{"id":1668,"date":"2020-06-23T15:01:19","date_gmt":"2020-06-23T20:01:19","guid":{"rendered":"https:\/\/blog.iqonda.net\/?p=1668"},"modified":"2020-06-23T15:03:53","modified_gmt":"2020-06-23T20:03:53","slug":"aws-vpn-to-libreswan","status":"publish","type":"post","link":"https:\/\/blog.ls-al.com\/aws-vpn-to-libreswan\/","title":{"rendered":"AWS VPN to Libreswan"},"content":{"rendered":"<h1>AWS VPN to Azure VM with Libreswan<\/h1>\n<p>NOTE: As of this article AWS Site to Site VPN gateway can generate an Openswan configuration but not Libreswan.  This is a test to use Libreswan.<\/p>\n<p>Using an Azure Virtual Machine on the left and AWS VPN gateway on the right but of course can also use <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/vpn-gateway\/vpn-gateway-howto-site-to-site-resource-manager-portal\">Azure VPN service<\/a><\/p>\n<p>For reference OCI to Libreswan from a while <a href=\"https:\/\/blog.iqonda.net\/oci-obmcs-and-libreswan\/\">back<\/a><\/p>\n<h3>Setup right side in AWS Console<\/h3>\n<ul>\n<li>Create Customer Gateway &gt; azure-gw01 using Static Routing and specify Azure VM IP Address   - Create Virtual Private Gateway az-vpg01 Amazon default ASN<\/li>\n<li>Attach VPG to VPC<br \/>\nFor Site-to-Site VPN<\/li>\n<li>Create VPN Connection &gt; iqonda-aws-azure pick VPG and CG Routing Static leave all defaults for now and no Static IP Prefixes for the moment<\/li>\n<li>Record Tunnel1 IP Address<\/li>\n<\/ul>\n<h3>Setup left side in Azure<\/h3>\n<h2>Create a Centos VM in Azure<\/h2>\n<ul>\n<li>\n<p>Virtual machines &gt; Add<br \/>\n| test01 | CentOS-based 8.1 | Standard_B1ls 1 vcpu, 0.5 GiB memory ($3.80\/month) | AzureUser<br \/>\n*<em> I used a password for AzureUser and sort out SSH keys after logged in.<\/em><\/p>\n<\/li>\n<li>\n<p>I used | Standard HDD | myVnet | mySubnet(10.0.0.0\/24) <\/p>\n<\/li>\n<li>\n<p>record public IP<\/p>\n<\/li>\n<li>\n<p>Network add inbound rules for ipsec. I did an all traffic for the AWS endpoint IP address but you want to be more specific on ipsec ports.<\/p>\n<\/li>\n<\/ul>\n<h2>software<\/h2>\n<pre><code># cat \/etc\/centos-release\nCentOS Linux release 8.1.1911 (Core) \n\n# yum install libreswan\n\n# echo \"net.ipv4.ip_forward=1\" > \/usr\/lib\/sysctl.d\/60-ipsec.conf\n# sysctl -p \/usr\/lib\/sysctl.d\/60-ipsec.conf\nnet.ipv4.ip_forward = 1\n\n# for s in \/proc\/sys\/net\/ipv4\/conf\/*; do echo 0 > $s\/send_redirects; echo 0 > $s\/accept_redirects; done\n\n# echo 0 > \/proc\/sys\/net\/ipv4\/conf\/all\/rp_filter\n\n# ipsec verify\nVerifying installed system and configuration files\n\nVersion check and ipsec on-path                     [OK]\nLibreswan 3.29 (netkey) on 4.18.0-147.8.1.el8_1.x86_64\nChecking for IPsec support in kernel                [OK]\n NETKEY: Testing XFRM related proc values\n         ICMP default\/send_redirects                [OK]\n         ICMP default\/accept_redirects              [OK]\n         XFRM larval drop                           [OK]\nPluto ipsec.conf syntax                             [OK]\nChecking rp_filter                                  [OK]\nChecking that pluto is running                      [OK]\n Pluto listening for IKE on udp 500                 [OK]\n Pluto listening for IKE\/NAT-T on udp 4500          [OK]\n Pluto ipsec.secret syntax                          [OK]\nChecking 'ip' command                               [OK]\nChecking 'iptables' command                         [OK]\nChecking 'prelink' command does not interfere with FIPS [OK]\nChecking for obsolete ipsec.conf options            [OK]<\/code><\/pre>\n<p>NOTE: skipping firewalld and rules. this instance did not have firewalld enabled and iptables -L is open.<\/p>\n<blockquote>\n<p>Download openswan config in AWS console to see the PSK<\/p>\n<p>I had issues bringing the tunnel up but after reboot it works<\/p>\n<\/blockquote>\n<h2>post tunnel UP<\/h2>\n<ul>\n<li>add static route(s) to VPN<\/li>\n<li>check route table for subnet <\/li>\n<li>enable subnet association to route table<\/li>\n<li>enable route propagation<\/li>\n<\/ul>\n<p>ping test both ways works...<\/p>\n<h2>source<\/h2>\n<pre><code>[root@test01 ipsec.d]# cat aws-az-vpn.conf \nconn Tunnel1\n        authby=secret\n        auto=start\n        encapsulation=yes\n        left=%defaultroute\n        leftid=[Azure VM IP]\n        right=[AWS VPN Tunnel 1 IP]\n        type=tunnel\n        phase2alg=aes128-sha1;modp1024\n        ike=aes128-sha1;modp1024\n        leftsubnet=10.0.1.0\/16\n        rightsubnet=172.31.0.0\/16\n\nconn Tunnel2\n        authby=secret\n        auto=add\n        encapsulation=yes\n        left=%defaultroute\n        leftid=[Azure VM IP]\n        right=[AWS VPN Tunnel 2 IP]\n        type=tunnel\n        phase2alg=aes128-sha1;modp1024\n        ike=aes128-sha1;modp1024\n        leftsubnet=10.0.1.0\/16\n        rightsubnet=172.31.0.0\/16\n\n[root@test01 ipsec.d]# cat aws-az-vpn.secrets \n52.188.118.56 18.214.218.99: PSK \"Qgn...............mn\"\n52.188.118.56 52.3.140.122: PSK \"cWu..................87\"<\/code><\/pre>\n<h2>Tunnel switch<\/h2>\n<p>Although Libreswan can't manage two tunnels to the same right side without something like Quagga at least I did a very quick and dirty switchover script.  It works and very minimal pings missed.<\/p>\n<pre><code>[root@test01 ~]# cat switch-aws-tunnel.sh \n#!\/bin\/bash\necho \"Current Tunnel Status\"\nipsec status | grep routed\n\nactive=$(ipsec status | grep erouted | cut -d \\\" -f2)\ninactive=$(ipsec status | grep unrouted | cut -d \\\" -f2)\n\necho \"Showing active and inactive in tunnels\"\necho \"active: $active\"\necho \"inactive: $inactive\"\n\necho \"down tunnels....\"\nipsec auto --down $active\nipsec auto --down $inactive\n\necho \"adding tunnels....\"\nipsec auto --add Tunnel1\nipsec auto --add Tunnel2\n\necho \"up the tunnel that was inactive before....\"\nipsec auto --up $inactive\n\necho \"Current Tunnel Status\"\nipsec status | grep routed<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>AWS VPN to Azure VM with Libreswan NOTE: As of this article AWS Site to Site VPN gateway can generate<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[73,103,20],"tags":[],"class_list":["post-1668","post","type-post","status-publish","format-standard","hentry","category-aws","category-azure","category-vpn"],"_links":{"self":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/1668","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/comments?post=1668"}],"version-history":[{"count":0,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/1668\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/media?parent=1668"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/categories?post=1668"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/tags?post=1668"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}