I was asked to assist with setting up a Site-to-Site (S2S) VPN between an Amazon Web Services EC2 environment and a Cisco IPSEC router. Instead of working on the customer’s production environment, I decided to set up my Cisco 2821 router as an IPSEC endpoint and try to do it from home. There are a fair number of instructions on the internet on how to do this, but no matter what I tried, I wasn’t able to get it to work. The biggest hurdle was the fact that my Cisco IPSEC router was behind a NATing firewall. Please note, the IP addresses in my example have been changed to random ones.
I relied heavily on this post titled CONNECTING TO A CISCO ASA VPN VIA AMAZON EC2/VPC to get the basis on how to do this. It took me about two days to get everything the way I wanted it, so I’m going to tackle the instructions on my own as well.
Here is a quick and dirty diagram:
Start an Amazon VPC Instance
- Go to the VPC tab.
- I chose a Ubuntu 64 Bit AMD64 server, micro instance.
- Click Network & Security –> Elastic IPs
- Allocate New Address, associate the new address to the new micro instance.
- I didn’t set up the Amazon firewall initially.
- Test SSH into your instance, you should get a UNIX prompt.
Before you begin installing and configuring your Cisco device or Openswan, you need to gather some information:
Private IP: 10.96.42.55
Elastic IP: 22.214.171.124
Private Network: 126.96.36.199/24
Router Public IP: 192.168.1.5
Firewall Public IP: 188.8.131.52
Install and Configure Openswan
- From the command prompt, run sudo apt-get install openswan openswan-doc ipsec-tools
- Edit /etc/sysctl.conf:
net.ipv4.ip_forward = 1
- Run sudo ipsec verify (note any issues)
- Edit /etc/ipsec.conf
- Run sudo ipsec verify (all issues should be resolved or have N/A,WARNING)
- Run sudo service ipsec restart
Edit /etc/ipsec.d/home.conf (new file)
Edit /etc/ipsec.d/home.secrets (new file)
192.168.1.5 184.108.40.206 : PSK "cisco123"
Configure the Cisco Router
crypto isakmp policy 10
crypto isakmp key cisco123 address 220.127.116.11
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-3des esp-md5-hmac
crypto map INTERNET-CRYPTO 11 ipsec-isakmp
description Amazon EC2 instance
set peer 18.104.22.168
set transform-set AMAZON-TRANSFORM-SET
match address 111
ip address 192.168.1.5 255.255.255.0
no ip route-cache cef
no ip route-cache
crypto map INTERNET-CRYPTO
ip address 22.214.171.124 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
access-list 111 permit ip 126.96.36.199 0.0.0.255 host 10.96.42.55
- I set up my home router/firewall to create the 192.168.1.5 IP address as a DMZ. This means that I didn’t need to set up any type of port forwarding or firewall rules; it was forwarding all traffic from my external IP address to the internal IP address. Your mileage may vary.
- Note the “right” and “rightid” calls in the home.conf file. right=external IP at home, rightid=actual Cisco router IP. This is important. Because I was behind a NATing firewall, these settings came into play. IPSEC doesn’t play very well in NAT and even though I was using NAT-traversal, those settings were key.
- This was just a simple IP to network test. You’ll need to modify the ACLs as appropriate to access your devices.
- I had a devil of a time matching the isakmp policies and transform-set settings on the Cisco with the Openswan. Both platforms use different terms for the same thing. Some commands to know and love:
- Openswan — sudo ipsec auto --status
- Openswan — sudo ipsec whack --status
- Ubuntu Logs — /var/log/auth.log
- Cisco — debug crypto isakmp
- Cisco — debug crypto ipsec
- Cisco — debug crypto isakmp error
- Cisco — debug crypto ipsec error
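The two matching problems from the notes above (right/rightid behind NAT, and Cisco versus Openswan names for the same Phase 2 algorithms) can be checked mechanically. This is an added example, not the author's home.conf or code from either project. Assumptions: the left/leftid layout, the documentation-range public addresses, the 172.16.20.0/24 home subnet and the function names are all constructed for illustration, and only Phase 2 is translated.

```python
import re

# Cisco IOS transform names -> Openswan phase2alg tokens (common subset only).
ENC = {"esp-3des": "3des", "esp-aes": "aes128",
       "esp-aes 192": "aes192", "esp-aes 256": "aes256"}
AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}
LEGACY = {"3des", "md5"}  # still negotiable, but deprecated for new tunnels


def phase2alg(cisco_line):
    """Map 'crypto ipsec transform-set NAME ...' to (phase2alg, legacy tokens)."""
    m = re.match(r"\s*crypto ipsec transform-set\s+\S+\s+(.+)$", cisco_line)
    if not m:
        raise ValueError("not a transform-set line: %r" % cisco_line)
    # A key size follows its transform ("esp-aes 256"), so keep the pair together.
    transforms = re.findall(r"esp-[a-z0-9-]+(?: \d+)?", m.group(1))
    enc = [ENC[t] for t in transforms if t in ENC]
    auth = [AUTH[t] for t in transforms if t in AUTH]
    if len(enc) != 1 or len(auth) != 1:
        raise ValueError("need one known ESP cipher and one ESP hash: %r" % transforms)
    return "%s-%s" % (enc[0], auth[0]), sorted(LEGACY & {enc[0], auth[0]})


def conn_stanza(name, left, leftid, right, rightid, rightsubnet, cisco_line, life_s):
    """Build an Openswan conn for a Cisco peer that sits behind a NAT device."""
    alg, _ = phase2alg(cisco_line)
    opts = [("type", "tunnel"), ("authby", "secret"),
            ("left", left),          # address configured on the instance itself
            ("leftid", leftid),      # identity the Cisco peer is keyed to
            ("right", right),        # public address of the NAT device
            ("rightid", rightid),    # address the router actually holds
            ("rightsubnet", rightsubnet),
            ("phase2alg", alg), ("salifetime", "%ds" % life_s), ("auto", "start")]
    return "conn %s\n" % name + "".join("    %s=%s\n" % kv for kv in opts)


if __name__ == "__main__":
    # Constructed sample: documentation-range addresses stand in for the public
    # IPs; 10.96.42.55 and 192.168.1.5 are the private addresses from the post.
    ts = "crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-3des esp-md5-hmac"
    print(conn_stanza("home", "10.96.42.55", "203.0.113.10", "198.51.100.20",
                      "192.168.1.5", "172.16.20.0/24", ts, 28800))
    print("legacy algorithms in use:", phase2alg(ts)[1])
```

The second return value lists the negotiated algorithms that are legacy choices, which is worth reviewing before reusing the transform set outside a lab.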