[Swan] Libreswan on RHEL 7.4 as a VPN hub in an AWS TransitVPC

James Macomber macombej at macomber.biz
Wed Nov 22 19:54:04 UTC 2017


Hi,

I am trying to set up a transit VPC in AWS to connect my customer.  I am
building a RHEL7.4/Libreswan VPN system to create a VPN to my customer and
then VPNs to other AWS regions.  The RHEL instance would also be used to
handle VPC peer connectivity from the transit VPC to the other VPCs in the
region (US East 1 at this point).

The endpoint for my customer is a Cisco 5525 ASA.  We are attempting to
implement a PSK IPsec VPN.  It is giving us fits.  Unfortunately, neither I
nor my customer's network person has ever implemented this configuration.  I
am trying to see if anyone can vet my work and make sure I am not missing
anything obvious.

Current secret file:

include /etc/ipsec.d/*.secrets
X.X.63.50 X.X.10.4 : PSK "<PSK hidden>"

Current ipsec config file:

config setup
    protostack=netkey

# subnet conn: inherits the peer settings from aws-customer via also=
conn aws-customersubnet
    also=aws-customer
    leftsubnet=X.X.0.0/14
    rightsubnet=X.X.0.0/15

conn aws-customer
    remote_peer_type=cisco
    ike=aes128-sha;modp1536
    esp=aes128-sha;modp1536
    # phase2alg=aes128-sha;modp1536
    encapsulation=yes
    leftid=aws
    # left=X.X.63.50
    left=X.X.254.42
    rightid=customer
    right=X.X.10.4
    authby=secret
    auto=add
    # use auto=start when done testing the tunnel

ipsec verify shows some red elements in its return, but it is unclear if
that would prevent the connections or are just recommended for security or
some other reason.

[root at ip-X-X-254-42 ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.20 (netkey) on 3.10.0-693.5.2.el7.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects                  [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Two or more interfaces found, checking IP forwarding    [FAILED]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]

ipsec verify: encountered 11 errors - see 'man ipsec_verify' for help


When I "up" the connection, I get the following in a loop.

I expect to see something similar to:

104 "mytunnel" #1: STATE_MAIN_I1: initiate
003 "mytunnel" #1: received Vendor ID payload [Dead Peer Detection]
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
106 "mytunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "mytunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "mytunnel" #1: received Vendor ID payload [CAN-IKEv2]
004 "mytunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP2048}
117 "mytunnel" #2: STATE_QUICK_I1: initiate
004 "mytunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}

But am seeing:

002 "aws-customersubnet" #370: initiating Main Mode
104 "aws-customersubnet" #370: STATE_MAIN_I1: initiate
002 "aws-customersubnet" #370: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "aws-customersubnet" #370: STATE_MAIN_I2: sent MI2, expecting MR2
003 "aws-customersubnet" #370: ignoring unknown Vendor ID payload [aa53590b1da04b22f0ceb9c7bae1cd1e]
002 "aws-customersubnet" #370: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "aws-customersubnet" #370: STATE_MAIN_I3: sent MI3, expecting MR3
002 "aws-customersubnet" #370: Main mode peer ID is ID_IPV4_ADDR: 'X.X.10.4'
002 "aws-customersubnet" #370: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "aws-customersubnet" #370: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP1536}
002 "aws-customersubnet" #371: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#370 msgid:b8b4cd3e proposal=AES(12)_128-SHA1(2) pfsgroup=MODP1536}
117 "aws-customersubnet" #371: STATE_QUICK_I1: initiate
002 "aws-customersubnet" #372: initiating Main Mode
104 "aws-customersubnet" #372: STATE_MAIN_I1: initiate
002 "aws-customersubnet" #371: deleting state (STATE_QUICK_I1)
002 "aws-customersubnet" #372: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2

The last 3 lines are the IPSEC service terminating the setup and starting
over.  This repeats until I down the VPN connection.
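The red items in the ipsec verify output above (send_redirects, accept_redirects, IP forwarding, rp_filter) all map to kernel sysctls. What follows is an added example, not code from the post or from the Libreswan project: a POSIX sh snippet that emits a sysctl drop-in with the values ipsec verify asks for, plus a read-only check over the /proc/sys tree that lists every interface still carrying the old value. The drop-in file name and the optional base-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the RHEL 7 /proc/sys
# layout used by Libreswan 3.x; the drop-in path below is an assumption.

# Print the sysctl drop-in content. Save it as /etc/sysctl.d/50-libreswan.conf
# and run 'sysctl --system' to apply; 'ipsec verify' should then show [OK].
libreswan_sysctl_conf() {
    cat <<'EOF'
# Kernel settings flagged by 'ipsec verify' (Libreswan, NETKEY/XFRM stack)
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
EOF
}

# Walk $1/net/ipv4/conf/* (default /proc/sys) and print
# "<iface> <key> <current> <expected>" for each value that is still wrong,
# then "ip_forward <current> 1" if forwarding is off. Returns 0 only when
# everything matches what ipsec verify wants; 1 otherwise.
ipsec_sysctl_check() {
    base="${1:-/proc/sys}"
    rc=0
    for dir in "$base"/net/ipv4/conf/*; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        for key in send_redirects accept_redirects rp_filter; do
            [ -r "$dir/$key" ] || continue
            cur=$(cat "$dir/$key")
            if [ "$cur" != "0" ]; then
                echo "$iface $key $cur 0"
                rc=1
            fi
        done
    done
    if [ -r "$base/net/ipv4/ip_forward" ]; then
        fwd=$(cat "$base/net/ipv4/ip_forward")
        if [ "$fwd" != "1" ]; then
            echo "ip_forward $fwd 1"
            rc=1
        fi
    fi
    return $rc
}
```

Run `ipsec_sysctl_check` with no argument on the VPN instance to see exactly which interfaces ipsec verify is complaining about; the loop also catches interfaces created later (such as ip_vti0) that a one-off `sysctl -w` on `all` and `default` would miss.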