Blog Layout

AWS: Using Openswan for site-to-site VPN

blsrdwdm • Aug 03, 2018

You’ve decided to join the growing group of smart, bold businesses trailblazers by moving your network operations to the “Cloud”. And, of course, you’ve done your homework and decided that AWS is the only way to go. Good for you! Now comes the big question—“How do I connect my on premise workstations to my AWS VPC (Virtual Private Cloud—click here if you need a quick VPC refresher). You can certainly get it done by using AWS’ managed VPN service. This service consists of creating a Virtual Private Gateway in your AWS VPC to establish a site-to-site connection with your on premise VPN firewall (don’t you just LOVE the smell of VPNs in the morning!!). While this is a solid solution, the rate of $0.05/VPN per hour (ouch!) can get a bit costly if you have more than one VPN tunnel running (think multiple remote offices, like a large real estate brokerage). A cheaper alternative is to use a “software VPN” like Openswan that runs on a Linux-based EC2 instance. Although the cost of an m4.large instance on a 3-year Reserved Instance convertible term is basically the same as the AWS managed firewall, you can manage several tunnels on a single Openswan instance, which results in a significant cost savings if you have multiple tunnels. If this sounds like something right up your alley (or, if you are the more adventurous type), we’ve put together a short “How to” that should have your Openswan VPN tunnels up and running in short order.

A note on sizing: We have tested using Openswan on several instance types. There was a significant amount of packet loss using any of the t2 instance types. After moving to an m4.large instance type, there was no packet loss. The different instance types have different underlying hardware so there could be a performance issue associated with the Linux kernel and/or hardware used for t2 instances.

Creating the AWS EC2 Instance

  1. The first step is to launch a new EC2 instance to run Openswan:
     a. Open the AWS console and navigate to EC2 under services.
     b. Launch a new EC2 instance.
     c. Choose your Linux distribution (In this guide, we will be using the Amazon Linux AMI but Openswan runs on most Linux distributions)
     d. We recommend a minimum size of m4.large instance. We have seen a large amount of dropped packets with any of the t2 series instances.
     e. Place the instance in a Public subnet.
     f. Add a Name Tag to help identify (i.e. “Openswan”)
     g. Create a new security group that is called “Openswan SG” and allow SSH from the Public IP of the admin machine you are using.
  2. Disable Source/Dest. Check.
     a. In the EC2 Instances section of the console select the newly created instance you are using to run Openswan.
     b. Click on Actions->Networking->Change Source/Dest. Check
     c. Click on Yes, Disable
  3. — Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a VPN instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the VPN instance. —
  4. Assign an EIP (Elastic IP) to the Openswan VPN instance.
     a. In the EC2 Instances section of the console click on Elastic IPs under Network & Security.
     b. If you do not have an EIP available click “Allocate new address”.
     c. Select the new address and click Actions->Associate Address
     d. In the Instance section select the Openswan instance you created in step 1 and click Associate.
  5. Modify the Openswan Security Group
     a. Open the necessary inbound ports from your VPC. This will be based on the type of traffic you are sending through the tunnel.
     b. Open UPD ports 4500 and UDP port 500 from the remote gateway you are establishing the tunnel with. This will allow the ipsec connection to be established.

