[Openswan Users] Openswan with Amazon VPC

Binand Sethumadhavan binand at gmx.net
Sat Feb 16 01:57:31 EST 2013


Hi All,

I am struggling to set up an IPSec VPN between an Openswan installation
(Centos 6.3, packaged version openswan-2.6.32-16.el6.x86_64) and my Amazon
EC2 VPC (which is basically a private network with EC2 with NAT at the edge
using a black box, details at http://aws.amazon.com/vpc/).

My topology is like this:

Office has two subnets, 172.16.100.0/24 and 172.16.101.0/24, with default
gateway set to 172.16.100.1 and 172.16.101.1 respectively. Office has
externally visible IP address 198.51.100.194 (network: 198.51.100.192/29)
with ISP-side gateway as 198.51.100.193.

EC2 VPC has LAN within 10.0.0.0/24, with default gateway set to 10.0.0.1.

Here are the steps I followed:

1. Created a "customer gateway" with my office external IP address,
198.51.100.194 and routing = Static.

2. Created a "virtual private gateway". Attached it to my VPC.

3. Went to my routing table, route propagation configuration and added the
virtual private gateway to it. My understanding is that the EC2 LAN can be
accessed by traffic emerging out of the virtual private gateway.

4. Created VPN connection with:

VPG = created in step 2
CG = created in step 1
IP prefix to be specified = 172.16.100.0/24 and 172.16.101.0/24

5. Selected the VPN thus created and downloaded configuration with these
parameters: Vendor: Generic, Platform: Generic, Software: Vendor agnostic.
The configuration dump is available at:

http://pastebin.com/vrjYEpFi

6. Used this dump to create my Openswan configuration. It is:

ipsec.secrets:

# AWS VPC connection
# The PSK is autogenerated by AWS.
198.51.100.194  203.0.113.224   :       PSK     "PSK1"
198.51.100.194  203.0.113.192   :       PSK     "PSK2"

ipsec.conf (I don't think the two-tunnel HA model works with Openswan, so I
have left one of them down all the time).

conn aws-vpc-1
        leftsourceip=192.168.1.74
        leftsubnets="172.16.100.0/24 172.16.101.0/24"
        right=203.0.113.224
        rightid=203.0.113.224
        rightsourceip=192.168.1.73
        rightsubnet=10.0.0.0/24
        also=aws-vpc-common

#conn aws-vpc-2
        #leftsourceip=192.168.1.78
        #leftsubnets="172.16.100.0/24 172.16.101.0/24"
        #right=203.0.113.192
        #rightid=203.0.113.192
        #rightsourceip=192.168.1.77
        #rightsubnet=10.0.0.0/24
        #also=aws-vpc-common

conn aws-vpc-common
        left=198.51.100.194
        leftid=198.51.100.194
        leftnexthop=198.51.100.193
        type=tunnel
        authby=secret
        auto=start
        ike=aes128-sha1;modp1024
        phase2=esp
        phase2alg=aes128-sha1;modp1024
        aggrmode=no
[root at zagreb ipsec.d]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-279.19.1.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in
/proc/sys/crypto/fips_enabled
ipsec_setup: defaulting leftsubnet to 192.168.1.74
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in
/proc/sys/crypto/fips_enabled
And this is what is logged to syslog:

http://pastebin.com/mb57S3eb

Finally:

[root at zagreb ipsec.d]# service ipsec status
IPsec running  - pluto pid: 3597
pluto pid 3597
2 tunnels up
some eroutes exist

My problem is that nothing goes through the tunnel.

[root at zagreb ipsec.d]# ip route show
172.16.101.2 dev tun0  proto kernel  scope link  src 172.16.101.1
198.51.100.192/29 dev eth1  proto kernel  scope link  src 198.51.100.194
172.16.100.0/24 dev eth0  proto kernel  scope link  src 172.16.100.1
172.16.101.0/24 via 172.16.101.2 dev tun0
10.0.0.0/24 via 198.51.100.193 dev eth1  src 192.168.1.74
169.254.0.0/16 dev eth1  scope link  metric 1002
169.254.0.0/16 dev eth0  scope link  metric 1003
default via 198.51.100.193 dev eth1
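A small audit script, added here as an illustration and not part of the original post or of Openswan itself: it parses the ipsec.conf conn sections quoted above (with `also=` resolved the way Openswan does it, the including section's own keys winning), expands `leftsubnets` x `rightsubnet` into the subnet pairs the kernel policies should cover, and compares them with the `ip route show` output from the post. Besides checking that each local subnet has a connected route, it flags a `leftsourceip`, or a `src` hint on the route to the remote subnet, that falls outside every declared local subnet, since packets sourced from such an address never match a subnet-to-subnet policy and leave the box in the clear. The config and route text are embedded as constructed samples taken from the post; the conn name `aws-vpc-1` and the finding strings are this script's own.

```python
import ipaddress

# Constructed sample: the two conns from the post that are actually in use.
IPSEC_CONF = """\
conn aws-vpc-1
        leftsourceip=192.168.1.74
        leftsubnets="172.16.100.0/24 172.16.101.0/24"
        right=203.0.113.224
        rightid=203.0.113.224
        rightsourceip=192.168.1.73
        rightsubnet=10.0.0.0/24
        also=aws-vpc-common

conn aws-vpc-common
        left=198.51.100.194
        leftid=198.51.100.194
        leftnexthop=198.51.100.193
        type=tunnel
        authby=secret
        auto=start
"""

# Constructed sample: 'ip route show' as pasted in the post.
IP_ROUTE = """\
172.16.101.2 dev tun0  proto kernel  scope link  src 172.16.101.1
198.51.100.192/29 dev eth1  proto kernel  scope link  src 198.51.100.194
172.16.100.0/24 dev eth0  proto kernel  scope link  src 172.16.100.1
172.16.101.0/24 via 172.16.101.2 dev tun0
10.0.0.0/24 via 198.51.100.193 dev eth1  src 192.168.1.74
default via 198.51.100.193 dev eth1
"""


def parse_conns(text):
    """Return {conn_name: {key: value}}; '#' comments and quotes are stripped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith('conn '):
            cur = line.split(None, 1)[1].strip()
            conns[cur] = {}
        elif cur is not None and '=' in line:
            key, val = line.strip().split('=', 1)
            conns[cur][key.strip()] = val.strip().strip('"')
    return conns


def resolve(conns, name, seen=()):
    """Merge 'also=' sections; keys set in the including section take effect."""
    if name in seen:
        raise ValueError('also= loop at ' + name)
    own = dict(conns[name])
    base = own.pop('also', None)
    merged = resolve(conns, base, seen + (name,)) if base else {}
    merged.update(own)
    return merged


def policies(conn):
    """Expand leftsubnets/rightsubnets into the (local, remote) pairs to protect."""
    lefts = conn.get('leftsubnets', conn.get('leftsubnet', '')).split()
    rights = conn.get('rightsubnets', conn.get('rightsubnet', '')).split()
    return [(ipaddress.ip_network(l), ipaddress.ip_network(r))
            for l in lefts for r in rights]


def parse_routes(text):
    """Minimal 'ip route show' parser: destination, device and optional src hint."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dst = (ipaddress.ip_network('0.0.0.0/0') if f[0] == 'default'
               else ipaddress.ip_network(f[0], strict=False))
        routes.append({'dst': dst,
                       'dev': f[f.index('dev') + 1] if 'dev' in f else None,
                       'src': f[f.index('src') + 1] if 'src' in f else None})
    return routes


def audit(conf_text, route_text, name):
    """Return a list of human-readable findings (empty list means nothing odd)."""
    conn = resolve(parse_conns(conf_text), name)
    pols = policies(conn)
    lefts = [l for l, _ in pols]
    routes = parse_routes(route_text)
    findings = []

    def in_local(addr):
        return any(ipaddress.ip_address(addr) in l for l in lefts)

    sip = conn.get('leftsourceip')
    if sip and not in_local(sip):
        findings.append('leftsourceip %s is outside every local subnet %s'
                        % (sip, [str(l) for l in lefts]))
    for local, remote in pols:
        if not any(rt['dst'] == local for rt in routes):
            findings.append('no route for local subnet %s' % local)
        # Most specific route covering the remote subnet decides the source hint.
        best = max((rt for rt in routes if remote.subnet_of(rt['dst'])),
                   key=lambda rt: rt['dst'].prefixlen, default=None)
        if best is None:
            findings.append('no route at all towards remote subnet %s' % remote)
        elif best['src'] and not in_local(best['src']):
            findings.append('route to %s prefers src %s, outside every local subnet'
                            % (remote, best['src']))
    return findings


if __name__ == '__main__':
    for f in audit(IPSEC_CONF, IP_ROUTE, 'aws-vpc-1') or ['no findings']:
        print(f)
```

Run against the posted configuration and routing table, the script reports both the `leftsourceip` and the `src 192.168.1.74` hint on the 10.0.0.0/24 route as lying outside 172.16.100.0/24 and 172.16.101.0/24; a ping from the gateway itself would therefore not exercise the tunnel, whereas a host inside one of the office subnets would. To use it on a live box, replace the two constructed strings with the contents of `/etc/ipsec.conf` and the output of `ip route show`.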

