Solved

Site-to-Site VPN OpenSWAN in AWS VPC to a Sonicwall

Posted on 2016-11-03
5
40 Views
1 Endorsement
Last Modified: 2016-11-14
I am trying to create this site to site tunnel and Im not sure what I have done wrong.

1. The Amazon linux distro has an Elastic IP assigned.
2. I have allowed all traffic from the sonicwall IP in the security group.
3. I am using PSK on both sides.


Here is the IPSEC.conf file:

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=no
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        #keep_alive=60
        #force_keepalive=yes
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

#include /etc/ipsec.d/examples/no_oe.conf:wq!

## connection definition in Red Hat ##
conn AWS2SONICWALL
        authby=secret
        auto=start
        #aggrmode=yes
        ike=3des-md5
        ## phase 1 ##
        keyexchange=ike
        ikev2=no
        ## phase 2 ##
        phase2=esp
        phase2alg=3des-md5
        #esp=3des-md5
        #compress=no
        pfs=yes
        type=tunnel
        left=10.0.40.18
        leftsubnet=10.0.40.0/24
        leftnexthop=%defaultroute
        right="SONICWALL PUBLIC IP"
        rightsubnet=192.168.15.0/24


Here is the ipsec.secrets config

ELASTIC-IP  SONICWALL-IP :  PSK "testpsk123456"


I have changed and reloaded the sysctl file.

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0


# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Controls the default maxmimum size of a mesage queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
1
Comment
Question by:Cody Smith
  • 3
  • 2
5 Comments
 
LVL 12

Assisted Solution

by:Phil Phillips
Phil Phillips earned 500 total points
ID: 41875005
One thing that always gets me is making sure that "Source/Destination Check" is disabled on the VPN instance.  You can do this by right clicking on the instance and clicking "Networking"->"Change Source/Dest. Check".  On the popup, hit "Yes, Disable".

Apart from that, I don't see anything that jumps out at me (though I haven't done an ipsec config in a while..).  Though, since you're using ipsec, I'd actually recommend using a managed VPN connection (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html). I believe SonicWalls are on the list of supported hardware.
0
 
LVL 1

Author Comment

by:Cody Smith
ID: 41875066
Thanks for the response!  I couldn't find any issue, so I tore down this instance and spun up an Unbutu instance with StrongSWAN.  I have had success with getting the VPN Gateway to function on the VPC.  I am able to ping from the Ubuntu box, through the tunnel, to hosts on the other side of the sonic wall.  

However I am not able to ping to hosts beyond the Ubnutu VPN gateway from behind the Sonicwall.

I have been trying to configure iptables with masquerading but I dont know if it this will work with only the one subnet and one NIC on the Ubuntu box (Router on a stick without vlans).

10.0.40.192                           10.0.40.88            Public                                    Public                         192.168.15.3
Domain Controller ---------> Ubuntu VPN Gateway  ========Tunnel===>Sonicwall------->DomainController

What do I need to do on the Ubuntu Gateway to get it to route the .192 address  though the gateway and through the tunnel.
0
 
LVL 12

Accepted Solution

by:
Phil Phillips earned 500 total points
ID: 41875165
Two things to check:

1. Source/destination check is disabled (as mentioned above)
2. In the VPC route table for the subnet(s) that you have the other hosts in: make sure there's a route for 192.168.0.0/16 (make the netmask more specific if you'd like) that goes through the interface of the VPN instance.
0
 
LVL 1

Author Closing Comment

by:Cody Smith
ID: 41887211
Thank you!!!
0
 
LVL 1

Author Comment

by:Cody Smith
ID: 41887212
Source Destination check was the issue.
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Join & Write a Comment

Checking the Alert Log in AWS RDS Oracle can be a pain through their user interface.  I made a script to download the Alert Log, look for errors, and email me the trace files.  In this article I'll describe what I did and share my script.
Security is one of the biggest concerns when moving and migrating your data from your on-premise location to the Public Cloud.  Where is your data? Who can access it? Will it be safe from accidental deletion?  All of these questions and more are imp…
Steps to create a PostgreSQL RDS instance in the Amazon cloud. We will cover some of the default settings and show how to connect to the instance once it is up and running.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now