AWS VPN to Libreswan
AWS VPN to Azure VM with Libreswan
NOTE: As of this article AWS Site to Site VPN gateway can generate an Openswan configuration but not Libreswan. This is a test to use Libreswan.
Using an Azure Virtual Machine on the left and AWS VPN gateway on the right but of course can also use Azure VPN service
For reference OCI to Libreswan from a while back
Setup right side in AWS Console
- Create Customer Gateway > azure-gw01 using Static Routing and specify Azure VM IP Address - Create Virtual Private Gateway az-vpg01 Amazon default ASN
- Attach VPG to VPC
For Site-to-Site VPN
- Create VPN Connection > iqonda-aws-azure pick VPG and CG Routing Static leave all defaults for now and no Static IP Prefixes for the moment
- Record Tunnel1 IP Address
Setup left side in Azure
Create a Centos VM in Azure
Virtual machines > Add
| test01 | CentOS-based 8.1 | Standard_B1ls 1 vcpu, 0.5 GiB memory ($3.80/month) | AzureUser
* I used a password for AzureUser and sort out SSH keys after logged in.
I used | Standard HDD | myVnet | mySubnet(10.0.0.0/24)
record public IP
Network add inbound rules for ipsec. I did an all traffic for the AWS endpoint IP address but you want to be more specific on ipsec ports.
# cat /etc/centos-release CentOS Linux release 8.1.1911 (Core) # yum install libreswan # echo "net.ipv4.ip_forward=1" > /usr/lib/sysctl.d/60-ipsec.conf # sysctl -p /usr/lib/sysctl.d/60-ipsec.conf net.ipv4.ip_forward = 1 # for s in /proc/sys/net/ipv4/conf/*; do echo 0 > $s/send_redirects; echo 0 > $s/accept_redirects; done # echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter # ipsec verify Verifying installed system and configuration files Version check and ipsec on-path [OK] Libreswan 3.29 (netkey) on 4.18.0-147.8.1.el8_1.x86_64 Checking for IPsec support in kernel [OK] NETKEY: Testing XFRM related proc values ICMP default/send_redirects [OK] ICMP default/accept_redirects [OK] XFRM larval drop [OK] Pluto ipsec.conf syntax [OK] Checking rp_filter [OK] Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for IKE/NAT-T on udp 4500 [OK] Pluto ipsec.secret syntax [OK] Checking 'ip' command [OK] Checking 'iptables' command [OK] Checking 'prelink' command does not interfere with FIPS [OK] Checking for obsolete ipsec.conf options [OK]
NOTE: skipping firewalld and rules. this instance did not have firewalld enabled and iptables -L is open.
Download openswan config in AWS console to see the PSK
I had issues bringing the tunnel up but after reboot it works
post tunnel UP
- add static route(s) to VPN
- check route table for subnet
- enable subnet association to route table
- enable route propagation
ping test both ways works...
[root@test01 ipsec.d]# cat aws-az-vpn.conf conn Tunnel1 authby=secret auto=start encapsulation=yes left=%defaultroute leftid=[Azure VM IP] right=[AWS VPN Tunnel 1 IP] type=tunnel phase2alg=aes128-sha1;modp1024 ike=aes128-sha1;modp1024 leftsubnet=10.0.1.0/16 rightsubnet=172.31.0.0/16 conn Tunnel2 authby=secret auto=add encapsulation=yes left=%defaultroute leftid=[Azure VM IP] right=[AWS VPN Tunnel 2 IP] type=tunnel phase2alg=aes128-sha1;modp1024 ike=aes128-sha1;modp1024 leftsubnet=10.0.1.0/16 rightsubnet=172.31.0.0/16 [root@test01 ipsec.d]# cat aws-az-vpn.secrets 18.104.22.168 22.214.171.124: PSK "Qgn...............mn" 126.96.36.199 188.8.131.52: PSK "cWu..................87"
Although Libreswan can't manage two tunnels to the same right side without something like Quagga at least I did a very quick and dirty switchover script. It works and very minimal pings missed.
[root@test01 ~]# cat switch-aws-tunnel.sh #!/bin/bash echo "Current Tunnel Status" ipsec status | grep routed active=$(ipsec status | grep erouted | cut -d \" -f2) inactive=$(ipsec status | grep unrouted | cut -d \" -f2) echo "Showing active and inactive in tunnels" echo "active: $active" echo "inactive: $inactive" echo "down tunnels...." ipsec auto --down $active ipsec auto --down $inactive echo "adding tunnels...." ipsec auto --add Tunnel1 ipsec auto --add Tunnel2 echo "up the tunnel that was inactive before...." ipsec auto --up $inactive echo "Current Tunnel Status" ipsec status | grep routed