[Openswan Users] Openswan takes over connection to EC2 instance

Amos Shapira amos.shapira at gmail.com
Wed May 18 07:23:46 EDT 2016


Hi,

I managed to get OpenSwan 2.6.38-1 on Ubuntu 14.04 on EC2 instance to talk
to AWS Virtual GW and bring up BGP4 session using Quagga 0.99.22.4.

The problem is that as soon as the ipsec service is fired up, I lose direct
connection to the instance and it's only accessible through the ipsec
tunnel.

I'd like to be able to use the instance also as a NAT gateway for the rest
of the network.

In general, I want it to route all traffic to/from RFC-1918 networks except
the local VPC over the tunnel, but also leave non-RFC-1918 traffic out and
let it go directly to the Internet.

The configuration which works for me for now (but doesn't let me talk
directly to the instance outside the tunnel when ipsec is running) is the
following:

/etc/ipsec.conf:

config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
include /etc/ipsec.d/*.conf


/etc/ipsec.d/vpn.conf:

conn vpn
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=52.203.150.120
    leftsubnet=10.20.40.0/24
    right=52.71.186.227
    rightsubnet=10.20.30.0/24
    auth=esp
    phase2alg=aes128-sha1
    ike=aes128-sha1
    ikelifetime=28800s
    salifetime=3600s
    pfs=yes
    auto=start
    keyexchange=ike
    rekey=yes
    keyingtries=%forever
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer

/etc/quagga/bgpd.conf:

hostname bgp
password test
enable password test
!
log file /var/log/quagga/bgpd
debug bgp events
debug bgp zebra
debug bgp updates
!
router bgp 65500
bgp router-id 52.203.150.120
network 169.254.44.74/30
network 10.20.40.0/24
!
! aws tunnel #1 neighbour
neighbor 169.254.44.73 remote-as 7224
!
line vty

/etc/quagga/zebra.conf:

hostname Router
password zebra
enable password zebra
interface eth0
log file /var/log/quagga/zebra.log

I suspect that the issue is that the "right=0.0.0.0/0" turns the tunnel
into sort of "default route" so everything is sent through it, where in
fact I just want only legitimate traffic to/from RFC-1918 and the Virtual
GW "Internal IP Addresses" to go through the tunnel.

I tried to change the "rightnet=0.0.0.0/0" to "rightsubnets={172.16.0.0/12
169.254.0.0/16}" (and changed "leftsubnet" to "leftsubnets") but though the
ipsec tunnel comes up the BGP session fails to initiate (and generally, the
other side of the tunnel's internal IP 169.254.44.73, which is where the
BGP is trying to connect, is not accessible).

The AWS support person who's been working on this with me suspects that
"0.0.0.0/0" holds a special meaning for ipsec where it means "use policy
based routing" and if I change it to anything else then ipsec changes to
something else to determine routing?

Is there a way to achieve what I want?

Thanks,

--Amos
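An added example (mine, not from the post or from Openswan): a small Python model of the outbound IPsec policies netkey installs for leftsubnets x rightsubnets, so the effect of a given selector set on the BGP flow, direct management traffic and Internet-bound traffic can be checked before editing vpn.conf. The catch-all scenario (0.0.0.0/0 on both sides), the instance VPC address 10.20.40.10, the external addresses 203.0.113.5 and 198.51.100.80, and the "fix" selector set are assumptions, not the poster's configuration.

```python
import ipaddress
from itertools import product

def build_outbound_policies(leftsubnets, rightsubnets):
    """One (src, dst) selector pair per leftsubnets x rightsubnets combination,
    which is how Openswan expands a conn into vpn/1x1, vpn/1x2, ... instances."""
    return [(ipaddress.ip_network(l), ipaddress.ip_network(r))
            for l, r in product(leftsubnets, rightsubnets)]

def tunneled(policies, src, dst):
    """True if an outbound packet src->dst matches any selector pair
    (the kernel xfrm policy needs BOTH src and dst to fall inside)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in policies)

def classify(policies, flows):
    """Map each named flow to whether it would enter the tunnel."""
    return {name: tunneled(policies, s, d) for name, (s, d) in flows.items()}

# Constructed sample flows. 10.20.40.10 stands for the instance's VPC address,
# 203.0.113.5 for an admin's host and 198.51.100.80 for an Internet server.
FLOWS = {
    "bgp": ("169.254.44.74", "169.254.44.73"),     # Quagga -> VGW inside address
    "ssh_reply": ("10.20.40.10", "203.0.113.5"),   # reply to a direct SSH login
    "internet": ("10.20.40.10", "198.51.100.80"),  # NAT-gateway traffic
    "remote_lan": ("10.20.40.10", "10.20.30.7"),   # VPC -> host in rightsubnet
}

# Scenario A (assumed): catch-all selectors on both sides.
CATCH_ALL = build_outbound_policies(["0.0.0.0/0"], ["0.0.0.0/0"])
# Scenario B: the leftsubnet / rightsubnets pair tried in the post.
POST_ATTEMPT = build_outbound_policies(["10.20.40.0/24"],
                                       ["172.16.0.0/12", "169.254.0.0/16"])
# Scenario C (assumed): also list the local tunnel address on the left so the
# BGP packets Quagga sources from it have a matching policy.
WITH_TUNNEL_ADDR = build_outbound_policies(
    ["10.20.40.0/24", "169.254.44.74/32"],
    ["172.16.0.0/12", "169.254.0.0/16", "10.20.30.0/24"])

if __name__ == "__main__":
    for name, pol in [("catch-all", CATCH_ALL), ("post", POST_ATTEMPT),
                      ("with tunnel addr", WITH_TUNNEL_ADDR)]:
        print(name, classify(pol, FLOWS))
```

In scenario A every flow, including the SSH reply and Internet-bound traffic, is pulled into the tunnel; in scenario B nothing matches, not even BGP, because its source address lies outside leftsubnet.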