Monday, June 5, 2017

cloudstack strongswan ipsec site to site s2s vpn configuration


This post explains the site-to-site (s2s) VPN configuration between two CloudStack VPCs.

1. Two VPCs, vpc1 and vpc2



2. vpc1 source NAT public address

3. vpc2 source NAT public address

4. VPN customer gateway path

5. Adding the VPN customer gateways.
a. For the VPN customer gateway configuration, add one customer gateway with the vpc1 details: the vpc1 source NAT public IP and the vpc1 CIDR.
b. Add the second customer gateway with the vpc2 details: the vpc2 source NAT public IP and the vpc2 CIDR.



6. Click on SITE TO SITE VPNS (highlighted in the Router section) for both vpc1 and vpc2.

7. Click on the VPN Connection drop-down as shown below.

8. Click on Create VPN Connection at the top right corner.


9. The pop-up below is shown.
One important thing here: for the first VPN connection, select Passive; for the second one, do not check Passive. For the vpc1 VPN connection, select the VPN customer gateway vpc2CG (which contains the details of vpc2).
If Passive is not selected, the VPN connection is initiated from the VR of that VPC.

10. VPN connection status after step 9: the VPN is in the connected state.


11. vpc1 VR is r-135-QA
    vpc2 VR is r-136-QA

Below, the strongSwan VPN config, the VPN connection status and the logs from both VRs are shown.

root@r-135-QA:~# ipsec --version
Linux strongSwan U5.2.1/K3.2.0-4-amd64
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
root@r-135-QA:~#

root@r-135-QA:~# cat /etc/ipsec.d/ipsec.vpn-10.147.52.102.conf
#conn for vpn-10.147.52.102
conn vpn-10.147.52.102
 left=10.147.46.108
 leftsubnet=10.1.0.0/16
 leftnexthop=10.147.46.1
 right=10.147.52.102
 rightsubnet=10.2.0.0/16
 type=tunnel
 authby=secret
 keyexchange=ike
 ike=aes128-sha1-modp1536
 ikelifetime=24h
 esp=aes128-sha1
 lifetime=1h
 pfs=no
 keyingtries=2
 auto=start
 forceencaps=no
root@r-135-QA:~#
root@r-135-QA:~# cat /etc/ipsec.d/ipsec.vpn-10.147.52.102.secrets
10.147.46.108 10.147.52.102 : PSK "123456789"
root@r-135-QA:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 0e:00:a9:fe:01:13 brd ff:ff:ff:ff:ff:ff
    inet 169.254.1.19/16 brd 169.254.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 1e:00:f9:00:00:14 brd ff:ff:ff:ff:ff:ff
    inet 10.147.46.108/24 brd 10.147.46.255 scope global eth1
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:29:c5:00:05 brd ff:ff:ff:ff:ff:ff
    inet 10.1.2.1/24 brd 10.1.2.255 scope global eth3
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:45:73:00:06 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 brd 10.1.1.255 scope global eth4
8: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 1e:00:2a:00:00:34 brd ff:ff:ff:ff:ff:ff
    inet 10.147.52.101/24 brd 10.147.52.255 scope global eth2
root@r-135-QA:~#
root@r-135-QA:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.2.0-4-amd64, x86_64):
  uptime: 51 minutes, since Jun 05 07:15:27 2017
  malloc: sbrk 675840, mmap 0, used 549904, free 125936
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors ldap pkcs11 aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem gcrypt af-alg fips-prf gmp xcbc cmac hmac ctr ccm curl attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Listening IP addresses:
  169.254.1.19
  10.147.46.108
  10.1.2.1
  10.1.1.1
  10.147.52.101
Connections:
vpn-10.147.52.102:  10.147.46.108...10.147.52.102  IKEv1/2
vpn-10.147.52.102:   local:  [10.147.46.108] uses pre-shared key authentication
vpn-10.147.52.102:   remote: [10.147.52.102] uses pre-shared key authentication
vpn-10.147.52.102:   child:  10.1.0.0/16 === 10.2.0.0/16 TUNNEL
    L2TP-PSK:  172.26.0.151...%any  IKEv1
    L2TP-PSK:   local:  [172.26.0.151] uses pre-shared key authentication
    L2TP-PSK:   remote: uses pre-shared key authentication
    L2TP-PSK:   child:  dynamic[udp/l2f] === 0.0.0.0/0[udp] TRANSPORT
Security Associations (1 up, 0 connecting):
vpn-10.147.52.102[2]: ESTABLISHED 50 minutes ago, 10.147.46.108[10.147.46.108]...10.147.52.102[10.147.52.102]
vpn-10.147.52.102[2]: IKEv2 SPIs: 51aecc83ad55e205_i 8ed67b171663f02e_r*, pre-shared key reauthentication in 22 hours
vpn-10.147.52.102[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
vpn-10.147.52.102{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c636a5c6_i cd256516_o
vpn-10.147.52.102{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
vpn-10.147.52.102{1}:   10.1.0.0/16 === 10.2.0.0/16
root@r-135-QA:~#
root@r-135-QA:~# tail -f /var/log/cloud.log

Jun  5 08:40:46 localhost charon: 16[IKE] initiating IKE_SA vpn-10.147.52.102[3] to 10.147.52.102
Jun  5 08:40:48 localhost charon: 11[IKE] 10.147.52.102 is initiating an IKE_SA
Jun  5 08:40:48 localhost charon: 13[IKE] IKE_SA vpn-10.147.52.102[6] established between 10.147.46.108[10.147.46.108]...10.147.52.102[10.147.52.102]
Jun  5 08:40:48 localhost charon: 13[IKE] CHILD_SA vpn-10.147.52.102{4} established with SPIs cf36ee34_i c39bf95d_o and TS 10.1.0.0/16 === 10.2.0.0/16
Jun  5 08:40:55 localhost sshd[20622]: Accepted publickey for root from 169.254.0.1 port 55388 ssh2
Jun  5 08:40:55 localhost sshd[20622]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun  5 08:40:55 localhost sshd[20622]: pam_unix(sshd:session): session closed for user root
Jun  5 08:41:25 localhost sshd[20671]: Accepted publickey for root from 169.254.0.1 port 55393 ssh2
Jun  5 08:41:25 localhost sshd[20671]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun  5 08:41:25 localhost sshd[20671]: pam_unix(sshd:session): session closed for user root

root@r-136-QA:~# cat /etc/ipsec.d/ipsec.vpn-10.147.46.108.conf
#conn for vpn-10.147.46.108
conn vpn-10.147.46.108
 left=10.147.52.102
 leftsubnet=10.2.0.0/16
 leftnexthop=10.147.52.1
 right=10.147.46.108
 rightsubnet=10.1.0.0/16
 type=tunnel
 authby=secret
 keyexchange=ike
 ike=aes128-sha1-modp1536
 ikelifetime=24h
 esp=aes128-sha1
 lifetime=1h
 pfs=no
 keyingtries=2
 auto=start
 forceencaps=no
root@r-136-QA:~# cat /etc/ipsec.d/ipsec.vpn-10.147.46.108.secrets
10.147.52.102 10.147.46.108 : PSK "123456789"
root@r-136-QA:~#
root@r-136-QA:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 0e:00:a9:fe:01:6f brd ff:ff:ff:ff:ff:ff
    inet 169.254.1.111/16 brd 169.254.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 1e:00:53:00:00:35 brd ff:ff:ff:ff:ff:ff
    inet 10.147.52.102/24 brd 10.147.52.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:49:1b:00:02 brd ff:ff:ff:ff:ff:ff
    inet 10.2.1.1/24 brd 10.2.1.255 scope global eth2
root@r-136-QA:~# ipsec status
Security Associations (1 up, 0 connecting):
vpn-10.147.46.108[1]: ESTABLISHED 51 minutes ago, 10.147.52.102[10.147.52.102]...10.147.46.108[10.147.46.108]
vpn-10.147.46.108{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cd256516_i c636a5c6_o
vpn-10.147.46.108{1}:   10.2.0.0/16 === 10.1.0.0/16
root@r-136-QA:~#
root@r-136-QA:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.2.0-4-amd64, x86_64):
  uptime: 51 minutes, since Jun 05 07:15:48 2017
  malloc: sbrk 675840, mmap 0, used 549328, free 126512
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors ldap pkcs11 aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem gcrypt af-alg fips-prf gmp xcbc cmac hmac ctr ccm curl attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
Listening IP addresses:
  169.254.1.111
  10.147.52.102
  10.2.1.1
Connections:
vpn-10.147.46.108:  10.147.52.102...10.147.46.108  IKEv1/2
vpn-10.147.46.108:   local:  [10.147.52.102] uses pre-shared key authentication
vpn-10.147.46.108:   remote: [10.147.46.108] uses pre-shared key authentication
vpn-10.147.46.108:   child:  10.2.0.0/16 === 10.1.0.0/16 TUNNEL
    L2TP-PSK:  172.26.0.151...%any  IKEv1
    L2TP-PSK:   local:  [172.26.0.151] uses pre-shared key authentication
    L2TP-PSK:   remote: uses pre-shared key authentication
    L2TP-PSK:   child:  dynamic[udp/l2f] === 0.0.0.0/0[udp] TRANSPORT
Security Associations (1 up, 0 connecting):
vpn-10.147.46.108[1]: ESTABLISHED 51 minutes ago, 10.147.52.102[10.147.52.102]...10.147.46.108[10.147.46.108]
vpn-10.147.46.108[1]: IKEv2 SPIs: 51aecc83ad55e205_i* 8ed67b171663f02e_r, pre-shared key reauthentication in 22 hours
vpn-10.147.46.108[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
vpn-10.147.46.108{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cd256516_i c636a5c6_o
vpn-10.147.46.108{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
vpn-10.147.46.108{1}:   10.2.0.0/16 === 10.1.0.0/16
root@r-136-QA:~#
root@r-136-QA:~# tail -f /var/log/cloud.log
Jun  5 08:40:48 localhost sudo:     root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/sbin/ip route flush cache
Jun  5 08:40:48 localhost sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun  5 08:40:48 localhost sudo: pam_unix(sudo:session): session closed for user root
Jun  5 08:40:48 localhost ipsec_starter[5036]: # deprecated keyword 'leftnexthop' in conn 'vpn-10.147.46.108'
Jun  5 08:40:48 localhost ipsec_starter[5036]: # deprecated keyword 'pfs' in conn 'vpn-10.147.46.108'
Jun  5 08:40:48 localhost ipsec_starter[5036]:   PFS is enabled by specifying a DH group in the 'esp' cipher suite
Jun  5 08:40:48 localhost ipsec_starter[5036]: # deprecated keyword 'leftnexthop' in conn 'L2TP-PSK'
Jun  5 08:40:48 localhost ipsec_starter[5036]: # deprecated keyword 'pfs' in conn 'L2TP-PSK'
Jun  5 08:40:48 localhost ipsec_starter[5036]:   PFS is enabled by specifying a DH group in the 'esp' cipher suite
Jun  5 08:40:48 localhost ipsec_starter[5036]: ### 4 parsing errors (0 fatal) ###
Jun  5 08:40:48 localhost charon: 12[IKE] initiating IKE_SA vpn-10.147.46.108[4] to 10.147.46.108
Jun  5 08:40:48 localhost charon: 03[IKE] establishing CHILD_SA vpn-10.147.46.108
Jun  5 08:40:48 localhost charon: 06[IKE] IKE_SA vpn-10.147.46.108[4] established between 10.147.52.102[10.147.52.102]...10.147.46.108[10.147.46.108]
Jun  5 08:40:48 localhost charon: 06[IKE] CHILD_SA vpn-10.147.46.108{4} established with SPIs c39bf95d_i cf36ee34_o and TS 10.2.0.0/16 === 10.1.0.0/16
Jun  5 08:40:48 localhost sshd[10785]: pam_unix(sshd:session): session closed for user root
Jun  5 08:40:57 localhost sshd[10965]: Accepted publickey for root from 169.254.0.1 port 60094 ssh2
Jun  5 08:40:57 localhost sshd[10965]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun  5 08:40:57 localhost sshd[10965]: pam_unix(sshd:session): session closed for user root
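The two conn definitions CloudStack wrote on r-135-QA and r-136-QA have to mirror each other (left/right and the two subnets swapped, the same proposals, the same PSK between the same pair of identities), and the ipsec_starter lines in cloud.log above show that two of the keywords it generates (leftnexthop, pfs) are deprecated in strongSwan 5. The Python below is an added example, not part of this post or of CloudStack: it renders both conn blocks from the template seen above using the values from the two VRs, verifies that symmetry, and lists what a reviewer would note on these routers: no DH group in the esp proposal (so no PFS for the ESP keys), SHA-1 integrity, the 1536-bit MODP group, the deprecated keywords, and the short all-numeric PSK. The function names and the wording of the findings are my own.

```python
"""Cross-check the strongSwan conn definitions CloudStack wrote on the vpc1 VR
(r-135-QA) and the vpc2 VR (r-136-QA). Added example; not CloudStack code."""
import re

# Template reproducing the conn block layout shown in /etc/ipsec.d/ipsec.vpn-*.conf above.
TEMPLATE = """\
#conn for {name}
conn {name}
 left={left}
 leftsubnet={leftsubnet}
 leftnexthop={leftnexthop}
 right={right}
 rightsubnet={rightsubnet}
 type=tunnel
 authby=secret
 keyexchange=ike
 ike=aes128-sha1-modp1536
 ikelifetime=24h
 esp=aes128-sha1
 lifetime=1h
 pfs=no
 keyingtries=2
 auto=start
 forceencaps=no
"""
# Values taken from the two VRs in this post.
R135_CONF = TEMPLATE.format(name="vpn-10.147.52.102", left="10.147.46.108",
                            leftsubnet="10.1.0.0/16", leftnexthop="10.147.46.1",
                            right="10.147.52.102", rightsubnet="10.2.0.0/16")
R136_CONF = TEMPLATE.format(name="vpn-10.147.46.108", left="10.147.52.102",
                            leftsubnet="10.2.0.0/16", leftnexthop="10.147.52.1",
                            right="10.147.46.108", rightsubnet="10.1.0.0/16")
R135_SECRETS = '10.147.46.108 10.147.52.102 : PSK "123456789"'
R136_SECRETS = '10.147.52.102 10.147.46.108 : PSK "123456789"'

# Keywords that ipsec_starter reports as deprecated in cloud.log on r-136-QA.
DEPRECATED = {"leftnexthop", "pfs"}


def parse_conn(text):
    """Return (conn name, {keyword: value}) for one ipsec.conf conn block."""
    name, opts = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return name, opts


def parse_psk(line):
    """Parse an ipsec.secrets line '<id> <id> : PSK "secret"' into (ids, secret)."""
    m = re.match(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"\s*$', line)
    if not m:
        raise ValueError("unrecognised secrets line: %r" % line)
    return frozenset((m.group(1), m.group(2))), m.group(3)


def weak_settings(opts):
    """Findings about one conn block on its own (the wording is mine)."""
    found = []
    if "modp" not in opts.get("esp", ""):
        found.append("no PFS: esp proposal names no DH group (strongSwan 5 derives PFS from esp=, not pfs=)")
    if any("sha1" in opts.get(k, "") for k in ("ike", "esp")):
        found.append("SHA-1 integrity in the ike/esp proposal")
    if "modp1536" in opts.get("ike", ""):
        found.append("modp1536: 1536-bit DH group is below current guidance (modp2048 or larger)")
    for key in sorted(DEPRECATED.intersection(opts)):
        found.append("deprecated keyword '%s' (ipsec_starter warns about it in cloud.log)" % key)
    return found


def check_pair(conf_a, secrets_a, conf_b, secrets_b):
    """Findings across both ends; an empty list means the ends agree and nothing is weak."""
    findings = []
    _, a = parse_conn(conf_a)
    _, b = parse_conn(conf_b)
    # What is 'left' on one VR must be 'right' on the peer, and vice versa.
    for mine, theirs in (("left", "right"), ("leftsubnet", "rightsubnet")):
        if a.get(mine) != b.get(theirs) or a.get(theirs) != b.get(mine):
            findings.append("asymmetric %s/%s between the two ends" % (mine, theirs))
    # Proposals and lifetimes should match on both ends.
    for key in ("ike", "esp", "ikelifetime", "lifetime", "type", "authby"):
        if a.get(key) != b.get(key):
            findings.append("mismatched %s: %r vs %r" % (key, a.get(key), b.get(key)))
    ids_a, psk_a = parse_psk(secrets_a)
    ids_b, psk_b = parse_psk(secrets_b)
    if ids_a != ids_b:
        findings.append("secrets files name different identity pairs")
    if psk_a != psk_b:
        findings.append("pre-shared keys differ")
    elif psk_a.isdigit() or len(psk_a) < 20:
        findings.append("weak pre-shared key: short or all-numeric")
    # The proposal keys were just compared for equality, so one side's weaknesses cover both.
    findings.extend(weak_settings(a))
    return findings


if __name__ == "__main__":
    for finding in check_pair(R135_CONF, R135_SECRETS, R136_CONF, R136_SECRETS):
        print("-", finding)
```

Run against the two VRs' files, the symmetry checks pass and the script prints six findings, all about strength rather than correctness; feeding it a conn block with a mis-typed subnet on one end produces an "asymmetric" finding before the tunnel is ever brought up.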

Management server logs for the VPN status check


2017-06-05 14:14:24,367 DEBUG [c.c.a.t.Request] (RouterStatusMonitor-1:ctx-08a339dd) (logid:5714e848) Seq 1-9087982573056951593: Executing:  { Cmd , MgmtId: 4278190080, via: 1(xenserver-jokbbgbq), Ver: v1, Flags: 100111, [{"com.cloud.agent.api.CheckS2SVpnConnectionsCommand":{"vpnIps":["10.147.52.102"],"accessDetails":{"router.name":"r-135-QA","router.ip":"169.254.1.19"},"wait":30}}] }



2017-06-05 14:14:25,829 DEBUG [c.c.a.t.Request] (DirectAgent-410:ctx-12f6917b) (logid:5714e848) Seq 1-9087982573056951593: Processing:  { Ans: , MgmtId: 4278190080, via: 1(xenserver-jokbbgbq), Ver: v1, Flags: 110, [{"com.cloud.agent.api.CheckS2SVpnConnectionsAnswer":{"ipToConnected":{"10.147.52.102":true},"ipToDetail":{"10.147.52.102":"IPsec SA found;Site-to-site VPN have connected"},"details":"10.147.52.102:0:IPsec SA found;Site-to-site VPN have connected&","result":true,"wait":0}}] }
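The management server polls each VR with CheckS2SVpnConnectionsCommand for the peer IPs it knows about, and the VR answers per peer with the detail string seen above, "IPsec SA found;Site-to-site VPN have connected". The Python below is an added example, not CloudStack's own check script: it parses the Security Associations section of the ipsec statusall output shown for both VRs, reports a peer as connected only when the IKE_SA is ESTABLISHED and an INSTALLED TUNNEL CHILD_SA carries the expected traffic selectors, and cross-checks that the ESP SPIs one VR reports are the same SPIs, with direction swapped, on the other VR. The function names and the "not found" wording are assumptions.

```python
"""Decide, from 'ipsec statusall' output, whether a CloudStack site-to-site tunnel is up,
the way the VR answers CheckS2SVpnConnectionsCommand. Added example, not CloudStack's script."""
import re

# Security Associations sections copied from the two VRs in this post.
R135_STATUS = """\
Security Associations (1 up, 0 connecting):
vpn-10.147.52.102[2]: ESTABLISHED 50 minutes ago, 10.147.46.108[10.147.46.108]...10.147.52.102[10.147.52.102]
vpn-10.147.52.102[2]: IKEv2 SPIs: 51aecc83ad55e205_i 8ed67b171663f02e_r*, pre-shared key reauthentication in 22 hours
vpn-10.147.52.102[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
vpn-10.147.52.102{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c636a5c6_i cd256516_o
vpn-10.147.52.102{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
vpn-10.147.52.102{1}:   10.1.0.0/16 === 10.2.0.0/16
"""
R136_STATUS = """\
Security Associations (1 up, 0 connecting):
vpn-10.147.46.108[1]: ESTABLISHED 51 minutes ago, 10.147.52.102[10.147.52.102]...10.147.46.108[10.147.46.108]
vpn-10.147.46.108[1]: IKEv2 SPIs: 51aecc83ad55e205_i* 8ed67b171663f02e_r, pre-shared key reauthentication in 22 hours
vpn-10.147.46.108[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
vpn-10.147.46.108{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cd256516_i c636a5c6_o
vpn-10.147.46.108{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 minutes
vpn-10.147.46.108{1}:   10.2.0.0/16 === 10.1.0.0/16
"""

CONNECTED = "IPsec SA found;Site-to-site VPN have connected"  # detail string from the management log
NOT_CONNECTED = "IPsec SA not found"                           # my own wording, not CloudStack's

# IKE_SA line: "<conn>[<id>]: <STATE> ..."
IKE_RE = re.compile(r"^(?P<conn>\S+)\[\d+\]: "
                    r"(?P<state>ESTABLISHED|CONNECTING|REKEYING|DELETING|CREATED|PASSIVE)\b")
# First CHILD_SA line: "<conn>{<id>}:  INSTALLED, TUNNEL, ESP in UDP SPIs: <in>_i <out>_o"
CHILD_RE = re.compile(r"^(?P<conn>\S+)\{\d+\}:\s+(?P<state>[A-Z_]+), (?P<mode>TUNNEL|TRANSPORT), "
                      r".*? SPIs: (?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
# Traffic selector line: "<conn>{<id>}:   <local> === <remote>"
TS_RE = re.compile(r"^(?P<conn>\S+)\{\d+\}:\s+(?P<local>\S+) === (?P<remote>\S+)$")


def parse_status(text):
    """Return {conn: {"ike": state, "children": [child dicts]}} from ipsec status output."""
    sas = {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            sas.setdefault(m["conn"], {"ike": None, "children": []})["ike"] = m["state"]
            continue
        m = CHILD_RE.match(line)
        if m:
            sas.setdefault(m["conn"], {"ike": None, "children": []})["children"].append(
                {"state": m["state"], "mode": m["mode"],
                 "spi_in": m["spi_in"], "spi_out": m["spi_out"]})
            continue
        m = TS_RE.match(line)
        if m and sas.get(m["conn"], {}).get("children"):
            # The selector line follows its CHILD_SA line, so attach it to the last child.
            sas[m["conn"]]["children"][-1].update(local=m["local"], remote=m["remote"])
    return sas


def tunnel_status(text, conn, local_cidr, remote_cidr):
    """(connected?, detail) for one connection, requiring both SAs and the right selectors."""
    sa = parse_status(text).get(conn)
    if sa is None or sa["ike"] != "ESTABLISHED":
        return False, NOT_CONNECTED
    for child in sa["children"]:
        if (child["state"] == "INSTALLED" and child["mode"] == "TUNNEL"
                and child.get("local") == local_cidr and child.get("remote") == remote_cidr):
            return True, CONNECTED
    return False, NOT_CONNECTED


def spis_match(status_a, conn_a, status_b, conn_b):
    """True when every ESP SPI pair on one VR appears on the peer with direction swapped."""
    ca = parse_status(status_a)[conn_a]["children"]
    cb = parse_status(status_b)[conn_b]["children"]
    return {(c["spi_in"], c["spi_out"]) for c in ca} == {(c["spi_out"], c["spi_in"]) for c in cb}


if __name__ == "__main__":
    print("r-135-QA:", tunnel_status(R135_STATUS, "vpn-10.147.52.102", "10.1.0.0/16", "10.2.0.0/16"))
    print("r-136-QA:", tunnel_status(R136_STATUS, "vpn-10.147.46.108", "10.2.0.0/16", "10.1.0.0/16"))
    print("SPIs agree on both ends:",
          spis_match(R135_STATUS, "vpn-10.147.52.102", R136_STATUS, "vpn-10.147.46.108"))
```

Checking the traffic selectors, not just the presence of an SA, is what distinguishes a tunnel that carries the intended VPC CIDRs from one that came up with a narrower or wrong selector; the SPI cross-check (c636a5c6/cd256516 inbound on one VR, outbound on the other) confirms both routers are talking about the same ESP SAs.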
