  1. #1 Untangler

     Amazon VPC IPSec

    Hi guys,

    Has anyone successfully connected Untangle IPSec to Amazon IPSec? If so, do you have any pointers?

    Thanks
    Petter

  2. #2 Untangle Ninja WebFooL

    Hi Petterolsson,

    You have some samples in the wiki
    http://wiki.untangle.com/index.php/IPsec_VPN
    None of them are for Amazon IPsec but they might help you anyway.

  3. #3 Untangler

    Hi guys,

    I decided to try this again, since otherwise I will have to replace the Untangle with either Juniper or Cisco.

    It is very clear that you cannot get this working with the simple GUI that Untangle provides, as it simply does not provide the options needed. After much poking around in the ipsec.conf file I was able to establish a tunnel to Amazon Hardware VPN, but there are still some missing pieces. In order for the routing to work there seems to be a need for some tunnel configuration and BGP configuration. In this area I am completely new and was hoping someone might have some input. Here is a copy of the instructions from Amazon:

    #3: Tunnel Interface Configuration

    Your Customer Gateway must be configured with a tunnel interface that is
    associated with the IPSec tunnel. All traffic transmitted to the tunnel
    interface is encrypted and transmitted to the Virtual Private Gateway.

    Additionally, the Virtual Private Gateway and Customer Gateway establish the BGP
    peering from your tunnel interface.

    The Customer Gateway and Virtual Private Gateway each have two addresses that relate
    to this IPSec tunnel. Each has an outside address, upon which encrypted
    traffic is exchanged. Each also has an inside address associated with
    the tunnel interface.

    The Customer Gateway outside IP address was provided when the Customer Gateway
    was created. Changing the IP address requires the creation of a new
    Customer Gateway.

    The Customer Gateway inside IP address should be configured on your tunnel
    interface.

    Outside IP Addresses:
    - Customer Gateway : 217.110.52.178
    - Virtual Private Gateway : 87.238.85.40

    Inside IP Addresses
    - Customer Gateway : 169.254.254.2/30
    - Virtual Private Gateway : 169.254.254.1/30

    Configure your tunnel to fragment at the optimal size:
    - Tunnel interface MTU : 1436 bytes

    #4: Border Gateway Protocol (BGP) Configuration:

    The Border Gateway Protocol (BGPv4) is used within the tunnel, between the inside
    IP addresses, to exchange routes from the VPC to your home network. Each
    BGP router has an Autonomous System Number (ASN). Your ASN was provided
    to AWS when the Customer Gateway was created.

    BGP Configuration Options:
    - Customer Gateway ASN : 65000
    - Virtual Private Gateway ASN : 9059
    - Neighbor IP Address : 169.254.254.1
    - Neighbor Hold Time : 30

    Configure BGP to announce routes to the Virtual Private Gateway. The gateway
    will announce prefixes to your customer gateway based upon the prefix you
    assigned to the VPC at creation time.

    Any ideas around this would be welcome. If it seems like a doomed project please let me know and I'll hunker down and buy that other device :-(

    Thanks
    Petter

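What the two numbered sections quoted above ask for on a Linux customer gateway, as an added example that is not from the thread, from Untangle or from Amazon: a route-based IPsec conn, a VTI tunnel interface carrying the inside /30 at the stated MTU, and a BGP stanza peering with the inside address of the Virtual Private Gateway, all rendered from the values Amazon quoted. The choice of strongSwan (mark/VTI syntax) and Quagga-style bgpd is my assumption (the thread's Openswan-based Untangle has no BGP daemon, as mrunkel notes below); the IKE/ESP proposals and lifetimes, the LAN prefix to announce, the interface name and the mark value are placeholders not present in the post. The keepalive interval is derived from the quoted hold time by the usual one-third rule.

```shell
#!/bin/sh
# Added example: render customer-gateway config from the AWS parameters quoted
# in the post. Values marked "assumed" do not appear in the thread.
CGW_OUTSIDE=217.110.52.178      # Customer Gateway outside IP (quoted)
VGW_OUTSIDE=87.238.85.40        # Virtual Private Gateway outside IP (quoted)
CGW_INSIDE=169.254.254.2/30     # Customer Gateway inside IP (quoted)
VGW_INSIDE_IP=169.254.254.1     # BGP neighbour = VGW inside IP (quoted)
TUNNEL_MTU=1436                 # tunnel interface MTU (quoted)
CGW_ASN=65000                   # Customer Gateway ASN (quoted)
VGW_ASN=9059                    # Virtual Private Gateway ASN (quoted)
HOLD_TIME=30                    # neighbour hold time (quoted)
KEEPALIVE=$((HOLD_TIME / 3))    # BGP convention: keepalive = hold time / 3
LAN_PREFIX=192.168.1.0/24       # assumed: on-premises prefix to announce
VTI_IF=vti1                     # assumed: tunnel interface name
MARK=100                        # assumed: XFRM mark tying the SA to the VTI

# strongSwan ipsec.conf conn. Route-based: the policy selects everything and
# the VTI plus BGP decide what actually crosses the tunnel.
ipsec_conn() {
  cat <<EOF
conn aws-tunnel1
    # outside addresses: IKE and ESP are exchanged between these
    left=$CGW_OUTSIDE
    leftid=$CGW_OUTSIDE
    right=$VGW_OUTSIDE
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    type=tunnel
    authby=secret
    # assumed proposals/lifetimes: take the real ones from sections #1/#2 of
    # the AWS configuration download, which the post does not reproduce
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    ikelifetime=8h
    lifetime=1h
    dpdaction=restart
    # strongSwan: packets carrying this mark are matched to the VTI below
    mark=$MARK
    auto=start
EOF
}

# Tunnel interface (iproute2). The key must equal the mark above; the inside
# /30 goes on the interface and the MTU is set to Amazon's value so the
# kernel fragments before ESP encapsulation rather than after it.
vti_commands() {
  cat <<EOF
ip link add $VTI_IF type vti local $CGW_OUTSIDE remote $VGW_OUTSIDE key $MARK
ip addr add $CGW_INSIDE dev $VTI_IF
ip link set $VTI_IF up mtu $TUNNEL_MTU
sysctl -w net.ipv4.conf.$VTI_IF.disable_policy=1
sysctl -w net.ipv4.conf.$VTI_IF.rp_filter=0
EOF
}

# Quagga-style bgpd.conf: peer with the VGW inside address, announce the LAN.
# The VGW announces the VPC prefix back; bgpd installs it via the VTI.
bgpd_conf() {
  cat <<EOF
router bgp $CGW_ASN
 bgp router-id ${CGW_INSIDE%/*}
 neighbor $VGW_INSIDE_IP remote-as $VGW_ASN
 neighbor $VGW_INSIDE_IP timers $KEEPALIVE $HOLD_TIME
 network $LAN_PREFIX
EOF
}

render_all() {
  echo "### /etc/ipsec.conf (append)";   ipsec_conn
  echo "### tunnel interface commands";  vti_commands
  echo "### /etc/quagga/bgpd.conf";      bgpd_conf
}

render_all
```

The three pieces map directly onto Amazon's sections: the outside addresses belong only in the conn, the inside addresses only on the tunnel interface and in the BGP peering, and the MTU is a property of the tunnel interface, not of IPsec itself. Untangle's GUI exposes none of the last two, which is the gap the post describes.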
  4. #4 Untangle Ninja mrunkel

    You should check out vyatta.org

    Untangle was never intended for this sort of application.

    But you've got a slog ahead of you if you don't know how to configure the tunnel or BGP.
    m.
    Big Frickin Disclaimer:
    While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.
    It often helps troubleshooting if you have a good network map. Look here (http://forums.untangle.com/tip-day/5407-how-draw-network-diagram.html) if you want my advice on how to draw one.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself. If you need Untangle support please call or email support@untangle.com

  5. #5 Untangler

    Looks like the Amazon NAT instance has openswan in the repo. Is it as simple as copying the ipsec.conf and ipsec.secrets file to the instance from Untangle? I did try this and I am getting a:

    May 3 07:32:31 ip-10-254-0-10 ipsec__plutorun: 022 "UT0_Amazon": We cannot identify ourselves with either end of this connection.

    Any input?

    Thanks
    Petter

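The 022 message quoted above is pluto refusing to "orient" the conn: neither left= nor right= matches an address configured on one of the host's own interfaces. On an EC2 instance that is the expected result of copying Untangle's file unchanged, because the instance carries only its private address and the public IP is translated 1:1 at the VPC edge, so a left= set to the public Customer Gateway address is never found locally. Added example, not from the thread: a POSIX sh check that reproduces that orientation test against constructed addresses and prints the left=/leftid= split for the NAT case. The 10.254.0.10 private address is inferred from the log line's hostname; the address list and the fix are my construction.

```shell
#!/bin/sh
# Added example: reproduce pluto's conn orientation check offline.
# Constructed sample inputs: the endpoints copied from Untangle's ipsec.conf
# and the addresses an EC2 NAT instance actually has (private only).
CONN_LEFT=217.110.52.178        # public CGW address, as copied from Untangle
CONN_RIGHT=87.238.85.40         # VGW outside address
LOCAL_PRIVATE=10.254.0.10       # inferred from hostname ip-10-254-0-10
LOCAL_ADDRS="$LOCAL_PRIVATE 127.0.0.1"   # constructed; on a real host use:
                                         # ip -4 -o addr | awk '{print $4}' | cut -d/ -f1

# Return 0 if left or right is a local address (conn orients), 1 otherwise,
# which is the condition behind "We cannot identify ourselves with either end".
orient_conn() {
  left=$1; right=$2; addrs=$3
  for a in $addrs; do
    [ "$a" = "$left" ] && return 0
    [ "$a" = "$right" ] && return 0
  done
  return 1
}

# Fix for a host behind 1:1 NAT: bind IKE to the private address but keep
# the public address as the identity, since AWS expects the Customer Gateway
# outside IP it was created with. left=%defaultroute is an alternative to
# hard-coding the private address.
nat_fix() {
  public=$1; private=$2
  printf '    left=%s\n    leftid=%s\n' "$private" "$public"
}

if orient_conn "$CONN_LEFT" "$CONN_RIGHT" "$LOCAL_ADDRS"; then
  echo "conn orients: one end is a local address"
else
  echo "022-style failure: neither $CONN_LEFT nor $CONN_RIGHT is local; use:"
  nat_fix "$CONN_LEFT" "$LOCAL_PRIVATE"
fi
```

Note that the security-group and NACL rules for UDP/500, UDP/4500 and ESP still have to allow the peer, and the pre-shared key in ipsec.secrets must be indexed by the same identities the conn now uses.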
  6. #6 Untangle Ninja mrunkel

    Quote (mrunkel):
    > You should check out vyatta.org
    >
    > Untangle was never intended for this sort of application.

    Not to be a smartass, but this guy gave you some good advice. You are going to be pushing a boulder up a big hill to get this done.

    Even if you get it working once, there is no BGP daemon on the untangle.

    And then, it's going to break when you upgrade the unit.
    m.

  7. #7 Untangler

    In the end I will take the advice about a different device, simply because there will be too much hacking of the Untangle to get this working. I did in the end get the IPSec up and running and it is now showing green on AWS :-)

    I will go with Astaro, which is an officially supported AWS device for VPN and is something I just tested and just works!

    I appreciate the input here regardless and I will revisit Untangle when I switch jobs again in the future...

    Thanks
    Petter
