Amazon VPC + ipsec + racoon + quagga

Posted on January 25, 2012 by admin

This scenario has been succesfully tested and is working on following configuration:

Debian 6 with one ethernet card with public IP  (no NAT), Amazon VPC network 10.0.0.0/16 with 2 subnets (10.0.0.0/24 public and 10.0.1.0/24 private), ipsec-tools 1:0.8.0-9, racoon 1:0.8.0-9, quagga 0.99.20-3

VPC components on Amazon side can be created by using Scenario number 3 (http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_Scenario3.html) and configuration can be obtained from AWS Management console by right click on VPN configuration -> download). Also, you need to setup security groups for SSH which is also explained in Scenario3.

Example configuration files are following (change your parameters, in this example public IP is 1.1.1.1 and Virtual Private Gateways are 2.2.2.2 and 3.3.3.3, change them and other parameters accordingly):

Tunnel 1:

Pre-Shared Key           : AAAA

Outside IP Addresses:
- Customer Gateway                : 1.1.1.1
- Virtual Private Gateway         : 2.2.2.2
Inside IP Addresses
- Customer Gateway              : 169.254.248.10/30
- Virtual Private Gateway       : 169.254.248.9/30

– Customer Gateway ASN              : 65000
- Virtual Private  Gateway ASN          : 7224
- Neighbor IP Address               : 169.254.248.9

Tunnel 2:

Pre-Shared Key : BBBB

Outside IP Addresses:
- Customer Gateway                 : 1.1.1.1
- Virtual Private Gateway           : 3.3.3.3
Inside IP Addresses
- Customer Gateway                 : 169.254.248.14/30
- Virtual Private Gateway           : 169.254.248.13/30

– Customer Gateway ASN              : 65000
- Virtual Private  Gateway ASN          : 7224
- Neighbor IP Address               : 169.254.248.13

On Debian server, we need to install following packages (as root):

$ apt-get install ipsec-tools racoon quagga

After installing packages, we need to setup following configuration files:

/etc/racoon/psk.txt:

(change secret keys to your own)

2.2.2.2   AAAA

3.3.3.3   BBBB

/etc/racoon/racoon.conf:

(change needed addresses):

remote 2.2.2.2 {

exchange_mode main;

lifetime time 28800 seconds;

proposal {

encryption_algorithm aes128;

hash_algorithm sha1;

authentication_method pre_shared_key;

dh_group 2;

}

generate_policy off;

}

remote 3.3.3.3 {

exchange_mode main;

lifetime time 28800 seconds;

proposal {

encryption_algorithm aes128;

hash_algorithm sha1;

authentication_method pre_shared_key;

dh_group 2;

}

generate_policy off;

}

sainfo address 169.254.248.10/30 any address 169.254.248.9/30 any {

pfs_group 2;

lifetime time 3600 seconds;

encryption_algorithm aes128;

authentication_algorithm hmac_sha1;

compression_algorithm deflate;

}

sainfo address 169.254.248.14/30 any address 169.254.248.13/30 any {

pfs_group 2;

lifetime time 3600 seconds;

encryption_algorithm aes128;

authentication_algorithm hmac_sha1;

compression_algorithm deflate;

}

/etc/ipsec-tools.conf

(change needed addresses):

flush;

spdflush;

spdadd 169.254.248.10/30 169.254.248.9/30 any -P out ipsec

esp/tunnel/1.1.1.1-2.2.2.2/require;

spdadd 169.254.248.9/30 169.254.248.10/30 any -P in ipsec

esp/tunnel/2.2.2.2-1.1.1.1/require;

spdadd 169.254.248.14/30 169.254.248.13/30 any -P out ipsec

esp/tunnel/1.1.1.1-3.3.3.3/require;

spdadd 169.254.248.13/30 169.254.248.14/30 any -P in ipsec

esp/tunnel/3.3.3.3-1.1.1.1/require;

spdadd 169.254.248.10/30 10.0.0.0/16 any -P out ipsec

esp/tunnel/1.1.1.1-2.2.2.2/require;

spdadd 10.0.0.0/16 169.254.248.10/30 any -P in ipsec

esp/tunnel/2.2.2.2-1.1.1.1/require;

spdadd 169.254.248.14/30 10.0.0.0/16 any -P out ipsec

esp/tunnel/1.1.1.1-3.3.3.3/require;

spdadd 10.0.0.0/16 169.254.248.14/30 any -P in ipsec

esp/tunnel/3.3.3.3-1.1.1.1/require;

/etc/quagga/bgpd.conf:

(here you can choose your own password, and change needed addresses)

hostname ec2-vpn

password passWord

enable password passWord

!

log file /var/log/quagga/bgpd

!debug bgp events

!debug bgp zebra

debug bgp updates

!

router bgp 65000

bgp router-id 1.1.1.1

network 169.254.248.10/30

network 169.254.248.14/30

network 0.0.0.0/0

!

! aws tunnel #1 neighbour

neighbor 169.254.248.9 remote-as 7224

!

! aws tunnel #2 neighbour

neighbor 169.254.248.13 remote-as 7224

!

line vty

/etc/quagga/zebra.conf:

(put password you have choosen in bgpd.conf):

hostname ec2-vpn

password passWord

enable password passWord

!

! list interfaces

interface eth0

interface lo

!

line vty

/etc/quagga/daemons:

zebra=yes

bgpd=yes

After setting up configuration files, some changes needs to be done on files permissions / ownership:

$ chmod 640 /etc/quagga/bgpd.conf

$ chmod 640 /etc/quagga/zebra.conf

$ chmod 640 /etc/quagga/debian.conf

$ chown quagga.quaggavty /etc/quagga/*.onf

$ chown quagga.quaggavty /etc/quagga/*.conf

Also, inside IP addresses needs to be setup on interface:

$ ip a a 169.254.248.10/30 dev eth0
$ ip a a 169.254.248.14/30 dev eth0

Starting services and checking:

(following is useful for racoon debugging):

$ racoon -d -v -F -f /etc/racoon/racoon.conf

or via init script:

$ /etc/init.d/racoon start

$ /etc/init.d/setkey start

$/etc/init.d/quagga start

Checking bgp and logs:

$ ip address

$ nc localhost 2605

$ show ip bgp

$ tail -f /var/log/syslog

$ route -v

$ ip route

Basically, after this setup, you should be able to login to your VPC instances via SSH which are in private subnet and which have routing tables towards VirtualGateway.

This entry was posted in Linux, amazon-aws, cisco. Bookmark the permalink.

Leave a Reply