Installing and Configuring Openswan

  1. Connect to the EC2 instance and install Openswan
     a. SSH into the new instance
     b. Install Openswan: sudo yum install openswan
  2. Edit the IPSec configuration file
     a. Run the following command: sudo nano /etc/ipsec.conf
     b. You will need to uncomment the last line: include /etc/ipsec.d/*.conf
     c. Save and exit the file
  3. Command — Addison, TX — Red One Network Solutions
  4. Create a VPN configuration file: sudo nano /etc/ipsec.d/{vpnname}.conf
    You will create a configuration file for each VPN tunnel you are establishing. You should name the configuration file something to help you identify the client that this connects to. Be sure to set the connection name to the same thing to keep things clean and easy to manage.
     a. Paste the following text and fill in all variables with your values: conn {vpnname} #This is the name of the VPN connection
    type=tunnel
    authby=secret
    auto=start
    left=%defaultroute
    leftid={EIP} #This is your Openswan EIP
    leftsubnet={AWS VPC subnet} #This is the subnet you are allowing VPN access to
    leftnexthop=%defaultroute
    right={Remote IP} #This is the public IP of the Remote VPN device
    rightsubnet={Remote Subnet} #This is the remote subnet
    pfs=yes #Perfect Forward Security
    ike=aes128-sha1;modp1024 #IKE Encryption Policy and Diffie-Hellman Group
    ikelifetime=28800s #IKE Lifetime
    esp=aes128-sha1;modp1024 #ESP Encryption Policy and Diffie-Hellman Group
    salifetime=28800s # IPSec Lifetime
     b. For the IKE and ESP encryption policies be sure to match the proposals that we will set on the remote device. Modp1024 is DH Group 2. To set to Group 5 you would use modp1536.
  5. Create a Secrets File: sudo nano /etc/ipsec.d/{vpnname}.secrets
    The name of the secrets file must match the name of the configuration file. This file will contain your EIP, the remote device’s public IP and the secret passphrase you will use to establish the tunnel. Paste the following into the secrets file and fill with your values:
     a. {EIP} {Remote Public IP} : PSK “TheSecretPassphraseYouWantToUse”
     b. Save the file and Exit
     c. Be sure to include the “ ” around the secret passphrase.
  6. Start Openswan: sudo service ipsec start
  7. Set Openswan to start when the machine starts: sudo chkconfig ipsec on
  8. Enable IP Forwarding: sudo nano /etc/sysctl.conf
     a. Change the value of net.ipv4.ip_forward from 0 to 1
  9. Restart the Network service: sudo service network restart

If the tunnel was already configured on the remote device you will now have a working VPN connection. If not, you will need to configure the remote device and your tunnel should come up.

Some Helpful Openswan Commands

  1. To check the status of the Openswan service: sudo service ipsec status
    This will tell you if the service is running and how many tunnels are currently active.
  2. For a more detailed view of your tunnel connections: sudo ipsec auto –status
    This will give detail on the negotiation of each tunnel. You will want to look for the connection name in “ ” and the phrase “(ISAKMP SA established)”. This will let you know that the tunnel for that connection completed properly. If the tunnel fails to come up this command will also let you know what part of the negotiation failed.
  3. To add a new tunnel you will add a new config file and secrets file in the /etc/ipsec.d/ directory. Once added you would either need to restart the ipsec service (which would bounce all existing tunnels) or run the following commands:
     a. sudo ipsec auto –add connection name
     b. sudo ipsec auto –rereadsecrets
     c. sudo ipsec auto –status
    You should now see the additional connection with it’s status.
    4. The following commands will allow you to “bounce” an existing tunnel:
     a. sudo ipsec auto –down connection name  
     b. sudo ipsec auto –up connection name

Trouleshooting

There are typically only a few things that can cause this process to not work correctly:

 

1. Your tunnels are not connecting properly.
a. Run sudo ipsec auto –status and see where the negotiation is failing.
b. Verify that the proposals are the exact same on both ends of the tunnel.
c. Verify that you have allowed UDP 4500 and UDP 500 from the remote public IP on the Openswan Security Group.
2. Tunnels are up but you are not passing traffic
a. Verify that you have the appropriate ports open from your AWS VPC on your Openswan Security Group.
b. Verify that you have the appropriate ports open from the remote network on your instance security groups.
c. Verify that you have added a route to the remote network on your routing tables that point to your Openswan instance.

 

The process of setting up an Openswan instance to manage all of your VPN tunnels is fairly simple. As stated previously, the cost of a single managed AWS VPN tunnel using AWS VPN Gateway is $0.05/hour. And while the cost of an m4.large instance on a 3-year Reserved Instance convertible term is also $0.05/per hour, you can manage several tunnels on a single Openswan instance. Thus, the cost savings will be substantial if you have multiple tunnels.

