This document outlines how we configure openswan as our VPN.
We got a some tips from this blog - but its not complete:
http://michaelwasham.com/2013/09/03/connecting-clouds-site-to-site-aws-azure/
1. Create a VPC in AWS (i gave it 10.0.0.0/16 as the VPC CIDR)
2. Launch an ubuntu instance into the new VPC.
3. Make sure theres a public ip address available. ours is xxx.xxx.xxx.xxx (your public ip)
4. Head to Azure and create a Local Network (Local Network in this case means the network on your local site.) So its Networks - Local Networks - New - Give it the CIDR from the VPC in AWS, and put in the VPN ip address (our public ip address of our ubuntu server)
5. Now to create a new Virtual Network (this is the Azure side of the network). Networks - Virtual Networks - New - Network Services - Virtual Network - Custom Create. Give it a name (mine is AzureNetwork), Hit Configure a Site to Site VPN and select the Local Network you've just created in step 4. You'll need to add a gateway network as well.
6. After thats built go into your vpn and click add gateway. It will give the public ip address of the gateway in azure. This takes a little while to complete. (its create gateway - static route)
7. Now head back to your ubuntu server in aws. Its time to configure this. Heres the command to install it:
sudo apt-get install openswan
Just press enter to accept all the defaults for all the questions it asks.
8. Edit ipsec.conf:
cd /etc
sudo vi ipsec.conf
change the config file to be this:
config setup
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/16
oe=off
include /etc/ipsec.d/*.conf
This sets the default protocol to be netkey. it should default to this anyway.
the virtual_private is the CIDR in AWS (the local part of the vpn as set in step 1)
save that.
9. create a new vpn conf file
cd ipsec.d
sudo vi amazonazurevpn.conf
change the config file to this:
conn amazonazurevpn
authby=secret
auto=start
type=tunnel
left=10.0.0.238 (this is the private ip address of the openswan server)
leftsubnet=10.0.0.0/16 (this is the CIDR of the network in AWS-left is local, right is public)
leftnexthop=%defaultroute
right=xxx.xxx.xxx.xxx (this is the ip address of the gateway which was created in azure)
rightsubnet=10.1.0.0/16 (this is the CIDR of the virtual network created in azure)
ike=aes128-sha1-modp1024
esp=aes128-sha1
pfs=no
Save that.
10. We need to use the key in the ipsec.secrets file:
cd /etc
sudo vi ipsec.secrets
Add the following line:
10.0.0.238 xxx.xxx.xxx.xxx : PSK "Azure Gateway Key"
(10.0.0.238 is the private address of the openswan server)
(xxx.xxx.xxx.xxx is the gateway address in azure)
"Azure Gateway Key" is the key from the gateway in azure. You can get this by clicking on manage key. Put it in quotes.
Save that.
11. Need to enable ip forwarding now.
sudo vi /etc/sysctl.conf
uncomment this line:
net.ipv4.ip_forward=1
save that
apply the saved config:
sudo sysctl -p /etc/sysctl.conf
12. Disable source and destination checking on the openswan server (right click on it in aws, select "Change source/dest check" and click 'Yes - Disable"
13. In the Amazon Management console, in AWS, edit the security group and add in 2 inbound udp rules, one for 500 and one for 4500, from a specific ip address - the azure gateway - with /32 at the end:xxx.xxx.xxx.xxx/32
14. Restart ipsec on the openswan server:
sudo service ipsec restart
15. Thats it. The VPN should now be configured. You can do some troubleshooting on the openswan config by looking here:
http://codeidol.com/unix/linux-fix/Configuring-Linux-VPNs/Troubleshooting-Openswan/
16. We need to add a route to AWS to point to the network in Azure:
Go to VPC in AWS, select Route Tables and add in the subnet of the virtual network in azure (10.1.0.0/16). Select the id of the openswan server as the target.
17. Now we just need to launch instances in each of azure and aws, onto the networks that we've created in each.
And guess what - they dont ping.
At this point i've rebuilt and restarted and reconfigured and tried different things to get this vpn up and running for three weeks. Today, i got them to ping. so the final action:
18. Open up icmp traffic on the inbound rule on the security group in AWS. Then they'll ping. You can see the openswan passing the icmp traffic by running a tcpdump on there:
sudo tcpdump -n -i eth0 icmp
So thats it. Now we have our VPN (although i'm going to rebuild it again - and assign an elastic ip to the openswan server - as that absolutely needs a static ip)
Making good progress this week.
Next - scripts to Check what capacity we're using.
Richie
No comments:
Post a Comment