Old 02-13-2013, 08:38 AM   #1
romeo_tango
Member
 
Registered: Nov 2006
Distribution: Mint
Posts: 148

Rep: Reputation: 15
Questions about Amazon VPC - Cisco ASA connectivity


Hi!

Sorry, but before I am judged, let me state this first: yes, I have read the documentation on the Amazon sites, but I still don't understand a few things. So please do help, or at least give me some additional links.

What I want to create:

Code:
office local net - office internet - internet - amazon ec2
What I already did:

Code:
office local net - office internet - Cisco ASA - internet - amazon vpc
The VPN Connection in the Amazon VPC section states that IPsec is UP but the tunnel is still down.

The question is: what should I do after the VPC setup?

- I already created an EC2 instance in the VPC network following these steps.
- This EC2 VPC instance still cannot connect directly to the office local net by default, and I figured perhaps I should use a software VPN then.
- I tried using IPsec just like the example in
Code:
http://aws.amazon.com/articles/8800869755706543#_Toc331594720
but still no good results.

From the EC2 system log, the last line was:
Code:
Feb 13 14:19:30 ip-1-1-1-139 ipsec__plutorun: 104 "vpc-to-asa" #1: STATE_MAIN_I1: initiate
Did I miss something?
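The last line in that log is pluto's Phase 1 initiator state. As an added example (not from the original post), this Python helper maps Openswan/pluto state names to how far the negotiation got and what a stall at that point usually indicates; the function names `furthest_state` and `diagnose` are chosen here, and the sample log is constructed apart from the one line quoted above.

```python
import re

# Openswan/pluto initiator states in the order a successful IKE negotiation
# passes through them (Phase 1 Main Mode, then Phase 2 Quick Mode).
STATE_ORDER = ["STATE_MAIN_I1", "STATE_MAIN_I2", "STATE_MAIN_I3", "STATE_MAIN_I4",
               "STATE_QUICK_I1", "STATE_QUICK_I2"]

# Typical reason a negotiation stops at a given state (hints, not a diagnosis).
STALL_HINT = {
    "STATE_MAIN_I1": "MI1 sent, no MR1: the peer never answered. Check that UDP/500 (and "
                     "UDP/4500 for NAT-T) reaches it and that it has an IKE policy for us",
    "STATE_MAIN_I2": "MI2 sent, no MR2: SA proposal accepted but the DH exchange was not answered",
    "STATE_MAIN_I3": "MI3 sent, no MR3: usually a pre-shared key or IKE identity mismatch",
    "STATE_MAIN_I4": "ISAKMP SA established but Quick Mode never started",
    "STATE_QUICK_I1": "QI1 sent, no QR1: usually an ESP algorithm or subnet (traffic selector) mismatch",
    "STATE_QUICK_I2": "IPsec SA established: the tunnel is up",
}

LINE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<state>STATE_\w+):')

def furthest_state(log_lines):
    """Map each connection name to the furthest state it reached in the log."""
    reached = {}
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m or m.group("state") not in STATE_ORDER:
            continue  # not a state-transition line, or a responder/other state
        conn, state = m.group("conn"), m.group("state")
        if conn not in reached or STATE_ORDER.index(state) > STATE_ORDER.index(reached[conn]):
            reached[conn] = state
    return reached

def diagnose(log_lines):
    """Map each connection name to a hint about where its negotiation stalled."""
    return {conn: STALL_HINT[state] for conn, state in furthest_state(log_lines).items()}

# Constructed sample log: the first line is the one quoted in the question; the
# "test-peer" lines are made up to show a negotiation that completed both phases.
SAMPLE_LOG = [
    'Feb 13 14:19:30 ip-1-1-1-139 ipsec__plutorun: 104 "vpc-to-asa" #1: STATE_MAIN_I1: initiate',
    'Feb 13 14:20:01 ip-1-1-1-139 pluto[1234]: "test-peer" #2: STATE_MAIN_I1: initiate',
    'Feb 13 14:20:01 ip-1-1-1-139 pluto[1234]: "test-peer" #2: STATE_MAIN_I2: sent MI2, expecting MR2',
    'Feb 13 14:20:02 ip-1-1-1-139 pluto[1234]: "test-peer" #2: STATE_MAIN_I3: sent MI3, expecting MR3',
    'Feb 13 14:20:02 ip-1-1-1-139 pluto[1234]: "test-peer" #2: STATE_MAIN_I4: ISAKMP SA established',
    'Feb 13 14:20:03 ip-1-1-1-139 pluto[1234]: "test-peer" #3: STATE_QUICK_I1: initiate',
    'Feb 13 14:20:03 ip-1-1-1-139 pluto[1234]: "test-peer" #3: STATE_QUICK_I2: sent QI2, IPsec SA established',
]
```

A connection that never gets past STATE_MAIN_I1, as in the log above, has not received any reply at all, so the place to look is reachability of the peer on UDP/500 and the peer's own IKE configuration rather than Phase 2 settings.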
 
Old 02-14-2013, 10:56 AM   #2
bigearsbilly
Senior Member
 
Registered: Mar 2004
Location: england
Distribution: FreeBSD, Debian, Mint, Puppy
Posts: 3,269

Rep: Reputation: 165
You are welcome to try this...
I spent a week connecting a virtual environment to a data provider behind a cisco router.

Note: it uses mksh, but bash may work if you change that line.
It uses ipsec-tools and racoon (the preferred method now); you may need to install them.
You will need to put the racoon.conf files in a sensible place.


Code:
#!/bin/mksh
set -o errexit
set -o nounset
trap usage ERR

usage()
{
exec >&2
cat <<EOF

# this script attempts to set up most of what you need for an
# IPSec tunnel VPN, it has worked in a production environment
# against a Cisco router
#
# it will  create 3 files for each host, 6 in total
#	1. a file suitable for 'setkey'
#	2. a file suitable for setting up the tap device and routing
#	3. a racoon.conf file

# 	If you set DO_RUN=y and MASTER_HOST
#	The script will attempt to put it all in place.


# This is what your VPN looks like:
# HOST_A should be *your* host and HOST_B the other
# MASTER_HOST should be set to *your* hostname
#
#                                       +----------+
#               + > > > > > > > > > > > | TUNNEL_A | virtual address
#               .                       |          |
#               .                       +----------+
#               .                            ||
#               .                            ||
#          +--------+                        ||
#          | HOST_A |real address            ||
#          |        |                        ||
#          +--------+                        ||
#               |
#               | Plain
#               | IP                         IPSec Tunnel
#               |
#               |
#               |
#          +--------+                        ||
#          | HOST_B |real address            ||
#          |        |                        ||
#          +--------+                        ||
#               .                            ||
#               .                            ||
#               .                       +----------+
#               + > > > > > > > > > > > | TUNNEL_B | virtual address
#                                       |          |
#                                       +----------+



# ENVIRONMENT VARIABLES YOU NEED TO SET:
#
# HOST_A	-	'real' ip address 
# HOST_B	-	'real' ip address 
#
# TUNNEL_A	-	tunnel "entrance" for the machine, a 'virtual' ip adress
# TUNNEL_B	-	ditto

# OPTIONAL ENVIRONMENT VARIABLES:
#
# DO_RUN	-	y/n will execute commands using the config files
# MASTER_HOST	-	needed if DO_RUN is set, needs to be IDENTICAL on both machines
#			at the ends of the tunnel to ensure the configs are reversed correctly.
#			It needs to be the hostname of A or B
#			it does not matter which host you choose, it can be A or B but
#			you must set the _same_ on both machines
#			because the configurations are basically the same but reversed
#			on each end of the tunnel
EOF
}

CONF_A=ipsec.A.conf
CONF_B=ipsec.B.conf

SHELL_A=devices.A.sh
SHELL_B=devices.B.sh

RACOON_A=racoon.A.conf
RACOON_B=racoon.B.conf


do_setkey()
{
cat <<EOF
flush;
spdflush;

spdadd $LOCAL_TUNNEL $OTHER_TUNNEL any -P out ipsec
        esp/tunnel/$LOCAL_HOST-$OTHER_HOST/require;

spdadd $OTHER_TUNNEL  $LOCAL_TUNNEL any -P in ipsec
        esp/tunnel/$OTHER_HOST-$LOCAL_HOST/require;

EOF
}
set_racoon()
{


cat <<EOF
# using pre-shared key
# keys are read from the file named by 'path pre_shared_key' (racoon's psk.txt by default)
remote anonymous
{
        # aggressive mode with a PSK lets a passive observer attack the key offline;
        # restrict this to 'main' if the peer supports it
        exchange_mode main,aggressive,base;

        dpd_delay 0; # doesn't do owt anyway it seems
        lifetime time 86400 seconds;
        proposal {
                # 3des/md5 are legacy algorithms; they must match what the peer offers,
                # so prefer aes and sha1 (or stronger) where both ends allow it
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
        generate_policy off;
}
 
sainfo anonymous
{
        #pfs_group modp768;
        #pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
EOF


}

set_device()
{
cat <<EOF
ip tuntap del dev vpn mode tap || true   # ignore the error if the device does not exist yet
ip tuntap add dev vpn mode tap 
ip addr add dev vpn $LOCAL_TUNNEL
ip link set vpn up
ip route del dev vpn $OTHER_TUNNEL || true
ip route add dev vpn $OTHER_TUNNEL
EOF
}

do_it()
{

case $1 in

	A)
	LOCAL_HOST=$HOST_A
	OTHER_HOST=$HOST_B

	LOCAL_TUNNEL=$TUNNEL_A
	OTHER_TUNNEL=$TUNNEL_B

	;;

	B)
	LOCAL_HOST=$HOST_B
	OTHER_HOST=$HOST_A

	LOCAL_TUNNEL=$TUNNEL_B
	OTHER_TUNNEL=$TUNNEL_A

	;;

	*)
	>&2 echo what host is this? should be 'A' or 'B'
	exit 1
	;;
esac
case $2 in
    setkey)
	do_setkey
    ;;
    device)
	set_device
    ;;
    racoon)
	set_racoon
    ;;
    *)
	>&2 echo what command is this? should be 'setkey', 'device' or 'racoon'
	exit 1
	;;
esac

}


do_it A setkey | tee $CONF_A
do_it B setkey | tee  $CONF_B

do_it A device > $SHELL_A
do_it B device > $SHELL_B

do_it A racoon > $RACOON_A
do_it B racoon > $RACOON_B

# DO_RUN is optional: with nounset on, reading it unset would abort the script
# instead of stopping cleanly after the config files have been written
[[ "${DO_RUN:-n}" = [yY] ]] || exit 0


    cat <<EOF

    * Attention *
    MASTER_HOST=$MASTER_HOST

    If this is wrong you may not get results
    It should be HOST_A in the diagram

EOF


case $(hostname) in 

    $MASTER_HOST)
	 setkey -f $CONF_A
	 /bin/sh $SHELL_A
	;;
	*)
	setkey -f $CONF_B
	/bin/sh $SHELL_B
	;;
esac


service racoon restart

Last edited by bigearsbilly; 02-14-2013 at 10:57 AM.
 
Old 02-19-2013, 09:18 PM   #3
romeo_tango
Member
 
Registered: Nov 2006
Distribution: Mint
Posts: 148

Original Poster
Rep: Reputation: 15
Hi @bigearsbilly

Thank you for replying; however, at the moment I have successfully connected the VPN using the same documentation from AWS.

The problem was in the Cisco configuration.

Anyway, once again, thank you.
 
Old 02-20-2013, 02:00 AM   #4
bigearsbilly
Senior Member
 
Registered: Mar 2004
Location: england
Distribution: FreeBSD, Debian, Mint, Puppy
Posts: 3,269

Rep: Reputation: 165
good, it's fun ain't it!
 
  

