Last active
December 24, 2015 19:59
-
-
Save johnalvero/6854362 to your computer and use it in GitHub Desktop.
Auto start/install Amavon VPC IPSec.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# | |
# Setup a VPC IPSEC connectivity | |
# Oct 5, 2013 | |
exec 2>&1 | |
error() { | |
echo "$@" >&2 | |
exit 1 | |
} | |
# Some basic checks | |
[ -z "$1" ] && error "Usage: $0 <generic-config-file-from-amazon.txt>" | |
[ -r "$1" ] || error "Could not read VPN config file $1." | |
[ "`id -u`" = 0 ] || error "You must be root to run this program." | |
# Install needed applications. Modify this line for CentOS. | |
apt-get install ipsec-tools racoon quagga | |
# Define user variables | |
# Amazon-side subnet | |
REMOTE_NET="10.10.20.0/24" | |
LOCAL_NET="192.168.0.0/24" | |
# Local WAN interface | |
WAN_INT="eth1" | |
SOFT_ROUTER_PASSWORD="testPassword" | |
# Extract IP / networks from generic amazon config file | |
T1_OIP_CG=$(cat $1 |grep -m 1 "\- Customer Gateway" | tail -1 | awk '{print $5}') | |
T1_OIP_PG=$(cat $1 |grep -m 1 "\- Virtual Private Gateway" | tail -1 | awk '{print $6}') | |
T1_IIP_CG=$(cat $1 |grep -m 2 "\- Customer Gateway" | tail -1 | awk '{print $5}') | |
T1_IIP_PG=$(cat $1 |grep -m 2 "\- Virtual Private Gateway" | tail -1 | awk '{print $6}') | |
T2_OIP_CG=$(cat $1 |grep -m 4 "\- Customer Gateway" | tail -1 | awk '{print $5}') | |
T2_OIP_PG=$(cat $1 |grep -m 3 "\- Virtual Private Gateway" | tail -1 | awk '{print $6}') | |
T2_IIP_CG=$(cat $1 |grep -m 5 "\- Customer Gateway" | tail -1 | awk '{print $5}') | |
T2_IIP_PG=$(cat $1 |grep -m 4 "\- Virtual Private Gateway" | tail -1 | awk '{print $6}') | |
T1_PSK=$(cat $1 | grep -m 1 "\- Pre-Shared Key" | tail -1 | awk '{print $5}') | |
T2_PSK=$(cat $1 | grep -m 2 "\- Pre-Shared Key" | tail -1 | awk '{print $5}') | |
T1_REMOTE_AS=$(cat $1 | grep -m 1 'Virtual Private Gateway ASN' | tail -1 | awk '{print $7}') | |
T2_REMOTE_AS=$(cat $1 | grep -m 2 'Virtual Private Gateway ASN' | tail -1 | awk '{print $7}') | |
T1_NEIGHBOR_IP=$(cat $1 | grep -m 1 "Neighbor IP Address" | tail -1 | awk '{print $6}') | |
T2_NEIGHBOR_IP=$(cat $1 | grep -m 2 "Neighbor IP Address" | tail -1 | awk '{print $6}') | |
CONNECTION_ID=$(cat $1 | grep 'Your VPN Connection ID' | awk '{print $6}') | |
# Check weather we got all the values | |
[ -z "$T1_OIP_CG" ] && error "Could not extract T1_OIP_CG from $1." | |
[ -z "$T1_OIP_PG" ] && error "Could not extract T1_OIP_PG from $1." | |
[ -z "$T1_IIP_CG" ] && error "Could not extract T1_IIP_CG from $1." | |
[ -z "$T1_IIP_PG" ] && error "Could not extract T1_IIP_PG from $1." | |
[ -z "$T2_OIP_CG" ] && error "Could not extract T2_OIP_CG from $1." | |
[ -z "$T2_OIP_PG" ] && error "Could not extract T2_OIP_PG from $1." | |
[ -z "$T2_IIP_CG" ] && error "Could not extract T2_IIP_CG from $1." | |
[ -z "$T2_IIP_PG" ] && error "Could not extract T2_IIP_PG from $1." | |
[ -z "$T1_PSK" ] && error "Could not extract T1_PSK from $1." | |
[ -z "$T2_PSK" ] && error "Could not extract T2_PSK from $1." | |
[ -z "$T1_REMOTE_AS" ] && error "Could not extract T1_REMOTE_AS from $1." | |
[ -z "$T2_REMOTE_AS" ] && error "Could not extract T2_REMOTE_AS from $1." | |
