@localhost ~]#yum upgrade
[root@localhost ~]#yum install openswan ipsec-tool
Use this command to start Openswan at boot time
[root@localhost ~]#chkconfig ipsec on

At this point if all commands are successfully executed we've openswan installed. Now we need to configure it accordingly.

Disable ICMP send/accept redirects
Note: Look at *, this is your NIC name i.e eth0 or eth1 on which we are going to terminate the VPN.

Disable /proc/sys/net/ipv4/conf/*/send_redirects
[root@localhost ~]#echo 0 >> "/proc/sys/net/ipv4/conf/*/send_redirects"

Disable /proc/sys/net/ipv4/conf/*/accept_redirects
[root@localhost ~]#echo 0 >> "/proc/sys/net/ipv4/conf/*/accept_redirects"

Enable IP Forwarding
[root@localhost ~]#nano /etc/sysctl.conf
Set:
net/ipv4/ip_forward = 1
[root@localhost ~]#sysctl -p

Verify ipsec/openswan

Check if IPSec package is happy with your settings. Mine are copied after VPN was established.

[root@localhost ~]# ipsec verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.21/K2.6.18-194.3.1.el5 (netkey)
Checking for IPsec support in kernel                        [OK]
NETKEY detected, testing for disabled ICMP send_redirects   [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets)           [OK]
Checking that pluto is running                              [OK]
Two or more interfaces found, checking IP forwarding        [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                   [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: localhost.localdomain  [MISSING]
Does the machine have at least one non-private address?     [FAILED]
Ignore Opportunistic Encryption DNS Checks Failures

IPsec CONFIGURATIONS

Now we need to configure our linux-vpn, for this we need to edit the ipsec.conf file.

[root@localhost ~]#nano /etc/ipsec.conf

Insert the following lines in that file accordingly.

config setup
        interfaces=%defaultroute
        klipsdebug=all                 #enable debugging
        plutodebug=all
        protostack=netkey

conn BER-LON-VoIP
        type=tunnel          #tunnel mode ipsec
        left= 213.YX.XY.213     #the IP address of your OpenSWAN endpoint
        leftnexthop=%defaultroute      #default gateway
        leftsubnet=10.100.100.0/24     # network behind your endpoint
        right=  123.XX.YY.123            # Your IP, or %any for a road-warrior setup
        rightnexthop=%defaultroute     #defaultroute for road warrior unknown
        rightsubnet=192.168.150.0/24   #network behind the CISCO
        auth=esp
        esp=3des-sha1           #esp: 3des, hmac: sha1
        keyexchange=ike         #use regular ike
        authby=secret           #pre-shared secret, you can also use rsa nounces
        pfs=no                  #use perfect forward secrecy
        auto=start     #don't initiate tunnel, but allow incoming


CONFIGURE  Pre Shared Key

Syntax of ipsec.secrets
<IP of VPN Server{left}> <IP of CISCO Router{right}> : PSK  "<PreShared Key>"

[root@localhost ~]#nano /etc/ipsec.secrets
213.YX.XY.213 123.XX.YY.123 : PSK "$#@$@%$$FDSF#$@#$@#"


Enabling MASQUERADE NAT on VPN Server(Optional)
This will take all the traffic from interface eth1 and send the traffic out from interface eth2. We required this so that all the traffic that is required to go through VPN uses this server as its gateway.

[root@localhost ~]#iptables --append FORWARD --in-interface eth1 -j ACCEPT
[root@localhost ~]#iptables --table nat --append POSTROUTING --out-interface eth2 -j MASQUERADE

USEFUL IPsec COMMANDS

Check Status of Tunnels :
[root@localhost ~]# ipsec auto –-status

This will show the status of all VPN connections defined in ipsec.conf as well as show the connected/up VPNs.See the end lines corresponding to BER-LON-VoIP


000 #2: "BER-LON-VoIP":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 26334s; newest IPSEC; eroute
owner; isakmp#1; idle; import:admin initiate
000 #2: "BER-LON-VoIP" esp.3b80b0ab@213.YX.XY.213
esp.140f56a9@10.100.100.6 tun.0@ 213.YX.XY.213 tun.0@10.100.100.6
ref=0 refhim=4294901761
000 #1: "BER-LON-VoIP":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 892s; newest ISAKMP; lastdpd=-1s(seq in:0
out:0); idle; import:admin initiate

NOTE: There are no state lines for the disconnected tunnels.

Start-up a tunnel:
[root@localhost ~]# ipsec auto –up <Connection Name>
This command will start an Ipsec tunnel defined by the name in ipsec.conf
[root@localhost ~]#  ipsec auto --up BER-LON-VoIP
117 "BER-LON-VoIP" #3: STATE_QUICK_I1: initiate
003 "BER-LON-VoIP" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1b5a4079
004 "BER-LON-VoIP" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f08318d <0x4265b938 xfrm=3DES_0-
HMAC_SHA1 NATOA=none NATD=none DPD=none}
last line (STATE QI2) is important for successful VPN establishment.


Shut-down a specific tunnel:
Similarly to disconnect a tunnel use the following.
[root@localhost ~]# ipsec auto –down <Connection Name>


Restart a specific tunnel
[root@localhost ~]# ipsec auto --down BER-LON-VoIP

[root@localhost ~]# ipsec auto --up BER-LON-VoIP

117 "BER-LON-VoIP" #3: STATE_QUICK_I1: initiate
003 " BER-LON -VoIP" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=1b5a4079
004 " BER-LON -VoIP" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f08318d <0x4265b938 xfrm=3DES_0-
HMAC_SHA1 NATOA=none NATD=none DPD=none}


Restart All Tunnels:
[root@localhost ~]# service ipsec restart

CISCO IPsec VPN SETUP

These commands were issued on the CISCO equipment to setup a tunnel.

#ip access-list extended VPN-LON-BER
#permit ip 192.168.150.0 0.0.0.255 10.100.100.0 0.0.0.255
#permit ip 192.168.170.0 0.0.0.255 10.100.100.0 0.0.0.255
#crypto isakmp key 6 $#@$@%$$FDSF#$@#$@# address  213.YX.XY.213 no-xauth
#crypto ipsec transform-set VPN-LON-BER-set esp-3des esp-md5-hmac
#crypto map lonbermap 13 ipsec-isakmp
#set peer 213.YX.XY.213
#set transform-set VPN- LON-BER -set
#match address VPN- LON-BER -set



REFERENCES
http://linux.die.net/man/8/ipsec_spi
http://www.daemon.be/maarten/openswanpix.html
http://www.wlug.org.nz/FreeSwanToCiscoPix
http://www.diverdown.cc/vpn/freeswanciscorouter.html
http://www.wlug.org.nz/FreeSwanToCiscoPix
http://howtoforums.net/viewtopic.php?t=92
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs