{"id":1162,"date":"2017-11-05T13:05:11","date_gmt":"2017-11-05T19:05:11","guid":{"rendered":"http:\/\/blog.ls-al.com\/?p=1162"},"modified":"2017-11-05T13:08:44","modified_gmt":"2017-11-05T19:08:44","slug":"oci-obmcs-and-libreswan","status":"publish","type":"post","link":"https:\/\/blog.ls-al.com\/oci-obmcs-and-libreswan\/","title":{"rendered":"OCI (OBMCS) and Libreswan"},"content":{"rendered":"

Recently I wanted to test Oracle Cloud Infrastructure (OCI) CPE (Customer Premises Equipment) networking using an IPsec VPN tunnel.\u00a0 The online documentation covers quite a few popular vendors such as Check Point, Cisco, Fortigate, Juniper and Palo Alto.\u00a0 Since I did not have quick access to any off-the-shelf VPN services, I used the popular open source software Libreswan.<\/p>\n

In addition, I wanted to make this work to an OCI tenancy and not just a public VPN server.\u00a0 It may not necessarily apply to any real-world use cases, but I wanted to test it.<\/p>\n

Link to the OCI CPE\/IPsec documentation:\u00a0 https:\/\/docs.us-phoenix-1.oraclecloud.com\/Content\/Network\/Tasks\/configuringCPE.htm?Highlight=ipsec<\/p>\n

Below are notes on getting the Libreswan configuration to match what the OCI tunnel requires.\u00a0 Note that once the VPN link is established you may still need to work on security lists, route tables, routes and DRGs to pass traffic behind the VPN endpoints.<\/p>\n

Endpoint A: OCI tenancy using the CPE\/IPsec setup.
\nEndpoint B: OCI tenancy using a Libreswan server in a public subnet.\u00a0 Of course, typically this will be a customer endpoint VPN server on their premises or in a colo.\u00a0 Also note that an OCI instance with a public address is not a true public server; it sits behind a firewall, and the operating system sees only a non-routable address with no public interface.\u00a0 Libreswan is therefore running in a kind of NAT setup, which is why the right side in the configuration is a 10. address.<\/p>\n

Start off by setting up the CPE (public IP address), DRG\u00a0and IPsec tunnel from the OCI console.\u00a0 In this case the public IP address for the CPE will be the Libreswan Linux server, endpoint B. The OCI IPsec tunnel will provide you three IP addresses and shared secrets.\u00a0 We will just use one of the three for our test.<\/p>\n

Install from standard repo:\u00a0<\/strong><\/p>\n

\r\n[root@vpn01 opc]# yum install openswan lsof\r\n<\/pre>\n

Set some required kernel settings and firewall rules:\u00a0<\/strong><\/p>\n

\r\n[root@vpn01 opc]# for s in \/proc\/sys\/net\/ipv4\/conf\/*; do echo 0 &gt; $s\/send_redirects; echo 0 &gt; $s\/accept_redirects; done\r\n[root@vpn01 opc]# cat \/etc\/sysctl.conf\r\nnet.ipv4.ip_forward = 1\r\nnet.ipv4.conf.all.accept_redirects = 0\r\nnet.ipv4.conf.all.send_redirects = 0\r\nnet.ipv4.conf.ens3.rp_filter = 0\r\n#IPSec\r\nnet.ipv4.conf.default.rp_filter = 0\r\nnet.ipv4.conf.default.accept_redirects = 0\r\nnet.ipv4.conf.default.send_redirects = 0\r\nnet.ipv4.conf.all.rp_filter = 0 \r\nnet.ipv4.conf.ip_vti0.rp_filter = 0\r\nnet.ipv4.icmp_ignore_bogus_error_responses = 1\r\nnet.ipv4.conf.default.log_martians = 0\r\n\r\n[root@vpn01 opc]# sysctl -p\r\n[root@vpn01 opc]# firewall-cmd --zone=public --add-port=500\/udp --permanent\r\nsuccess\r\n[root@vpn01 opc]# firewall-cmd --zone=public --add-port=4500\/tcp --permanent\r\nsuccess\r\n[root@vpn01 opc]# firewall-cmd --zone=public --add-port=4500\/udp --permanent\r\nsuccess\r\n[root@vpn01 opc]# firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 10.0.0.0\/16\r\nsuccess\r\n<\/pre>\n

