[strongSwan] Connection to AWS-VPC
Doug Tucker
doug.tucker at navigaglobal.com
Thu Sep 17 22:47:22 CEST 2020
It creates the needed vti interfaces and sets some iptables stuff. Here is mine in it's entirety.
#!/bin/bash
while [[ $# > 1 ]]; do
case ${1} in
-ln|--link-name)
TUNNEL_NAME="${2}"
TUNNEL_PHY_INTERFACE="${PLUTO_INTERFACE}"
shift
;;
-ll|--link-local)
TUNNEL_LOCAL_ADDRESS="${2}"
TUNNEL_LOCAL_ENDPOINT="${PLUTO_ME}"
shift
;;
-lr|--link-remote)
TUNNEL_REMOTE_ADDRESS="${2}"
TUNNEL_REMOTE_ENDPOINT="${PLUTO_PEER}"
shift
;;
-m|--mark)
TUNNEL_MARK="${2}"
shift
;;
-r|--static-route)
TUNNEL_STATIC_ROUTE="${2}"
shift
;;
*)
echo "${0}: Unknown argument \"${1}\"" >&2
;;
esac
shift
done
command_exists() {
type "$1" >&2 2>&2
}
create_interface() {
ip link add ${TUNNEL_NAME} type vti local ${TUNNEL_LOCAL_ENDPOINT} remote ${TUNNEL_REMOTE_ENDPOINT} key ${TUNNEL_MARK}
ip addr add ${TUNNEL_LOCAL_ADDRESS} remote ${TUNNEL_REMOTE_ADDRESS} dev ${TUNNEL_NAME}
ip link set ${TUNNEL_NAME} up mtu 1419
}
configure_sysctl() {
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.${TUNNEL_NAME}.rp_filter=2
sysctl -w net.ipv4.conf.${TUNNEL_NAME}.disable_policy=1
sysctl -w net.ipv4.conf.${TUNNEL_PHY_INTERFACE}.disable_xfrm=1
sysctl -w net.ipv4.conf.${TUNNEL_PHY_INTERFACE}.disable_policy=1
}
add_route() {
IFS=',' read -ra route <<< "${TUNNEL_STATIC_ROUTE}"
for i in "${route[@]}"; do
ip route add ${i} dev ${TUNNEL_NAME} metric ${TUNNEL_MARK}
done
iptables -t mangle -A FORWARD -o ${TUNNEL_NAME} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A INPUT -p esp -s ${TUNNEL_REMOTE_ENDPOINT} -d ${TUNNEL_LOCAL_ENDPOINT} -j MARK --set-xmark ${TUNNEL_MARK}
ip route flush table 220
}
cleanup() {
IFS=',' read -ra route <<< "${TUNNEL_STATIC_ROUTE}"
for i in "${route[@]}"; do
ip route del ${i} dev ${TUNNEL_NAME} metric ${TUNNEL_MARK}
done
iptables -t mangle -D FORWARD -o ${TUNNEL_NAME} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -D INPUT -p esp -s ${TUNNEL_REMOTE_ENDPOINT} -d ${TUNNEL_LOCAL_ENDPOINT} -j MARK --set-xmark ${TUNNEL_MARK}
ip route flush cache
}
delete_interface() {
ip link set ${TUNNEL_NAME} down
ip link del ${TUNNEL_NAME}
}
# main execution starts here
command_exists ip || echo "ERROR: ip command is required to execute the script, check if you are running as root, mostly to do with path, /sbin/" >&2 2>&2
command_exists iptables || echo "ERROR: iptables command is required to execute the script, check if you are running as root, mostly to do with path, /sbin/" >&2 2>&2
command_exists sysctl || echo "ERROR: sysctl command is required to execute the script, check if you are running as root, mostly to do with path, /sbin/" >&2 2>&2
case "${PLUTO_VERB}" in
up-client)
create_interface
configure_sysctl
add_route
;;
down-client)
cleanup
delete_interface
;;
esac
Doug Tucker
Sr. Director of Networking & Linux Operations
o: 817.975.5832 | m: 817.975.5832
e: doug.tucker at navigaglobal.com
[cid:image001.png at 01D4FEC7.F32F3010]<https://navigaglobal.com/>
[cid:image002.png at 01D4FEC7.F32F3010]<https://www.facebook.com/navigaglobal> [cid:image003.png at 01D4FEC7.F32F3010] <https://twitter.com/navigaglobal> [cid:image004.png at 01D4FEC7.F32F3010] <https://www.linkedin.com/company/navigaglobal/about/>
Newscycle Solutions is now Naviga. Learn more.<https://navigaglobal.com/>
CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.
