Cody Smith
asked on
Site-to-Site VPN OpenSWAN in AWS VPC to a Sonicwall
I am trying to create this site-to-site tunnel and I'm not sure what I have done wrong.
1. The Amazon linux distro has an Elastic IP assigned.
2. I have allowed all traffic from the sonicwall IP in the security group.
3. I am using PSK on both sides.
Here is the IPSEC.conf file:
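# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
#
# Layout: per ipsec.conf(5) a section header ("config setup", "conn NAME")
# starts in column 0 and its parameter lines are indented, as in the stock
# file. The leading whitespace appears to have been lost when this was pasted,
# and several values were wrapped mid-token (spaces inside addresses and
# paths); both are restored below.
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    # NOTE(review): left= is the instance's private address and the Elastic IP
    # is a 1:1 NAT in front of it, so the peer sees this host behind NAT.
    # nat_traversal=yes is normally needed in that position -- confirm.
    nat_traversal=no
    # Only consulted for connections whose peer subnet is virtual (%priv);
    # it is inert for this static site-to-site conn. If it is ever used,
    # exclude the local subnet from it (e.g. ,%v4:!10.0.40.0/24).
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    # "all" is useful while bringing the tunnel up but very verbose; set it
    # back to none afterwards and keep the log file readable by root only.
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    #keep_alive=60
    #force_keepalive=yes
    # Enable this if you see "failed to find any available worker"
    nhelpers=0
    # (a stray ":wq!" vi command had been pasted onto the end of this line)
    #include /etc/ipsec.d/examples/no_oe.conf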
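## connection definition in Red Hat ##
# Parameter lines are indented as ipsec.conf(5) requires; the indentation and
# the wrapped rightsubnet value appear to have been lost when this was pasted.
conn AWS2SONICWALL
    # PSK taken from /etc/ipsec.secrets; must be identical on the SonicWall
    authby=secret
    auto=start
    #aggrmode=yes
    # 3DES and MD5 are deprecated. Prefer AES with SHA-1 at minimum, better
    # SHA-2, and a >= 2048-bit DH group (e.g. ike=aes256-sha1;modp2048) if
    # the SonicWall supports it; both peers must be changed together.
    ike=3des-md5
    ## phase 1 ##
    keyexchange=ike
    ikev2=no
    ## phase 2 ##
    phase2=esp
    # same weak-algorithm caveat as ike= above
    phase2alg=3des-md5
    #esp=3des-md5
    #compress=no
    pfs=yes
    type=tunnel
    # private address of this instance; the Elastic IP is NAT in front of it
    left=10.0.40.18
    # VPC subnet offered through the tunnel. Other hosts in it reach
    # 192.168.15.0/24 only if the VPC route table sends that prefix to this
    # instance and the instance's source/destination check is disabled;
    # the tunnel itself does not add that route -- confirm the route table.
    leftsubnet=10.0.40.0/24
    leftnexthop=%defaultroute
    # placeholder kept from the post; the real value is the SonicWall WAN address
    right="SONICWALL PUBLIC IP"
    rightsubnet=192.168.15.0/24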
Here is the ipsec.secrets config
# /etc/ipsec.secrets -- keep mode 0600, owned by root. The PSK on this line
# has been posted publicly and should be replaced on both peers.
# NOTE(review): pluto matches these indices against the connection's own and
# peer IDs; with left=10.0.40.18 the local ID may be the private address (or
# %any) rather than the Elastic IP -- confirm which index pluto actually uses.
ELASTIC-IP SONICWALL-IP : PSK "testpsk123456"
I have changed and reloaded the sysctl file.
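# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# (Several keys below were wrapped mid-name when pasted; restored here.)

# Controls IP packet forwarding
# Required for this host to act as the VPN gateway for 10.0.40.0/24. It also
# makes the instance a router for anything the security group lets in, so
# limit forwarded traffic (iptables FORWARD chain / security group) to the
# two tunnel subnets.
net.ipv4.ip_forward = 1

# ICMP redirects: a forwarding host should neither send nor accept them.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Controls source route verification
# NOTE(review): with protostack=netkey, strict reverse-path filtering can drop
# decrypted tunnel traffic (recent "ipsec verify" scripts warn about it).
# This key only sets the template for interfaces created later; the existing
# interface is governed by net.ipv4.conf.all.rp_filter and
# net.ipv4.conf.<iface>.rp_filter. Consider relaxing it on the interface that
# carries the tunnel -- confirm.
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296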
1. The Amazon linux distro has an Elastic IP assigned.
2. I have allowed all traffic from the sonicwall IP in the security group.
3. I am using PSK on both sides.
Here is the IPSEC.conf file:
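# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
#
# Layout: per ipsec.conf(5) a section header ("config setup", "conn NAME")
# starts in column 0 and its parameter lines are indented, as in the stock
# file. The leading whitespace appears to have been lost when this was pasted,
# and several values were cut off at a fixed column; both are restored below
# from the complete copy of the file earlier in the post.
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    # NOTE(review): left= is the instance's private address and the Elastic IP
    # is a 1:1 NAT in front of it, so the peer sees this host behind NAT.
    # nat_traversal=yes is normally needed in that position -- confirm.
    nat_traversal=no
    # Only consulted for connections whose peer subnet is virtual (%priv);
    # it is inert for this static site-to-site conn. If it is ever used,
    # exclude the local subnet from it (e.g. ,%v4:!10.0.40.0/24).
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    # "all" is useful while bringing the tunnel up but very verbose; set it
    # back to none afterwards and keep the log file readable by root only.
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    #keep_alive=60
    #force_keepalive=yes
    # Enable this if you see "failed to find any available worker"
    nhelpers=0
    #include /etc/ipsec.d/examples/no_oe.conf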
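## connection definition in Red Hat ##
# Parameter lines are indented as ipsec.conf(5) requires; the indentation and
# the cut-off rightsubnet value are restored from the complete copy above.
conn AWS2SONICWALL
    # PSK taken from /etc/ipsec.secrets; must be identical on the SonicWall
    authby=secret
    auto=start
    #aggrmode=yes
    # 3DES and MD5 are deprecated. Prefer AES with SHA-1 at minimum, better
    # SHA-2, and a >= 2048-bit DH group (e.g. ike=aes256-sha1;modp2048) if
    # the SonicWall supports it; both peers must be changed together.
    ike=3des-md5
    ## phase 1 ##
    keyexchange=ike
    ikev2=no
    ## phase 2 ##
    phase2=esp
    # same weak-algorithm caveat as ike= above
    phase2alg=3des-md5
    #esp=3des-md5
    #compress=no
    pfs=yes
    type=tunnel
    # private address of this instance; the Elastic IP is NAT in front of it
    left=10.0.40.18
    # VPC subnet offered through the tunnel. Other hosts in it reach
    # 192.168.15.0/24 only if the VPC route table sends that prefix to this
    # instance and the instance's source/destination check is disabled;
    # the tunnel itself does not add that route -- confirm the route table.
    leftsubnet=10.0.40.0/24
    leftnexthop=%defaultroute
    # placeholder kept from the post; the real value is the SonicWall WAN address
    right="SONICWALL PUBLIC IP"
    rightsubnet=192.168.15.0/24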
Here is the ipsec.secrets config
# /etc/ipsec.secrets -- keep mode 0600, owned by root. The PSK on this line
# has been posted publicly and should be replaced on both peers.
# NOTE(review): pluto matches these indices against the connection's own and
# peer IDs; with left=10.0.40.18 the local ID may be the private address (or
# %any) rather than the Elastic IP -- confirm which index pluto actually uses.
ELASTIC-IP SONICWALL-IP : PSK "testpsk123456"
I have changed and reloaded the sysctl file.
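# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# (Several keys below were cut off when pasted; restored from the complete
# copy of the file earlier in the post.)

# Controls IP packet forwarding
# Required for this host to act as the VPN gateway for 10.0.40.0/24. It also
# makes the instance a router for anything the security group lets in, so
# limit forwarded traffic (iptables FORWARD chain / security group) to the
# two tunnel subnets.
net.ipv4.ip_forward = 1

# ICMP redirects: a forwarding host should neither send nor accept them.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Controls source route verification
# NOTE(review): with protostack=netkey, strict reverse-path filtering can drop
# decrypted tunnel traffic (recent "ipsec verify" scripts warn about it).
# This key only sets the template for interfaces created later; the existing
# interface is governed by net.ipv4.conf.all.rp_filter and
# net.ipv4.conf.<iface>.rp_filter. Consider relaxing it on the interface that
# carries the tunnel -- confirm.
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296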
ASKER
Thank you!!!
ASKER
Source Destination check was the issue.
ASKER
However, I am not able to ping hosts beyond the Ubuntu VPN gateway from behind the Sonicwall.
I have been trying to configure iptables with masquerading, but I don't know if this will work with only one subnet and one NIC on the Ubuntu box (router on a stick without VLANs).
10.0.40.192 10.0.40.88 Public Public 192.168.15.3
Domain Controller ---------> Ubuntu VPN Gateway ========Tunnel===>Sonicwall
What do I need to do on the Ubuntu gateway to get it to route the .192 address through the gateway and through the tunnel?