[Openswan Users] Openswan takes over connection to EC2 instance
Amos Shapira
amos.shapira at gmail.com
Wed May 18 07:23:46 EDT 2016
Hi,
I managed to get OpenSwan 2.6.38-1 on Ubuntu 14.04 on an EC2 instance to talk
to the AWS Virtual GW and bring up a BGP4 session using Quagga 0.99.22.4.
The problem is that as soon as the ipsec service is fired up, I lose the direct
connection to the instance and it's only accessible through the ipsec
tunnel.
I'd like to be able to use the instance also as a NAT gateway for the rest
of the network.
In general, I want it to route all traffic to/from RFC-1918 networks except
the local VPC over the tunnel, but also leave non-RFC-1918 traffic out and
let it go directly to the Internet.
The configuration which works for me for now (but doesn't let me talk
directly to the instance outside the tunnel when ipsec is running) is the
following:
/etc/ipsec.conf:
config setup
        # Linux native IPsec (XFRM) stack
        protostack=netkey
        nat_traversal=yes
        # private ranges a road-warrior peer may claim behind NAT
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        # no opportunistic encryption
        oe=off
include /etc/ipsec.d/*.conf
/etc/ipsec.d/vpn.conf:
conn vpn
        type=tunnel
        authby=secret
        # local end: interface of the default route; leftid is the public (EIP) address the VGW sees
        left=%defaultroute
        leftid=52.203.150.120
        leftsubnet=10.20.40.0/24
        # AWS Virtual GW outside address and the network behind it
        right=52.71.186.227
        rightsubnet=10.20.30.0/24
        auth=esp
        phase2alg=aes128-sha1
        ike=aes128-sha1
        ikelifetime=28800s
        salifetime=3600s
        pfs=yes
        auto=start
        keyexchange=ike
        rekey=yes
        keyingtries=%forever
        # dead peer detection: probe every 10s, give up after 30s, then restart all tunnels to this peer
        dpddelay=10
        dpdtimeout=30
        dpdaction=restart_by_peer
/etc/quagga/bgpd.conf:
hostname bgp
password test
enable password test
!
log file /var/log/quagga/bgpd
debug bgp events
debug bgp zebra
debug bgp updates
!
router bgp 65500
bgp router-id 52.203.150.120
network 169.254.44.74/30
network 10.20.40.0/24
!
! aws tunnel #1 neighbour
neighbor 169.254.44.73 remote-as 7224
!
line vty
/etc/quagga/zebra.conf:
hostname Router
password zebra
enable password zebra
interface eth0
log file /var/log/quagga/zebra.log
I suspect that the issue is that the "right=0.0.0.0/0" turns the tunnel
into a sort of "default route" so everything is sent through it, where in
fact I just want only legitimate traffic to/from RFC-1918 and the Virtual
GW "Internal IP Addresses" to go through the tunnel.
I tried to change the "rightsubnet=0.0.0.0/0" to "rightsubnets={172.16.0.0/12
169.254.0.0/16}" (and changed "leftsubnet" to "leftsubnets") but, though the
ipsec tunnel comes up, the BGP session fails to initiate (and generally, the
other side of the tunnel's internal IP 169.254.44.73, which is where the
BGP is trying to connect, is not accessible).
The AWS support person who's been working on this with me suspects that
"0.0.0.0/0" holds a special meaning for ipsec where it means "use policy
based routing" and if I change it to anything else then ipsec changes to
something else to determine routing?
Is there a way to achieve what I want?
Thanks,
--Amos
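What decides whether a packet leaves in the clear or goes into the tunnel on the netkey stack is the XFRM policy table that Openswan installs from each conn's left/right selectors, visible on the host with `ip xfrm policy show`. The following added example (not code from the post, from Openswan or from AWS) models that lookup over constructed `ip xfrm policy show` output for three assumed selector layouts: an any-to-any pair, the leftsubnet=10.20.40.0/24 plus rightsubnets={172.16.0.0/12 169.254.0.0/16} layout the message describes, and that layout extended with the tunnel's inner /30 and a template-less (passthrough) policy for an assumed local VPC of 10.20.0.0/16. The instance's private address 10.20.40.10, the admin host 203.0.113.5, the policy priorities and the reqid are all constructed; only the "out" direction is modelled, and what the poster's host actually installed has to be read from `ip xfrm policy show` there.

```python
"""Model of the Linux XFRM policy lookup used by the netkey stack, run over
constructed `ip xfrm policy show` output.  Added example; not from the post
or from Openswan.  Only the "out" direction is modelled."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str = ""
    priority: int = 0
    # (outer src, outer dst) per tmpl line; no tmpl at all means a bypass
    # (passthrough) policy and the flow leaves in the clear.
    templates: list = field(default_factory=list)


POLICY_RE = re.compile(r"^src (\S+) dst (\S+)\s*$")
DIR_RE = re.compile(r"^\s+dir (\w+) priority (\d+)")
TMPL_RE = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")


def parse_xfrm_policies(text):
    """Parse the subset of `ip xfrm policy show` output used here."""
    policies, cur = [], None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            cur = Policy(ipaddress.ip_network(m.group(1)),
                         ipaddress.ip_network(m.group(2)))
            policies.append(cur)
        elif cur is not None and DIR_RE.match(line):
            m = DIR_RE.match(line)
            cur.direction, cur.priority = m.group(1), int(m.group(2))
        elif cur is not None and TMPL_RE.match(line):
            m = TMPL_RE.match(line)
            cur.templates.append((m.group(1), m.group(2)))
    return policies


def classify(policies, src_ip, dst_ip, direction="out"):
    """Among matching policies XFRM takes the lowest priority value.
    Returns 'clear' (no policy), 'bypass' (passthrough) or 'tunnel <peer>'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies
            if p.direction == direction and s in p.src and d in p.dst]
    if not hits:
        return "clear"
    best = min(hits, key=lambda p: p.priority)
    return "bypass" if not best.templates else "tunnel " + best.templates[0][1]


# Constructed tmpl lines using the outer addresses from the post.
TMPL = ("\ttmpl src 52.203.150.120 dst 52.71.186.227\n"
        "\t\tproto esp reqid 16385 mode tunnel\n")


def out_policy(src, dst, priority=2048, tunnel=True):
    """Build one constructed policy entry in `ip xfrm policy show` layout."""
    return ("src %s dst %s\n\tdir out priority %d ptype main\n" % (src, dst, priority)
            + (TMPL if tunnel else ""))


# Constructed: leftsubnet=rightsubnet=0.0.0.0/0, an any-to-any selector.
ANY_TO_ANY = out_policy("0.0.0.0/0", "0.0.0.0/0")

# Constructed: leftsubnet=10.20.40.0/24 with
# rightsubnets={172.16.0.0/12 169.254.0.0/16}, the layout the poster tried.
LEFT24_RIGHT2 = (out_policy("10.20.40.0/24", "172.16.0.0/12")
                 + out_policy("10.20.40.0/24", "169.254.0.0/16"))

# Constructed: the same plus the tunnel's inner /30 on the left side, a
# 10.0.0.0/8 policy, and a template-less (passthrough) policy for an assumed
# local VPC 10.20.0.0/16 whose lower priority value wins over the /8 one.
WITH_BGP_AND_VPC_BYPASS = (LEFT24_RIGHT2
                           + out_policy("169.254.44.72/30", "169.254.0.0/16")
                           + out_policy("10.20.40.0/24", "10.0.0.0/8")
                           + out_policy("10.20.40.0/24", "10.20.0.0/16",
                                        priority=1024, tunnel=False))

# Constructed flows: 10.20.40.10 is an assumed VPC-private address of the
# instance, 203.0.113.5 an assumed admin host on the Internet.
FLOWS = {
    "ssh reply to admin":  ("10.20.40.10", "203.0.113.5"),
    "bgp to aws inner ip": ("169.254.44.74", "169.254.44.73"),
    "172.16/12 via aws":   ("10.20.40.10", "172.16.5.5"),
    "same vpc":            ("10.20.40.10", "10.20.50.5"),
    "other 10/8 via aws":  ("10.20.40.10", "10.30.1.1"),
    "internet":            ("10.20.40.10", "8.8.8.8"),
}


def report(layout_text):
    """Map each constructed flow to what the given policy set does with it."""
    pols = parse_xfrm_policies(layout_text)
    return {name: classify(pols, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for name, text in (("any-to-any", ANY_TO_ANY),
                       ("left /24, two rightsubnets", LEFT24_RIGHT2),
                       ("+ bgp /30 + vpc bypass", WITH_BGP_AND_VPC_BYPASS)):
        print("== " + name)
        for flow, verdict in report(text).items():
            print("  %-20s %s" % (flow, verdict))
```

Run stand-alone, the model reports that an any-to-any selector claims every flow for the tunnel, the SSH reply to the admin host and the Internet-bound flow included, while a selector pair whose left side is only 10.20.40.0/24 leaves a packet sourced from 169.254.44.74 unmatched, so it is sent in the clear regardless of how the right side is widened. The third layout is one shape in which the inner /30 is tunnelled, the rest of the VPC bypasses the tunnel through a template-less policy, and non-RFC-1918 destinations fall through to normal routing; whether Openswan on the real host produces exactly these policies is what `ip xfrm policy show` on that host has to confirm.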