Additonal resources:
Ipsec options: https://linux.die.net/man/5/ipsec.conf
Additonal ipsec auto commands: https://linux.die.net/man/8/ipsec_auto

By Thomas Torres 13 Oct, 2023
Centralized Analytics in Video Surveillance: Efficiency and Insight
By Thomas Torres 06 Oct, 2023
Video Surveillance Analytics: A Smart Upgrade for Enhanced Security and Efficiency
Cloud security concept — Addison, TX — Red One Network Solutions
By blsrdwdm 15 Jun, 2020
Is the Cloud Secure? According to the Flexera 2020 State of the Cloud Report, Security remains the top concern of enterprises thinking about moving to the Cloud. This isn’t all that surprising. Intuitively, the idea of storing your company’s data and running mission-critical applications in a location beyond your organization’s physical control seems like a […] The post What is Cloud Computing? Part 8 – Cloud Security appeared first on Red One Network Solutions.
Body temperature cameras — Addison, TX — Red One Network Solutions
By blsrdwdm 17 Apr, 2020
In a post shutdown world, providing a healthy workplace will be a critical responsibility for employers. One way to achieve this goal is to prevent symptomatic individuals from entering the building. Toward this end, passive body temperature cameras can be used to notify security personnel when individuals with elevated temperatures are attempting to enter the […] The post Body Temperature Cameras appeared first on Red One Network Solutions.
VoIP concept — Addison, TX — Red One Network Solutions
By blsrdwdm 17 Apr, 2020
An SMB Perspective “VoIP” is one of the most commonly used and widely misunderstood acronyms in the IT industry. VoIP stands for “Voice over Internet Protocol”. Self-explanatory, right? Unless you are an IT geek, maybe not so much. So what is VoIP? And how do you know if you have it or need it? Fundamentally, […] The post What is VoIP? appeared first on Red One Network Solutions.
Cat next to a laptop — Addison, TX — Red One Network Solutions
By blsrdwdm 05 Apr, 2020
With the recent developments associated with the COVID-19 virus, many companies are directing their employees to work from home for the next several weeks. As usual, most large companies (500+ employees) have developed this capability for their workforce to a greater or lesser extent. But for small businesses, this may be a bigger challenge. Many […] The post Crossroads–Where Business Continuity and Work From Home Meet appeared first on Red One Network Solutions.
Building after the disaster — Addison, TX — Red One Network Solutions
By blsrdwdm 26 Feb, 2020
Business Continuity So far in this series about Cloud Computing, we have explored exactly what Cloud Computing means for small and medium sized businesses (SMBs) and taken a look at Thin Client/Cloud Services architecture and how it can be a powerful equalizer for these companies. Now we will take a look at an equally important […] The post What is Cloud Computing Part 7 – Business Continuity appeared first on Red One Network Solutions.
The cost of cloud — Addison, TX — Red One Network Solutions
By blsrdwdm 10 Oct, 2019
We continue our discussion of Cloud Computing by taking a look at one of its more universally accepted benefits—scale on demand architecture. Much of the conversation about this aspect of cloud computing focuses on the advantages for application development and hosted applications (if this seems like a theme, that’s because it is). The following article […] The post What is Cloud Computing Part 6 – Scale on Demand Architecture appeared first on Red One Network Solutions.
Cloud computing concept — Addison, TX — Red One Network Solutions
By blsrdwdm 22 Jul, 2019
In the first 4 parts of this series, we defined the Cloud and discussed some of its many advantages. Which brings up an interesting question—“Are there any potential pitfalls of migrating your business to a Cloud Computing environment?” We’ll explore that issue in this post. One issue that has to be addressed when planning a […] The post What is Cloud Computing? Part 5 – Cloud Challenges appeared first on Red One Network Solutions.
Fingerprint scanner with cloud integrated — Addison, TX — Red One Network Solutions
By blsrdwdm 20 Jun, 2019
I suppose if we are going to talk about Cloud Computing, then we need to define the term “Cloud”. The following animation provides a simple and somewhat amusing explanation of the Cloud. However, after watching this video, you might get the impression that the Cloud is simply a good place to store your data. While […] The post What is Cloud Computing? Part 4 – “The Cloud” appeared first on Red One Network Solutions.
More Posts
Share by: