Solved

Site-to-Site VPN OpenSWAN in AWS VPC to a Sonicwall

Posted on 2016-11-03
Last Modified: 2016-11-14
I am trying to create this site-to-site tunnel and I'm not sure what I have done wrong.

1. The Amazon linux distro has an Elastic IP assigned.
2. I have allowed all traffic from the sonicwall IP in the security group.
3. I am using PSK on both sides.


Here is the IPSEC.conf file:

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=no
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        #keep_alive=60
        #force_keepalive=yes
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

#include /etc/ipsec.d/examples/no_oe.conf

## connection definition in Red Hat ##
conn AWS2SONICWALL
        authby=secret
        auto=start
        #aggrmode=yes
        ike=3des-md5
        ## phase 1 ##
        keyexchange=ike
        ikev2=no
        ## phase 2 ##
        phase2=esp
        phase2alg=3des-md5
        #esp=3des-md5
        #compress=no
        pfs=yes
        type=tunnel
        left=10.0.40.18
        leftsubnet=10.0.40.0/24
        leftnexthop=%defaultroute
        right="SONICWALL PUBLIC IP"
        rightsubnet=192.168.15.0/24


Here is the ipsec.secrets config

ELASTIC-IP  SONICWALL-IP :  PSK "testpsk123456"


I have changed and reloaded the sysctl file.

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0


# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
Question by:Cody Smith
5 Comments
 
LVL 14

Assisted Solution

by:Phil Phillips
Phil Phillips earned 500 total points
ID: 41875005
One thing that always gets me is making sure that "Source/Destination Check" is disabled on the VPN instance.  You can do this by right clicking on the instance and clicking "Networking"->"Change Source/Dest. Check".  On the popup, hit "Yes, Disable".

Apart from that, I don't see anything that jumps out at me (though I haven't done an ipsec config in a while..).  Though, since you're using ipsec, I'd actually recommend using a managed VPN connection (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html). I believe SonicWalls are on the list of supported hardware.
 
LVL 1

Author Comment

by:Cody Smith
ID: 41875066
Thanks for the response!  I couldn't find any issue, so I tore down this instance and spun up an Ubuntu instance with StrongSWAN.  I have had success with getting the VPN Gateway to function on the VPC.  I am able to ping from the Ubuntu box, through the tunnel, to hosts on the other side of the Sonicwall.

However, I am not able to ping hosts beyond the Ubuntu VPN gateway from behind the Sonicwall.

I have been trying to configure iptables with masquerading but I don't know if this will work with only the one subnet and one NIC on the Ubuntu box (router on a stick without VLANs).

10.0.40.192                10.0.40.88                 Public                    Public          192.168.15.3
Domain Controller -------> Ubuntu VPN Gateway ========= Tunnel =========> Sonicwall -------> Domain Controller

What do I need to do on the Ubuntu gateway to get it to route the .192 address through the gateway and through the tunnel?
 
LVL 14

Accepted Solution

by:Phil Phillips
Phil Phillips earned 500 total points
ID: 41875165
Two things to check:

1. Source/destination check is disabled (as mentioned above)
2. In the VPC route table for the subnet(s) that you have the other hosts in: make sure there's a route for 192.168.0.0/16 (make the netmask more specific if you'd like) that goes through the interface of the VPN instance.
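The two checks in this answer, plus the ip_forward setting from the question, as an added offline pre-flight script (example code, not from anyone in this thread). The conn block, sysctl text and VPC route list are constructed to match the topology above; the instance and gateway ids are placeholders, and the route entries use the same keys as the Routes list returned by `aws ec2 describe-route-tables`.

```python
import ipaddress
import re

# Constructed inputs mirroring the thread's topology (VPC subnet 10.0.40.0/24,
# remote LAN 192.168.15.0/24). Instance and gateway ids are placeholders.
IPSEC_CONF = """
conn AWS2SONICWALL
        leftsubnet=10.0.40.0/24
        rightsubnet=192.168.15.0/24
"""
SYSCTL = "net.ipv4.ip_forward = 1\nnet.ipv4.conf.default.rp_filter = 1\n"
VPN_INSTANCE = "i-PLACEHOLDER-VPN"
ROUTES = [  # same keys as the Routes list from `aws ec2 describe-route-tables`
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"},
    {"DestinationCidrBlock": "192.168.0.0/16", "InstanceId": VPN_INSTANCE},
]

def conn_settings(conf, name):
    """Return the key=value pairs of one `conn <name>` block in ipsec.conf syntax."""
    block = re.search(rf"^conn {re.escape(name)}\n((?:[ \t]+.*\n?)*)", conf, re.M)
    if not block:
        raise ValueError(f"conn {name} not found")
    return dict(re.findall(r'^\s*(\w+)="?([^"\n]+)"?', block.group(1), re.M))

def ip_forward_enabled(sysctl_text):
    """True when the sysctl output/config sets net.ipv4.ip_forward to 1."""
    m = re.search(r"^\s*net\.ipv4\.ip_forward\s*=\s*(\d+)", sysctl_text, re.M)
    return m is not None and m.group(1) == "1"

def best_route(routes, subnet):
    """Longest-prefix match, which is how the VPC router picks a route."""
    net = ipaddress.ip_network(subnet)
    hits = [r for r in routes
            if ipaddress.ip_network(r["DestinationCidrBlock"]).supernet_of(net)]
    return max(hits, default=None,
               key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen)

def preflight(conf, conn, sysctl_text, source_dest_check, routes, vpn_instance):
    """List everything that would stop 10.0.40.x hosts reaching the remote LAN."""
    remote = conn_settings(conf, conn)["rightsubnet"]
    problems = []
    if not ip_forward_enabled(sysctl_text):
        problems.append("net.ipv4.ip_forward is not 1: kernel will not forward into the tunnel")
    if source_dest_check:  # value of the instance's sourceDestCheck attribute
        problems.append("source/dest check enabled: EC2 drops packets not addressed to the instance")
    r = best_route(routes, remote)
    if r is None or r.get("InstanceId") != vpn_instance:
        problems.append(f"VPC route table does not send {remote} via {vpn_instance}")
    return problems
```

Feed it the real `sysctl net.ipv4.ip_forward` output, the instance's sourceDestCheck attribute and the subnet's route table, and an empty list means the three things in this thread are in place.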
 
LVL 1

Author Closing Comment

by:Cody Smith
ID: 41887211
Thank you!!!
 
LVL 1

Author Comment

by:Cody Smith
ID: 41887212
Source Destination check was the issue.
