[Openswan Users] Connecting to AWS with BGP routing

Amos Shapira amos.shapira at gmail.com
Thu Feb 18 21:11:47 EST 2016


I forgot to include the output of "ipsec auto --status", which should be
useful:

000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "amos-spoke-c-amos-hub-1": 10.20.50.0/24===10.20.50.15[52.4.101.228]...52.7.165.219<52.7.165.219>===10.20.30.0/24; erouted; eroute owner: #10
000 "amos-spoke-c-amos-hub-1":     myip=unset; hisip=unset;
000 "amos-spoke-c-amos-hub-1":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "amos-spoke-c-amos-hub-1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0;
000 "amos-spoke-c-amos-hub-1":   newest ISAKMP SA: #12; newest IPsec SA: #10;
000 "amos-spoke-c-amos-hub-1":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000 "amos-spoke-c-amos-hub-2": 10.20.50.0/24===10.20.50.15[52.4.101.228]---169.254.44.209...54.173.211.136<54.173.211.136>===10.20.30.0/24; unrouted; eroute owner: #0
000 "amos-spoke-c-amos-hub-2":     myip=169.254.44.210; hisip=unset;
000 "amos-spoke-c-amos-hub-2":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "amos-spoke-c-amos-hub-2":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0;
000 "amos-spoke-c-amos-hub-2":   newest ISAKMP SA: #11; newest IPsec SA: #0;
000 "amos-spoke-c-amos-hub-2":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #12: "amos-spoke-c-amos-hub-1":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2393s; newest ISAKMP; lastdpd=0s(seq in:0 out:0); idle; import:admin initiate
000 #10: "amos-spoke-c-amos-hub-1":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 820s; newest IPSEC; eroute owner; isakmp#9; idle; import:admin initiate
000 #10: "amos-spoke-c-amos-hub-1" esp.481523e2@52.7.165.219 esp.fdb3b3d8@10.20.50.15 tun.0@52.7.165.219 tun.0@10.20.50.15 ref=0 refhim=4294901761
000 #9: "amos-spoke-c-amos-hub-1":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 454s; lastdpd=151s(seq in:0 out:0); idle; import:admin initiate
000 #11: "amos-spoke-c-amos-hub-2":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2162s; newest ISAKMP; lastdpd=730s(seq in:0 out:0); idle; import:admin initiate
000 #8: "amos-spoke-c-amos-hub-2":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 3s; lastdpd=3587s(seq in:0 out:0); idle; import:admin initiate

I notice that the first tunnel (the one which comes up) has "myip=unset;
hisip=unset;". Is this significant? The other tunnel probably has "myip"
set because I set leftsourceip as part of my experiments.

On 19 February 2016 at 12:58, Amos Shapira <amos.shapira at gmail.com> wrote:

> Hello,
>
> I got OpenSwan talking to AWS Virtual Gateway just fine, and can now route
> directly between two VPC's using static routes.
> But I have to switch to BGP routing in order to do smarter routing (e.g.
> have a Virtual Gateway act as a hub between multiple VPC's and non-VPC
> networks).
>
> I tried configuring bgpd from Quagga but it fails to initiate the
> connection, and I suspect that it might be related to the IPSec tunnel not
> having routable end-points(?)
> (I might be talking rubbish here, I'm a noob when it comes to ipsec).
>
> Here is the configuration I have in a test network. It's a VPC running
> OpenSwan on Ubuntu 14.04 on EC2 with a subnet of 10.20.50/24, connecting
> to a Virtual GW in another VPC (the test "Hub") which has a subnet of
> 10.20.30/24.
>
> version 2.0
> config setup
>     dumpdir=/var/run/pluto/
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.20.50.0/24
>     oe=off
>     protostack=netkey
>     interfaces=%defaultroute
> include /etc/ipsec.d/*.conf
> conn amos-spoke-c-amos-hub-1
>     type=tunnel
>     authby=secret
>     forceencaps=yes
>     auto=start
>     left=%defaultroute
>     leftid=52.4.101.228
>     leftnexthop=%defaultroute
>     leftsubnet=10.20.50.0/24
>     right=52.7.165.219
>     rightid=52.7.165.219
>     rightsubnet=10.20.30.0/24
>
>
> bgpd.conf:
>
> !
> ! Zebra configuration saved from vty
> !   2016/02/18 05:51:54
> !
> hostname ip-10-20-50-15
> password zebra
> log stdout
> !
> debug bgp events
> debug bgp keepalives
> debug bgp updates
> debug bgp fsm
> debug bgp filters
> !
> router bgp 65102
>  bgp router-id 0.0.0.0
>  neighbor 169.254.44.121 remote-as 7224
>  neighbor 169.254.44.121 timers 10 30
>  neighbor 169.254.44.121 timers connect 30
>  neighbor 169.254.44.121 soft-reconfiguration inbound
> !
> line vty
> !
>
> The Virtual Gateway configuration in generic format is below (I tried to
> keep only the relevant parts). I suspect that the issue boils down to my
> configuration not mentioning any of the "Inside IP Addresses" from
> that file, but I don't know how I am supposed to do that.
>
> Could you please explain to me what I should change?
>
> Thanks.
>
> Amazon Web Services
> Virtual Private Cloud
>
> IPSec Tunnel #1
>
> ================================================================================
> #1: Internet Key Exchange Configuration
> ...
> The Customer Gateway and Virtual Private Gateway each have two addresses that relate
> to this IPSec tunnel. Each contains an outside address, upon which encrypted
> traffic is exchanged. Each also contains an inside address associated with
> the tunnel interface.
>
> The Customer Gateway outside IP address was provided when the Customer Gateway
> was created. Changing the IP address requires the creation of a new
> Customer Gateway.
>
> The Customer Gateway inside IP address should be configured on your tunnel
> interface.
>
> Outside IP Addresses:
>   - Customer Gateway        : 52.4.101.228
>   - Virtual Private Gateway : 52.7.165.219
> Inside IP Addresses
>   - Customer Gateway        : 169.254.44.122/30
>   - Virtual Private Gateway : 169.254.44.121/30
>
> Configure your tunnel to fragment at the optimal size:
>   - Tunnel interface MTU    : 1436 bytes
>
> #4: Border Gateway Protocol (BGP) Configuration:
>
> The Border Gateway Protocol (BGPv4) is used within the tunnel, between the inside
> IP addresses, to exchange routes from the VPC to your home network. Each
> BGP router has an Autonomous System Number (ASN). Your ASN was provided
> to AWS when the Customer Gateway was created.
>
> BGP Configuration Options:
>   - Customer Gateway ASN        : 65102
>   - Virtual Private Gateway ASN : 7224
>   - Neighbor IP Address         : 169.254.44.121
>   - Neighbor Hold Time          : 30
>
> Configure BGP to announce routes to the Virtual Private Gateway. The gateway
> will announce prefixes to your customer gateway based upon the prefix you
> assigned to the VPC at creation time.
>
> ...
> (Tunnel 2 configuration removed)


-- 
<http://au.linkedin.com/in/gliderflyer>
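The status output in the message above can be checked mechanically. The script below is an added example, not code from the post, from Openswan or from AWS. It parses the conn and SA lines of "ipsec auto --status" in the format shown in the message (the embedded sample is a constructed copy of those lines) and reports, per conn, whether an IPsec SA is established, whether a source address (myip, which reflects leftsourceip) is set, and whether the BGP neighbour address from the AWS generic configuration (169.254.44.121) falls inside the conn's remote selector. That last check matters because a policy-based tunnel only carries packets whose addresses match its selectors, so BGP packets to an inside address outside 10.20.30.0/24 are not sent through the tunnel at all. The function names and the wording of the findings are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the conn and SA lines of `ipsec auto --status` as quoted
# in the message, with the list-archive markup stripped.
SAMPLE_STATUS = """\
000 "amos-spoke-c-amos-hub-1": 10.20.50.0/24===10.20.50.15[52.4.101.228]...52.7.165.219<52.7.165.219>===10.20.30.0/24; erouted; eroute owner: #10
000 "amos-spoke-c-amos-hub-1":     myip=unset; hisip=unset;
000 "amos-spoke-c-amos-hub-1":   newest ISAKMP SA: #12; newest IPsec SA: #10;
000 "amos-spoke-c-amos-hub-2": 10.20.50.0/24===10.20.50.15[52.4.101.228]---169.254.44.209...54.173.211.136<54.173.211.136>===10.20.30.0/24; unrouted; eroute owner: #0
000 "amos-spoke-c-amos-hub-2":     myip=169.254.44.210; hisip=unset;
000 "amos-spoke-c-amos-hub-2":   newest ISAKMP SA: #11; newest IPsec SA: #0;
000 #12: "amos-spoke-c-amos-hub-1":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2393s; newest ISAKMP; idle; import:admin initiate
000 #10: "amos-spoke-c-amos-hub-1":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 820s; newest IPSEC; eroute owner; isakmp#9; idle; import:admin initiate
000 #11: "amos-spoke-c-amos-hub-2":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2162s; newest ISAKMP; idle; import:admin initiate
"""

# Per-conn attribute lines:  000 "name":  field; field; ...
CONN_LINE = re.compile(r'^000 "(?P<conn>[^"]+)":\s*(?P<rest>.*)$')
# Per-SA state lines:        000 #N: "name":port STATE_XXX (description); ...
SA_LINE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) \((?P<what>[^)]*)\)'
)


@dataclass
class Conn:
    name: str
    left_subnet: Optional[str] = None
    right_subnet: Optional[str] = None
    routed: Optional[bool] = None     # "erouted" vs "unrouted"
    eroute_owner: int = 0
    myip: Optional[str] = None        # None when the status shows myip=unset
    hisip: Optional[str] = None
    newest_isakmp: int = 0
    newest_ipsec: int = 0             # 0 means no IPsec SA exists for this conn
    sa_states: Dict[int, str] = field(default_factory=dict)


def parse_status(text: str) -> Dict[str, Conn]:
    """Collect the conn attributes and SA states out of `ipsec auto --status` text."""
    conns: Dict[str, Conn] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_LINE.match(line)
        if m:
            conns.setdefault(m["conn"], Conn(m["conn"])).sa_states[int(m["sa"])] = m["state"]
            continue
        m = CONN_LINE.match(line)
        if not m:
            continue
        c = conns.setdefault(m["conn"], Conn(m["conn"]))
        for f in (x.strip() for x in m["rest"].split(";")):
            if "===" in f:                      # leftsubnet===left...right===rightsubnet
                ends = f.split("===")
                c.left_subnet, c.right_subnet = ends[0], ends[-1]
            elif f in ("erouted", "unrouted"):
                c.routed = f == "erouted"
            elif f.startswith("eroute owner: #"):
                c.eroute_owner = int(f.rsplit("#", 1)[1])
            elif f.startswith("myip="):
                c.myip = None if f[5:] == "unset" else f[5:]
            elif f.startswith("hisip="):
                c.hisip = None if f[6:] == "unset" else f[6:]
            elif f.startswith("newest ISAKMP SA: #"):
                c.newest_isakmp = int(f.rsplit("#", 1)[1])
            elif f.startswith("newest IPsec SA: #"):
                c.newest_ipsec = int(f.rsplit("#", 1)[1])
    return conns


def selector_network(selector: str):
    """Turn a selector such as '10.20.30.0/24' into a network; a bare endpoint
    like '52.7.165.219<52.7.165.219>' becomes a /32. Returns None if unparsable."""
    host = re.split(r"[<\[]", selector)[0]
    try:
        return ipaddress.ip_network(host, strict=False)
    except ValueError:
        return None


def tunnel_report(conns: Dict[str, Conn], bgp_neighbor: str) -> Dict[str, List[str]]:
    """List, per conn, the conditions that would keep BGP from running over it."""
    neighbor = ipaddress.ip_address(bgp_neighbor)
    report: Dict[str, List[str]] = {}
    for name, c in conns.items():
        problems: List[str] = []
        if not c.routed or c.newest_ipsec == 0:
            problems.append("no IPsec SA established (newest IPsec SA: #%d, %s)"
                            % (c.newest_ipsec, "erouted" if c.routed else "unrouted"))
        net = selector_network(c.right_subnet) if c.right_subnet else None
        if net is not None and neighbor not in net:
            problems.append("BGP neighbor %s is outside the remote selector %s"
                            % (bgp_neighbor, c.right_subnet))
        if c.myip is None:
            problems.append("myip=unset: no leftsourceip configured for this conn")
        report[name] = problems
    return report


if __name__ == "__main__":
    for name, problems in tunnel_report(parse_status(SAMPLE_STATUS), "169.254.44.121").items():
        print(name)
        for p in problems or ["no problems found"]:
            print("  -", p)
```

Run against the sample, it reports both conns: hub-1 has an IPsec SA but neither a source address nor a selector covering the neighbour, and hub-2 has no IPsec SA at all (newest IPsec SA #0, unrouted). Feeding it the live output of "ipsec auto --status" after each configuration change shows whether a change moved the neighbour inside the tunnel's policy.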