Solved

Site-to-Site VPN OpenSWAN in AWS VPC to a Sonicwall

Posted on 2016-11-03
5
111 Views
1 Endorsement
Last Modified: 2016-11-14
I am trying to create this site to site tunnel and Im not sure what I have done wrong.

1. The Amazon linux distro has an Elastic IP assigned.
2. I have allowed all traffic from the sonicwall IP in the security group.
3. I am using PSK on both sides.


Here is the IPSEC.conf file:

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=no
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        #keep_alive=60
        #force_keepalive=yes
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

#include /etc/ipsec.d/examples/no_oe.conf:wq!

## connection definition in Red Hat ##
conn AWS2SONICWALL
        authby=secret
        auto=start
        #aggrmode=yes
        ike=3des-md5
        ## phase 1 ##
        keyexchange=ike
        ikev2=no
        ## phase 2 ##
        phase2=esp
        phase2alg=3des-md5
        #esp=3des-md5
        #compress=no
        pfs=yes
        type=tunnel
        left=10.0.40.18
        leftsubnet=10.0.40.0/24
        leftnexthop=%defaultroute
        right="SONICWALL PUBLIC IP"
        rightsubnet=192.168.15.0/24


Here is the ipsec.secrets config

ELASTIC-IP  SONICWALL-IP :  PSK "testpsk123456"


I have changed and reloaded the sysctl file.

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0


# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
1
Comment
Question by:Cody Smith
  • 3
  • 2
5 Comments
 
LVL 13

Assisted Solution

by:Phil Phillips
Phil Phillips earned 500 total points
ID: 41875005
One thing that always gets me is making sure that "Source/Destination Check" is disabled on the VPN instance.  You can do this by right clicking on the instance and clicking "Networking"->"Change Source/Dest. Check".  On the popup, hit "Yes, Disable".

Apart from that, I don't see anything that jumps out at me (though I haven't done an ipsec config in a while..).  Though, since you're using ipsec, I'd actually recommend using a managed VPN connection (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html). I believe SonicWalls are on the list of supported hardware.
0
 
LVL 1

Author Comment

by:Cody Smith
ID: 41875066
Thanks for the response!  I couldn't find any issue, so I tore down this instance and spun up an Unbutu instance with StrongSWAN.  I have had success with getting the VPN Gateway to function on the VPC.  I am able to ping from the Ubuntu box, through the tunnel, to hosts on the other side of the sonic wall.  

However I am not able to ping to hosts beyond the Ubnutu VPN gateway from behind the Sonicwall.

I have been trying to configure iptables with masquerading but I dont know if it this will work with only the one subnet and one NIC on the Ubuntu box (Router on a stick without vlans).

10.0.40.192                           10.0.40.88            Public                                    Public                         192.168.15.3
Domain Controller ---------> Ubuntu VPN Gateway  ========Tunnel===>Sonicwall------->DomainController

What do I need to do on the Ubuntu Gateway to get it to route the .192 address  though the gateway and through the tunnel.
0
 
LVL 13

Accepted Solution

by:
Phil Phillips earned 500 total points
ID: 41875165
Two things to check:

1. Source/destination check is disabled (as mentioned above)
2. In the VPC route table for the subnet(s) that you have the other hosts in: make sure there's a route for 192.168.0.0/16 (make the netmask more specific if you'd like) that goes through the interface of the VPN instance.
0
 
LVL 1

Author Closing Comment

by:Cody Smith
ID: 41887211
Thank you!!!
0
 
LVL 1

Author Comment

by:Cody Smith
ID: 41887212
Source Destination check was the issue.
0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
centos linux 65 155
Review of OCA certificate policy 1 29
Linux mount of Windows Shared Now Fails 8 75
how to include conditional log rotate in liunx. 17 33
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question