Test a reachable host on a private network behind endpoint B:<\/strong><\/p>\n

\r\n[root@vpn01 opc]# ping 10.0.5.7\r\nPING 10.0.5.7 (10.0.5.7) 56(84) bytes of data.\r\n64 bytes from 10.0.5.7: icmp_seq=1 ttl=64 time=0.164 ms\r\n<\/pre>\n

Per the Oracle documentation, the IPsec tunnel requirements are as follows:<\/strong><\/p>\n

ISAKMP Policy Options<\/strong>
\nISAKMP Protocol version 1
\nExchange type: Main mode
\nAuthentication method: pre-shared-keys
\nEncryption: AES-128-cbc, AES-192-cbc, AES-256-cbc
\nAuthentication algorithm: SHA-256, SHA-384
\nDiffie-Hellman group: group 1, group 2, group 5
\nIKE session key lifetime: 28800 seconds (8 hours)<\/p>\n

IPSec Policy Options<\/strong>
\nIPSec protocol: ESP, tunnel-mode
\nEncryption: AES-128-cbc, AES-192-cbc, AES-256-cbc
\nAuthentication algorithm: HMAC-SHA1-96
\nIPSec session key lifetime: 3600 seconds (1 hour)
\nPerfect Forward Secrecy (PFS): enabled, group 5<\/p>\n

Set up a new conf and secrets file:<\/strong><\/p>\n

\r\n[root@vpn01 opc]# cat \/etc\/ipsec.d\/U.conf\r\nconn V-Testing\r\n  authby=secret\r\n  keyexchange=ike\r\n  ike=aes_cbc256-sha1;modp1536\r\n  ikelifetime=28800s\r\n  #ike-frag=no\r\n  ikev2=no\r\n  #nat-ikev1-method=drafts\r\n  phase2=esp\r\n  phase2alg=aes_cbc256-sha1;modp1536\r\n  pfs=yes\r\n  salifetime=3600s\r\n  sareftrack=no\r\n  #dpdtimeout=10\r\n  #dpddelay=3\r\n  left=1.1.1.1\r\n  leftid=1.1.1.1\r\n  right=10.0.4.3\r\n  rightid=2.2.2.2\r\n  rightnexthop=2.2.2.2\r\n  rightsourceip=10.0.4.3\r\n  leftsubnet=10.60.0.0\/16\r\n  rightsubnet=10.0.0.0\/16\r\n  auto=start\r\n\r\n[root@vpn01 opc]# cat \/etc\/ipsec.d\/U.secrets\r\n1.1.1.1 2.2.2.2 : PSK "place_your_shared_key_here"\r\n\r\n[root@vpn01 opc]# systemctl start ipsec\r\n[root@vpn01 opc]# systemctl enable ipsec\r\n[root@vpn01 opc]# ipsec verify\r\nVerifying installed system and configuration files\r\n...\r\n<\/pre>\n

For reference, some initial pluto.log entries used during debugging to get the options matched to OCI, plus reference links:
\nhttps:\/\/libreswan.org\/man\/ipsec.conf.5.html
\nhttps:\/\/tools.ietf.org\/html\/rfc3526
\n<\/strong><\/p>\n

\r\ninitiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#15 msgid:08137451 proposal=AES(12)_128-SHA1(2) pfsgroup=MODP1024}\r\n\r\n000 "v6neighbor-hole-out":   policy: PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+PASS+NEVER_NEGOTIATE;\r\n\r\n000 "V-Testing":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+ESN_NO;\r\n000 "V-Testing":   conn_prio: 30,30; interface: ens3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;\r\n000 "V-Testing":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no;\r\n000 "V-Testing":   dpd: action:hold; delay:3; timeout:10; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:drafts\r\n000 "V-Testing":   newest ISAKMP SA: #0; newest IPsec SA: #0;\r\n000 "V-Testing":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP1024(2)\r\n000 "V-Testing":   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)-MODP1024(2)\r\n000 "V-Testing":   ESP algorithms wanted: AES(12)_256-SHA1(2); pfsgroup=MODP1024(2)\r\n000 "V-Testing":   ESP algorithms loaded: AES(12)_256-SHA1(2)\r\n\r\n000 Total IPsec connections: loaded 1, active 1\r\n000  \r\n000 State Information: DDoS cookies not required, Accepting new IKE connections\r\n000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)\r\n000 IPsec SAs: total(1), authenticated(1), anonymous(0)\r\n<\/pre>\n

