Solved

Site-to-Site VPN OpenSWAN in AWS VPC to a Sonicwall

Posted on 2016-11-03
5
226 Views
1 Endorsement
Last Modified: 2016-11-14
I am trying to create this site to site tunnel and Im not sure what I have done wrong.

1. The Amazon linux distro has an Elastic IP assigned.
2. I have allowed all traffic from the sonicwall IP in the security group.
3. I am using PSK on both sides.


Here is the IPSEC.conf file:

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=no
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        #keep_alive=60
        #force_keepalive=yes
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

#include /etc/ipsec.d/examples/no_oe.conf:wq!

## connection definition in Red Hat ##
conn AWS2SONICWALL
        authby=secret
        auto=start
        #aggrmode=yes
        ike=3des-md5
        ## phase 1 ##
        keyexchange=ike
        ikev2=no
        ## phase 2 ##
        phase2=esp
        phase2alg=3des-md5
        #esp=3des-md5
        #compress=no
        pfs=yes
        type=tunnel
        left=10.0.40.18
        leftsubnet=10.0.40.0/24
        leftnexthop=%defaultroute
        right="SONICWALL PUBLIC IP"
        rightsubnet=192.168.15.0/24


Here is the ipsec.secrets config

ELASTIC-IP  SONICWALL-IP :  PSK "testpsk123456"


I have changed and reloaded the sysctl file.

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0


# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
1
Comment
Question by:Cody Smith
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 14

Assisted Solution

by:Phil Phillips
Phil Phillips earned 500 total points
ID: 41875005
One thing that always gets me is making sure that "Source/Destination Check" is disabled on the VPN instance.  You can do this by right clicking on the instance and clicking "Networking"->"Change Source/Dest. Check".  On the popup, hit "Yes, Disable".

Apart from that, I don't see anything that jumps out at me (though I haven't done an ipsec config in a while..).  Though, since you're using ipsec, I'd actually recommend using a managed VPN connection (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html). I believe SonicWalls are on the list of supported hardware.
0
 
LVL 1

Author Comment

by:Cody Smith
ID: 41875066
Thanks for the response!  I couldn't find any issue, so I tore down this instance and spun up an Unbutu instance with StrongSWAN.  I have had success with getting the VPN Gateway to function on the VPC.  I am able to ping from the Ubuntu box, through the tunnel, to hosts on the other side of the sonic wall.  

However I am not able to ping to hosts beyond the Ubnutu VPN gateway from behind the Sonicwall.

I have been trying to configure iptables with masquerading but I dont know if it this will work with only the one subnet and one NIC on the Ubuntu box (Router on a stick without vlans).

10.0.40.192                           10.0.40.88            Public                                    Public                         192.168.15.3
Domain Controller ---------> Ubuntu VPN Gateway  ========Tunnel===>Sonicwall------->DomainController

What do I need to do on the Ubuntu Gateway to get it to route the .192 address  though the gateway and through the tunnel.
0
 
LVL 14

Accepted Solution

by:
Phil Phillips earned 500 total points
ID: 41875165
Two things to check:

1. Source/destination check is disabled (as mentioned above)
2. In the VPC route table for the subnet(s) that you have the other hosts in: make sure there's a route for 192.168.0.0/16 (make the netmask more specific if you'd like) that goes through the interface of the VPN instance.
0
 
LVL 1

Author Closing Comment

by:Cody Smith
ID: 41887211
Thank you!!!
0
 
LVL 1

Author Comment

by:Cody Smith
ID: 41887212
Source Destination check was the issue.
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
Happy holidays! Your Ops team can pack their bags. IT management and IT management tools are dead. Or at least that’s according to a new blog from Tech Target on AWS’s new Managed Services (MS) offering.
Steps to create a PostgreSQL RDS instance in the Amazon cloud. We will cover some of the default settings and show how to connect to the instance once it is up and running.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question