Hi guys,
Has anyone successfully connected Untangle IPSec to Amazon IPSec? If so, do you have any pointers?
Thanks
Petter
Hi Petterolsson,
You have some samples in the wiki
http://wiki.untangle.com/index.php/IPsec_VPN
None of them are for Amazon IPsec but they might help you anyway.
Hi guys,
I decided to try this again since I will have to replace the Untangle with either Juniper or Cisco otherwise.
It is very clear that you cannot get this working with the simple GUI that Untangle provides, as it simply does not provide the options needed. After much poking around in the ipsec.conf file I was able to establish a tunnel to Amazon Hardware VPN, but there are still some missing pieces. In order for the routing to work there seems to be a need for some tunnel configuration and BGP configuration. In this area I am completely new and was hoping someone might have some input. Here is a copy of the instructions from Amazon:
Any ideas around this would be welcome; if it seems like a doomed project please let me know and I'll hunker down and buy that other device :-(
#3: Tunnel Interface Configuration
Your Customer Gateway must be configured with a tunnel interface that is
associated with the IPSec tunnel. All traffic transmitted to the tunnel
interface is encrypted and transmitted to the Virtual Private Gateway.
Additionally, the Virtual Private Gateway and Customer Gateway establish the BGP
peering from your tunnel interface.
The Customer Gateway and Virtual Private Gateway each have two addresses that relate
to this IPSec tunnel. Each contains an outside address, upon which encrypted
traffic is exchanged. Each also contains an inside address associated with
the tunnel interface.
The Customer Gateway outside IP address was provided when the Customer Gateway
was created. Changing the IP address requires the creation of a new
Customer Gateway.
The Customer Gateway inside IP address should be configured on your tunnel
interface.
Outside IP Addresses:
- Customer Gateway : 217.110.52.178
- Virtual Private Gateway : 87.238.85.40
Inside IP Addresses
- Customer Gateway : 169.254.254.2/30
- Virtual Private Gateway : 169.254.254.1/30
Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes
#4: Border Gateway Protocol (BGP) Configuration:
The Border Gateway Protocol (BGPv4) is used within the tunnel, between the inside
IP addresses, to exchange routes from the VPC to your home network. Each
BGP router has an Autonomous System Number (ASN). Your ASN was provided
to AWS when the Customer Gateway was created.
BGP Configuration Options:
- Customer Gateway ASN : 65000
- Virtual Private Gateway ASN : 9059
- Neighbor IP Address : 169.254.254.1
- Neighbor Hold Time : 30
Configure BGP to announce routes to the Virtual Private Gateway. The gateway
will announce prefixes to your customer gateway based upon the prefix you
assigned to the VPC at creation time.
Thanks
Petter
You should check out vyatta.org
Untangle was never intended for this sort of application.
But you've got a slog ahead of you if you don't know how to configure the tunnel or BGP.
m.
Big Frickin Disclaimer:
While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.
It often helps troubleshooting if you have a good network map. Look here (http://forums.untangle.com/tip-day/5407-how-draw-network-diagram.html) if you want my advice on how to draw one.
Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com
Looks like the Amazon NAT instance has openswan in the repo. Is it as simple as copying the ipsec.conf and ipsec.secrets files to the instance from Untangle? I did try this and I am getting a:
May 3 07:32:31 ip-10-254-0-10 ipsec__plutorun: 022 "UT0_Amazon": We cannot identify ourselves with either end of this connection.
Any input?
Thanks
Petter
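The pluto message quoted in the post above ("We cannot identify ourselves with either end of this connection") is what openswan logs when it cannot orient a conn: neither the left= nor the right= address is configured on a local interface. Copying an ipsec.conf from a gateway that owns its public address to an EC2 instance triggers exactly that, because the instance only has its private address (10.254.0.10 in the log's hostname) on eth0 while the public address is NATed. The script below is an added example, not code from the thread or from Untangle: it extracts left= and right= from a conn section and reports which side, if any, matches the local address list, so the orientation failure can be found before the daemon is started. The two conf snippets are constructed for the example; the addresses are the ones visible in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an ipsec.conf conn can be
# oriented, i.e. whether left= or right= is an address this host actually has.
# The conf snippets below are constructed; 217.110.52.178, 87.238.85.40 and
# 10.254.0.10 are the addresses that appear in the thread.
set -e

# Print the value of key $3 inside conn $2 of the ipsec.conf text in $1.
conn_value() {
    printf '%s\n' "$1" | awk -v conn="$2" -v key="$3" '
        /^conn[ \t]/ { inside = ($2 == conn); next }
        inside && /=/ {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
            if (kv[1] == key) { print kv[2]; exit }
        }'
}

# Addresses configured on this host (what pluto compares left/right against).
local_addrs() {
    ip -4 -o addr show | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

# Report "left", "right" or "none" for conn $2 of conf $1 given the local
# address list in $3; "none" is the case that produces the pluto error.
orient_conn() {
    left=$(conn_value "$1" "$2" left)
    right=$(conn_value "$1" "$2" right)
    for a in $3; do
        [ "$a" = "$left" ]  && { echo left;  return 0; }
        [ "$a" = "$right" ] && { echo right; return 0; }
    done
    echo none
    return 1
}

# Conf copied verbatim from the Untangle box: left= is the public address,
# which the EC2 instance does not own.
COPIED_CONF='conn UT0_Amazon
        left=217.110.52.178
        leftid=217.110.52.178
        right=87.238.85.40
        authby=secret
        auto=start'

# Same conn adjusted for a NATed host: left= is the private address on eth0,
# leftid= keeps the public address the peer expects to see.
FIXED_CONF='conn UT0_Amazon
        left=10.254.0.10
        leftid=217.110.52.178
        right=87.238.85.40
        authby=secret
        auto=start'

# Constructed address list standing in for local_addrs on the instance.
INSTANCE_ADDRS="127.0.0.1 10.254.0.10"

for conf in "$COPIED_CONF" "$FIXED_CONF"; do
    side=$(orient_conn "$conf" UT0_Amazon "$INSTANCE_ADDRS") || true
    echo "conn UT0_Amazon orients as: $side"
done
```

On a real gateway replace the constructed list with `$(local_addrs)`; a result of `none` means the daemon will refuse the conn with the message above, and the fix is to make left= the address the host really has while keeping leftid= as the identity the peer was configured with.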
In the end I will take the advice about a different device, simply because there will be too much hacking of the Untangle to get this working. I did in the end get the IPSec up and running and it is now showing green on AWS :-)
I will go with Astaro, which is an officially supported AWS device for VPN and is something I just tested and just works!
I appreciate the input here regardless and I will revisit Untangle when I switch jobs again in the future...
Thanks
Petter