Riaan's SysAdmin Blog

My tips, howtos, gotchas, snippets and stuff. Use at your own risk!

LibreswanOCIOracle Bare Metal Cloud Services

OCI (OBMCS) and Libreswan

Recently I wanted to test the Oracle Cloud Infrastructure(OCI) CPE(Customer Premises Equipment) networking; using an IPsec VPN tunnel.  The online documentation covers quite a few popular vendors like Check Point, Cisco, Fortigate, Juniper, Palo Alto.  Since I did not have quick access to any off the shelf VPN services I used the popular open source software Libreswan.

In addition I wanted to make this work to an OCI tenancy and not just a public VPN server.  It may not necessarily apply to any real world use cases but I wanted to test it.

Link of OCI CPE/IPsec documentation:  https://docs.us-phoenix-1.oraclecloud.com/Content/Network/Tasks/configuringCPE.htm?Highlight=ipsec

Below are notes on getting the Libreswan config configured to match what the OCI tunnel requires.  Note that once the VPN link is established you may still need to work on security lists, route tables, routes, DRG's to pass traffic behind the VPN endpoints.

Endpoint A: OCI tenancy with using CPE/IPsec setup
Endpoint B: OCI tenancy using a Libreswan server in a public subnet.  Of course typically this will be a customer endpoint VPN server in their premises or colo's.  Also note that an instance on OCI with a public address is not a true public server but hiding behind a firewall, your instance has a non routable address in the Operating System but no public interface.  So the Libreswan is following a kind of NAT setup as you can see on right side being a 10. address.

Start off by setting up CPE(Public IP address), DRG and IPsec tunnel from the OCI console.  In this case the public IP address for the CPE will be the Libreswan Linux server endpoint B. The OCI IPsec tunnel will provide you three IP addresses and shared secrets.  We will just use one of the three for our test.

Install from standard repo: 

[root@vpn01 opc]# yum install openswan lsof

Set some required kernel settings and firewall rules: 

[root@vpn01 opc]# for s in /proc/sys/net/ipv4/conf/*; do echo 0 > $s/send_redirects; echo 0 > $s/accept_redirects; done
[root@vpn01 opc]# cat /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.ens3.rp_filter = 0
#IPSec
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0 
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.default.log_martians = 0

[root@vpn01 opc]# sysctl -p
[root@vpn01 opc]# firewall-cmd --zone=public --add-port=500/udp --permanent
success
[root@vpn01 opc]# firewall-cmd --zone=public --add-port=4500/tcp --permanent
success
[root@vpn01 opc]# firewall-cmd --zone=public --add-port=4500/udp --permanent
success
[root@vpn01 opc]# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 10.0.0.0/16
success

Test a reachable host on a private network behind endpoint B:

[root@vpn01 opc]# ping 10.0.5.7
PING 10.0.5.7 (10.0.5.7) 56(84) bytes of data.
64 bytes from 10.0.5.7: icmp_seq=1 ttl=64 time=0.164 ms

Per Oracle documentation IPsec tunnel requirements as follow:

ISAKMP Policy Options
ISAKMP Protocol version 1
Exchange type: Main mode
Authentication method: pre-shared-keys
Encryption: AES-128-cbc, AES-192-cbc, AES-256-cbc
Authentication algorithm: SHA-256, SHA-384
Diffie-Hellman group: group 1, group 2, group 5
IKE session key lifetime: 28800 seconds (8 hours)

IPSec Policy Options
IPSec protocol: ESP, tunnel-mode
Encryption: AES-128-cbc, AES-192-cbc, AES-256-cbc
Authentication algorithm: HMAC-SHA1-96
IPSec session key lifetime: 3600 seconds (1 hour)
Perfect Forward Secrecy (PFS): enabled, group 5

Setup a new conf and secrets file:

[root@vpn01 opc]# cat /etc/ipsec.d/U.conf
conn V-Testing
  authby=secret
  keyexchange=ike
  ike=aes_cbc256-sha1;modp1536
  ikelifetime=28800s
  #ike-frag=no
  ikev2=no
  #nat-ikev1-method=drafts
  phase2=esp
  phase2alg=aes_cbc256-sha1;modp1536
  pfs=yes
  salifetime=3600s
  sareftrack=no
  #dpdtimeout=10
  #dpddelay=3
  left=1.1.1.1
  leftid=1.1.1.1
  right=10.0.4.3
  rightid=2.2.2.2
  rightnexthop=2.2.2.2
  rightsourceip=10.0.4.3
  leftsubnet=10.60.0.0/16
  rightsubnet=10.0.0.0/16
  auto=start

[root@vpn01 opc]# cat /etc/ipsec.d/U.secrets
1.1.1.1 2.2.2.2 : PSK "place_your_shared_key_here"

[root@vpn01 opc]# systemctl start ipsec
[root@vpn01 opc]# systemctl enable ipsec
[root@vpn01 opc]# ipsec verify
Verifying installed system and configuration files
...