[ -z "$T1_NEIGHBOR_IP" ] && error "Could not extract T1_NEIGHBOR_IP from $1." | |
[ -z "$T2_NEIGHBOR_IP" ] && error "Could not extract T2_NEIGHBOR_IP from $1." | |
# Setkey config | |
cat << EOF > /etc/ipsec-tools.d/awsvpc.conf | |
flush; | |
spdflush; | |
spdadd $T1_IIP_CG $T1_IIP_PG any -P out ipsec | |
esp/tunnel/$T1_OIP_CG-$T1_OIP_PG/require; | |
spdadd $T1_IIP_PG $T1_IIP_CG any -P in ipsec | |
esp/tunnel/$T1_OIP_PG-$T1_OIP_CG/require; | |
spdadd $T2_IIP_CG $T2_IIP_PG any -P out ipsec | |
esp/tunnel/$T2_OIP_CG-$T2_OIP_PG/require; | |
spdadd $T2_IIP_PG $T2_IIP_CG any -P in ipsec | |
esp/tunnel/$T2_OIP_PG-$T2_OIP_CG/require; | |
spdadd $T1_IIP_CG $REMOTE_NET any -P out ipsec | |
esp/tunnel/$T1_OIP_CG-$T1_OIP_PG/require; | |
spdadd $REMOTE_NET $T1_IIP_CG any -P in ipsec | |
esp/tunnel/$T1_OIP_PG-$T1_OIP_CG/require; | |
spdadd $T2_IIP_CG $REMOTE_NET any -P out ipsec | |
esp/tunnel/$T2_OIP_CG-$T2_OIP_PG/require; | |
spdadd $REMOTE_NET $T2_IIP_CG any -P in ipsec | |
esp/tunnel/$T2_OIP_PG-$T2_OIP_CG/require; | |
# Needed for adding a private interface. Should only use 1 tunnel | |
# See https://forums.aws.amazon.com/thread.jspa?messageID=235268𹜄 | |
spdadd 0.0.0.0/0 $REMOTE_NET any -P out ipsec | |
esp/tunnel/$T1_OIP_CG-$T1_OIP_PG/require; | |
spdadd $REMOTE_NET 0.0.0.0/0 any -P in ipsec | |
esp/tunnel/$T1_OIP_PG-$T1_OIP_CG/require; | |
EOF | |
# Pre-shared key file | |
cat << EOF > /etc/racoon/$CONNECTION_ID.txt | |
# VPC IPSEC | |
$T1_OIP_PG $T1_PSK | |
$T2_OIP_PG $T2_PSK | |
EOF | |
# Racoon | |
cat << EOF > /etc/racoon/racoon.conf | |
# VPC IPSEC | |
log notify; | |
path pre_shared_key "/etc/racoon/$CONNECTION_ID.txt"; | |
remote $T2_OIP_PG { | |
exchange_mode main; | |
lifetime time 28800 seconds; | |
proposal { | |
encryption_algorithm aes128; | |
hash_algorithm sha1; | |
authentication_method pre_shared_key; | |
dh_group 2; | |
} | |
generate_policy off; | |
# my_identifier address $T2_OIP_CG; | |
# peers_identifier address $T2_OIP_PG; | |
} | |
remote $T1_OIP_PG { | |
exchange_mode main; | |
lifetime time 28800 seconds; | |
proposal { | |
encryption_algorithm aes128; | |
hash_algorithm sha1; | |
authentication_method pre_shared_key; | |
dh_group 2; | |
} | |
generate_policy off; | |
# my_identifier address $T1_OIP_CG; | |
# peers_identifier address $T1_OIP_PG; | |
} | |
sainfo address $T1_IIP_CG any address $T1_IIP_PG any { | |
pfs_group 2; | |
lifetime time 3600 seconds; | |
encryption_algorithm aes128; | |
authentication_algorithm hmac_sha1; | |
compression_algorithm deflate; | |
} | |
sainfo address $T2_IIP_CG any address $T2_IIP_PG any { | |
pfs_group 2; | |
lifetime time 3600 seconds; | |
encryption_algorithm aes128; | |
authentication_algorithm hmac_sha1; | |
compression_algorithm deflate; | |
} | |
EOF | |
# IP Alias for tunnel. Everything sent through this tunnel will be encrypted | |
ip a a $T1_IIP_CG dev $WAN_INT | |
ip a a $T2_IIP_CG dev $WAN_INT | |
# Enable zebra and bgpd | |
sed -i 's/zebra\=no/zebra=yes/' /etc/quagga/daemons | |
sed -i 's/bgpd\=no/bgpd=yes/' /etc/quagga/daemons | |
# bgpd config | |
cat << EOF > /etc/quagga/bgpd.conf | |
hostname ec2-vpn | |
password $SOFT_ROUTER_PASSWORD | |
