[strongSwan] Help needed to use strongswan with amazon VPC

Jean-Sébastien Frerot jean-sebastien.frerot at gameloft.com
Fri Jul 8 19:24:58 CEST 2011


Hi, I'm trying to connect to Amazon VPN using strongSwan 4.2.4 on Debian
5.0.8 but I have some problems.

Here is how the setup is designed from Amazon's side.
Amazon has 2 public IP addresses and we connect to the 2 IPs using 2
distinct VPN connections. However, those connections are initiated (on our
side) by only 1 server, so we use the same public IP address on our side.

So we establish the connection with the following subnets:
169.254.255.0/30 and 169.254.255.4/30 (one for each VPN connection).
So far, I'm able to make this connection up and running. The problem
comes when I need to route other subnets to this VPN connection with
BGP. In my case I defined on the Amazon side the following subnet:
10.144.0.0/16. But when I try to use this subnet the packets don't seem
to be routed to the tunnel. Of course BGP is up and the routes are added
by BGP.

I've been able to make the setup work with manual commands and weird (to
me, since I'm far from being an expert on IPsec/IKE) configuration. But
I'm pretty sure there is a clean way to make this work without too many
problems.

Could you please help me with how to set up this connection properly?
Thank you.

Here are the 2 configuration settings I've been able to use to bring up
the VPN connection. The 1st one can't route the 10.144/16 network even
though I add xfrm policies, and the 2nd one is working, but only one VPN
comes up because it can't add the same route on the 2 VPN connections,
and I have to run some ip xfrm commands to make it work.

Here is the Amazon VPN Connection Configuration:

*connection 1:*
Outside IP Addresses:
  - Customer Gateway:        : *my_pub_ip*
  - VPN Gateway              : 72.21.209.225
       
Inside IP Addresses
  - Customer Gateway         : 169.254.255.2/30
  - VPN Gateway              : 169.254.255.1/30

Configure the IKE SA as follows
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : *my_psk1*
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

Configure the IPSec SA as follows:
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

The Border Gateway Protocol (BGPv4) is used within the tunnel, between
the inside IP addresses, to exchange routes from the VPC to your home
network. Each BGP router has an Autonomous System Number (ASN). Your ASN
was provided to AWS when the Customer Gateway was created.

BGP Configuration Options:
  - Customer Gateway ASN     : 65136
  - VPN Gateway ASN          : 7224
  - Neighbor IP Address      : 169.254.255.1
  - Neighbor Hold Time       : 30

Configure BGP to announce the default route (0.0.0.0/0) to the VPN
Connection Gateway. The VPN Gateway will announce prefixes to your
Customer Gateway based upon the prefixes assigned in the creation of the
VPC.


*Connection 2:*

Outside IP Addresses:
  - Customer Gateway:        : *my_pub_ip*
  - VPN Gateway              : 72.21.209.193
       
Inside IP Addresses
  - Customer Gateway         : 169.254.255.6/30
  - VPN Gateway              : 169.254.255.5/30

Configure the IKE SA as follows
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : *my_psk2*
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

Configure the IPSec SA as follows:
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2


The Border Gateway Protocol (BGPv4) is used within the tunnel, between
the inside IP addresses, to exchange routes from the VPC to your home
network. Each BGP router has an Autonomous System Number (ASN). Your ASN
was provided to AWS when the Customer Gateway was created.

BGP Configuration Options:
  - Customer Gateway ASN     : 65136
  - VPN Gateway ASN          : 7224
  - Neighbor IP Address      : 169.254.255.5
  - Neighbor Hold Time       : 30

Configure BGP to announce the default route (0.0.0.0/0) to the VPN
Connection Gateway. The VPN Gateway will announce prefixes to your
Customer Gateway based upon the prefixes assigned in the creation of the
VPC.


And here is the configuration I've been trying to set up.

*configuration 1: (10.144/16 not working at all)*
ipsec.secrets:
*my_pub_ip* 72.21.209.225 : PSK "*my_psk1*"
*my_pub_ip* 72.21.209.193 : PSK "*my_psk2*"

strongswan.conf:
charon {
}
pluto {
}
libstrongswan {
}

ipsec.conf
config setup
    charonstart=no
    plutostart=yes
    strictcrlpolicy=no

conn vac1
    keyexchange=ikev1
    auto=start
    authby=psk
    compress=no
    type=tunnel
    ike=aes128-sha1-modp1024
    pfs=yes
    left=*my_pub_ip*
    leftsourceip=169.254.255.2/30
    right=72.21.209.225
    rightsourceip=169.254.255.1/30

conn vac2
    keyexchange=ikev1
    auto=start
    authby=psk
    compress=no
    type=tunnel
    ike=aes128-sha1-modp1024
    pfs=yes
    left=*my_pub_ip*
    leftsourceip=169.254.255.6/30
    right=72.21.209.193
    rightsourceip=169.254.255.5/30

sudo /etc/init.d/ipsec start
Starting strongSwan 4.2.4 IPsec [starter]...
multiple default routes - cannot cope with %defaultroute!!!

ip xfrm state
src *my_pub_ip* dst 72.21.209.225
    proto esp spi 0xd49408d7 reqid 16385 mode tunnel
    replay-window 32
    auth hmac(sha1) 0x3696cf0b7cbd526edf0b8793084334a6095b3cff
    enc cbc(aes) 0x30114b8b79147b3c13c2b7218690b6d2
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 72.21.209.225 dst *my_pub_ip*
    proto esp spi 0xb0c07db9 reqid 16385 mode tunnel
    replay-window 32
    auth hmac(sha1) 0xd344ac06e528c175a9be5c8f7519a9ff4afb17ab
    enc cbc(aes) 0x44e6172afdf19dd8a65b216a7af68890
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src *my_pub_ip* dst 72.21.209.193
    proto esp spi 0x89e3ed52 reqid 16389 mode tunnel
    replay-window 32
    auth hmac(sha1) 0xaf259a9e3b69ea2d2ca0ce1455f554423cb9b66c
    enc cbc(aes) 0x8cf4a967db5f0dde1b57cfe66655c915
    sel src 0.0.0.0/0 dst 0.0.0.0/0
src 72.21.209.193 dst *my_pub_ip*
    proto esp spi 0x50c171bb reqid 16389 mode tunnel
    replay-window 32
    auth hmac(sha1) 0x9d3b74757f63d31a4800a57856ae906157c064ef
    enc cbc(aes) 0xb37734dc1199d74030032776d2078ddc
    sel src 0.0.0.0/0 dst 0.0.0.0/0

ip xfrm policy
src 169.254.255.2/32 dst 169.254.255.1/32
    dir out priority 2080 ptype main
    tmpl src *my_pub_ip* dst 72.21.209.225
        proto esp reqid 16385 mode tunnel
src 169.254.255.1/32 dst 169.254.255.2/32
    dir fwd priority 2080 ptype main
    tmpl src 72.21.209.225 dst *my_pub_ip*
        proto esp reqid 16385 mode tunnel
src 169.254.255.1/32 dst 169.254.255.2/32
    dir in priority 2080 ptype main
    tmpl src 72.21.209.225 dst *my_pub_ip*
        proto esp reqid 16385 mode tunnel
src 169.254.255.6/32 dst 169.254.255.5/32
    dir out priority 2080 ptype main
    tmpl src *my_pub_ip* dst 72.21.209.193
        proto esp reqid 16389 mode tunnel
src 169.254.255.5/32 dst 169.254.255.6/32
    dir fwd priority 2080 ptype main
    tmpl src 72.21.209.193 dst *my_pub_ip*
        proto esp reqid 16389 mode tunnel
src 169.254.255.5/32 dst 169.254.255.6/32
    dir in priority 2080 ptype main
    tmpl src 72.21.209.193 dst *my_pub_ip*
        proto esp reqid 16389 mode tunnel
src ::/0 dst ::/0
    dir 4 priority 0 ptype main
src ::/0 dst ::/0
    dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
...

bgpd:
sh ip bgp
...
*> 10.144.0.0/16    169.254.255.1          100           150 7224 i
*                   169.254.255.5          100           100 7224 i
...

ip route | grep 10.144
10.144.0.0/16 via 169.254.255.1 dev eth1  proto zebra  metric 100

ip route get 10.144.8.30
10.144.8.30 via 169.254.255.1 dev eth1  src 169.254.255.2
    cache  mtu 1500 advmss 1460 hoplimit 64

ping 10.144.8.30
PING 10.144.8.30 (10.144.8.30) 56(84) bytes of data.
From 169.254.255.2 icmp_seq=1 Destination Host Unreachable
From 169.254.255.2 icmp_seq=2 Destination Host Unreachable
From 169.254.255.2 icmp_seq=3 Destination Host Unreachable

ping -I 10.123.0.22 10.144.8.30
PING 10.144.8.30 (10.144.8.30) from 10.123.0.22 : 56(84) bytes of data.
From 10.123.0.22 icmp_seq=1 Destination Host Unreachable
From 10.123.0.22 icmp_seq=2 Destination Host Unreachable
From 10.123.0.22 icmp_seq=3 Destination Host Unreachable

auth.log
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: loading secrets
from "/etc/ipsec.secrets"
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: loading secrets
from "/var/lib/strongswan/ipsec.secrets.inc"
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]:   loaded private
key file '/etc/ipsec.d/private/vpn-fw1Key.pem' (1679 bytes)
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]:   loaded shared
key for 72.21.209.225 *my_pub_ip*
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]:   loaded shared
key for 72.21.209.193 *my_pub_ip*
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: added connection
description "vac1"
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac1" #1:
initiating Main Mode
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: added connection
description "vac2"
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac2" #2:
initiating Main Mode
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac2" #2:
received Vendor ID payload [Dead Peer Detection]
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac1" #1:
received Vendor ID payload [Dead Peer Detection]
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac2" #2: Peer
ID is ID_IPV4_ADDR: '72.21.209.193'
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac2" #2: ISAKMP
SA established
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac2" #3:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#2}
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac1" #1: Peer
ID is ID_IPV4_ADDR: '72.21.209.225'
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac1" #1: ISAKMP
SA established
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac1" #4:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac2" #3:
route-client output: /usr/lib/ipsec/_updown: doroute `ip route add
169.254.255.5/32 via 72.21.209.193 dev eth1:MASTER  src 169.254.255.6
table 220' failed (RTNETLINK answers: No such process)
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac2" #3: sent
QI2, IPsec SA established {ESP=>0xb660e8f1 <0x11e0e25a}
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac1" #4:
route-client output: /usr/lib/ipsec/_updown: doroute `ip route add
169.254.255.1/32 via 72.21.209.225 dev eth1:MASTER  src 169.254.255.2
table 220' failed (RTNETLINK answers: No such process)
Jul  8 15:04:58 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac1" #4: sent
QI2, IPsec SA established {ESP=>0x9545fa88 <0xd79a4539}
Jul  8 15:05:01 vpn-fw1.mdc.gameloft.org CRON[30531]:
pam_unix(cron:session): session opened for user root by (uid=0)
Jul  8 15:05:01 vpn-fw1.mdc.gameloft.org CRON[30532]:
pam_unix(cron:session): session opened for user root by (uid=0)
Jul  8 15:05:01 vpn-fw1.mdc.gameloft.org CRON[30532]:
pam_unix(cron:session): session closed for user root
Jul  8 15:05:02 vpn-fw1.mdc.gameloft.org pluto[30451]: packet from
72.21.209.193:500: received Vendor ID payload [Dead Peer Detection]
Jul  8 15:05:02 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac2" #5:
responding to Main Mode
Jul  8 15:05:02 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac2" #5:
ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jul  8 15:05:02 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac2" #5: Peer
ID is ID_IPV4_ADDR: '72.21.209.193'
Jul  8 15:05:02 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac2" #5: sent
MR3, ISAKMP SA established
Jul  8 15:05:02 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac2" #5: cannot
respond to IPsec SA request because no connection is known for
0.0.0.0/0===*my_pub_ip*...72.21.209.193===0.0.0.0/0
Jul  8 15:05:02 vpn-fw1.mdc.gameloft.org pluto[30451]: "vac2" #5:
sending encrypted notification INVALID_ID_INFORMATION to 72.21.209.193:500

*configuration 2: (10.144/16 works with manual ip xfrm commands)*
ipsec.secrets:
*my_pub_ip* 72.21.209.225 : PSK "*my_psk1*"
*my_pub_ip* 72.21.209.193 : PSK "*my_psk2*"

strongswan.conf:
charon {
}
pluto {
}
libstrongswan {
}

ipsec.conf
conn vac1
    keyexchange=ikev1
    auto=start
    authby=psk
    compress=no
    type=tunnel
    ike=aes128-sha1-modp1024
    pfs=yes
    left=*my_pub_ip*
    leftsubnet=10.0.0.0/8
    leftsourceip=169.254.255.2/30
    right=72.21.209.225
    rightsubnet=10.144.0.0/16
    rightsourceip=169.254.255.1/30

conn vac2
    keyexchange=ikev1
    auto=start
    authby=psk
    compress=no
    type=tunnel
    ike=aes128-sha1-modp1024
    pfs=yes
    left=*my_pub_ip*
    leftsubnet=10.0.0.0/8
    leftsourceip=169.254.255.6/30
    right=72.21.209.193
    rightsubnet=10.144.0.0/16
    rightsourceip=169.254.255.5/30

sudo /etc/init.d/ipsec start
Starting strongSwan 4.2.4 IPsec [starter]...
multiple default routes - cannot cope with %defaultroute!!!


ip xfrm policy
src 10.0.0.0/8 dst 10.144.0.0/16
    dir out priority 2864 ptype main
    tmpl src *my_pub_ip* dst 72.21.209.193
        proto esp reqid 16389 mode tunnel
src 10.144.0.0/16 dst 10.0.0.0/8
    dir fwd priority 2864 ptype main
    tmpl src 72.21.209.193 dst *my_pub_ip*
        proto esp reqid 16389 mode tunnel
src 10.144.0.0/16 dst 10.0.0.0/8
    dir in priority 2864 ptype main
    tmpl src 72.21.209.193 dst *my_pub_ip*
        proto esp reqid 16389 mode tunnel
src ::/0 dst ::/0
    dir 4 priority 0 ptype main
src ::/0 dst ::/0
    dir 3 priority 0 ptype main
...

ip route | grep 10.144
*empty*

If I add the following policies:
ip xfrm policy add dir in src 169.254.255.5/30 dst 169.254.255.6/30
priority 2864 tmpl mode tunnel reqid 16389 src 72.21.209.193 dst
*my_pub_ip* proto esp
ip xfrm policy add dir out src 169.254.255.6/30 dst 169.254.255.5/30
priority 2864 tmpl mode tunnel reqid 16389 src *my_pub_ip* dst
72.21.209.193 proto esp


Then the 10.144/16 subnet works:

ip route | grep 10.144
10.144.0.0/16 via 169.254.255.5 dev eth1  proto zebra  metric 100


ping -I 10.123.0.22 10.144.8.30
PING 10.144.8.30 (10.144.8.30) from 10.123.0.22 : 56(84) bytes of data.
64 bytes from 10.144.8.30: icmp_seq=1 ttl=62 time=17.7 ms
64 bytes from 10.144.8.30: icmp_seq=2 ttl=62 time=17.5 ms
64 bytes from 10.144.8.30: icmp_seq=3 ttl=62 time=17.4 ms

auth.log
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]: loading secrets
from "/etc/ipsec.secrets"
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]: loading secrets
from "/var/lib/strongswan/ipsec.secrets.inc"
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]:   loaded private
key file '/etc/ipsec.d/private/vpn-fw1Key.pem' (1679 bytes)
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]:   loaded shared
key for 72.21.209.225 *my_pub_ip*
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]:   loaded shared
key for 72.21.209.193 *my_pub_ip*
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]: added connection
description "vac1"
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]: "vac1" #1:
initiating Main Mode
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]: added connection
description "vac2"
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]: "vac2" #2:
initiating Main Mode
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]: "vac2" #2:
received Vendor ID payload [Dead Peer Detection]
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]: "vac1" #1:
received Vendor ID payload [Dead Peer Detection]
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]: "vac2" #2: Peer
ID is ID_IPV4_ADDR: '72.21.209.193'
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]: "vac2" #2: ISAKMP
SA established
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]: "vac2" #3:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#2}
  src 169.254.255.6 table 220' failed (RTNETLINK answers: No such process)
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]: "vac2" #3: sent
QI2, IPsec SA established {ESP=>0x6705b3eb <0x945af92b}
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]: "vac1" #1: Peer
ID is ID_IPV4_ADDR: '72.21.209.225'
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]: "vac1" #1: ISAKMP
SA established
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]: "vac1" #4:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jul  8 14:44:21 vpn-fw1.mdc.gameloft.org pluto[25503]: "vac1" #4: cannot
route -- route already in use for "vac2"
Jul  8 14:44:26 vpn-fw1.mdc.gameloft.org pluto[25503]: "vac1" #4: cannot
route -- route already in use for "vac2"
Jul  8 14:44:31 vpn-fw1.mdc.gameloft.org pluto[25503]: "vac1" #4: cannot
route -- route already in use for "vac2"
Jul  8 14:44:36 vpn-fw1.mdc.gameloft.org pluto[25503]: "vac1" #4: cannot
route -- route already in use for "vac2"
Jul  8 14:44:46 vpn-fw1.mdc.gameloft.org pluto[25503]: "vac1" #4: cannot
route -- route already in use for "vac2"
Jul  8 14:44:56 vpn-fw1.mdc.gameloft.org pluto[25503]: "vac1" #4: cannot
route -- route already in use for "vac2"

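The following is an added example, not part of the original message and not strongSwan code. It parses the text format that `ip xfrm policy` prints (as quoted above) and reports which outbound policy, if any, covers a given source/destination pair. Linux selects the matching policy with the lowest priority value; a packet that matches no outbound policy leaves the host unprotected. The embedded policy samples are constructed from the "dir out" entries quoted for configuration 1 and configuration 2, with the placeholder *my_pub_ip* replaced by the hypothetical documentation address 198.51.100.10; the "manual" sample is the outbound policy added by hand in the message, rendered in `ip xfrm policy` output format.

```python
"""Which `ip xfrm policy` selector covers a packet?  (added example)"""
import ipaddress
import re

# Constructed sample: the "dir out" policies quoted for configuration 1,
# with *my_pub_ip* replaced by the hypothetical address 198.51.100.10.
XFRM_POLICY_CONFIG1 = """\
src 169.254.255.2/32 dst 169.254.255.1/32
    dir out priority 2080 ptype main
    tmpl src 198.51.100.10 dst 72.21.209.225
        proto esp reqid 16385 mode tunnel
src 169.254.255.6/32 dst 169.254.255.5/32
    dir out priority 2080 ptype main
    tmpl src 198.51.100.10 dst 72.21.209.193
        proto esp reqid 16389 mode tunnel
src ::/0 dst ::/0
    dir 4 priority 0 ptype main
src ::/0 dst ::/0
    dir 3 priority 0 ptype main
"""

# Constructed sample: the "dir out" policy quoted for configuration 2.
XFRM_POLICY_CONFIG2 = """\
src 10.0.0.0/8 dst 10.144.0.0/16
    dir out priority 2864 ptype main
    tmpl src 198.51.100.10 dst 72.21.209.193
        proto esp reqid 16389 mode tunnel
"""

# Constructed sample: the outbound policy the message adds by hand with
# `ip xfrm policy add`, written as `ip xfrm policy` would print it.
XFRM_POLICY_MANUAL_OUT = """\
src 169.254.255.6/30 dst 169.254.255.5/30
    dir out priority 2864 ptype main
    tmpl src 198.51.100.10 dst 72.21.209.193
        proto esp reqid 16389 mode tunnel
"""

_SEL_RE = re.compile(r"^src (\S+) dst (\S+)$")
_DIR_RE = re.compile(r"^dir (\S+) priority (\d+)")
_REQID_RE = re.compile(r"reqid (\d+)")


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output into a list of policy dicts.

    A policy starts at an unindented "src ... dst ..." selector line; the
    indented lines that follow carry direction, priority and, when an ESP
    template is present, the reqid of the SA that protects the traffic.
    """
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SEL_RE.match(line)
        if m and not raw.startswith((" ", "\t")):
            policies.append({
                "src": ipaddress.ip_network(m.group(1), strict=False),
                "dst": ipaddress.ip_network(m.group(2), strict=False),
                "dir": None, "priority": None, "reqid": None,
            })
            continue
        if not policies:
            raise ValueError("attribute line before any selector: " + line)
        cur = policies[-1]
        m = _DIR_RE.match(line)
        if m:
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
            continue
        m = _REQID_RE.search(line)
        if m:
            cur["reqid"] = int(m.group(1))
    return policies


def matching_policy(policies, src, dst, direction="out"):
    """Return the policy covering src->dst in `direction`, or None.

    Selectors of the other address family never match; among matches the
    kernel uses the lowest priority value, which is what is returned here.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    candidates = [p for p in policies
                  if p["dir"] == direction and s in p["src"] and d in p["dst"]]
    if not candidates:
        return None
    return min(candidates, key=lambda p: p["priority"])


def protecting_reqid(policy_text, src, dst):
    """reqid of the SA that would protect src->dst, or None if uncovered."""
    p = matching_policy(parse_xfrm_policy(policy_text), src, dst)
    return None if p is None else p["reqid"]


if __name__ == "__main__":
    # Configuration 1: only the /32 inside addresses are covered, so a
    # packet to the BGP-learned 10.144.0.0/16 matches no outbound policy.
    print("cfg1 BGP peer    :", protecting_reqid(XFRM_POLICY_CONFIG1, "169.254.255.2", "169.254.255.1"))
    print("cfg1 10.144 host :", protecting_reqid(XFRM_POLICY_CONFIG1, "169.254.255.2", "10.144.8.30"))
    # Configuration 2: 10/8 -> 10.144/16 is covered, but the BGP session
    # between the inside addresses is not until the manual policy exists.
    print("cfg2 BGP peer    :", protecting_reqid(XFRM_POLICY_CONFIG2, "169.254.255.6", "169.254.255.5"))
    print("cfg2+manual peer :", protecting_reqid(XFRM_POLICY_CONFIG2 + XFRM_POLICY_MANUAL_OUT, "169.254.255.6", "169.254.255.5"))
    print("cfg2 10.144 host :", protecting_reqid(XFRM_POLICY_CONFIG2, "10.123.0.22", "10.144.8.30"))
```

Run against the real output of `ip xfrm policy` on the gateway, the same function shows whether the BGP session's link-local addresses and the VPC prefixes learned over it are both covered by a policy pointing at the same reqid; the `Destination Host Unreachable` replies quoted above for configuration 1 and the empty route table for configuration 2 are what one sees when one of those two selectors is missing.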