For reference some initial pluto.log entries used during debugging to get the options matched to OCI. Plus reference links:
https://libreswan.org/man/ipsec.conf.5.html
https://tools.ietf.org/html/rfc3526

initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#15 msgid:08137451 proposal=AES(12)_128-SHA1(2) pfsgroup=MODP1024}

000 "v6neighbor-hole-out":   policy: PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+PASS+NEVER_NEGOTIATE;

000 "V-Testing":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+ESN_NO;
000 "V-Testing":   conn_prio: 30,30; interface: ens3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "V-Testing":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;
000 "V-Testing":   dpd: action:hold; delay:3; timeout:10; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:drafts
000 "V-Testing":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "V-Testing":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP1024(2)
000 "V-Testing":   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)-MODP1024(2)
000 "V-Testing":   ESP algorithms wanted: AES(12)_256-SHA1(2); pfsgroup=MODP1024(2)
000 "V-Testing":   ESP algorithms loaded: AES(12)_256-SHA1(2)

000 Total IPsec connections: loaded 1, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)

For reference some pluto.log entries used during debugging:

[root@vpn01 opc]# tail -f /var/log/pluto.log 
Nov  4 18:41:17: | setup callback for interface lo:500 fd 19
Nov  4 18:41:17: | setup callback for interface ens3:4500 fd 18
Nov  4 18:41:17: | setup callback for interface ens3:500 fd 17
Nov  4 18:41:17: loading secrets from "/etc/ipsec.secrets"
Nov  4 18:41:17: loading secrets from "/etc/ipsec.d/U.secrets"
Nov  4 18:41:17: "V-Testing": route-client output: /usr/libexec/ipsec/_updown.netkey: doroute "ip route replace 10.60.0.0/16 via 2.2.2.2 dev ens3  src 10.0.4.3" failed (RTNETLINK answers: Network is unreachable)
Nov  4 18:41:17: "V-Testing" #1: initiating Main Mode
Nov  4 18:41:18: assign_holdpass() delete_bare_shunt() failed
Nov  4 18:41:18: initiate_ondemand_body() failed to install negotiation_shunt,
Nov  4 18:41:18: initiate on demand from 10.0.4.3:8 to 10.60.1.2:0 proto=1 because: acquire

Not sure if this route was necessary or not but showing for reference.  Pretty sure do not need this:

root@vpn01 opc]# route add -net 10.60.0.0/16 gw 10.0.4.1
[root@vpn01 opc]# ip route
default via 10.0.4.1 dev ens3 
10.0.4.0/24 dev ens3 proto kernel scope link src 10.0.4.3 
10.60.0.0/16 via 10.0.4.1 dev ens3 
169.254.0.0/16 dev ens3 proto static scope link 
169.254.0.0/16 dev ens3 scope link metric 1002 

Some ping tests for reference showing passing traffic:


[root@vpn01 opc]# ifconfig ens3
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000
        inet 10.0.4.3  netmask 255.255.255.0  broadcast 10.0.4.255

[root@vpn01 opc]# ping 10.60.1.2
PING 10.60.1.2 (10.60.1.2) 56(84) bytes of data.
64 bytes from 10.60.1.2: icmp_seq=1 ttl=64 time=0.460 ms

[root@gw01 opc]# ifconfig ens3
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000

[root@gw01 opc]# ping 10.0.4.3
PING 10.0.4.3 (10.0.4.3) 56(84) bytes of data.
64 bytes from 10.0.4.3: icmp_seq=1 ttl=64 time=0.424 ms

After tuning security lists, route tables, DRG's, routes etc some ping tests for reference showing passing traffic on private subnets behind endpoints:

[root@client01 opc]# ifconfig ens3
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000
        inet 10.0.5.12  netmask 255.255.255.0  broadcast 10.0.5.255

[root@client01 opc]# ping 10.60.1.2
PING 10.60.1.2 (10.60.1.2) 56(84) bytes of data.
64 bytes from 10.60.1.2: icmp_seq=1 ttl=63 time=0.566 ms

[root@gw01 opc]# ifconfig ens3
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000
        inet 10.60.1.2  netmask 255.255.255.0  broadcast 10.60.1.255

[root@gw01 opc]# ping 10.0.5.12
PING 10.0.5.12 (10.0.5.12) 56(84) bytes of data.
64 bytes from 10.0.5.12: icmp_seq=1 ttl=63 time=0.638 ms

admin

Bio Info for Riaan