enable password $SOFT_ROUTER_PASSWORD | |
! | |
log file /var/log/quagga/bgpd | |
!debug bgp events | |
!debug bgp zebra | |
debug bgp updates | |
! | |
router bgp 65000 | |
bgp router-id $T1_OIP_CG | |
network $T1_IIP_CG | |
network $T2_IIP_CG | |
!network 0.0.0.0/0 | |
! | |
! aws tunnel #1 neighbour | |
neighbor $T1_NEIGHBOR_IP remote-as $T1_REMOTE_AS | |
! | |
! aws tunnel #2 neighbour | |
neighbor $T2_NEIGHBOR_IP remote-as $T2_REMOTE_AS | |
! | |
line vty | |
EOF | |
# zebra config | |
cat << EOF > /etc/quagga/zebra.conf | |
hostname ec2-vpn | |
password $SOFT_ROUTER_PASSWORD | |
enable password $SOFT_ROUTER_PASSWORD | |
! | |
! list interfaces | |
interface $WAN_INT | |
interface lo | |
! | |
line vty | |
EOF | |
# start the services | |
service racoon restart | |
service setkey restart | |
service quagga restart | |
echo "You may now ping the following tunnel IPs $T1_IIP_PG and $T2_IIP_PG." | |
# IPTables Script, only needed when doing two interfaces / private. | |
#iptables -t nat -A POSTROUTING -s $REMOTE_NET -d $REMOTE_NET -j ACCEPT | |
#iptables -t nat -A POSTROUTING -s $REMOTE_NET -d $LOCAL_NET -j ACCEPT | |
#iptables -t nat -A POSTROUTING -s $REMOTE_NET -d $T1_IIP_CG -j ACCEPT | |
#iptables -t nat -A POSTROUTING -s $REMOTE_NET -d $T2_IIP_CG -j ACCEPT | |
#iptables -t nat -A POSTROUTING -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT | |
#iptables -t nat -A POSTROUTING -s $LOCAL_NET -d $LOCAL_NET -j ACCEPT | |
#iptables -t nat -A POSTROUTING -s $LOCAL_NET -d $T1_IIP_CG -j ACCEPT | |
#iptables -t nat -A POSTROUTING -s $LOCAL_NET -d $T2_IIP_CG -j ACCEPT | |
#iptables -t nat -A POSTROUTING -s $T1_IIP_CG -d $REMOTE_NET -j ACCEPT | |
#iptables -t nat -A POSTROUTING -s $T1_IIP_CG -d $LOCAL_NET -j ACCEPT | |
#iptables -t nat -A POSTROUTING -s $T1_IIP_CG -d $T1_IIP_CG -j ACCEPT | |
#iptables -t nat -A POSTROUTING -s $T1_IIP_CG -d $T2_IIP_CG -j ACCEPT | |
#iptables -t nat -A POSTROUTING -s $T2_IIP_CG -d $REMOTE_NET -j ACCEPT | |
#iptables -t nat -A POSTROUTING -s $T2_IIP_CG -d $LOCAL_NET -j ACCEPT | |
#iptables -t nat -A POSTROUTING -s $T2_IIP_CG -d $T1_IIP_CG -j ACCEPT | |
#iptables -t nat -A POSTROUTING -s $T2_IIP_CG -d $T2_IIP_CG -j ACCEPT | |
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE | |
#iptables -t filter -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT | |
#iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
#iptables -t filter -A INPUT -s $LOCAL_NET -j ACCEPT | |
#iptables -t filter -A INPUT -s 125.60.148.242/32 -j ACCEPT | |
##iptables -t filter -A INPUT -s $LOCAL_NET -j LOG | |
##iptables -t filter -A INPUT -j DROP | |
#iptables -t filter -A INPUT -s $REMOTE_NET -j ACCEPT | |
#iptables -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT | |
#iptables -t filter -A FORWARD -s $REMOTE_NET -j ACCEPT | |
#iptables -t filter -A FORWARD -s $LOCAL_NET -j ACCEPT | |
#iptables -t filter -A FORWARD -s $T1_IIP_CG -j ACCEPT | |
#iptables -t filter -A FORWARD -s $T2_IIP_CG -j ACCEPT | |
#iptables -t filter -A FORWARD -s $T1_OIP_CG/32 -j ACCEPT | |
##iptables -t filter -A FORWARD -j LOG | |
##iptables -t filter -A FORWARD -j DROP | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment