[Openswan Users] Connecting to AWS with BGP routing

Amos Shapira amos.shapira at gmail.com
Thu Feb 18 20:58:33 EST 2016


Hello,

I got OpenSwan talking to the AWS Virtual Gateway just fine, and can now route
directly between two VPCs using static routes.
But I have to switch to BGP routing in order to do smarter routing (e.g.
have a Virtual Gateway act as a hub between multiple VPCs and non-VPC
networks).

I tried configuring bgpd from Quagga but it fails to initiate the
connection, and I suspect that it might be related to the IPSec tunnel not
having routable end-points(?)
(I might be talking rubbish here, I'm a noob when it comes to ipsec).

Here is the configuration I have in a test network. It's a VPC running
OpenSwan on Ubuntu 14.04 on EC2 with a subnet of 10.20.50/24 and connecting
to a Virtual GW in another VPC (the test "Hub") which has a subnet of
10.20.30/24.

version 2.0
config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.20.50.0/24
    oe=off
    protostack=netkey
    interfaces=%defaultroute
include /etc/ipsec.d/*.conf
conn amos-spoke-c-amos-hub-1
    type=tunnel
    authby=secret
    forceencaps=yes
    auto=start
    left=%defaultroute
    leftid=52.4.101.228
    leftnexthop=%defaultroute
    leftsubnet=10.20.50.0/24
    right=52.7.165.219
    rightid=52.7.165.219
    rightsubnet=10.20.30.0/24


bgpd.conf:

!
! Zebra configuration saved from vty
!   2016/02/18 05:51:54
!
hostname ip-10-20-50-15
password zebra
log stdout
!
debug bgp events
debug bgp keepalives
debug bgp updates
debug bgp fsm
debug bgp filters
!
router bgp 65102
 bgp router-id 0.0.0.0
 neighbor 169.254.44.121 remote-as 7224
 neighbor 169.254.44.121 timers 10 30
 neighbor 169.254.44.121 timers connect 30
 neighbor 169.254.44.121 soft-reconfiguration inbound
!
line vty
!

The Virtual Gateway configuration in generic format is below (I tried to
keep only the relevant parts). I suspect that the issue boils down to my
configuration not mentioning any of the "Inside IP Addresses" from that
file, but I don't know how I am supposed to do that.

Could you please explain to me what I should change?

Thanks.

Amazon Web Services
Virtual Private Cloud

IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration
...
The Customer Gateway and Virtual Private Gateway each have two addresses that relate
to this IPSec tunnel. Each contains an outside address, upon which encrypted
traffic is exchanged. Each also contains an inside address associated with
the tunnel interface.

The Customer Gateway outside IP address was provided when the Customer Gateway
was created. Changing the IP address requires the creation of a new
Customer Gateway.

The Customer Gateway inside IP address should be configured on your tunnel
interface.

Outside IP Addresses:
  - Customer Gateway        : 52.4.101.228
  - Virtual Private Gateway : 52.7.165.219
Inside IP Addresses
  - Customer Gateway        : 169.254.44.122/30
  - Virtual Private Gateway : 169.254.44.121/30

Configure your tunnel to fragment at the optimal size:
  - Tunnel interface MTU    : 1436 bytes

#4: Border Gateway Protocol (BGP) Configuration:

The Border Gateway Protocol (BGPv4) is used within the tunnel, between the inside
IP addresses, to exchange routes from the VPC to your home network. Each
BGP router has an Autonomous System Number (ASN). Your ASN was provided
to AWS when the Customer Gateway was created.

BGP Configuration Options:
  - Customer Gateway ASN        : 65102
  - Virtual Private Gateway ASN : 7224
  - Neighbor IP Address         : 169.254.44.121
  - Neighbor Hold Time          : 30

Configure BGP to announce routes to the Virtual Private Gateway. The gateway
will announce prefixes to your customer gateway based upon the prefix you
assigned to the VPC at creation time.

...
(Tunnel 2 configuration removed)
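Since the question is why bgpd never reaches the 169.254.44.121 peer, here is an added consistency check (my code, not Amos's and not part of Openswan or Quagga) that parses constructed excerpts modelled on the three files quoted above and reports where the AWS inside addresses are missing from ipsec.conf and bgpd.conf; the finding texts and the excerpt layout are my own.

```python
import ipaddress
import re
# Constructed excerpts modelled on the three files quoted in the post above.
AWS_GENERIC = """\
Inside IP Addresses
  - Customer Gateway         : 169.254.44.122/30
  - Virtual Private Gateway  : 169.254.44.121/30
BGP Configuration Options:
  - Customer Gateway ASN     : 65102
  - Virtual Private Gateway ASN : 7224
  - Neighbor IP Address      : 169.254.44.121
"""
BGPD_CONF = "router bgp 65102\n bgp router-id 0.0.0.0\n neighbor 169.254.44.121 remote-as 7224\n"
IPSEC_CONF = """\
conn amos-spoke-c-amos-hub-1
    leftsubnet=10.20.50.0/24
    right=52.7.165.219
    rightsubnet=10.20.30.0/24
"""

def parse_aws(text):
    """Map (section, label) -> value for the '  - Label : value' lines of the AWS file."""
    out, section = {}, None
    for line in text.splitlines():
        m = re.match(r"\s+-\s*(.+?)\s*:\s*(\S+)", line)
        if m:
            out[(section, re.sub(r"\s+", " ", m.group(1)))] = m.group(2)
        elif line.strip():
            section = line.strip().rstrip(":")
    return out

def check_bgp_over_ipsec(aws_text, bgpd_text, ipsec_text):
    """Return findings that explain why bgpd cannot reach the VGW peer."""
    aws = parse_aws(aws_text)
    local = ipaddress.ip_interface(aws[("Inside IP Addresses", "Customer Gateway")])
    peer = ipaddress.ip_address(aws[("BGP Configuration Options", "Neighbor IP Address")])
    vgw_asn = aws[("BGP Configuration Options", "Virtual Private Gateway ASN")]
    findings = []
    if not re.search(rf"neighbor {re.escape(str(peer))} remote-as {vgw_asn}\b", bgpd_text):
        findings.append("bgpd neighbor/remote-as does not match the AWS peer address and ASN")
    if re.search(r"router-id 0\.0\.0\.0", bgpd_text):
        findings.append("bgp router-id 0.0.0.0 is not a valid BGP identifier (RFC 6286)")
    # bgpd needs a local address inside the /30; ipsec.conf never mentions it.
    if str(local.ip) not in ipsec_text:
        findings.append(f"inside address {local} is configured nowhere in ipsec.conf")
    # With netkey policy-based tunnels only traffic matching a subnet selector is encrypted.
    subnets = [ipaddress.ip_network(s) for s in re.findall(r"rightsubnet=(\S+)", ipsec_text)]
    if not any(peer in s for s in subnets):
        findings.append(f"peer {peer} matches no rightsubnet, so TCP/179 to it is never tunnelled")
    return findings
```

Running it against the excerpts prints three findings: the unusable router-id, the missing 169.254.44.122/30 inside address, and the fact that no rightsubnet covers the peer.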