Connect Site-Site IPSEC VPN (Libreswan)

Tested on Rocky Linux 8

Additional Docs

Background:

Need to set up a VPN connection between 2 external servers (customer requirement).

Setup

Rocky 8 should have libreswan (ipsec) installed

Will be setting up the following VPN between the US (A) and UK (B) regions

Server A will be making ping/netcat/etc. requests to Server B's private IP through the VPN tunnel

The tunnel is negotiated between the public IPs of the 2 servers; traffic between the internal subnets is encapsulated in it (ESP) and delivered to the internal IPs

serverA internal IP: 192.20.41.22 (eth0)

serverA public IP: 10.1.2.3

------------------------------------------------------------------

serverB internal IP: 10.44.17.5 (eth0)

serverB public IP: 20.4.5.6

(placeholder addresses; 10.1.2.3 is RFC 1918 space standing in for a real public IP. The ipsec.conf and tcpdump examples further down use other placeholder subnets and addresses; substitute your own in each place.)

on both Server A and Server B,

yum install libreswan

configure sysctl params

vi /etc/sysctl.d/libreswan.conf

# forward traffic between the tunnel and the local subnet
net.ipv4.ip_forward = 1
# never send ICMP redirects for forwarded traffic, so hosts on the local subnet keep routing via this box
net.ipv4.conf.all.send_redirects = 0
#net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
#net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# and do not accept redirects either
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# decrypted packets arrive on the public interface with remote-subnet source addresses,
# which strict reverse-path filtering drops; 0 disables it, 2 (loose) is the less drastic option
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
#net.ipv4.conf.ip_vti0.rp_filter = 0

The ip_vti0 lines only make sense with a VTI interface, which this setup (protostack=netkey, no vti-interface=) never creates; left active, sysctl -p reports "cannot stat /proc/sys/net/ipv4/conf/ip_vti0/...: No such file or directory" for them, so keep them commented out. Note also that the kernel uses the maximum of conf.all.rp_filter and the per-interface value, so both have to be lowered, which is why all three rp_filter lines are there.

Load the new params

sysctl -p /etc/sysctl.d/libreswan.conf

Configure iptables and AWS Security Groups

Both servers need to reach each other's public IP on the ports IKE uses, not just on SSH. Open, in both directions and restricted to the peer's public IP: UDP 500 (IKE), UDP 4500 (NAT traversal, IKE and ESP encapsulated in UDP) and IP protocol 50 (ESP). ESP is its own IP protocol, not a port, so it needs its own rule (in a security group, "Custom Protocol" 50). If either host sits behind NAT, Libreswan detects that and moves everything to UDP 4500.

A netcat to SSH only proves the public IPs route to each other; it says nothing about UDP 500/4500 or ESP:
us> nc -v <public IP of UK> 22
uk> nc -v <public IP of US> 22

if that fails, fix routing and the security groups first; then add the iptables rules for the IKE ports and ESP from each host,
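An added example (not from the page) of the host-firewall rules this step needs, generated from the peer's address so the IKE/ESP holes are limited to that one peer. The addresses are the page's placeholders, the /24 subnets are an assumption derived from the hosts' internal IPs, and iptables with the policy match (xt_policy, which Rocky 8's iptables-nft provides) is assumed to be the host firewall, as on the page:

```shell
#!/bin/sh
# Added example: iptables rules for one Libreswan site-to-site peer.
# Placeholders: peer 20.4.5.6, interface eth0, subnets 192.20.41.0/24 and
# 10.44.17.0/24 (assumed from the page's host addresses).

# ipsec_fw_rules PEER IFACE LOCAL_SUBNET REMOTE_SUBNET
# Prints one iptables command per line without running anything.
ipsec_fw_rules() {
    peer=$1 iface=$2 lsub=$3 rsub=$4
    cat <<EOF
iptables -A INPUT   -i $iface -p udp -s $peer --dport 500  -j ACCEPT
iptables -A INPUT   -i $iface -p udp -s $peer --dport 4500 -j ACCEPT
iptables -A INPUT   -i $iface -p esp -s $peer -j ACCEPT
iptables -A OUTPUT  -o $iface -p udp -d $peer --dport 500  -j ACCEPT
iptables -A OUTPUT  -o $iface -p udp -d $peer --dport 4500 -j ACCEPT
iptables -A OUTPUT  -o $iface -p esp -d $peer -j ACCEPT
iptables -A FORWARD -s $rsub -d $lsub -m policy --dir in  --pol ipsec -j ACCEPT
iptables -A FORWARD -s $lsub -d $rsub -m policy --dir out --pol ipsec -j ACCEPT
EOF
}

# ipsec_fw_apply PEER IFACE LOCAL_SUBNET REMOTE_SUBNET
# Echoes each rule and runs it only when APPLY=1 is set in the environment,
# so the default is a dry run you can read before touching the firewall.
ipsec_fw_apply() {
    ipsec_fw_rules "$@" | while IFS= read -r rule; do
        echo "+ $rule"
        if [ "${APPLY:-0}" = 1 ]; then
            $rule
        fi
    done
}

# Example for the US side (serverA) talking to the UK side (serverB):
#   ipsec_fw_apply 20.4.5.6 eth0 192.20.41.0/24 10.44.17.0/24
#   APPLY=1 ipsec_fw_apply 20.4.5.6 eth0 192.20.41.0/24 10.44.17.0/24
```

The FORWARD rules only matter once other hosts in the two subnets use the tunnel; the `-m policy --pol ipsec` match makes sure only traffic that actually came out of (or goes into) the IPsec SA is forwarded, so a plain-text packet spoofing the remote subnet is still dropped. If firewalld is running (the Rocky 8 default) it owns the ruleset; either put the equivalent in a firewalld zone (its built-in `ipsec` service covers UDP 500/4500, ESP and AH) or stop it before using iptables directly.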


Connect 2 networks using a Password

Server US (A)

configure /etc/ipsec.conf (section headers at column 0, parameters indented)

# version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    plutodebug=none
    # pluto's log file; newer Libreswan calls this keyword logfile= and still accepts the old name
    plutostderrlog=/var/log/pluto.log
    protostack=netkey

# per-connection files live in /etc/ipsec.d/ and are pulled in here
include /etc/ipsec.d/*.conf


add a new connection in /etc/ipsec.d/us2uk.conf. "left" is always the local side and "right" the remote side; the subnets below are the page's placeholders, substitute the real internal subnets of each region.

conn us2uk
    type=tunnel
    authby=secret
    auto=start
    # main mode only: aggressive mode with a PSK hands an attacker a hash to crack offline
    aggrmode=no
    # algorithms as dictated by the peer. aes256-sha1;dh5 (SHA-1, 1536-bit MODP) is the weak end of
    # what Libreswan still accepts; if both ends are yours prefer sha2_256 with dh14 or higher, and pfs=yes
    ike=aes256-sha1;dh5
    esp=aes256-sha1
    pfs=no
    salifetime=28800
    left=%defaultroute
    # on EC2 the public IP is not on eth0, so the ID must be set explicitly;
    # this is the value the peer has as right= and in its secrets file
    leftid=<public IP of local server>
    # internal IP subnet of local region
    leftsubnet=172.31.23.0/24
    # for multiple subnets use leftsubnets={172.31.23.0/24 192.168.10.0/24}
    right=<public IP of remote server>
    # internal IP subnet of remote region
    rightsubnet=172.25.12.0/24

No ikev2= is set, so the IKE version is whatever the installed Libreswan defaults to. The status output further down (STATE_MAIN_*/STATE_QUICK_*) is IKEv1; newer Libreswan (4.x) defaults to IKEv2 only, so on such a build add ikev2=no if the peer only speaks IKEv1, or ikev2=insist on both ends if both can.

edit /etc/ipsec.d/us2uk.secrets (/etc/ipsec.secrets on Rocky 8 includes /etc/ipsec.d/*.secrets, so one file per connection works)

The PSK is an arbitrary string. The page derives it from a password with openssl:

openssl passwd -1 -salt xyz <your pw>

[root@xxx]# openssl passwd -1 -salt xyz goodisdumb
$1$xyz$uT1O7Nj8QIBiEzR76E9.X/

Note that this is not a hash in any protective sense: both ends store and use the resulting string as the key itself, and it is a deterministic function of a short password and a fixed salt, so anyone who can guess the password can reproduce it. A random key (for example openssl rand -base64 48) is better and no harder to paste. Whatever you use, the file is root-only: chmod 600.

Index the secret by both peers' IDs (the public IPs, matching leftid= and right=) rather than %any, so the key is only ever offered to that one peer:

[root@xxx ]# vim /etc/ipsec.d/us2uk.secrets

<pub IP of US server> <pub IP of UK server> : PSK "$1$xyz$uT1O7Nj8QIBiEzR76E9.X/"


Server UK (B)

Repeat the same steps on Server B with the sides swapped: left/leftid/leftsubnet are B's own public IP and subnet, right/rightsubnet are A's, and the secrets file carries the identical PSK string with the two IDs in the corresponding order. Both ends must agree exactly on ike=, esp=, pfs= and the subnet pair, otherwise phase 1 or phase 2 never completes.
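An added example (not the page's or Libreswan's own tooling) that generates both peers' conn and secrets files from a single set of parameters, so the two sides cannot drift apart. It writes a random PSK instead of the page's openssl passwd string and, on the assumption that both ends are under your control, uses sha2_256/dh14 and pfs=yes; if the peer dictates the page's aes256-sha1;dh5 and pfs=no, change those lines. The output directory, the conn names us2uk/uk2us and the /24 subnets are placeholders:

```shell
#!/bin/sh
# Added example: generate matching Libreswan config + secrets for both sides.
# Placeholders: serverA 10.1.2.3 / 192.20.41.0/24, serverB 20.4.5.6 / 10.44.17.0/24.

# A random pre-shared key: 48 random bytes, base64 -> 64 printable characters.
gen_psk() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# write_peer OUTDIR NAME LOCAL_PUB LOCAL_SUBNET REMOTE_PUB REMOTE_SUBNET PSK
# Writes OUTDIR/NAME.conf (for /etc/ipsec.d/) and OUTDIR/NAME.secrets (mode 0600).
write_peer() {
    out=$1 name=$2 lpub=$3 lsub=$4 rpub=$5 rsub=$6 psk=$7
    cat > "$out/$name.conf" <<EOF
conn $name
    type=tunnel
    authby=secret
    auto=start
    # IKEv1 main mode as on the page; newer Libreswan otherwise defaults to IKEv2 only
    ikev2=no
    aggrmode=no
    # assumed: both ends are ours, so SHA-2, DH group 14 and PFS instead of sha1;dh5 / pfs=no
    ike=aes256-sha2_256;dh14
    esp=aes256-sha2_256
    pfs=yes
    salifetime=28800
    left=%defaultroute
    leftid=$lpub
    leftsubnet=$lsub
    right=$rpub
    rightsubnet=$rsub
EOF
    # Indexed by both IDs so the key is only used for this one peer; umask in a
    # subshell so the secrets file is created 0600 without changing the caller's umask.
    ( umask 077; printf '%s %s : PSK "%s"\n' "$lpub" "$rpub" "$psk" > "$out/$name.secrets" )
}

# gen_site OUTDIR PUB_A SUBNET_A PUB_B SUBNET_B
# One PSK, two mirrored configurations: us2uk for A, uk2us for B.
gen_site() {
    out=$1 pa=$2 sa=$3 pb=$4 sb=$5
    psk=$(gen_psk)
    write_peer "$out" us2uk "$pa" "$sa" "$pb" "$sb" "$psk"
    write_peer "$out" uk2us "$pb" "$sb" "$pa" "$sa" "$psk"
}

# Print the PSK stored in a secrets file (what both peers must agree on).
psk_of() {
    sed -n 's/.*PSK "\([^"]*\)".*/\1/p' "$1"
}

# Permission string of a file, "-rw-------" when it is owner-only.
mode_of() {
    ls -l "$1" | cut -c1-10
}

# Example: gen_site /tmp/vpn 10.1.2.3 192.20.41.0/24 20.4.5.6 10.44.17.0/24
# then copy /tmp/vpn/us2uk.* to serverA:/etc/ipsec.d/ and uk2us.* to serverB:/etc/ipsec.d/
```

The conn name is local to each host, so the two sides may use different names; what must match is the ID pair, the PSK and the subnet pair, which is exactly what the mirrored write_peer calls enforce.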

run ipsec verify on both hosts (it checks the kernel IPsec stack and the sysctl settings from above, among other things)
ipsec verify

fix any issues

restart ipsec, and enable it so it comes back after a reboot
systemctl enable --now ipsec
systemctl restart ipsec

(service ipsec restart also works on Rocky 8; it just forwards to systemctl)

tail the pluto (ipsec) log,

tail -f /var/log/pluto.log

run ipsec status to see whether the connection is open. This is the output captured on the initiating side:

ipsec status

000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0),
authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #52858: "us2uk":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 0s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #52857: "us2uk":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2598s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
000 Bare Shunt list:

Read the per-state lines, not just the totals. #52857 is phase 1: STATE_MAIN_I4 (ISAKMP SA established) means the peers reached each other and the PSK matched. #52858 is phase 2 and is still in STATE_QUICK_I1 with EVENT_v1_RETRANSMIT, i.e. the peer has not answered quick mode yet; no traffic flows until it reaches STATE_QUICK_I2 (sent QI2, IPsec SA established). A phase 2 that keeps retransmitting after phase 1 succeeded almost always means the two sides disagree on leftsubnet/rightsubnet, esp= or pfs=. Once it is up, ipsec trafficstatus lists the established tunnels with their byte counters, which is the quickest way to confirm packets are actually going through.
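An added example (not from the page) of turning the ipsec status output into a yes/no answer, useful in a health check. The first sample is the page's own two state lines (phase 1 up, phase 2 retransmitting); the second sample is constructed to show what an established IPsec SA looks like and is not taken from the page:

```shell
#!/bin/sh
# Added example: classify "ipsec status" output for one IKEv1 connection.

# Constructed sample 1: the two state lines from the page (phase 1 only).
SAMPLE_PHASE1_ONLY='000 #52858: "us2uk":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 0s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #52857: "us2uk":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2598s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate'

# Constructed sample 2: same phase 1, plus a phase 2 that completed (not from the page).
SAMPLE_UP='000 #52857: "us2uk":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2598s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #52859: "us2uk":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27900s; newest IPSEC; eroute owner; isakmp#52857; idle; import:admin initiate'

# tunnel_state CONN  (status text on stdin) -> prints: up | phase1-only | down
# "up" requires an IPsec SA (phase 2); an ISAKMP SA alone carries no traffic.
tunnel_state() {
    conn=$1
    status=$(cat)
    if printf '%s\n' "$status" | grep -q "\"$conn\".*IPsec SA established"; then
        echo up
    elif printf '%s\n' "$status" | grep -q "\"$conn\".*ISAKMP SA established"; then
        echo phase1-only
    else
        echo down
    fi
}

# stuck_state CONN  (status text on stdin)
# Prints the STATE_* name of any SA for CONN that is still retransmitting,
# which tells you which phase the peer is not answering.
stuck_state() {
    grep "\"$1\".*EVENT_v1_RETRANSMIT" | sed -n 's/.*\(STATE_[A-Z0-9_]*\).*/\1/p'
}

# Live usage on the VPN host:
#   ipsec status | tunnel_state us2uk
#   ipsec status | stuck_state us2uk
```

For an IKEv2 connection the established phase 2 line reads differently (STATE_V2_* names), so the patterns above are IKEv1-specific, matching what the page's output shows.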

CMD Reference

verify IPSEC status
ipsec verify

add a connection
ipsec auto --add <connection_name>

start connection
ipsec auto --up <connection_name>

stop connection
ipsec auto --down <conn name>

re-read secrets (run this after editing any secrets file; a PSK auth failure right after a change usually means this was skipped)
ipsec auto --rereadsecrets

reload a changed connection definition
ipsec auto --replace <connection_name>

make pluto rescan interfaces and addresses (run this if the host got a new IP or the log says there is no interface for the connection)
ipsec whack --listen

Troubleshooting

check tcpdump for connection info. Include ESP, which is its own IP protocol and is not caught by a port filter:

tcpdump -ni eth0 'udp port 500 or udp port 4500 or esp'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

14:50:36.563890 IP 172.31.23.96.isakmp > 13.234.18.178.isakmp: isakmp: phase 1 I ident

14:50:48.970135 IP 13.234.18.178.isakmp > 172.31.23.96.isakmp: isakmp: phase 1 I ident

14:50:52.567668 IP 172.31.23.96.isakmp > 13.234.18.178.isakmp: isakmp: phase 1 I ident

14:51:20.978746 IP 13.234.18.178.isakmp > 172.31.23.96.isakmp: isakmp: phase 1 I ident

14:51:20.979698 IP 172.31.23.96.isakmp > 13.234.18.178.isakmp: isakmp: phase 1 R inf

14:51:21.480004 IP 13.234.18.178.isakmp > 172.31.23.96.isakmp: isakmp: phase 1 I ident

14:51:21.980739 IP 13.234.18.178.isakmp > 172.31.23.96.isakmp: isakmp: phase 1 I ident


Reading the capture: every packet is "phase 1 ... ident", i.e. the main mode exchange is being restarted over and over from both sides (both have auto=start, which is fine by itself), the single "inf" is an informational message, normally a notification carrying the reason, and nothing ever reaches "oakley-quick" (phase 2). That pattern means phase 1 is not completing: either the replies are being dropped (security group or iptables on UDP 500/4500) or one side rejects the proposal or the ID, in which case /var/log/pluto.log on the rejecting side names the error. Note that the local side shows up with a private address (172.31.23.96): on EC2 the public IP is a 1:1 NAT on the VPC side and never appears on eth0, which is why leftid= has to be set explicitly.

if instances are EC2, check Network > Source/Dest check on both instances and make sure it is turned off. With it on, the instance can only send and receive packets whose source or destination is its own address, so anything forwarded for the remote subnet is silently dropped. If other hosts in the subnet are meant to use the tunnel, the VPC route table also needs a route for the remote subnet pointing at the VPN instance's network interface, and the security groups need UDP 500, UDP 4500 and ESP (protocol 50) from the peer's public IP.