Linux IPSec Site-to-Site VPN: AWS VPC & Vyatta Firewall

In this tutorial, we use the Site-to-Site VPN scenario with one modification: one of the customer sites uses a Vyatta firewall, which acts as the LAN gateway as well as the VPN gateway, while on the AWS side we use the exact same Ubuntu Linux router.

Please review the previous tutorial before starting this tutorial, as I’ll use the previous tutorial as the base for this one.

Note: Please don’t waste your time hacking them; all of these public devices and IP(s) are temporary, and I destroyed them after finishing this tutorial.

VPN Configuration on Vyatta Site:

First, we need to configure two NAT rules so that traffic between the AWS VPC private subnet(s) and the LAN is excluded from NAT. Please place these rules above all other NAT rules:

set nat source rule 5 destination address '172.30.30.0/24'
set nat source rule 5 source address '10.100.0.0/16'
set nat source rule 5 outbound-interface 'eth0'
set nat source rule 5 'exclude'

set nat source rule 7 source address '172.30.30.0/24'
set nat source rule 7 destination address '10.100.0.0/16'
set nat source rule 7 outbound-interface 'eth0'
set nat source rule 7 'exclude'

In the next step, we need to define the Phase 1 and 2 policies:

set vpn ipsec ike-group IKE-AWS-POLICY lifetime '28800'
set vpn ipsec ike-group IKE-AWS-POLICY proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-AWS-POLICY proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-AWS-POLICY proposal 1 dh-group '2'

set vpn ipsec esp-group ESP-AWS-POLICY lifetime '3600'
set vpn ipsec esp-group ESP-AWS-POLICY pfs disable
set vpn ipsec esp-group ESP-AWS-POLICY proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-AWS-POLICY proposal 1 hash 'sha1'

The next step is the VPN peer configuration itself, i.e. assigning the previously created policies, the pre-shared secret, the local address and the tunnel prefixes:

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 54.219.146.242 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 54.219.146.242 authentication pre-shared-secret '$VER_SEC_PSK'
set vpn ipsec site-to-site peer 54.219.146.242 default-esp-group 'ESP-AWS-POLICY'
set vpn ipsec site-to-site peer 54.219.146.242 ike-group 'IKE-AWS-POLICY'
set vpn ipsec site-to-site peer 54.219.146.242 local-address '102.162.166.94'
set vpn ipsec site-to-site peer 54.219.146.242 tunnel 1 local prefix '172.30.30.0/24'
set vpn ipsec site-to-site peer 54.219.146.242 tunnel 1 remote prefix '10.100.0.0/16'

Finally, don’t forget to adjust your firewall rules as per your requirement:

set firewall name INSIDE-FW rule 10 action 'accept'
set firewall name INSIDE-FW rule 10 destination address '10.100.0.0/16'
set firewall name INSIDE-FW rule 10 source address '172.30.30.0/24'

set firewall name OUTSIDE-FW rule 10 action 'accept'
set firewall name OUTSIDE-FW rule 10 ipsec 'match-ipsec'

VPN Configuration on AWS VPC:

Also allow ICMP from the remote LAN in the security group of the internal subnet, for testing purposes.

Edit the ipsec.conf file:

vi /etc/ipsec.conf

Here is the addition to the ipsec.conf file (please refer to the ipsec.conf file from the previous tutorial):

conn AWS2VyattaConnection
 # left = this Ubuntu router in the VPC; leftid = the public (elastic) IP the Vyatta peer sees
 left=10.100.10.10
 leftsubnets=10.100.0.0/16
 leftid=54.219.146.242
 leftsourceip=10.100.10.10
 # right = the Vyatta firewall and the LAN behind it
 right=102.162.166.94
 rightsubnets=172.30.30.0/24
 rightid=102.162.166.94
 # pfs=no matches 'pfs disable' in ESP-AWS-POLICY on the Vyatta side
 pfs=no
 # force UDP encapsulation (NAT-T), since the AWS side sits behind the elastic IP's 1:1 NAT
 forceencaps=yes
 authby=secret
 auto=start
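Because the two sides are written in different dialects (Vyatta set commands versus an Openswan-style conn block), the usual failure is a mirrored value that does not match: a subnet swapped between left and right, PFS disabled on one side only, or a NAT exclude rule missing for one direction. The following Python script is an added example, not part of this tutorial nor of Vyatta or Openswan; it parses constructed copies of the lines above and reports such mismatches, and it also renders the Vyatta IKE/ESP proposals in the ike=/esp= syntax that Openswan and Libreswan use (the mapping of DH group 2 to modp1024 is standard; whether the previous tutorial's ipsec.conf actually carries such lines is an assumption). It only confirms that the two sides agree, not that the proposal is strong: DH group 2 and SHA-1 are dated choices.

```python
import shlex

PEER = "54.219.146.242"  # AWS public IP as seen from Vyatta (from the tutorial)

# Constructed copy of the tutorial's Vyatta lines that the check needs.
VYATTA_CONFIG = """
set nat source rule 5 destination address '172.30.30.0/24'
set nat source rule 5 source address '10.100.0.0/16'
set nat source rule 5 'exclude'
set nat source rule 7 source address '172.30.30.0/24'
set nat source rule 7 destination address '10.100.0.0/16'
set nat source rule 7 'exclude'
set vpn ipsec ike-group IKE-AWS-POLICY proposal 1 encryption 'aes128'
set vpn ipsec ike-group IKE-AWS-POLICY proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-AWS-POLICY proposal 1 dh-group '2'
set vpn ipsec esp-group ESP-AWS-POLICY pfs disable
set vpn ipsec esp-group ESP-AWS-POLICY proposal 1 encryption 'aes128'
set vpn ipsec esp-group ESP-AWS-POLICY proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 54.219.146.242 default-esp-group 'ESP-AWS-POLICY'
set vpn ipsec site-to-site peer 54.219.146.242 ike-group 'IKE-AWS-POLICY'
set vpn ipsec site-to-site peer 54.219.146.242 local-address '102.162.166.94'
set vpn ipsec site-to-site peer 54.219.146.242 tunnel 1 local prefix '172.30.30.0/24'
set vpn ipsec site-to-site peer 54.219.146.242 tunnel 1 remote prefix '10.100.0.0/16'
"""

# Constructed copy of the conn block the tutorial adds to /etc/ipsec.conf.
IPSEC_CONF = """
conn AWS2VyattaConnection
 left=10.100.10.10
 leftsubnets=10.100.0.0/16
 leftid=54.219.146.242
 right=102.162.166.94
 rightsubnets=172.30.30.0/24
 rightid=102.162.166.94
 pfs=no
"""

# IKE DH group numbers and the modp names Openswan/Libreswan use for them.
DH_TO_MODP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}

def parse_vyatta(text):
    """Each 'set' line becomes a list of tokens with the quotes removed."""
    return [shlex.split(line)[1:] for line in text.splitlines() if line.startswith("set ")]

def vget(rows, *path):
    """Value stored under a config path, or None if the path is not set."""
    for row in rows:
        if row[:-1] == list(path):
            return row[-1]
    return None

def parse_conn(text, name):
    """Key/value pairs of one 'conn' section of an ipsec.conf."""
    conf, inside = {}, False
    for line in text.splitlines():
        if line.startswith("conn "):
            inside = line.split()[1] == name
        elif inside and "=" in line:
            key, val = line.strip().split("=", 1)
            conf[key] = val
    return conf

def openswan_proposals(rows, peer=PEER):
    """Render the peer's ike-group/esp-group in Openswan ike=/esp= syntax."""
    p = ["vpn", "ipsec", "site-to-site", "peer", peer]
    ike = ["vpn", "ipsec", "ike-group", vget(rows, *p, "ike-group"), "proposal", "1"]
    esp = ["vpn", "ipsec", "esp-group", vget(rows, *p, "default-esp-group"), "proposal", "1"]
    ike_str = "%s-%s;%s" % (vget(rows, *ike, "encryption"), vget(rows, *ike, "hash"),
                            DH_TO_MODP[vget(rows, *ike, "dh-group")])
    return ike_str, "%s-%s" % (vget(rows, *esp, "encryption"), vget(rows, *esp, "hash"))

def check_sides(rows, conn, peer=PEER):
    """List every mismatch between the two sides; an empty list means they agree."""
    p = ["vpn", "ipsec", "site-to-site", "peer", peer]
    local = vget(rows, *p, "tunnel", "1", "local", "prefix")    # Vyatta LAN
    remote = vget(rows, *p, "tunnel", "1", "remote", "prefix")  # AWS VPC
    problems = []
    # Vyatta's local/remote are Ubuntu's right/left; IDs must be the addresses each peer sees.
    if conn.get("leftsubnets") != remote:
        problems.append("leftsubnets should be %s" % remote)
    if conn.get("rightsubnets") != local:
        problems.append("rightsubnets should be %s" % local)
    if conn.get("leftid") != peer:
        problems.append("leftid should be %s" % peer)
    if conn.get("right") != vget(rows, *p, "local-address"):
        problems.append("right should be Vyatta's local-address")
    # PFS enabled on one side and disabled on the other leaves phase 2 down.
    esp = vget(rows, *p, "default-esp-group")
    vy_pfs = vget(rows, "vpn", "ipsec", "esp-group", esp, "pfs") != "disable"
    if vy_pfs != (conn.get("pfs", "yes") == "yes"):
        problems.append("pfs differs between the two sides")
    # Each direction of tunnel traffic needs a NAT source rule with 'exclude'.
    rules = {row[3] for row in rows if row[:3] == ["nat", "source", "rule"]}
    for src, dst in ((local, remote), (remote, local)):
        if not any(vget(rows, "nat", "source", "rule", r, "source", "address") == src
                   and vget(rows, "nat", "source", "rule", r, "destination", "address") == dst
                   and ["nat", "source", "rule", r, "exclude"] in rows for r in rules):
            problems.append("no NAT exclude rule for %s -> %s" % (src, dst))
    return problems
```

Running check_sides(parse_vyatta(VYATTA_CONFIG), parse_conn(IPSEC_CONF, "AWS2VyattaConnection")) on the tutorial's values returns an empty list, and openswan_proposals() yields aes128-sha1;modp1024 for IKE and aes128-sha1 for ESP. Change any one value on either side (for example flip pfs=no to pfs=yes) and the corresponding mismatch is reported before a single packet is sent.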

Edit the shared secret file:

vi /etc/ipsec.secrets

My own ipsec.secrets file is shown as an example.

Restart the IPSec Service & verify the Tunnel status on both Sides:

Restart the IPSec service on Ubuntu at AWS VPC:

service ipsec restart

Reset the VPN tunnel on Vyatta:

reset vpn ipsec-peer 54.219.146.242

Verify the status of IPSec Tunnel on Ubuntu at AWS VPC:

service ipsec status

Verify the status of IPSec Tunnel on Vyatta:

show vpn ipsec sa

Verify the route table on both sides. On Ubuntu at AWS VPC:

route -n

On Vyatta:

show ip route

Verify that the traffic is passing through the tunnel:

Ping from the AWS VPC private subnet to Vyatta’s LAN for verification.

Ping from Vyatta’s LAN to the AWS VPC private subnet for verification.
Please Remember me in your prayers!

Enjoy 🙂