________________________________
From: Users <users-bounces at lists.strongswan.org> on behalf of Dominik <dr896543 at gmail.com>
Sent: Thursday, September 17, 2020 9:32 AM
To: users at lists.strongswan.org <users at lists.strongswan.org>
Subject: Re: [strongSwan] Connection to AWS-VPC
Thanks Doug,
what does the aws-updown.sh do?
Kind regards
Dominik
On 16.09.20 17:28, Doug Tucker wrote:
ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file
# Site network admin:
# basic configuration
config setup
# strictcrlpolicy=yes
uniqueids = no
# charondebug = "ike 2,chd 3, enc 2"
# Add connections here.
############################################################
## Common configuration
############################################################
conn Tunnel1
auto=start
left=%defaultroute
leftid=1.1.1.1
right=2.2.2.2
type=tunnel
leftauth=psk
rightauth=psk
keyexchange=ikev1
ike=aes256-sha1-modp1024
ikelifetime=8h
esp=aes256-sha1-modp1024
lifetime=1h
keyingtries=%forever
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
dpddelay=10s
dpdtimeout=30s
dpdaction=restart
mark=100
leftupdown="/usr/local/etc/aws-updown.sh -ln Tunnel1 -ll 169.254.x.x/30 -lr 169.254.x.x/30 -m 100 -r 10.x.x.0/20"
conn Tunnel2
auto=start
left=%defaultroute
leftid=1.1.1.1
right=2.2.2.2
type=tunnel
leftauth=psk
rightauth=psk
keyexchange=ikev1
ike=aes128-sha1-modp1024
ikelifetime=8h
esp=aes128-sha1-modp1024
lifetime=1h
keyingtries=%forever
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
dpddelay=10s
dpdtimeout=30s
dpdaction=restart
mark=200
leftupdown="/usr/local/etc/aws-updown.sh -ln Tunnel2 -ll 169.254.x.x/30 -lr 169.254.x.x/30 -m 200 -r 10.x.x.0/20"
Let me know if there is more you would like to see.
Doug Tucker
Sr. Director of Networking & Linux Operations
o: 817.975.5832 | m: 817.975.5832
e: doug.tucker at navigaglobal.com
[cid:image001.png at 01D4FEC7.F32F3010]<https://navigaglobal.com/>
[cid:image002.png at 01D4FEC7.F32F3010]<https://www.facebook.com/navigaglobal> [cid:image003.png at 01D4FEC7.F32F3010] <https://twitter.com/navigaglobal> [cid:image004.png at 01D4FEC7.F32F3010] <https://www.linkedin.com/company/navigaglobal/about/>
Newscycle Solutions is now Naviga. Learn more.<https://navigaglobal.com/>
CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.
________________________________
From: Users <users-bounces at lists.strongswan.org><mailto:users-bounces at lists.strongswan.org> on behalf of Dominik Reusser <dr896543 at gmail.com><mailto:dr896543 at gmail.com>
Sent: Tuesday, September 15, 2020 1:19 AM
To: users at lists.strongswan.org<mailto:users at lists.strongswan.org> <users at lists.strongswan.org><mailto:users at lists.strongswan.org>
Subject: [strongSwan] Connection to AWS-VPC
NCS WARNING: External email. Please verify sender before opening attachments or clicking on links.
Has anyone successfully connected to AWS VPC? My connection is established and ICMP-Pakets are routed through the AWS cloud. However, UDP and TCP packets - while being sent towards the AWS server (from tcp dump on the client side) - do not appear in the logs of the VPC.
With a corresponding setup with OpenSwan I get a working connection. However, I would prefer to use strong Swan.
If you have successfully connected to AWS VPC, could you please share your configuration files?
Thanks
Kind regards
Dominik
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200917/40c52ba5/attachment-0001.html>
More information about the Users
mailing list