Connect Site-Site IPSEC VPN (Libreswan)
Tested on Rocky Linux 8
Additional Docs
Background:
Need to set up a VPN connection between two external servers.
Customer requirement.
Setup
Rocky 8 should have libreswan (ipsec) installed.
We will be setting up the following VPN between the US (A) and UK (B) regions.
Server A will be making ping/netcat/etc. requests to Server B's private IP via the VPN tunnel.
The VPN tunnel is set up between the public IPs of the two servers and routes requests to their internal IPs.
serverA internal IP: 192.20.41.22 (eth0)
serverA public IP: 10.1.2.3
------------------------------------------------------------------
serverB internal IP: 10.44.17.5 (eth0)
serverB public IP: 20.4.5.6
On both Server A and Server B:
yum install libreswan
Configure sysctl params
vi /etc/sysctl.d/libreswan.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
#net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
#net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
Load the new params
sysctl -p /etc/sysctl.d/libreswan.conf
Configure iptables and AWS Security Groups
Both servers need to be able to talk to each other's public IPs.
Make sure you can netcat to each server from the other side:
us> nc <public IP of UK> 22 -v
uk> nc <public IP of US> 22 -v
If not, update iptables (and the security groups) to allow traffic from the other host.
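The step above does not say what to open. The script below is an added example, not configuration from the original page: it renders iptables rules that admit only what IKE/IPsec needs and only from the peer's public IP, instead of allowing all traffic from that host. It uses Server B's public IP from the setup section as the peer; the PEER_PUBLIC_IP and apply=1 variables are this script's own convention. The rules cover UDP 500 (IKE), UDP 4500 (IKE and ESP over NAT traversal, which a peer behind a 1:1 NATed public IP such as EC2 will negotiate) and IP protocol 50 (ESP without NAT-T).

```shell
#!/bin/sh
# Added example (not from the original page): minimal iptables rules for one
# Libreswan peer, restricted to that peer's public IP.
# Ports/protocols: UDP 500 = IKE, UDP 4500 = NAT-T, protocol 50 = ESP.

# ipsec_peer_rules PEER_IP -> prints one iptables command per line
ipsec_peer_rules() {
    peer="$1"
    for rule in \
        "INPUT -s $peer -p udp --dport 500 -j ACCEPT" \
        "INPUT -s $peer -p udp --dport 4500 -j ACCEPT" \
        "INPUT -s $peer -p esp -j ACCEPT" \
        "OUTPUT -d $peer -p udp --dport 500 -j ACCEPT" \
        "OUTPUT -d $peer -p udp --dport 4500 -j ACCEPT" \
        "OUTPUT -d $peer -p esp -j ACCEPT"
    do
        printf 'iptables -I %s\n' "$rule"
    done
}

# ipsec_peer_rule_count PEER_IP -> number of rules that would be installed
ipsec_peer_rule_count() {
    ipsec_peer_rules "$1" | wc -l | tr -d ' '
}

# Constructed default: Server B's public IP from the setup section.
PEER_PUBLIC_IP="${PEER_PUBLIC_IP:-20.4.5.6}"

# Dry run by default (print the rules); apply=1 executes them as root.
if [ "${apply:-0}" = "1" ]; then
    ipsec_peer_rules "$PEER_PUBLIC_IP" | sh -e
else
    ipsec_peer_rules "$PEER_PUBLIC_IP"
fi
```

Run it as `PEER_PUBLIC_IP=<peer public IP> sh ipsec-fw.sh` to review the rules, then with `apply=1` to install them; the same three protocol/port pairs are what the AWS security group needs inbound from the peer's public IP. The OUTPUT rules only matter if the OUTPUT chain policy is DROP.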
Connect the 2 networks using a password (pre-shared key)
Server US (A)
Configure /etc/ipsec.conf:
# version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    plutodebug=none
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
# You may put your configuration (.conf) file in "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
Add a new connection in /etc/ipsec.d/us2uk.conf:
conn us2uk
    type=tunnel
    authby=secret
    auto=start
    pfs=no
    ike=aes256-sha1;dh5
    esp=aes256-sha1
    salifetime=28800
    aggrmode=no
    left=%defaultroute
    leftid=<public IP of local server>
    # internal IP subnet of local region
    leftsubnet=172.31.23.0/24
    # for multiple subnets use leftsubnets={172.31.23.0/24 192.168.10.0/24}
    right=<public IP of remote server>
    # internal IP subnet of remote region
    rightsubnet=172.25.12.0/24
Edit /etc/ipsec.d/us2uk.secrets
Add a secret password or hash; use this to generate a hash:
openssl passwd -1 -salt xyz <your pw>
[root@xxx]# openssl passwd -1 -salt xyz goodisdumb
$1$xyz$uT1O7Nj8QIBiEzR76E9.X/
Place the external public IP into the secrets file:
[root@xxx ]# vim /etc/ipsec.d/us2uk.secrets
<pub IP of US server> %any : PSK "$1$xyz$uT1O7Nj8QIBiEzR76E9.X/"
Server UK (B)
Repeat the same steps on Server B, but switch the IPs (left/right), and add the same password hash to the secrets file.
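Doing the left/right swap by hand is where mistakes creep in. The script below is an added example, not the page's own configuration: it renders the connection and the secrets line for both ends from one set of parameters, so Server B's files are a mirror image of Server A's by construction. It uses the two public IPs from the setup section; the /24 subnets are assumed from the servers' internal IPs and the file layout under an output directory is this script's own convention. It also departs from the page in two places, both deliberate: the PSK is 256 random bits from the kernel RNG rather than a hash derived from a memorable password (the PSK is just a shared string, so its strength is its randomness, not its format), and the proposals use SHA-2, DH group 14 and pfs=yes instead of sha1/dh5/pfs=no.

```shell
#!/bin/sh
# Added example (not from the original page): render the Libreswan connection
# and secrets for BOTH ends of the us2uk tunnel from one set of parameters.
# Public IPs are the page's Server A / Server B; subnets are assumed /24s.
A_PUB=10.1.2.3;  A_SUBNET=192.20.41.0/24
B_PUB=20.4.5.6;  B_SUBNET=10.44.17.0/24
CONN=us2uk

# render_conn NAME LOCAL_PUB LOCAL_SUBNET REMOTE_PUB REMOTE_SUBNET
# "left" is always the machine the file is installed on, so the same function
# serves both ends with the arguments swapped. Proposal choice (SHA-2, DH14,
# pfs=yes) is this example's, stronger than the sha1/dh5/pfs=no on the page.
render_conn() {
    cat <<EOF
conn $1
    type=tunnel
    authby=secret
    auto=start
    pfs=yes
    ike=aes256-sha2_256;dh14
    esp=aes256-sha2_256
    salifetime=28800
    aggrmode=no
    left=%defaultroute
    leftid=$2
    leftsubnet=$3
    right=$4
    rightsubnet=$5
EOF
}

# render_secrets LOCAL_PUB REMOTE_PUB PSK -> one ipsec.secrets line keyed on
# both peer IDs, narrower than the "<ip> %any" form on the page.
render_secrets() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# gen_psk -> 64 hex characters (256 bits) from /dev/urandom
gen_psk() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# write_side DIR LOCAL_PUB LOCAL_SUBNET REMOTE_PUB REMOTE_SUBNET PSK
write_side() {
    mkdir -p "$1"
    render_conn "$CONN" "$2" "$3" "$4" "$5" > "$1/$CONN.conf"
    render_secrets "$2" "$4" "$6" > "$1/$CONN.secrets"
    chmod 600 "$1/$CONN.secrets"
}

# Output directory (assumed convention): $OUTDIR or a fresh temp dir.
OUTDIR="${OUTDIR:-$(mktemp -d)}"
PSK=$(gen_psk)
write_side "$OUTDIR/serverA" "$A_PUB" "$A_SUBNET" "$B_PUB" "$B_SUBNET" "$PSK"
write_side "$OUTDIR/serverB" "$B_PUB" "$B_SUBNET" "$A_PUB" "$A_SUBNET" "$PSK"
echo "rendered both sides under $OUTDIR"
```

Copy serverA/us2uk.conf and serverA/us2uk.secrets to Server A's /etc/ipsec.d/ and the serverB files to Server B, then run ipsec auto --rereadsecrets and ipsec auto --add us2uk on each. Both peers must accept the proposal strings; if the remote end only supports the older sha1/dh5 set, change the ike= and esp= lines on both sides together, never on one.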
Run ipsec verify:
ipsec verify
Fix any issues it reports.
Restart ipsec:
service ipsec restart
Tail the pluto (ipsec) log:
tail -f /var/log/pluto.log
Run ipsec status to see whether the connection is open; you should see something like this:
ipsec status
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #52858: "us2uk":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_v1_RETRANSMIT in 0s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #52857: "us2uk":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2598s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
000 Bare Shunt list:
CMD Reference
verify IPSEC status
ipsec verify
add a connection
ipsec auto --add <connection_name>
start connection
ipsec auto --up <connection_name>
stop connection
ipsec auto --down <conn name>
re-read secrets (run this on any new configuration)
ipsec auto --rereadsecrets
reload configs (if getting auth errors, run this command)
ipsec whack --listen
Troubleshooting
Check tcpdump for connection info:
tcpdump -n udp port 500 or udp port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:50:36.563890 IP 172.31.23.96.isakmp > 13.234.18.178.isakmp: isakmp: phase 1 I ident
14:50:48.970135 IP 13.234.18.178.isakmp > 172.31.23.96.isakmp: isakmp: phase 1 I ident
14:50:52.567668 IP 172.31.23.96.isakmp > 13.234.18.178.isakmp: isakmp: phase 1 I ident
14:51:20.978746 IP 13.234.18.178.isakmp > 172.31.23.96.isakmp: isakmp: phase 1 I ident
14:51:20.979698 IP 172.31.23.96.isakmp > 13.234.18.178.isakmp: isakmp: phase 1 R inf
14:51:21.480004 IP 13.234.18.178.isakmp > 172.31.23.96.isakmp: isakmp: phase 1 I ident
14:51:21.980739 IP 13.234.18.178.isakmp > 172.31.23.96.isakmp: isakmp: phase 1 I ident
If the instances are EC2, check Network > Source/Dest check and make sure it's turned off.