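#!/bin/sh
#
# Install OpenSwan and write ipsec.conf / ipsec.secrets for an IPsec VPN
# between this host (the Customer Gateway) and an Amazon VPC.
#
# Works with RHEL, CentOS, Ubuntu and Linux Mint. The flavour is detected
# with "lsb_release -si"; when it cannot be determined, ipsec.{conf,secrets}
# are still written and openswan has to be installed manually with your
# favourite package manager.
#
# Must run as root: it writes under /etc and /proc/sys and changes iptables.
# Both this file and /etc/ipsec.secrets hold the pre-shared keys, so keep
# them readable by root only.
#
# Learn more about setting up a VPC VPN and the different options available at:
# http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpn-connections.html

set -eu

#------------------ START OF CUSTOMIZATION ---------------- #
# Customer Gateway (on premise) IP address
cgw="XXX.XXX.XXX.XXX"
# Customer Gateway (on premise) network mask (CIDR format)
cgw_net="XXX.XXX.XXX.XXX/XX"
# VPC network mask (CIDR format)
vpc_net="XXX.XXX.XXX.XXX/XX"
# First Virtual Gateway / PSK (from the configuration file you downloaded)
vgw1="XXX.XXX.XXX.XXX"
psk_vgw1="psk 1 from file you have downloaded"
# Second Virtual Gateway / PSK
vgw2="XXX.XXX.XXX.XXX"
psk_vgw2="psk 2 from file you have downloaded"
#------------------- END OF CUSTOMIZATION ----------------- #

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Refuse to run while the XXX placeholders are still in place; otherwise the
# script would write an unusable ipsec.conf and a bogus MASQUERADE rule.
case "$cgw $cgw_net $vpc_net $vgw1 $vgw2" in
  *XXX*) die "Edit the CUSTOMIZATION block first: addresses still contain XXX placeholders" ;;
esac
case "$psk_vgw1 $psk_vgw2" in
  *"from file you have downloaded"*) die "Edit the CUSTOMIZATION block first: PSKs are still placeholders" ;;
esac

[ "$(id -u)" -eq 0 ] || die "This script must run as root"

# Emit one "conn" stanza of ipsec.conf on stdout.
# Arguments: $1 - connection name, $2 - virtual gateway (peer) address
# Globals:   cgw, cgw_net, vpc_net (read)
# Parameters inside a section must be indented, hence the leading spaces.
write_conn() {
  cat << EOF
conn $1
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=$cgw
    leftnexthop=%defaultroute
    leftsubnet=$cgw_net
    right=$2
    rightsubnet=$vpc_net
    phase2=esp
    phase2alg=aes128-sha1
    ike=aes128-sha1
    ikelifetime=28800s
    salifetime=3600s
    pfs=yes
    auto=start
    rekey=yes
    keyingtries=%forever
    dpddelay=10
    dpdtimeout=60
    dpdaction=restart_by_peer
EOF
}

echo "Begin Setting up OpenSwan"

# Disable ICMP redirects on every interface for the running kernel.
for vpn in /proc/sys/net/ipv4/conf/*; do
  echo 0 > "$vpn/accept_redirects"
  echo 0 > "$vpn/send_redirects"
done

# Persist the same settings plus IP forwarding. The marker line keeps a
# re-run from appending the block a second time.
if ! grep -q '^# openswan-vpc-vpn' /etc/sysctl.conf 2>/dev/null; then
  cat << EOF >> /etc/sysctl.conf
# openswan-vpc-vpn
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
fi
# sysctl.conf is only read at boot; turn forwarding on for this session too,
# otherwise the tunnel carries no transit traffic until the next reboot.
sysctl -w net.ipv4.ip_forward=1 > /dev/null

iptables -t nat -A POSTROUTING -s "$vpc_net" -j MASQUERADE

# lsb_release may be absent; fall through to the manual-install branch.
os=$(lsb_release -si 2>/dev/null) || os=unknown
case "$os" in
  LinuxMint)
    apt-get -qq -y install openswan iptables-persistent
    ;;
  Ubuntu)
    apt-get -qq -y install openswan
    ;;
  RedHat|CentOS)
    yum -y install openswan
    ;;
  *)
    echo "Not adequately able to determine the operating system type. However, ipsec.conf and ipsec.secrets will be written"
    ;;
esac
sleep 3

{
  cat << EOF
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=netkey

EOF
  write_conn pdx-gw-1 "$vgw1"
  write_conn pdx-gw-2 "$vgw2"
} > /etc/ipsec.conf
sleep 3

# ipsec.secrets holds the PSKs: create it root-only rather than with the
# default umask, and fix the mode if the file already existed.
umask 077
cat << EOF > /etc/ipsec.secrets
$cgw $vgw1 : PSK "$psk_vgw1"
$cgw $vgw2 : PSK "$psk_vgw2"
EOF
chmod 600 /etc/ipsec.secrets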