It creates the VTI interface the tunnel needs, applies the sysctl and iptables settings a route-based IPsec tunnel requires, and removes them again when the connection goes down. Here is
mine in its entirety.

#!/bin/bash

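#######################################
# Parse the options charon passes via leftupdown= and record them in the
# TUNNEL_* globals that the other functions use. The tunnel endpoints and
# the physical interface are not options: they come from the PLUTO_*
# environment charon exports for updown scripts.
# Globals (written): TUNNEL_NAME, TUNNEL_PHY_INTERFACE,
#   TUNNEL_LOCAL_ADDRESS, TUNNEL_LOCAL_ENDPOINT, TUNNEL_REMOTE_ADDRESS,
#   TUNNEL_REMOTE_ENDPOINT, TUNNEL_MARK, TUNNEL_STATIC_ROUTE
# Globals (read): PLUTO_INTERFACE, PLUTO_ME, PLUTO_PEER
# Arguments: the script's "$@"
# Returns: 0 on success; 2 if an option is missing its value or the mark
#   is not a number (the original silently dropped a trailing option and
#   accepted any string, which then failed deep inside ip/iptables).
#######################################
parse_args() {
        local opt
        while (( $# > 0 )); do
                opt=$1
                case "${opt}" in
                        -ln|--link-name|-ll|--link-local|-lr|--link-remote|-m|--mark|-r|--static-route)
                                # every known option takes exactly one value
                                if (( $# < 2 )); then
                                        echo "${0}: option \"${opt}\" requires a value" >&2
                                        return 2
                                fi
                                ;;
                esac
                case "${opt}" in
                        -ln|--link-name)
                                TUNNEL_NAME="${2}"
                                TUNNEL_PHY_INTERFACE="${PLUTO_INTERFACE}"
                                shift
                                ;;
                        -ll|--link-local)
                                TUNNEL_LOCAL_ADDRESS="${2}"
                                TUNNEL_LOCAL_ENDPOINT="${PLUTO_ME}"
                                shift
                                ;;
                        -lr|--link-remote)
                                TUNNEL_REMOTE_ADDRESS="${2}"
                                TUNNEL_REMOTE_ENDPOINT="${PLUTO_PEER}"
                                shift
                                ;;
                        -m|--mark)
                                # the mark doubles as the VTI key, a fwmark and a route
                                # metric, so only a decimal or 0x-hex number is usable
                                if [[ ! "${2}" =~ ^(0x[0-9a-fA-F]+|[0-9]+)$ ]]; then
                                        echo "${0}: mark must be a number, got \"${2}\"" >&2
                                        return 2
                                fi
                                TUNNEL_MARK="${2}"
                                shift
                                ;;
                        -r|--static-route)
                                # comma separated list of prefixes; split later by the
                                # route functions
                                TUNNEL_STATIC_ROUTE="${2}"
                                shift
                                ;;
                        *)
                                # unknown options are reported but not fatal, as before
                                echo "${0}: Unknown argument \"${opt}\"" >&2
                                ;;
                esac
                shift
        done
        return 0
}

parse_args "$@" || exit 2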

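#######################################
# Test whether a command is available, silently.
# The original redirected stdout to stderr ('>&2 2>&2' is not a
# silencer), so every run wrote "ip is /sbin/ip" into charon's log.
# Arguments: $1 - command name
# Returns: 0 if found, non-zero otherwise
#######################################
command_exists() {
        command -v "$1" >/dev/null 2>&1
}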

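#######################################
# Create the VTI interface for this tunnel and bring it up.
# The VTI key must equal the mark charon puts on the tunnel's SAs
# (mark= in ipsec.conf, passed here as -m), otherwise traffic routed
# into the interface is not matched to the right SA.
# Globals (read): TUNNEL_NAME, TUNNEL_LOCAL_ENDPOINT, TUNNEL_REMOTE_ENDPOINT,
#   TUNNEL_MARK, TUNNEL_LOCAL_ADDRESS, TUNNEL_REMOTE_ADDRESS,
#   TUNNEL_MTU (optional override, default 1419)
# Returns: the status of the first failing ip command; later steps are
#   skipped so a half-created interface does not get addressed/raised.
#######################################
create_interface() {
        # 1419 presumably leaves room for the ESP/AES/SHA overhead on a
        # 1500 byte path — TODO confirm for your uplink; TUNNEL_MTU overrides it
        local mtu=${TUNNEL_MTU:-1419}
        ip link add "${TUNNEL_NAME}" type vti local "${TUNNEL_LOCAL_ENDPOINT}" remote "${TUNNEL_REMOTE_ENDPOINT}" key "${TUNNEL_MARK}" || return
        ip addr add "${TUNNEL_LOCAL_ADDRESS}" remote "${TUNNEL_REMOTE_ADDRESS}" dev "${TUNNEL_NAME}" || return
        ip link set "${TUNNEL_NAME}" up mtu "${mtu}"
}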

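#######################################
# Apply the sysctls a route-based VTI tunnel needs.
# Uses '/' as the key separator so that a physical interface whose name
# contains a dot (a VLAN sub-interface such as eth0.100) is not split
# into extra key components, which is what the dotted form did.
# Globals (read): TUNNEL_NAME, TUNNEL_PHY_INTERFACE
# Returns: 0 if every sysctl succeeded, else the status of the last
#   failing one (all settings are still attempted).
#######################################
configure_sysctl() {
        local rc=0
        # NOTE(review): host-wide forwarding is switched on here and never
        # switched off again by cleanup(); fine for a router, worth knowing
        # on a host that is not one
        sysctl -w net/ipv4/ip_forward=1 || rc=$?
        # loose reverse-path filtering on the VTI, presumably because the
        # return path for a prefix may be the other tunnel to AWS — confirm
        sysctl -w "net/ipv4/conf/${TUNNEL_NAME}/rp_filter=2" || rc=$?
        # skip the IPsec policy (SPD) check on the VTI itself: traffic
        # selection is done by routing into the interface, not by policy
        sysctl -w "net/ipv4/conf/${TUNNEL_NAME}/disable_policy=1" || rc=$?
        # on the physical interface neither encrypt by policy nor check
        # policy, so only packets routed through the VTI get IPsec treatment
        sysctl -w "net/ipv4/conf/${TUNNEL_PHY_INTERFACE}/disable_xfrm=1" || rc=$?
        sysctl -w "net/ipv4/conf/${TUNNEL_PHY_INTERFACE}/disable_policy=1" || rc=$?
        return "${rc}"
}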

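#######################################
# Install the static routes and iptables rules for the tunnel.
# Globals (read): TUNNEL_STATIC_ROUTE (comma separated prefixes),
#   TUNNEL_NAME, TUNNEL_MARK, TUNNEL_REMOTE_ENDPOINT, TUNNEL_LOCAL_ENDPOINT
# Returns: 0 if every step succeeded, else the status of the last failing
#   one (every step is still attempted).
# Note: the iptables rules are only appended when not already present, so
#   a repeated up-client (dpdaction=restart) does not stack duplicates.
#######################################
add_route() {
        local -a routes
        local prefix rc=0
        IFS=',' read -ra routes <<< "${TUNNEL_STATIC_ROUTE}"
        for prefix in "${routes[@]}"; do
                # an empty element ("a,,b" or an unset -r) would yield a bogus
                # 'ip route add "" ...' — skip it
                [[ -n "${prefix}" ]] || continue
                # the mark is reused as the metric, so the tunnel with the lower
                # mark (Tunnel1, 100) is preferred over the other (200)
                ip route add "${prefix}" dev "${TUNNEL_NAME}" metric "${TUNNEL_MARK}" || rc=$?
        done

        # clamp TCP MSS for traffic leaving through the VTI so payloads fit
        # the reduced tunnel MTU
        local -a mss_rule=(FORWARD -o "${TUNNEL_NAME}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu)
        # mark inbound ESP from this peer with the tunnel's mark; that is how
        # the kernel associates it with the SAs charon installed under this
        # mark (mark= in ipsec.conf). -C is silenced: it prints when the rule
        # is simply absent.
        local -a esp_rule=(INPUT -p esp -s "${TUNNEL_REMOTE_ENDPOINT}" -d "${TUNNEL_LOCAL_ENDPOINT}" -j MARK --set-xmark "${TUNNEL_MARK}")
        iptables -t mangle -C "${mss_rule[@]}" 2>/dev/null || iptables -t mangle -A "${mss_rule[@]}" || rc=$?
        iptables -t mangle -C "${esp_rule[@]}" 2>/dev/null || iptables -t mangle -A "${esp_rule[@]}" || rc=$?

        # NOTE(review): presumably drops the 0.0.0.0/0 route charon installs
        # for this conn in its own routing table (220 by default), which would
        # otherwise bypass the VTI routes above. This flushes the whole table,
        # i.e. routes of every conn, not just this one — confirm that is intended
        # (charon.install_routes=no would avoid the need).
        ip route flush table 220 || rc=$?
        return "${rc}"
}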

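#######################################
# Undo add_route(): remove the static routes and the two iptables rules,
# then drop the route cache.
# Globals (read): TUNNEL_STATIC_ROUTE, TUNNEL_NAME, TUNNEL_MARK,
#   TUNNEL_REMOTE_ENDPOINT, TUNNEL_LOCAL_ENDPOINT
# Returns: 0 if every removal succeeded, else the status of the last
#   failing one. Every step is attempted regardless, so one missing
#   route does not leave the iptables rules behind.
#######################################
cleanup() {
        local -a routes
        local prefix rc=0
        IFS=',' read -ra routes <<< "${TUNNEL_STATIC_ROUTE}"
        for prefix in "${routes[@]}"; do
                [[ -n "${prefix}" ]] || continue
                # must match add_route(): the metric is part of the route key
                ip route del "${prefix}" dev "${TUNNEL_NAME}" metric "${TUNNEL_MARK}" || rc=$?
        done
        # rule specs identical to the ones appended by add_route()
        iptables -t mangle -D FORWARD -o "${TUNNEL_NAME}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu || rc=$?
        iptables -t mangle -D INPUT -p esp -s "${TUNNEL_REMOTE_ENDPOINT}" -d "${TUNNEL_LOCAL_ENDPOINT}" -j MARK --set-xmark "${TUNNEL_MARK}" || rc=$?
        ip route flush cache || rc=$?
        return "${rc}"
}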

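#######################################
# Take the VTI interface down and delete it.
# Globals (read): TUNNEL_NAME
# Returns: 1 if TUNNEL_NAME is empty (an empty name would otherwise turn
#   into 'ip link set down' and an error about the wrong thing), else the
#   status of 'ip link del'.
#######################################
delete_interface() {
        if [[ -z "${TUNNEL_NAME}" ]]; then
                echo "${0}: no tunnel name given, nothing to delete" >&2
                return 1
        fi
        ip link set "${TUNNEL_NAME}" down
        ip link del "${TUNNEL_NAME}"
}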

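# main execution starts here

# charon may start this script with a minimal PATH; the error messages
# below hint at exactly that, so make the sbin directories searchable
PATH="${PATH}:/usr/sbin:/sbin"

# Abort if a required tool is missing. The original only printed the
# error and went on, so a missing iptables left a tunnel with routes but
# no MARK rule instead of a clear failure charon can log.
for required_tool in ip iptables sysctl; do
        if ! command_exists "${required_tool}"; then
                echo "ERROR: ${required_tool} command is required to execute the script, check if you are running as root, mostly to do with path, /sbin/" >&2
                exit 1
        fi
done

# PLUTO_VERB is set by charon for each updown event; only the CHILD_SA
# up/down events are acted on, any other verb is ignored on purpose
case "${PLUTO_VERB}" in
        up-client)
                create_interface
                configure_sysctl
                add_route
                ;;
        down-client)
                cleanup
                delete_interface
                ;;
esac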








________________________________
From: Users <users-boun...@lists.strongswan.org> on behalf of Dominik 
<dr896...@gmail.com>
Sent: Thursday, September 17, 2020 9:32 AM
To: users@lists.strongswan.org <users@lists.strongswan.org>
Subject: Re: [strongSwan] Connection to AWS-VPC


Thanks Doug,

what does the aws-updown.sh do?

Kind regards

Dominik

On 16.09.20 17:28, Doug Tucker wrote:
ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file
# Site network admin:
# basic configuration

config setup
        # strictcrlpolicy=yes
        # needed here because both conns below use the same leftid/right;
        # with uniqueids=yes the second SA would replace the first
        uniqueids = no
        # charondebug = "ike 2,chd 3, enc 2"

# Add connections here.

############################################################
##      Common configuration
############################################################

conn Tunnel1
        auto=start
        left=%defaultroute
        # NOTE(review): both conns show the same leftid/right here; an AWS
        # VPN connection has a distinct outside address per tunnel, so these
        # are presumably anonymised for the list — verify in the real file
        leftid=1.1.1.1
        right=2.2.2.2
        type=tunnel
        # PSK auth: the secret is not in this file (ipsec.secrets); keep
        # that file root-only
        leftauth=psk
        rightauth=psk
        keyexchange=ikev1
        # NOTE(review): SHA-1 and modp1024 (DH group 2) are below current
        # guidance; the AWS side can usually be set to IKEv2, SHA-2 and
        # DH group 14+ — confirm in the tunnel options and align both ends
        ike=aes256-sha1-modp1024
        ikelifetime=8h
        # the modp group in esp= enables PFS for the CHILD_SA
        esp=aes256-sha1-modp1024
        lifetime=1h
        keyingtries=%forever
        # route-based VPN: 0.0.0.0/0 on both sides, traffic selection is done
        # by the routes the updown script puts on the VTI, not by policy
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0
        dpddelay=10s
        dpdtimeout=30s
        dpdaction=restart
        # must equal the -m value below: it is the VTI key and the fwmark
        mark=100
leftupdown="/usr/local/etc/aws-updown.sh -ln Tunnel1 -ll 169.254.x.x/30 -lr 169.254.x.x/30 -m 100 -r 10.x.x.0/20"

conn Tunnel2
        auto=start
        left=%defaultroute
        # NOTE(review): same leftid/right as Tunnel1 — presumably anonymised,
        # the second AWS tunnel normally has its own outside address
        leftid=1.1.1.1
        right=2.2.2.2
        type=tunnel
        leftauth=psk
        rightauth=psk
        keyexchange=ikev1
        # NOTE(review): aes128 here versus aes256 in Tunnel1 — check whether
        # the difference is intended; SHA-1/modp1024 caveat as for Tunnel1
        ike=aes128-sha1-modp1024
        ikelifetime=8h
        esp=aes128-sha1-modp1024
        lifetime=1h
        keyingtries=%forever
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0
        dpddelay=10s
        dpdtimeout=30s
        dpdaction=restart
        # must equal the -m value below; it is also used as the route metric,
        # so 200 makes this tunnel the backup of Tunnel1 (100)
        mark=200
leftupdown="/usr/local/etc/aws-updown.sh -ln Tunnel2 -ll 169.254.x.x/30 -lr 169.254.x.x/30 -m 200 -r 10.x.x.0/20"

Let me know  if there is more you would like to see.







________________________________
From: Users 
<users-boun...@lists.strongswan.org><mailto:users-boun...@lists.strongswan.org> 
on behalf of Dominik Reusser <dr896...@gmail.com><mailto:dr896...@gmail.com>
Sent: Tuesday, September 15, 2020 1:19 AM
To: users@lists.strongswan.org<mailto:users@lists.strongswan.org> 
<users@lists.strongswan.org><mailto:users@lists.strongswan.org>
Subject: [strongSwan] Connection to AWS-VPC




Has anyone successfully connected to an AWS VPC? My connection is established and
ICMP packets are routed through the AWS cloud. However, UDP and TCP packets - 
while being sent towards the AWS server (according to tcpdump on the client side) - do 
not appear in the logs of the VPC.

With a corresponding setup on Openswan I get a working connection. However, I 
would prefer to use strongSwan.

If you have successfully connected to AWS VPC, could you please share your 
configuration files?

Thanks
Kind regards
Dominik
