
Connecting an AWS site-to-site VPN with Libreswan

백곰곰 2022. 5. 17. 20:39

Using two separate VPCs, one VPC is treated as the on-prem side and Libreswan is used to bring up an AWS site-to-site VPN to the other. (Openswan is no longer packaged from Ubuntu 18.04 onward and cannot be installed with apt-get, so the similar solution Libreswan was tested instead.)

AWS VPN does not explicitly list Libreswan as a supported device, so the Openswan configuration file is downloaded from AWS and used as the basis for the setup.

 

[Goal]

Architecture diagram

[Base environment]

  • Two VPCs
    • Created with non-overlapping CIDRs (e.g. 10.0.1.0/24, 10.0.2.0/24)
    • A public subnet and a public route table in each
  • Two EC2 instances
    • EC2 for Libreswan + EIP
      • OS: Ubuntu 20.04
    • EC2 for connectivity testing + EIP
      • OS: Amazon Linux 2 (any OS works)
  • Create a CGW (using the EIP of the Libreswan EC2)
  • Create a VGW and attach it to the VPC
  • Create the site-to-site VPN (static routing)

[Detailed configuration]

1. Install Libreswan [Libreswan EC2]

apt-get update
apt-get install -y libreswan

2. Download the AWS site-to-site VPN configuration file

3. Configure according to the VPN config (this post configures only Tunnel1)

[Sample file]

Amazon Web Services
Virtual Private Cloud

AWS utilizes unique identifiers to manipulate the configuration of
a VPN Connection. Each VPN Connection is assigned an identifier and is
associated with two other identifiers, namely the
Customer Gateway Identifier and Virtual Private Gateway Identifier.

Your VPN Connection ID                  : vpn-06adadb5da14a58f3
Your Virtual Private Gateway ID         : vgw-06dab5ae44efe80b9
Your Customer Gateway ID                : cgw-0720a1e0ba8016e6f


This configuration consists of two tunnels. Both tunnels must be
configured on your Customer Gateway, but only one of those tunnels should be up at any given time.

At this time this configuration has only been tested for Openswan 2.6.38 or later, but may work with earlier versions.


--------------------------------------------------------------------------------------------------------------------
IPSEC Tunnel #1
--------------------------------------------------------------------------------------------------------------------

This configuration assumes that you already have a default openswan installation in place on the Amazon Linux operating system (but may also work with other distros as well)

1) Open /etc/sysctl.conf and ensure that its values match the following:
   net.ipv4.ip_forward = 1
   net.ipv4.conf.default.rp_filter = 0
   net.ipv4.conf.default.accept_source_route = 0

2) Apply the changes in step 1 by executing the command 'sysctl -p'

3) Open /etc/ipsec.conf and look for the line below. Ensure that the # in front of the line has been removed, then save and exit the file.
    #include /etc/ipsec.d/*.conf

4) Create a new file at /etc/ipsec.d/aws.conf if it doesn't already exist, and then open it. Append the following configuration to the end of the file:
 #leftsubnet= is the local network behind your openswan server, and you will need to replace the <LOCAL NETWORK> below with this value (don't include the brackets). If you have multiple subnets, you can use 0.0.0.0/0 instead.
 #rightsubnet= is the remote network on the other side of your VPN tunnel that you wish to have connectivity with, and you will need to replace <REMOTE NETWORK> with this value (don't include brackets).

conn Tunnel1
authby=secret
auto=start
left=%defaultroute
leftid=35.xxx.xxx.244
right=18.xxx.xxx.31
type=tunnel
ikelifetime=8h
keylife=1h
phase2alg=aes128-sha1;modp1024
ike=aes128-sha1;modp1024
auth=esp
keyingtries=%forever
keyexchange=ike
leftsubnet=<LOCAL NETWORK>
rightsubnet=<REMOTE NETWORK>
dpddelay=10
dpdtimeout=30
dpdaction=restart_by_peer

5) Create a new file at /etc/ipsec.d/aws.secrets if it doesn't already exist, and append this line to the file (be mindful of the spacing!):
35.xxx.xxx.244 18.xxx.xxx.31: PSK "va26eLBxxxsDpV6xxxhJMC.CxxxvRd2H"


--------------------------------------------------------------------------------------------------------------------
IPSEC Tunnel #2
--------------------------------------------------------------------------------------------------------------------

This configuration assumes that you already have a default openswan installation in place on the Amazon Linux operating system (but may also work with other distros as well)

1) Open /etc/sysctl.conf and ensure that its values match the following:
   net.ipv4.ip_forward = 1
   net.ipv4.conf.default.rp_filter = 0
   net.ipv4.conf.default.accept_source_route = 0

2) Apply the changes in step 1 by executing the command 'sysctl -p'

3) Open /etc/ipsec.conf and look for the line below. Ensure that the # in front of the line has been removed, then save and exit the file.
    #include /etc/ipsec.d/*.conf

4) Create a new file at /etc/ipsec.d/aws.conf if it doesn't already exist, and then open it. Append the following configuration to the end of the file:
 #leftsubnet= is the local network behind your openswan server, and you will need to replace the <LOCAL NETWORK> below with this value (don't include the brackets). If you have multiple subnets, you can use 0.0.0.0/0 instead.
 #rightsubnet= is the remote network on the other side of your VPN tunnel that you wish to have connectivity with, and you will need to replace <REMOTE NETWORK> with this value (don't include brackets).

conn Tunnel2
authby=secret
auto=start
left=%defaultroute
leftid=35.xxx.xxx.244
right=54.xxx.xxx.164
type=tunnel
ikelifetime=8h
keylife=1h
phase2alg=aes128-sha1;modp1024
ike=aes128-sha1;modp1024
auth=esp
keyingtries=%forever
keyexchange=ike
leftsubnet=<LOCAL NETWORK>
rightsubnet=<REMOTE NETWORK>
dpddelay=10
dpdtimeout=30
dpdaction=restart_by_peer

5) Create a new file at /etc/ipsec.d/aws.secrets if it doesn't already exist, and append this line to the file (be mindful of the spacing!):
35.xxx.xxx.244 54.xxx.xxx.164: PSK "va26eLBxxxsDpV6xxxhJMC.CxxxvRd2H"


--------------------------------------------------------------------------------------------------------------------
(OPTIONAL CONFIG) Tunnel Healthcheck and Failover
--------------------------------------------------------------------------------------------------------------------

Openswan does not provide a built-in tunnel failover functionality. However, there are some third-party workarounds to this.

=== DISCLAIMER ===
Please be aware that AWS is in no way responsible for any of the use, management, maintenance, or potential issues you may encounter with the third-party workarounds. It is strongly recommended that you thoroughly test any failover solution prior to implementing it into your production environment



  Additional Notes and Questions
  - Amazon Virtual Private Cloud Getting Started Guide:
        http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
  - Amazon Virtual Private Cloud Network Administrator Guide:
        http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide

(1) Edit /etc/sysctl.conf

vi /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0

(2) Apply the settings

sudo sysctl -p

(3) Create /etc/ipsec.d/aws.conf

vi /etc/ipsec.d/aws.conf

conn Tunnel1
	authby=secret
	auto=start
	left=%defaultroute
	leftid=35.xxx.xxx.244
	right=18.xxx.xxx.31
	type=tunnel
	ikelifetime=8h
	keylife=1h
	phase2alg=aes128-sha1;modp1024
	ike=aes128-sha1;modp1024
	keyingtries=%forever
	keyexchange=ike
	# <LOCAL NETWORK>: CIDR of the VPC treated as on-prem
	leftsubnet=<LOCAL NETWORK>
	# <REMOTE NETWORK>: CIDR of the AWS VPC
	rightsubnet=<REMOTE NETWORK>
	dpddelay=10
	dpdtimeout=30
	dpdaction=restart_by_peer

(4) Create /etc/ipsec.d/aws.secrets

vi /etc/ipsec.d/aws.secrets

35.xxx.xxx.244 18.xxx.xxx.31: PSK "va26eLBxxxsDpV6xxxhJMC.CxxxvRd2H"

(5) Restart ipsec and check its status

sudo ipsec restart
sudo ipsec status

(6) Confirm that the tunnel shows Up in the AWS console and run ping tests in both directions
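The configuration steps above, as an added shell example that is not part of the original post: it renders the Tunnel1 conn block and the matching aws.secrets line from the tunnel values, writes the secrets file with 0600 permissions so the PSK is not world-readable, and checks `ipsec status` text for an established IPsec SA. The addresses, the PSK and the status lines are constructed, and `render_conn`, `render_secret`, `write_tunnel_files` and `tunnel_established` are this example's own helper names.

```shell
#!/bin/sh
# Added example, not from the original post. Renders the conn block and the
# aws.secrets line used in the post, writes them with safe permissions, and
# checks `ipsec status` output. All addresses, the PSK and status text are constructed.

# Render the conn block for one tunnel (same keys as the post's aws.conf).
# $1 conn name  $2 leftid (CGW public IP)  $3 right (AWS tunnel outside IP)
# $4 leftsubnet (on-prem CIDR)  $5 rightsubnet (AWS VPC CIDR)
render_conn() {
    printf 'conn %s\n' "$1"
    printf '\tauthby=secret\n\tauto=start\n\tleft=%%defaultroute\n'
    printf '\tleftid=%s\n\tright=%s\n\ttype=tunnel\n' "$2" "$3"
    printf '\tikelifetime=8h\n\tkeylife=1h\n'
    printf '\tphase2alg=aes128-sha1;modp1024\n\tike=aes128-sha1;modp1024\n'
    printf '\tkeyingtries=%%forever\n\tkeyexchange=ike\n'
    printf '\tleftsubnet=%s\n\trightsubnet=%s\n' "$4" "$5"
    printf '\tdpddelay=10\n\tdpdtimeout=30\n\tdpdaction=restart_by_peer\n'
}

# Render the aws.secrets line. The "<left> <right>: PSK" spacing is what
# Libreswan parses, so it comes from one fixed format string.
render_secret() {
    printf '%s %s: PSK "%s"\n' "$1" "$2" "$3"
}

# Write aws.conf and aws.secrets into $7 (defaults to /etc/ipsec.d).
# The secrets file is created under umask 077 so the PSK is only readable by root.
write_tunnel_files() {
    dir=${7:-/etc/ipsec.d}
    render_conn "$1" "$2" "$3" "$4" "$5" > "$dir/aws.conf"
    ( umask 077; render_secret "$2" "$3" "$6" > "$dir/aws.secrets" )
}

# Return 0 when the status text ($2) shows conn $1 with "IPsec SA established",
# the phase-2 state a working tunnel reaches (check with `sudo ipsec status`).
tunnel_established() {
    printf '%s\n' "$2" | grep -F "\"$1\"" | grep -q 'IPsec SA established'
}

# Constructed status lines modelled on Libreswan IKEv1 output (not a real capture).
SAMPLE_STATUS='000 #1: "Tunnel1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27000s
000 #2: "Tunnel1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 3000s
000 #3: "Tunnel2":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 5s'

# Stand-alone demo: write into a scratch directory, then check the constructed status.
d=$(mktemp -d)
write_tunnel_files Tunnel1 203.0.113.10 198.51.100.20 10.0.1.0/24 10.0.2.0/24 ConstructedPSK "$d"
tunnel_established Tunnel1 "$SAMPLE_STATUS" && echo "Tunnel1 up; wrote $d/aws.conf and $d/aws.secrets"
```

Run it as root with the real values from the downloaded AWS file and omit the directory argument to write straight into /etc/ipsec.d, then run `sudo ipsec restart` as in step (5).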

 

Reference: https://blog.bespinglobal.com/post/aws-site-to-site-vpn-with-openswam/