Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Site-to-Site VPN OpenSWAN in AWS VPC to a Sonicwall

Posted on 2016-11-03
5
Medium Priority
?
277 Views
1 Endorsement
Last Modified: 2016-11-14
I am trying to create this site to site tunnel and Im not sure what I have done wrong.

1. The Amazon linux distro has an Elastic IP assigned.
2. I have allowed all traffic from the sonicwall IP in the security group.
3. I am using PSK on both sides.


Here is the IPSEC.conf file:

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=no
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        #keep_alive=60
        #force_keepalive=yes
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

#include /etc/ipsec.d/examples/no_oe.conf:wq!

## connection definition in Red Hat ##
conn AWS2SONICWALL
        authby=secret
        auto=start
        #aggrmode=yes
        ike=3des-md5
        ## phase 1 ##
        keyexchange=ike
        ikev2=no
        ## phase 2 ##
        phase2=esp
        phase2alg=3des-md5
        #esp=3des-md5
        #compress=no
        pfs=yes
        type=tunnel
        left=10.0.40.18
        leftsubnet=10.0.40.0/24
        leftnexthop=%defaultroute
        right="SONICWALL PUBLIC IP"
        rightsubnet=192.168.15.0/24


Here is the ipsec.secrets config

ELASTIC-IP  SONICWALL-IP :  PSK "testpsk123456"


I have changed and reloaded the sysctl file.

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0


# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
1
Comment
Question by:Cody Smith
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 14

Assisted Solution

by:Phil Phillips
Phil Phillips earned 2000 total points
ID: 41875005
One thing that always gets me is making sure that "Source/Destination Check" is disabled on the VPN instance.  You can do this by right clicking on the instance and clicking "Networking"->"Change Source/Dest. Check".  On the popup, hit "Yes, Disable".

Apart from that, I don't see anything that jumps out at me (though I haven't done an ipsec config in a while..).  Though, since you're using ipsec, I'd actually recommend using a managed VPN connection (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html). I believe SonicWalls are on the list of supported hardware.
0
 
LVL 1

Author Comment

by:Cody Smith
ID: 41875066
Thanks for the response!  I couldn't find any issue, so I tore down this instance and spun up an Unbutu instance with StrongSWAN.  I have had success with getting the VPN Gateway to function on the VPC.  I am able to ping from the Ubuntu box, through the tunnel, to hosts on the other side of the sonic wall.  

However I am not able to ping to hosts beyond the Ubnutu VPN gateway from behind the Sonicwall.

I have been trying to configure iptables with masquerading but I dont know if it this will work with only the one subnet and one NIC on the Ubuntu box (Router on a stick without vlans).

10.0.40.192                           10.0.40.88            Public                                    Public                         192.168.15.3
Domain Controller ---------> Ubuntu VPN Gateway  ========Tunnel===>Sonicwall------->DomainController

What do I need to do on the Ubuntu Gateway to get it to route the .192 address  though the gateway and through the tunnel.
0
 
LVL 14

Accepted Solution

by:
Phil Phillips earned 2000 total points
ID: 41875165
Two things to check:

1. Source/destination check is disabled (as mentioned above)
2. In the VPC route table for the subnet(s) that you have the other hosts in: make sure there's a route for 192.168.0.0/16 (make the netmask more specific if you'd like) that goes through the interface of the VPN instance.
0
 
LVL 1

Author Closing Comment

by:Cody Smith
ID: 41887211
Thank you!!!
0
 
LVL 1

Author Comment

by:Cody Smith
ID: 41887212
Source Destination check was the issue.
0

Featured Post

Will your db performance match your db growth?

In Percona’s white paper “Performance at Scale: Keeping Your Database on Its Toes,” we take a high-level approach to what you need to think about when planning for database scalability.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
In part one, we reviewed the prerequisites required for installing SQL Server vNext. In this part we will explore how to install Microsoft's SQL Server on Ubuntu 16.04.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question