
AWS Linux LibreSwan VPN Part 2

We are now ready to configure the IPSEC tunnel.
There is a related Part 1 section; read it first if you want to see the Libreswan server preparation steps.

Note
  • We are going to create an IPSEC tunnel between “SRC GW” and “DST GW”
  • SRC GW External IP: A.B.C.D
  • Network behind SRC GW: 10.111.0.0/16
  • DST GW External IP: X.Y.Z.W
  • Network behind DST GW: 10.222.0.0/16
  • We use IKEv2

SRC GW configuration

$ sudo cat /etc/ipsec.d/ALL.conf
conn TUN2DTS
  type=tunnel
  left=%defaultroute
  leftid=@SOURCE
  leftsubnet=10.111.0.0/16
  right=X.Y.Z.W --> external IP address or domain name of the remote peer (DST GW); the arrow and this text are an annotation, not part of the file
  rightid=@TARGET
  rightsubnets=10.222.0.0/16
  auto=start
  pfs=yes
  fragmentation=yes
  ikev2=insist
  authby=secret
  ike=AES_GCM_C_256-HMAC_SHA2_512;dh19
  esp=AES_GCM_16_256-NONE
  ikelifetime=28800s
  salifetime=3600s
  dpddelay=10
  dpdtimeout=30
  dpdaction=restart
  aggrmode=no
  rekey=yes

SRC GW secrets file

# cat /etc/ipsec.d/ALL.secrets 
@SOURCE @TARGET: PSK "DtM8NBFpLc4hC...WSRgwDeCXgcSW2APgtf8C"

DST GW configuration

$ sudo cat /etc/ipsec.d/ALL.conf
conn TUN2SRC
  type=tunnel
  left=%defaultroute
  leftid=@TARGET
  leftsubnets=10.222.0.0/16
  right=A.B.C.D --> external IP address or domain name of the remote peer (SRC GW); the arrow and this text are an annotation, not part of the file
  rightid=@SOURCE
  rightsubnet=10.111.0.0/16
  auto=start
  pfs=yes
  ikev2=insist
  fragmentation=yes
  authby=secret
  ike=AES_GCM_C_256-HMAC_SHA2_512;dh19
  esp=AES_GCM_16_256-NONE
  ikelifetime=28800s
  salifetime=3600s
  dpddelay=10
  dpdtimeout=30
  dpdaction=restart
  aggrmode=no
  rekey=yes

DST GW secrets file (the same @SOURCE @TARGET PSK entry as on SRC GW; both sides must hold the identical key)

# cat /etc/ipsec.d/ALL.secrets 
@SOURCE @TARGET: PSK "DtM8NBFpLc4hC...WSRgwDeCXgcSW2APgtf8C"

ipsec status

Check the tunnel status with the “ipsec status” command.

# ipsec status 
~~~
000  
000 Connection list:
000  
000 "TUN2DTS/0x1": 10.111.0.0/16===10.111.0.226<10.111.0.226>[@SOURCE]...X.Y.Z.W[@TARGET]===10.222.0.0/16; erouted; eroute owner: #2
000 "TUN2DTS/0x1":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "TUN2DTS/0x1":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "TUN2DTS/0x1":   our auth:secret, their auth:secret
000 "TUN2DTS/0x1":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "TUN2DTS/0x1":   sec_label:unset;
000 "TUN2DTS/0x1":   ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "TUN2DTS/0x1":   retransmit-interval: 500ms; retransmit-timeout: 60s; iketcp:no; iketcp-port:4500;
000 "TUN2DTS/0x1":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "TUN2DTS/0x1":   policy: IKEv2+PSK+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO;
000 "TUN2DTS/0x1":   v2-auth-hash-policy: none;
000 "TUN2DTS/0x1":   conn_prio: 16,16; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "TUN2DTS/0x1":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "TUN2DTS/0x1":   our idtype: ID_FQDN; our id=@SOURCE; their idtype: ID_FQDN; their id=@TARGET
000 "TUN2DTS/0x1":   dpd: action:restart; delay:10; timeout:30; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "TUN2DTS/0x1":   newest ISAKMP SA: #1; newest IPsec SA: #2; conn serial: $1;
000 "TUN2DTS/0x1":   aliases: TUN2DTS
000 "TUN2DTS/0x1":   IKE algorithms: AES_GCM_16_256-HMAC_SHA2_512-DH19
000 "TUN2DTS/0x1":   IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-DH19
000 "TUN2DTS/0x1":   ESP algorithms: AES_GCM_16_256-NONE
000 "TUN2DTS/0x1":   ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=
000  
000 Total IPsec connections: loaded 1, active 1 --> there is one tunnel configuration in the config file and it is active
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000  
000 #1: "TUN2DTS/0x1":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); EVENT_SA_REKEY in 27409s; newest ISAKMP; idle;
000 #2: "TUN2DTS/0x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); EVENT_SA_REKEY in 2450s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #2: "TUN2DTS/0x1" esp.3b302f18@X.Y.Z.W esp.1a7fdf14@10.111.0.226 tun.0@X.Y.Z.W tun.0@10.111.0.226 Traffic: ESPin=0B ESPout=0B! ESPmax=0B 
000  
000 Bare Shunt list:
000