Skip to content

Amazon ec2 example

Jump to bottom Edit New page
Leo Fischer edited this page Mar 2, 2014 · 4 revisions

Amazon EC2

When using Amazon EC2 your instance is getting a random internal IP address that changes every time you reboot. If you want to make your instance reachable on a static IP, you request what Amazon calls an “elastic IP”. What happens is that Amazon forwards traffic for that “elastic IP” to your instance, and traffic from your instance is source-NATed on the way out. On top of this, the Amazon internal cloud does not route IPsec packets that use the ESP protocol. So you need to force NAT-Traversal encapsulation. Another way is to switch from EC2 to VPC as the ESP protocol is allowed inbound and outbound there (see page 4 of this unofficial document).

A lot of the stock Amazon EC2 instance images have older openswan versions that have bugs related to NETKEY. Be sure to run a modern openswan, preferably 2.6.32 or up. If your tunnel fails to work with no obvious error, check “ip xfrm state”. If you see “mode transport” then your openswan version is too old.

In this example, we have an instance IP of 10.2.3.4. We have an elastic IP of 184.1.2.3. We have a remote endpoint with 193.110.157.131. We are using preshared keys (PSK) with no IDs for maximum compatibility with IPsec devices. If your other end is openswan as well, you should be using raw RSA keys using authby=rsasigkey with leftid=amazonXXX and rightid=YourHomeName, and proper leftrsasigkey= and rightrsasigkey= lines.

# /etc/ipsec.conf on Amazon EC2 instance
version 2.0 

config setup
     nat_traversal=yes
     # we should exclude ourselves, but that's dynamic.
     # The other end should not be behind NAT anyway. If it is via port forward, avoid 10/8 that Amazon uses
     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
     # amazon kernels have no KLIPS support
     protostack=netkey

conn amazonec2
     # preshared key
     authby=secret
     # load connection and initiate it on startup
     auto=start
     forceencaps=yes
     # use %defaultroute to find our local IP, since it is dynamic
     left=%defaultroute
     # set our ID to our elastic IP
     leftid=184.1.2.3
     # set our desired source IP to the Elastic IP. Openswan will create interface address and route
     leftsourceip=184.1.2.3
     right=193.110.157.131

Then you need to put the preshared key (PSK) in /etc/ipsec.secrets:

# if you have multiple sites with different PSKs, you need to be a bit more subtle here
# We use 0.0.0.0 for our local IP because the instance IP is dynamic and we want to avoid
# hardcoding it into the configuration if possible.
193.110.157.131 0.0.0.0 %any: PSK "mysecret"

older openswan versions

On older openswan versions, the leftsourceip= trick is missing. If you cannot upgrade, then you have to manually get your instance to send packets with the source address of your elastic IP for all communication. This is done in a way to avoid hardcoding any instance IP in your configuration. You could do this with SNAT or MASQUERADING but NAT and IPsec is tricky, especially with NETKEY, so instead we will just define the elastic IP address and tell the kernel to route any packets to remote IPsec endpoints with a different source IP:

ifconfig eth0:elastic 184.1.2.3
ip route add 193.110.157.131/32 src 184.1.2.3/32 dev eth0

You should put these two lines somewhere in the startup scripts. On Debian/Ubuntu that would be /etc/network/interfaces or /etc/rc.local. If you need your amazon endpoint to talk to a subnet instead of a host, the same configuration as above applies, except you add the rightsubnet= line, and you change the ip route add line to use the subnet instead of the remote host IP. Due to bug #1295, if you use rightsubnets= (note the s) you have to also ensure you have leftsubnet=184.1.2.3/32 on the Amazon side.

remote endpoint config

The remote endpoint is a pretty basic configuration, but we’ll show them here anyway:

# /etc/ipsec.conf on remote (non-amazon) server
version 2

config setup
     nat_traversal=yes
     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24

conn amazonXXX
     authby=secret
     left=184.1.2.3
     leftid=184.1.2.3
     leftnexthop=%defaultroute
     right=193.110.157.131
     # optional subnet - if used it should also be defined on the amazon endpoint.
     # rightsubnet=192.168.1.0/24
     # do not initiate or rekey towards amazon instance machines behind NAT - let the amazon end rekey.
     rekey=no
     auto=add

And a very simple /etc/ipsec.secrets file containing:

184.1.2.3 193.110.157.131: PSK "yoursecret"
Add a custom footer
Add a custom sidebar
Clone this wiki locally