For reference, some pluto.log entries used during debugging:<\/strong><\/p>\n

\r\n[root@vpn01 opc]# tail -f \/var\/log\/pluto.log \r\nNov  4 18:41:17: | setup callback for interface lo:500 fd 19\r\nNov  4 18:41:17: | setup callback for interface ens3:4500 fd 18\r\nNov  4 18:41:17: | setup callback for interface ens3:500 fd 17\r\nNov  4 18:41:17: loading secrets from "\/etc\/ipsec.secrets"\r\nNov  4 18:41:17: loading secrets from "\/etc\/ipsec.d\/U.secrets"\r\nNov  4 18:41:17: "V-Testing": route-client output: \/usr\/libexec\/ipsec\/_updown.netkey: doroute "ip route replace 10.60.0.0\/16 via 2.2.2.2 dev ens3  src 10.0.4.3" failed (RTNETLINK answers: Network is unreachable)\r\nNov  4 18:41:17: "V-Testing" #1: initiating Main Mode\r\nNov  4 18:41:18: assign_holdpass() delete_bare_shunt() failed\r\nNov  4 18:41:18: initiate_ondemand_body() failed to install negotiation_shunt,\r\nNov  4 18:41:18: initiate on demand from 10.0.4.3:8 to 10.60.1.2:0 proto=1 because: acquire\r\n<\/pre>\n

I am not sure whether this route was necessary, but I am showing it for reference.\u00a0 I am pretty sure it is not needed:<\/strong><\/p>\n

\r\n[root@vpn01 opc]# route add -net 10.60.0.0\/16 gw 10.0.4.1\r\n[root@vpn01 opc]# ip route\r\ndefault via 10.0.4.1 dev ens3 \r\n10.0.4.0\/24 dev ens3 proto kernel scope link src 10.0.4.3 \r\n10.60.0.0\/16 via 10.0.4.1 dev ens3 \r\n169.254.0.0\/16 dev ens3 proto static scope link \r\n169.254.0.0\/16 dev ens3 scope link metric 1002 \r\n<\/pre>\n

Some ping tests for reference showing passing traffic:<\/strong><\/p>\n

\r\n\r\n[root@vpn01 opc]# ifconfig ens3\r\nens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000\r\n        inet 10.0.4.3  netmask 255.255.255.0  broadcast 10.0.4.255\r\n\r\n[root@vpn01 opc]# ping 10.60.1.2\r\nPING 10.60.1.2 (10.60.1.2) 56(84) bytes of data.\r\n64 bytes from 10.60.1.2: icmp_seq=1 ttl=64 time=0.460 ms\r\n\r\n[root@gw01 opc]# ifconfig ens3\r\nens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000\r\n\r\n[root@gw01 opc]# ping 10.0.4.3\r\nPING 10.0.4.3 (10.0.4.3) 56(84) bytes of data.\r\n64 bytes from 10.0.4.3: icmp_seq=1 ttl=64 time=0.424 ms\r\n<\/pre>\n

After tuning security lists, route tables, DRGs, routes, etc., some ping tests for reference showing traffic passing on private subnets behind the endpoints:<\/strong><\/p>\n

\r\n[root@client01 opc]# ifconfig ens3\r\nens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000\r\n        inet 10.0.5.12  netmask 255.255.255.0  broadcast 10.0.5.255\r\n\r\n[root@client01 opc]# ping 10.60.1.2\r\nPING 10.60.1.2 (10.60.1.2) 56(84) bytes of data.\r\n64 bytes from 10.60.1.2: icmp_seq=1 ttl=63 time=0.566 ms\r\n\r\n[root@gw01 opc]# ifconfig ens3\r\nens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9000\r\n        inet 10.60.1.2  netmask 255.255.255.0  broadcast 10.60.1.255\r\n\r\n[root@gw01 opc]# ping 10.0.5.12\r\nPING 10.0.5.12 (10.0.5.12) 56(84) bytes of data.\r\n64 bytes from 10.0.5.12: icmp_seq=1 ttl=63 time=0.638 ms\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"

Recently I wanted to test the Oracle Cloud Infrastructure(OCI) CPE(Customer Premises Equipment) networking; using an IPsec VPN tunnel.\u00a0 The online<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[95,87,89],"tags":[],"class_list":["post-1162","post","type-post","status-publish","format-standard","hentry","category-libreswan","category-oci","category-oracle-bare-metal-cloud-services"],"_links":{"self":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/1162","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/comments?post=1162"}],"version-history":[{"count":0,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/1162\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/media?parent=1162"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/categories?post=1162"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/tags?post=1162"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}