Hi. I'm jon.404, a Unix/Linux/Database/Openstack/Kubernetes Administrator, AWS/GCP/Azure Engineer, mathematics enthusiast, and amateur philosopher. This is where I rant about that which upsets me, laugh about that which amuses me, and jabber about that which holds my interest most: *nix.

OpenBSD /etc/ipsec.conf for AWS VPC VPN

Posted 02-16-2015 at 10:57 PM by rocket357
Updated 02-18-2015 at 11:11 AM by rocket357

Disclaimer: I am an AWS employee. This blogpost is my own configuration and does not reflect a supported configuration for AWS VPC VPN. This *should* work for you, but YMMV.

I've been testing an IPsec configuration between an OpenBSD 5.6 (STABLE) machine and an AWS VPC VGW. One thing to keep in mind is that OpenBSD's IPsec implementation is policy-based, whereas AWS is route-based, so you'll run into some issues when leveraging dynamic routing. For the time being, I'll stick to a 100% statically routed config. (Perhaps in the future I'll dig deeper into the dynamic routing, but that's for another blog post.)

To get started, create a VPC (say, 192.168.0.0/16) and create a subnet within said VPC (say, 192.168.0.0/24). If you want external (non-vpn) connectivity, create an IGW and attach it to your VPC. Check your route tables to ensure they're consistent. Once that is done, create a VGW and attach it to your VPC. This is the AWS side of the VPN tunnel. Create a CGW next (your OpenBSD machine). Make sure your CGW is set for static routing!

Once that is complete, create a statically routed VPN within the AWS console. Once it is up and running, download the config for a Cisco ASA 5500 for IOS 8.2+.

Pop open the Cisco config in one terminal, then open the OpenBSD machine's /etc/ipsec.conf in another terminal. Put the following in the OpenBSD /etc/ipsec.conf:

Code:
ike esp from $OPENBSD_NETWORK/MASK to $VPC_NETWORK/MASK \
        local $LOCAL_PUBLIC_IP peer $TUNNEL1_IP \
        main auth hmac-sha1 enc aes group modp1024 lifetime $PHASE1_LIFETIME \
        quick auth hmac-sha1 enc aes group modp1024 lifetime $PHASE2_LIFETIME \
        srcid $LOCAL_PUBLIC_IP \
        psk "$TUNNEL1_PSK" \
        tag amazon-vpc
ike esp from $OPENBSD_NETWORK/MASK to $VPC_NETWORK/MASK \
        local $LOCAL_PUBLIC_IP peer $TUNNEL2_IP \
        main auth hmac-sha1 enc aes group modp1024 lifetime $PHASE1_LIFETIME \
        quick auth hmac-sha1 enc aes group modp1024 lifetime $PHASE2_LIFETIME \
        srcid $LOCAL_PUBLIC_IP \
        psk "$TUNNEL2_PSK" \
        tag amazon-vpc
The variables above correspond to the following places in the downloaded Cisco config (the values AWS generates for your connection are shown here as the same $VARIABLE names):

Code:
! Amazon Web Services
! Virtual Private Cloud
!
! AWS utilizes unique identifiers to manipulate the configuration of 
! a VPN Connection. Each VPN Connection is assigned an identifier and is 
! associated with two other identifiers, namely the 
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID                  : vpn-0example
! Your Virtual Private Gateway ID         : vgw-1example
! Your Customer Gateway ID                : cgw-2example
!
!
! This configuration consists of two tunnels. Both tunnels must be 
! configured on your Customer Gateway. Only a single tunnel will be up at a 
! time to the VGW.
! 
! You may need to populate these values throughout the config based on your setup:
! <outside_interface> - External interface of the ASA
! <outside_access_in> - Inbound ACL on the external interface
! <amzn_vpn_map> - Outside crypto map
! <vpc_subnet> and <vpc_subnet_mask> - VPC address range
! <local_subnet> and <local_subnet_mask> - Local subnet address range
! <sla_monitor_address> - Target address that is part of acl-amzn to run SLA monitoring

! --------------------------------------------------------------------------------
! IPSec Tunnels
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption, 
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
! Note that there are a global list of ISAKMP policies, each identified by 
! sequence number. This policy is defined as #201, which may conflict with
! an existing policy using the same or lower number depending on 
! the encryption type. If so, we recommend changing the sequence number to 
! avoid conflicts and overlap.
!
crypto isakmp identity address 
crypto isakmp enable <outside_interface>
crypto isakmp policy 201
  encryption aes
  authentication pre-share
  group 2
  lifetime $PHASE1_LIFETIME
  hash sha
exit
!
! The tunnel group sets the Pre Shared Key used to authenticate the 
! tunnel endpoints.
!
tunnel-group $TUNNEL1_IP type ipsec-l2l
tunnel-group $TUNNEL1_IP ipsec-attributes
   pre-shared-key $TUNNEL1_PSK
!
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
   isakmp keepalive threshold 10 retry 3
exit
!
tunnel-group $TUNNEL2_IP type ipsec-l2l
tunnel-group $TUNNEL2_IP ipsec-attributes
   pre-shared-key $TUNNEL2_PSK
!
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
   isakmp keepalive threshold 10 retry 3
exit

! --------------------------------------------------------------------------------
! #2: Access List Configuration
!
! Access lists are configured to permit creation of tunnels and to send applicable traffic over them.
! This policy may need to be applied to an inbound ACL on the outside interface that is used to manage control-plane traffic. 
! This is to allow VPN traffic into the device from the Amazon endpoints.
!
access-list <outside_access_in> extended permit ip host $TUNNEL1_IP host $LOCAL_PUBLIC_IP
access-list <outside_access_in> extended permit ip host $TUNNEL2_IP host $LOCAL_PUBLIC_IP
! The following access list named acl-amzn specifies all traffic that needs to be routed to the VPC. Traffic will
! be encrypted and transmitted through the tunnel to the VPC. Association with the IPSec security association
! is done through the "crypto map" command.
!
! This access list should contain a static route corresponding to your VPC CIDR and allow traffic from any subnet.
! If you do not wish to use the "any" source, you must use a single access-list entry for accessing the VPC range.
! If you specify more than one entry for this ACL without using "any" as the source, the VPN will function erratically.
! The any rule is also used so the security association will include the ASA outside interface where the SLA monitor
! traffic will be sourced from.
! See section #4 regarding how to restrict the traffic going over the tunnel
!
!
access-list acl-amzn extended permit ip any <vpc_subnet> <vpc_subnet_mask>

!---------------------------------------------------------------------------------
! #3: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
! The crypto map references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime. The mapping is created
! as #1, which may conflict with an existing crypto map using the same
! number. If so, we recommend changing the mapping number to avoid conflicts.
!
crypto map <amzn_vpn_map> 1 match address acl-amzn
crypto map <amzn_vpn_map> 1 set pfs group2
crypto map <amzn_vpn_map> 1 set peer  $TUNNEL1_IP $TUNNEL2_IP
crypto map <amzn_vpn_map> 1 set transform-set transform-amzn
!
! Only set this if you do not already have an outside crypto map, and it is not applied:
!
crypto map <amzn_vpn_map> interface <outside_interface>
!
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! Set security association lifetime until it is renegotiated.
crypto ipsec security-association lifetime seconds $PHASE2_LIFETIME
!
! This option instructs the firewall to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear-df <outside_interface>
!
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
!
! This option instructs the firewall to fragment the unencrypted packets
! (prior to encryption).
!
crypto ipsec fragmentation before-encryption <outside_interface>
!
! This option causes the firewall to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
sysopt connection tcpmss 1387
!
! In order to keep the tunnel in an active or always up state, the ASA needs to send traffic to the subnet
! defined in acl-amzn. SLA monitoring can be configured to send pings to a destination in the subnet and
! will keep the tunnel active. This traffic needs to be sent to a target that will return a response.
! This can be manually tested by sending a ping to the target from the ASA sourced from the outside interface.
! A possible destination for the ping is an instance within the VPC. For redundancy multiple SLA monitors 
! can be configured to several instances to protect against a single point of failure.
!
! The monitor is created as #1, which may conflict with an existing monitor using the same
! number. If so, we recommend changing the sequence number to avoid conflicts.
!
sla monitor 1
   type echo protocol ipIcmpEcho <sla_monitor_address> interface <outside_interface>
   frequency 5
exit
sla monitor schedule 1 life forever start-time now
!
! The firewall must allow icmp packets to use "sla monitor" 
icmp permit any <outside_interface>

!---------------------------------------------------------------------------------------
! #4: VPN Filter
! The VPN Filter will restrict traffic that is permitted through the tunnels. By default all traffic is denied.
! The first entry provides an example to include traffic between your VPC Address space and your office.
! You may need to run 'clear crypto isakmp sa', in order for the filter to take effect.
!
! access-list amzn-filter extended permit ip <vpc_subnet> <vpc_subnet_mask> <local_subnet> <local_subnet_mask>
access-list amzn-filter extended deny ip any any
group-policy filter internal
group-policy filter attributes
vpn-filter value amzn-filter
tunnel-group $TUNNEL1_IP general-attributes
default-group-policy filter
exit
tunnel-group $TUNNEL2_IP general-attributes
default-group-policy filter
exit

!---------------------------------------------------------------------------------------
! #5: NAT Exemption
! If you are performing NAT on the ASA you will have to add a nat exemption rule.
! This varies depending on how NAT is set up.  It should be configured along the lines of:
! object network obj-SrcNet
!   subnet 0.0.0.0 0.0.0.0
! object network obj-amzn
!   subnet <vpc_subnet> <vpc_subnet_mask>
! nat (inside,outside) 1 source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
! If using version 8.2 or older, the entry would need to look something like this:
! nat (inside) 0 access-list acl-amzn
! Or, the same rule in acl-amzn should be included in an existing no nat ACL.
!
!---------------------------------------------------------------------------------------
!  Additional Notes and Questions
!  - Amazon Virtual Private Cloud Getting Started Guide: 
!       http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
!  - Amazon Virtual Private Cloud Network Administrator Guide: 
!       http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
!  - Troubleshooting Cisco ASA Customer Gateway Connectivity:
!       http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA_Troubleshooting.html
!  - XSL Version: 2009-07-15-1119716
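
To avoid hand-copying the tunnel values out of the downloaded Cisco config, here is an added shell script (mine, not the post's and not anything AWS ships) that pulls the two tunnel-group peer addresses, their pre-shared keys and the phase 1 / phase 2 lifetimes out of an ASA config and prints the two ike esp entries in the form of the template above. The embedded ASA snippet, its addresses, keys and lifetimes are constructed placeholders; the local network, VPC network and local public IP are passed as arguments; the proposal line (hmac-sha1, aes, modp1024) is copied unchanged from the template.

```shell
#!/bin/sh
# Added example (not from the blog post): extract the per-tunnel values from the
# AWS-generated Cisco ASA config and render the post's two "ike esp" entries.
# Peer addresses, keys and lifetimes below are constructed sample values.

SAMPLE_ASA_CONFIG='crypto isakmp policy 201
  encryption aes
  authentication pre-share
  group 2
  lifetime 28800
  hash sha
exit
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
   pre-shared-key EXAMPLE_PSK_ONE
   isakmp keepalive threshold 10 retry 3
exit
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
   pre-shared-key EXAMPLE_PSK_TWO
   isakmp keepalive threshold 10 retry 3
exit
crypto ipsec security-association lifetime seconds 3600'

# Peer address of the n-th "tunnel-group <ip> type ipsec-l2l" line ($1=config, $2=n).
asa_peer() {
    printf '%s\n' "$1" | awk -v n="$2" \
        '$1=="tunnel-group" && $3=="type" && $4=="ipsec-l2l" { if (++i==n) { print $2; exit } }'
}

# Pre-shared key inside the n-th "tunnel-group <ip> ipsec-attributes" block.
asa_psk() {
    printf '%s\n' "$1" | awk -v n="$2" \
        '$1=="tunnel-group" && $3=="ipsec-attributes" { i++ }
         $1=="pre-shared-key" && i==n { print $2; exit }'
}

# Phase 1 lifetime: the "lifetime" line of the first "crypto isakmp policy" block.
asa_phase1_lifetime() {
    printf '%s\n' "$1" | awk \
        '$1=="crypto" && $2=="isakmp" && $3=="policy" { inpol=1 }
         inpol && $1=="lifetime" { print $2; exit }'
}

# Phase 2 lifetime: "crypto ipsec security-association lifetime seconds N".
asa_phase2_lifetime() {
    printf '%s\n' "$1" | awk \
        '$1=="crypto" && $2=="ipsec" && $3=="security-association" && $5=="seconds" { print $6; exit }'
}

# Render /etc/ipsec.conf text: $1=config, $2=local net/mask, $3=VPC net/mask, $4=local public IP.
# Returns non-zero unless two distinct peers, both lifetimes and both keys were found.
render_ipsec_conf() {
    r_cfg=$1; r_lnet=$2; r_vnet=$3; r_lip=$4
    r_p1=$(asa_phase1_lifetime "$r_cfg"); r_p2=$(asa_phase2_lifetime "$r_cfg")
    r_peer1=$(asa_peer "$r_cfg" 1); r_peer2=$(asa_peer "$r_cfg" 2)
    if [ -z "$r_p1" ] || [ -z "$r_p2" ] || [ -z "$r_peer1" ] || [ -z "$r_peer2" ] \
        || [ "$r_peer1" = "$r_peer2" ]; then
        echo "render_ipsec_conf: expected two distinct tunnel peers and both lifetimes" >&2
        return 1
    fi
    for r_n in 1 2; do
        r_peer=$(asa_peer "$r_cfg" "$r_n"); r_psk=$(asa_psk "$r_cfg" "$r_n")
        if [ -z "$r_psk" ]; then
            echo "render_ipsec_conf: no pre-shared-key for tunnel $r_n" >&2
            return 1
        fi
        # Proposal line copied from the post's template: Cisco "group 2" is modp1024,
        # "hash sha" / "esp-sha-hmac" is hmac-sha1, "encryption aes" / "esp-aes" is aes.
        cat <<EOF
ike esp from $r_lnet to $r_vnet \\
        local $r_lip peer $r_peer \\
        main auth hmac-sha1 enc aes group modp1024 lifetime $r_p1 \\
        quick auth hmac-sha1 enc aes group modp1024 lifetime $r_p2 \\
        srcid $r_lip \\
        psk "$r_psk" \\
        tag amazon-vpc
EOF
    done
}

# Usage: sh render-ipsec.sh vpn-asa-config.txt 10.0.0.0/24 192.168.0.0/16 198.51.100.5
# With no arguments, render from the constructed sample above.
if [ $# -ge 4 ]; then
    render_ipsec_conf "$(cat "$1")" "$2" "$3" "$4"
else
    render_ipsec_conf "$SAMPLE_ASA_CONFIG" 10.0.0.0/24 192.168.0.0/16 198.51.100.5
fi
```

Redirect the output into /etc/ipsec.conf (keep that file mode 0600, since it now carries both PSKs) and run the post's own parse-only check, ipsecctl -nf /etc/ipsec.conf, before loading it. The script refuses to emit anything unless it finds two distinct peers, each with a key, which catches a truncated or partially edited download before isakmpd starts negotiating with half a config.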

Testing the config:

Code:
echo 'isakmpd_flags="-4 -K"' >> /etc/rc.conf.local
echo 'ipsec=YES' >> /etc/rc.conf.local

isakmpd -4Kd # for testing (stays in the foreground with debug output); to run the service instead: /etc/rc.d/isakmpd start
In another terminal, after isakmpd has started up:

Code:
ipsecctl -nf /etc/ipsec.conf # parse only: catches syntax errors without loading anything
ipsecctl -f /etc/ipsec.conf

ipsecctl -sa # check that one of the tunnels is up (only one will be up at a time); it may take a few moments to establish the tunnel

# verify routes once the tunnel is up:
netstat -rnf encap

Fire up an instance in your VPC and ping the instance's private IP from a machine on the OpenBSD private network to verify security groups and ACLs.

Enjoy!

Edit - this is sufficient to get the tunnel up and running, however, it does not cover the Cisco SLA monitor. In short, the active tunnel will need "interesting" traffic (i.e. traffic that gets routed via the active tunnel) to keep the active tunnel alive. I've been testing with an MTR trace from my local network to an instance in the VPC, and that has been sufficient to keep the tunnel alive for a few days thus far.
Comments

  1.
    I forgot to mention, for failover purposes, you should put the following in /etc/ipsec.conf:

    include "/etc/ipsec/aws-$TUNNEL1-IP.conf"
    include "/etc/ipsec/aws-$TUNNEL2-IP.conf"

    Then put each tunnel in its own "/etc/ipsec/aws-$TUNNEL#-IP.conf" file. To failover from tunnel 1 to tunnel 2, then, you can:

    ipsecctl -df /etc/ipsec/aws-$TUNNEL1-IP.conf && ipsecctl -f /etc/ipsec/aws-$TUNNEL2-IP.conf

    Testing on my side shows the failover occurs in ~4-6 seconds.
    Posted 02-17-2015 at 06:36 PM by rocket357