@tedb
Created February 17, 2012 23:53
Configuration files for connecting Fedora Linux to Amazon Virtual Private Cloud
=====
This Gist contains the config files that I have used to successfully connect Fedora 15 (as the "Customer Gateway" in AWS terms) to Amazon's Virtual Private Cloud VPN. These files were pulled from a working environment but I have obfuscated the public IP addresses involved. I have found IPsec to be one of the more complicated technologies to get running successfully, as there are a lot of moving parts and subtle configuration settings involved. I post this here in the hope it might be of some help to others.
I received a lot of help from this blog post: http://openfoo.org/blog/amazon_vpc_with_linux.html . Besides IPsec, VPC requires BGP; I used basically the same config files shown there. They use Ubuntu and I am running Fedora, but the upstream software packages are the same. The post calls for installing a couple of Ubuntu packages; the equivalent on Fedora 15 is:

```
yum install quagga ipsec-tools
```
You can read about the IPsec tools used here (setkey and racoon) at http://ipsec-tools.sourceforge.net/ .
Note: all config lines here regarding IPv6 are irrelevant to VPC. Independently of VPC, I already had IPv6 IPsec transport mode set up between two Linux servers, and I have included that config here to demonstrate it.
Relevant IP's (IPv4 and IPv6):

- 2600::1 -- Linux server A's (not real) public IPv6 address. Used as an IPsec transport mode (i.e., non-tunneled) endpoint.
- 2001::2 -- Linux server B (the IPsec endpoint that 2600::1 talks to).
- 96.0.0.1 -- Linux server A's (not real) public IPv4 address. For Amazon VPC, this is the IP of the "customer gateway" as configured at Amazon. This IP appears in the header of the "outer" IP packet for tunnel traffic.
- 72.0.0.2 and 72.0.0.3 -- Amazon's two public IP's for their VPN tunnel endpoints. Note that VPC actually uses two IPsec tunnels simultaneously (see the Amazon VPC docs for details). The "first tunnel" terminates on .2; the "second tunnel" terminates on .3.
- 169.254.255.2 -- Linux server A's private, tunnel-only IP for the first tunnel (public peer is 72.0.0.2). This IP is configured as an "alias" on interface eth0, where 96.0.0.1 is the primary address.
- 169.254.255.6 -- Linux server A's private, tunnel-only IP for the second tunnel (public peer is 72.0.0.3). Also configured as an alias on eth0, alongside the primary address 96.0.0.1.
- 169.254.255.1 -- Amazon VPN gateway's private, tunnel-only IP for the first tunnel.
- 169.254.255.5 -- Amazon VPN gateway's private, tunnel-only IP for the second tunnel.
- 10.0.0.0/24 -- The IP network address for the VPC instance. All EC2 instances are within this network.
Files:

- /etc/setkey.conf (here, _etc_setkey.conf) -- contains the config settings that tell the Linux kernel which IP traffic to tunnel and how to encapsulate it. To load these settings into the kernel, make this file executable (chmod a+x /etc/setkey.conf) and then execute it; alternately, run "setkey -f /etc/setkey.conf", which has exactly the same outcome. "setkey" is a tool to manipulate and dump the Linux kernel's Security Policy Database (SPD) and Security Association Database (SAD).
- /etc/psk.conf -- contains the pre-shared keys, i.e., "passwords", for each peer that we communicate with. Note that racoon.conf below looks for this file at /etc/racoon/psk.txt (the "path pre_shared_key" directive), so the file has to live there or the path has to be changed to match. Racoon also refuses to use a pre-shared key file that is readable by group or other, so keep it mode 0600.
- /etc/racoon.conf -- config file for Racoon, an Internet Key Exchange (IKE) daemon for automatically keying IPsec connections.
Pre-shared key file (/etc/psk.conf in the list above; racoon.conf reads it from /etc/racoon/psk.txt):

```
# file for pre-shared keys used for IKE authentication
# format is: 'identifier' 'key'
# For example:
#
# 10.1.1.1 flibbertigibbet
# www.example.com 12345
# foo@www.example.com micropachycephalosaurus
2600::1 abcdef01234567890abcdef012345678
2001::2 abcdef01234567890abcdef012345678
72.0.0.2 5678abcdef01234567890abcdef01234
72.0.0.3 678abcdef01234567890abcdef012345
```
/etc/racoon.conf:

```
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

# Addresses racoon listens on for ISAKMP (IKE) traffic: the IPv6 transport
# mode endpoint and the IPv4 customer gateway address.
listen {
    isakmp 2600::1;
    isakmp 96.0.0.1;
}

# START Connection to other Linux server
# Phase 1 (IKE SA) with the other Linux server. 3DES/MD5 are legacy choices
# kept from the original setup; the AES/SHA-1 proposals used for VPC below
# are the stronger ones.
remote 2001::2 {
    exchange_mode main;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
# Phase 2 (IPsec SA) parameters, one sainfo per direction.
sainfo address 2600::1 any address 2001::2 any {
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
sainfo address 2001::2 any address 2600::1 any {
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
# END Connection to other Linux server

# START Amazon VPC demo
# Phase 1 with each of Amazon's two tunnel endpoints. generate_policy off
# means racoon does not create SPD entries itself; they come from setkey.conf.
remote 72.0.0.2 {
    exchange_mode main;
    lifetime time 28800 seconds;
    proposal {
        encryption_algorithm aes128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
    generate_policy off;
}
remote 72.0.0.3 {
    exchange_mode main;
    lifetime time 28800 seconds;
    proposal {
        encryption_algorithm aes128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
    generate_policy off;
}
# Phase 2 for each tunnel's 169.254.255.x link. pfs_group 2 requests a fresh
# Diffie-Hellman exchange per phase 2 (perfect forward secrecy).
sainfo address 169.254.255.2/30 any address 169.254.255.1/30 any {
    pfs_group 2;
    lifetime time 3600 seconds;
    encryption_algorithm aes128;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
sainfo address 169.254.255.6/30 any address 169.254.255.5/30 any {
    pfs_group 2;
    lifetime time 3600 seconds;
    encryption_algorithm aes128;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
# END Amazon VPC demo
```
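As an added example (not part of the gist), here is a small Python audit of a racoon.conf against the pre-shared key file it names. It walks the top-level remote and sainfo blocks with a brace-aware scanner and reports peers that authenticate with pre_shared_key but have no key entry, a single key shared by several peers (as 2600::1 and 2001::2 are above), legacy 3DES/MD5 proposals, and phase-2 sainfo blocks with no pfs_group. The embedded configuration is an abbreviated copy of the files above with the gist's obfuscated values; LEGACY_ALGORITHMS and all function names are my own assumptions, not racoon's.

```python
"""Audit racoon.conf and its pre-shared key file (added example, not the gist's code)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: abbreviated copy of the racoon.conf and PSK file above
# (one IPv6 peer, one VPC peer, one sainfo of each kind). Keys and addresses
# are the gist's obfuscated values.
SAMPLE_RACOON_CONF = """
path pre_shared_key "/etc/racoon/psk.txt";
listen { isakmp 2600::1; isakmp 96.0.0.1; }
# other Linux server, IPv6 transport mode
remote 2001::2 {
    exchange_mode main; lifetime time 24 hour;
    proposal { encryption_algorithm 3des; hash_algorithm md5;
               authentication_method pre_shared_key; dh_group 2; }
}
sainfo address 2600::1 any address 2001::2 any {
    lifetime time 1 hour; encryption_algorithm 3des;
    authentication_algorithm hmac_md5; compression_algorithm deflate;
}
# Amazon VPC, first tunnel
remote 72.0.0.2 {
    exchange_mode main; lifetime time 28800 seconds;
    proposal { encryption_algorithm aes128; hash_algorithm sha1;
               authentication_method pre_shared_key; dh_group 2; }
    generate_policy off;
}
sainfo address 169.254.255.2/30 any address 169.254.255.1/30 any {
    pfs_group 2; lifetime time 3600 seconds; encryption_algorithm aes128;
    authentication_algorithm hmac_sha1; compression_algorithm deflate;
}
"""
SAMPLE_PSK = """
# identifier key
2600::1  abcdef01234567890abcdef012345678
2001::2  abcdef01234567890abcdef012345678
72.0.0.2 5678abcdef01234567890abcdef01234
72.0.0.3 678abcdef01234567890abcdef012345
"""

# Assumed policy: proposal algorithms treated as legacy by this audit.
LEGACY_ALGORITHMS = {"des", "3des", "md5", "hmac_md5"}


def strip_comments(text: str) -> str:
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def top_level_blocks(conf: str) -> List[Tuple[str, str, str]]:
    """Return (keyword, identifier, body) for each top-level 'keyword identifier { ... }'."""
    text = strip_comments(conf)
    blocks, pos = [], 0
    while True:
        start = text.find("{", pos)
        if start < 0:
            return blocks
        # The block header is whatever follows the last ';' before this brace.
        header = text[pos:start].rsplit(";", 1)[-1].split()
        depth = 0
        for end in range(start, len(text)):
            depth += {"{": 1, "}": -1}.get(text[end], 0)
            if depth == 0:  # matching close brace found (nested blocks handled)
                break
        else:
            raise ValueError("unbalanced braces in racoon.conf")
        blocks.append((header[0], " ".join(header[1:]), text[start + 1:end]))
        pos = end + 1


def parse_psk(text: str) -> Dict[str, str]:
    """psk.txt format: identifier, whitespace, key; '#' starts a comment."""
    keys = {}
    for line in strip_comments(text).splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            keys[parts[0]] = parts[1].strip()
    return keys


def psk_path(conf: str) -> Optional[str]:
    """The key file racoon will actually read (path pre_shared_key "...")."""
    m = re.search(r'path\s+pre_shared_key\s+"([^"]+)"\s*;', strip_comments(conf))
    return m.group(1) if m else None


def audit(racoon_conf: str, psk_text: str) -> List[str]:
    findings = []
    psk = parse_psk(psk_text)
    peers_by_key: Dict[str, List[str]] = {}
    for ident, key in psk.items():
        peers_by_key.setdefault(key, []).append(ident)
    for peers in peers_by_key.values():
        if len(peers) > 1:
            findings.append("pre-shared key reused by peers " + ", ".join(sorted(peers)))
    for keyword, ident, body in top_level_blocks(racoon_conf):
        if keyword == "remote":
            algs = set(re.findall(r"\b(?:encryption_algorithm|hash_algorithm)\s+(\w+)\s*;", body))
            findings += [f"remote {ident}: legacy phase-1 algorithm {a}" for a in sorted(algs & LEGACY_ALGORITHMS)]
            if re.search(r"\bauthentication_method\s+pre_shared_key\s*;", body) and ident not in psk:
                findings.append(f"remote {ident}: pre_shared_key authentication but no entry in the key file")
        elif keyword == "sainfo":
            algs = set(re.findall(r"\b(?:encryption_algorithm|authentication_algorithm)\s+(\w+)\s*;", body))
            findings += [f"sainfo {ident}: legacy phase-2 algorithm {a}" for a in sorted(algs & LEGACY_ALGORITHMS)]
            if not re.search(r"\bpfs_group\s+\d+\s*;", body):
                findings.append(f"sainfo {ident}: no pfs_group, so phase 2 lacks perfect forward secrecy")
    return findings


if __name__ == "__main__":
    print("key file racoon reads:", psk_path(SAMPLE_RACOON_CONF))
    for finding in audit(SAMPLE_RACOON_CONF, SAMPLE_PSK):
        print(finding)
```

To run it against a real host, read the two files named by psk_path() and pass their contents to audit(); the permission check racoon performs on the key file (it must not be group- or other-readable) is left to the operator, since it depends on the live filesystem rather than the config text.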
/etc/setkey.conf (_etc_setkey.conf):

```
#!/sbin/setkey -f
# Clear the SAD and SPD before loading so stale entries do not linger.
flush;
spdflush;

# IPv6 transport mode between the two Linux servers (not VPC-related): ESP plus AH.
spdadd 2600::1 2001::2 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 2001::2 2600::1 any -P in ipsec esp/transport//require ah/transport//require;

# Amazon VPC, first tunnel: inner 169.254.255.x link, outer 96.0.0.1 <-> 72.0.0.2.
spdadd 169.254.255.2/30 169.254.255.1/30 any -P out ipsec esp/tunnel/96.0.0.1-72.0.0.2/require;
spdadd 169.254.255.1/30 169.254.255.2/30 any -P in ipsec esp/tunnel/72.0.0.2-96.0.0.1/require;
# Second tunnel: outer 96.0.0.1 <-> 72.0.0.3.
spdadd 169.254.255.6/30 169.254.255.5/30 any -P out ipsec esp/tunnel/96.0.0.1-72.0.0.3/require;
spdadd 169.254.255.5/30 169.254.255.6/30 any -P in ipsec esp/tunnel/72.0.0.3-96.0.0.1/require;

# Traffic between the tunnel-only addresses and the VPC network, via each tunnel.
# (The description above gives the VPC network as 10.0.0.0/24; these policies use the wider /16.)
spdadd 169.254.255.2/30 10.0.0.0/16 any -P out ipsec esp/tunnel/96.0.0.1-72.0.0.2/require;
spdadd 10.0.0.0/16 169.254.255.2/30 any -P in ipsec esp/tunnel/72.0.0.2-96.0.0.1/require;
spdadd 169.254.255.6/30 10.0.0.0/16 any -P out ipsec esp/tunnel/96.0.0.1-72.0.0.3/require;
spdadd 10.0.0.0/16 169.254.255.6/30 any -P in ipsec esp/tunnel/72.0.0.3-96.0.0.1/require;

# Catch-all for any other source talking to the VPC network. Note that the tunnel
# endpoints in these two entries are written in the opposite order from every other
# out/in pair above (the "out" entry names 72.0.0.3, not 96.0.0.1, as the outer source).
# Left as in the original; verify the loaded SPD with "setkey -DP" before relying on them.
spdadd 0.0.0.0/0 10.0.0.0/16 any -P out ipsec esp/tunnel/72.0.0.3-96.0.0.1/require;
spdadd 10.0.0.0/16 0.0.0.0/0 any -P in ipsec esp/tunnel/96.0.0.1-72.0.0.3/require;
```
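As an added example (not the gist's code), a small Python consistency check for a setkey.conf like the one above. It joins statements wrapped across lines (setkey terminates them at ';'), parses each spdadd policy, and reports (a) any out policy without a mirrored in policy, i.e. selector and tunnel endpoints swapped, or vice versa, and (b) any tunnel policy whose local endpoint is not one of the gateway's own addresses, which is exactly what is unusual about the two catch-all entries above. The embedded sample is a subset of the policies above with the gist's obfuscated addresses; LOCAL_ADDRESSES and the function names are my own assumptions.

```python
"""Consistency check for setkey(8) spdadd policies (added example, not the gist's code)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: a subset of the policies from the setkey.conf above,
# copied here so the check runs stand-alone. Addresses are the gist's obfuscated ones.
SAMPLE_SETKEY_CONF = """
#!/sbin/setkey -f
flush;
spdflush;
spdadd 2600::1 2001::2 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 2001::2 2600::1 any -P in ipsec esp/transport//require ah/transport//require;
spdadd 169.254.255.2/30 169.254.255.1/30 any -P out ipsec
    esp/tunnel/96.0.0.1-72.0.0.2/require;
spdadd 169.254.255.1/30 169.254.255.2/30 any -P in ipsec
    esp/tunnel/72.0.0.2-96.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/16 any -P out ipsec
    esp/tunnel/72.0.0.3-96.0.0.1/require;
spdadd 10.0.0.0/16 0.0.0.0/0 any -P in ipsec
    esp/tunnel/96.0.0.1-72.0.0.3/require;
"""
# Assumed: the gateway's own addresses (customer gateway IPv4 and the IPv6 endpoint).
LOCAL_ADDRESSES = {"96.0.0.1", "2600::1"}


@dataclass(frozen=True)
class Rule:
    proto: str                            # esp or ah
    mode: str                             # transport or tunnel
    endpoints: Optional[Tuple[str, str]]  # (outer src, outer dst) in tunnel mode
    level: str                            # require, use or default


@dataclass(frozen=True)
class Policy:
    src: str        # selector source (address or prefix)
    dst: str        # selector destination
    upper: str      # upper-layer protocol selector, e.g. "any"
    direction: str  # in or out
    rules: Tuple[Rule, ...]


def parse_rule(text: str) -> Rule:
    """Parse 'proto/mode/[src-dst]/level', e.g. esp/tunnel/96.0.0.1-72.0.0.2/require."""
    proto, mode, eps, level = text.split("/")
    endpoints = None
    if eps:
        src, dst = eps.split("-")  # IPv6 literals contain no '-', so this split is safe
        endpoints = (src, dst)
    return Rule(proto, mode, endpoints, level)


def parse_setkey(conf: str) -> List[Policy]:
    """Extract spdadd policies; statements end at ';' so line wrapping is irrelevant."""
    body = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    policies = []
    for stmt in body.split(";"):
        tok = stmt.split()
        if not tok or tok[0] != "spdadd":
            continue
        # spdadd SRC DST UPPER -P DIR ipsec RULE [RULE ...]
        if len(tok) < 8 or tok[4] != "-P" or tok[6] != "ipsec":
            raise ValueError("unsupported spdadd form: " + " ".join(tok))
        rules = tuple(parse_rule(r) for r in tok[7:])
        policies.append(Policy(tok[1], tok[2], tok[3], tok[5], rules))
    return policies


def mirror_of(p: Policy) -> Policy:
    """The entry the opposite direction must carry: selector and tunnel endpoints swapped."""
    flipped = tuple(
        Rule(r.proto, r.mode, (r.endpoints[1], r.endpoints[0]) if r.endpoints else None, r.level)
        for r in p.rules
    )
    return Policy(p.dst, p.src, p.upper, "in" if p.direction == "out" else "out", flipped)


def check_policies(policies: List[Policy], local: Set[str]) -> List[str]:
    findings = []
    present = set(policies)
    for p in policies:
        other = "in" if p.direction == "out" else "out"
        if mirror_of(p) not in present:
            findings.append(f"{p.direction} {p.src} -> {p.dst}: no matching {other} policy")
        for r in p.rules:
            if r.endpoints is None:
                continue
            # Outbound tunnels must originate from, and inbound tunnels end at, a local address.
            ours = r.endpoints[0] if p.direction == "out" else r.endpoints[1]
            if ours not in local:
                findings.append(f"{p.direction} {p.src} -> {p.dst}: tunnel endpoint {ours} is not a local address")
    return findings


def audit_setkey(conf: str, local: Set[str] = frozenset(LOCAL_ADDRESSES)) -> List[str]:
    return check_policies(parse_setkey(conf), set(local))


if __name__ == "__main__":
    for finding in audit_setkey(SAMPLE_SETKEY_CONF) or ["no findings"]:
        print(finding)
```

On the sample, the only findings are the two catch-all entries, both flagged because 72.0.0.3 rather than 96.0.0.1 is the tunnel endpoint on the local side; drop one entry of a pair and the mirror check reports the orphan as well. Run it on the real file with audit_setkey(open("/etc/setkey.conf").read(), {your gateway addresses}).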