Notes for VPC-to-VPC-with-OpenSWAN:
yum install openswan (on both the Singapore and the Tokyo instance)
chkconfig ipsec on
***********************************************************
Singapore Setup
Singapore OpenSWAN config:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
config setup
        # NAT-T is required on EC2: each instance sits behind the 1:1 NAT of its Elastic IP,
        # so IKE and ESP run over UDP 500/4500. Open both in the security group, from the peer's EIP.
        nat_traversal=yes
        # virtual_private only matters for road-warrior peers (rightsubnet=vhost:%priv);
        # for this static site-to-site tunnel the list below is harmless. Exclude your own
        # subnet (%v4:!172.16.0.0/16) if Openswan warns that it overlaps with leftsubnet.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
        # amazon kernels have no KLIPS support, so use the native kernel IPsec stack
        protostack=netkey
conn singapore-tokyo
        authby=secret
        auto=start
        type=tunnel
        # left = this instance's private address; leftid = its Elastic IP, which is the
        # address the peer sees and the ID the PSK line in ipsec.secrets is matched on
        left=172.16.0.100
        leftid=x.x.x.x           # EIP Singapore
        leftsubnet=172.16.0.0/16
        right=y.y.y.y            # EIP Tokyo
        rightsubnet=10.0.0.0/16
        # IKE and ESP proposals; they must be identical on both ends.
        # If your Openswan build supports it, aes256-sha2_256;modp2048 avoids SHA-1.
        ike=aes256-sha1;modp2048
        phase2=esp
        phase2alg=aes256-sha1;modp2048
----- /etc/ipsec.secrets
#include /etc/ipsec.d/*.secrets
x.x.x.x y.y.y.y: PSK "mysecret488"
The secrets line is <leftid> <rightid>: PSK "...". Use a long random string rather than a short word like the example, keep /etc/ipsec.secrets readable by root only (mode 600), and put the identical PSK on the Tokyo side.
*********************************************
Tokyo Setup
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
config setup
        # NAT-T is required on EC2: the instance sits behind the 1:1 NAT of its Elastic IP,
        # so IKE and ESP run over UDP 500/4500. Open both in the security group, from the peer's EIP.
        nat_traversal=yes
        # virtual_private only matters for road-warrior peers (rightsubnet=vhost:%priv);
        # for this static site-to-site tunnel the list below is harmless. Exclude your own
        # subnet (%v4:!10.0.0.0/16) if Openswan warns that it overlaps with leftsubnet.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
        # amazon kernels have no KLIPS support, so use the native kernel IPsec stack
        protostack=netkey
conn singapore-tokyo
        authby=secret
        auto=start
        type=tunnel
        # The mirror image of the Singapore conn: left/right and the subnets are swapped,
        # everything else (proposals, type, auth) stays the same
        left=10.0.0.100
        leftid=y.y.y.y           # EIP Tokyo
        leftsubnet=10.0.0.0/16
        right=x.x.x.x            # EIP Singapore
        rightsubnet=172.16.0.0/16
        ike=aes256-sha1;modp2048
        phase2=esp
        phase2alg=aes256-sha1;modp2048
----- /etc/ipsec.secrets
#include /etc/ipsec.d/*.secrets
y.y.y.y x.x.x.x: PSK "mysecret488"
The order of the two IDs on the secrets line does not matter; the PSK itself must be the same string as on the Singapore side, and the file should be mode 600.
****************************************************
service ipsec start (on both instances)
echo 1 > /proc/sys/net/ipv4/ip_forward (add to /etc/rc.local; without forwarding the OpenSWAN instance only tunnels its own traffic, not its subnet's)
iptables --table nat --append POSTROUTING -s 172.16.0.0/16 --out-interface eth0 -j MASQUERADE (add to /etc/rc.local)
(For Singapore: only if you want 172.16.0.100 to double as the NAT instance for Internet access. Masquerade only Internet-bound traffic; packets for 10.0.0.0/16 must leave with their real source address, otherwise the Tokyo side sees everything as coming from 172.16.0.100.)
iptables --table nat --append POSTROUTING -s 10.0.0.0/16 --out-interface eth0 -j MASQUERADE
(For Tokyo: only if you want 10.0.0.100 to double as the NAT instance for Internet access; the same caveat applies to traffic for 172.16.0.0/16.)
route add -net 10.0.0.0 netmask 255.255.0.0 gw 172.16.0.100 (on a Singapore backend instance in the same subnet as the OpenSWAN instance, so it reaches Tokyo's 10.0.0.0/16 through the tunnel; Tokyo backend instances need the mirror route to 172.16.0.0/16 via 10.0.0.100. Alternatively add a VPC route table entry for the remote CIDR whose target is the OpenSWAN instance, which covers the whole subnet at once.)
Be sure to disable the Source/Destination check on the OpenSWAN instance, otherwise EC2 drops packets whose source or destination is not the instance itself and nothing is forwarded to backend instances. To do this, right click on the instance in the console and select "Change Source/Dest Check".
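One way to keep the two ends from drifting apart, as an added shell example that is not part of these notes: render both conn sections, the shared ipsec.secrets line and each gateway's forwarding/NAT rules from one set of variables, then check that the two ends mirror each other before installing anything. It uses the notes' x.x.x.x / y.y.y.y placeholders for the EIPs and assumes eth0 as the outbound interface and hypothetical instance IDs for the source/destination check; the nat-table ACCEPT that keeps tunnel traffic out of MASQUERADE and the aws CLI call are my additions, not from the notes.

```shell
#!/bin/sh
# Added example, not part of the original notes: render both ends of the tunnel
# (Singapore and Tokyo) from one set of variables so the mirrored conn sections,
# the shared PSK and the per-instance forwarding rules cannot drift apart.
# x.x.x.x / y.y.y.y are the notes' EIP placeholders; instance IDs are assumptions.

SG_PRIV=172.16.0.100; SG_EIP=x.x.x.x; SG_NET=172.16.0.0/16
TK_PRIV=10.0.0.100;   TK_EIP=y.y.y.y;  TK_NET=10.0.0.0/16
CONN=singapore-tokyo

# Long random PSK (32 bytes, base64) instead of a short word; both ends get the same one.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Conn section for one end.  Args: my_priv my_eip my_subnet peer_eip peer_subnet
# left is the private address the instance really has, leftid the EIP the peer sees
# (and the ID the PSK is looked up by).
gen_conn() {
    cat <<EOF
conn $CONN
        authby=secret
        auto=start
        type=tunnel
        left=$1
        leftid=$2
        leftsubnet=$3
        right=$4
        rightsubnet=$5
        ike=aes256-sha1;modp2048
        phase2=esp
        phase2alg=aes256-sha1;modp2048
EOF
}

# ipsec.secrets line: "<my id> <peer id>: PSK <secret>".  Args: my_eip peer_eip psk
gen_secrets() {
    printf '%s %s: PSK "%s"\n' "$1" "$2" "$3"
}

# Both ends must be exact mirrors: A's leftsubnet is B's rightsubnet and vice versa.
# Args: conn_text_a conn_text_b
check_mirror() {
    a_l=$(printf '%s\n' "$1" | sed -n 's/^ *leftsubnet=//p')
    a_r=$(printf '%s\n' "$1" | sed -n 's/^ *rightsubnet=//p')
    b_l=$(printf '%s\n' "$2" | sed -n 's/^ *leftsubnet=//p')
    b_r=$(printf '%s\n' "$2" | sed -n 's/^ *rightsubnet=//p')
    [ -n "$a_l" ] && [ "$a_l" = "$b_r" ] && [ "$a_r" = "$b_l" ]
}

# Forwarding plus NAT for an end that also serves as its subnet's Internet gateway.
# Traffic for the peer subnet is excluded from MASQUERADE first: with netkey the nat
# POSTROUTING chain sees packets before IPsec encapsulates them, so without the ACCEPT
# everything would cross the tunnel with the gateway's own address as source.
# Args: my_subnet peer_subnet out_iface
gen_nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $1 -d $2 -j ACCEPT
iptables -t nat -A POSTROUTING -s $1 -o $3 -j MASQUERADE
EOF
}

# CLI equivalent of the console's "Change Source/Dest Check".  Arg: instance id (assumed)
srcdst_cmd() {
    printf 'aws ec2 modify-instance-attribute --instance-id %s --no-source-dest-check\n' "$1"
}

# Usage: sh gen-tunnel.sh render   (prints everything; nothing is applied)
if [ "${1:-}" = "render" ]; then
    PSK=$(gen_psk)
    SG=$(gen_conn "$SG_PRIV" "$SG_EIP" "$SG_NET" "$TK_EIP" "$TK_NET")
    TK=$(gen_conn "$TK_PRIV" "$TK_EIP" "$TK_NET" "$SG_EIP" "$SG_NET")
    check_mirror "$SG" "$TK" || { echo "ends do not mirror" >&2; exit 1; }
    echo "### Singapore /etc/ipsec.conf";    printf '%s\n' "$SG"
    echo "### Singapore /etc/ipsec.secrets"; gen_secrets "$SG_EIP" "$TK_EIP" "$PSK"
    echo "### Singapore rules";              gen_nat_rules "$SG_NET" "$TK_NET" eth0; srcdst_cmd i-sg-openswan
    echo "### Tokyo /etc/ipsec.conf";        printf '%s\n' "$TK"
    echo "### Tokyo /etc/ipsec.secrets";     gen_secrets "$TK_EIP" "$SG_EIP" "$PSK"
    echo "### Tokyo rules";                  gen_nat_rules "$TK_NET" "$SG_NET" eth0; srcdst_cmd i-tk-openswan
fi
```

Run it with `render` and paste each section into the matching file on the matching instance; the ACCEPT rule must come before the MASQUERADE rule, and the PSK printed once is the one to install on both ends.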
https://smattie-download.s3.amazonaws.com/OpenSWAN-Notes.txt
https://smattie-download.s3.amazonaws.com/VPC-to-VPC-via-OpenSWAN.png

Just want to say THANK YOU. I spent about 14 hours troubleshooting what appeared to be an ip forwarding issue. Turns out it was because of the SRC/DST check on my openswan instance. Finally, I can sleep.
Dear Scott,
Awesome video tutorial … hats off !!!!
Would like to request if you can share the downloadable video link
Thanks Regards,
S. Venkata Ramana.