  1. #1 Untangler (Join Date: Oct 2015, Posts: 54)

    Untangle IPsec Module to strongSwan on AWS?

    I am growing tired of trying to get the Untangle IPsec module to work with AWS tooling for site to site VPNs.

    Since the Untangle IPsec module is based on strongSwan I'm ready to take a shot at deploying a strongSwan instance in my Virtual Private Cloud and having it tunnel to the Untangle IPsec module.

    My Untangle is an edge device, it does not sit behind another firewall. While it utilizes a dynamically assigned IP address, that address does not seem to change often, and I realize that if it does I expect I will need to reconfigure things. I'm just going to need to live with that unless the whole thing can be made to work via DDNS.

    At any rate, before I start tilting at windmills yet again, can someone either provide general guidance or point me in the direction of useful guidance for connecting Untangle's current IPsec to a strongSwan server?

  2. #2 Untangle Junkie dmorris (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 17,486)

    Quote Originally Posted by RERobbins:
    "At any rate, before I start tilting at windmills yet again, can someone either provide general guidance or point me in the direction of useful guidance for connecting Untangle's current IPsec to a strongSwan server?"
    My advice would be to back up and spend some time troubleshooting before trying yet another approach.
    If I remember correctly you posted many times theory crafting about the best approach and then skipped ahead twenty steps and finally declared defeat saying "it doesn't work."
    You need to troubleshoot. Just trying different approaches until you find something that works might work, but it's just random and not likely to be efficient or ever get you to your goal.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3 Untangler (Join Date: Oct 2015, Posts: 54)

    Actually I posted only a few times, with one good soul being really helpful with his replies on one thread in particular. I realized at the outset that there were many ways to proceed so I sought some general advice. I guess that's what you mean by "theory crafting." I assumed that others had been down this path and could provide some general guidance. I was not inclined to just pick something and pound away in a mindless fashion. I believe in the old adage that you should measure twice and cut once.

    I think Untangle is a fantastic offering and have found it to be a great tool over the past six months or so. It is easy to work with and I have been able to readily solve every challenge I've faced. I have gotten my hands dirty, so to speak. The point-to-site setup with OpenVPN has been amazingly wonderful. Far better than when I had a Sonicwall. I got the Sonicwall to work but Untangle/OpenVPN was effortless by comparison. But my experience with this particular site-to-site problem has been very different.

    There is far more learning out there to get a pfSense or Vyatta/VyOS device working well with AWS. That the knowledge base to solve this on the Untangle front is so far behind is disappointing. I want to come up with something reasonable and then post lucid instructions for the benefit of the Untangle community. I am NOT looking for anyone to solve this for me, but I think it reasonable to ask general questions to the community to inform my efforts.

    Based on everything I read and the feedback I received I decided that a very reasonable first approach was to focus on using the Amazon hardware VPN approach coupled with IPSec as offered via the Untangle module, i.e., stay within the box. After carefully reviewing the Amazon documentation and collateral material I was able to find, I went through the setup in a very methodical way. Sadly, I got to an error as flagged in a log that I can't begin to understand. A search on the internet was not illuminating. Others who might have helped me understand the error in question were unable to do so. I simply don't know what to attempt. And randomly changing settings in the hopes that I will strike gold is no way to proceed. I'm not in the mood to start reading source code. If you have actually looked at the give and take in the other thread and my questions on the error in the log file and have some ideas on where I might poke around, that would be great.

    I have no idea what you mean when you say I skipped twenty steps ahead. Pray tell, do you have something concrete for me to try? If you think there's a more reasonable way for me to approach this, I'm all ears.

    I posted a somewhat detailed description highlighting relevant parts of the generic AWS instructions for configuring an IPSec connection (without BGP) and a review of what I did. Things seem to line up, and where I've got a question or two, I asked the community.

    After several solid days doing little else and lots of careful review, and armed with the understanding that Untangle now uses strongSwan and not OpenSwan, it seems like a very reasonable line of attack is to deploy strongSwan on AWS and continue to work with the Untangle module to get the tunnel up and running rather than trying to connect the AWS VPN tooling.

    This is one of those cases where I think that the GUI gets in the way. It would be much easier to be able to just review strongSwan documentation and dial in the settings exactly as I want via configuration files. The Untangle GUI seems to be obscuring some of the underlying tool. That's the case with OpenVPN too. It's my growing sense that in an effort to pull things together into a single system the power of what lies underneath is being diluted. But I would really like to try and get this working with the IPsec module.

    I very much appreciate any guidance that I may receive and once I get things working smoothly I look forward to providing a somewhat detailed configuration account for others to use in the future.
    Last edited by RERobbins; 02-13-2016 at 02:02 PM.

  4. #4 Untangle Junkie dmorris (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 17,486)

    Great post, however, it still doesn't define the issue you are having.

    If you want to use strongswan, go for it. No need to use the IPsec app.

    Sadly, I got to an error as flagged in a log that I can't begin to understand.

    What was the error? Are you just going off the log?

    Are you referencing "plugin 'ha': failed to load - ha_plugin_create returned NULL"?
    It always says that. You can ignore that. Was your only concern seeing that in the log? If so I just wouldn't look at the log. It has tons of very obscure stuff.

    However, if you actually have something that isn't working, start here:
    What do you see on your screen that makes your brain say "That was not what I wanted or expected."?
    Are you pinging some host from some host? If so, what host are you pinging? from what host?
    How is your network configured?
    Are you just checking that the tunnel is connected? On Untangle or Amazon? Is it connected? Does it fail to connect? What does the other end say?
    Are you just reading the logs and seeing something you don't like?
    These are the kind of troubleshooting questions you need to ask yourself.

    Maybe another approach would be to just configure it just like you want it (Untangle to Amazon) and just tell us in great detail what is not working or what is not working like you expect it to work.

    I'm not saying I can help you. I don't know much about IPsec.
    I'm just trying to point out that for all your eloquent posts there is very little content with which to make suggestions.

    Last edited by dmorris; 02-13-2016 at 02:40 PM.

  5. #5 Untangler (Join Date: Oct 2015, Posts: 54)

    Thanks. I didn't want to replicate here what I had placed in the other thread, which I think is the sort of thing you are talking about.

    Take a look at replies 16 and 19 in this thread. The first contains snippets from my log file and the second is my attempt to reconcile the AWS guidance with the settings I selected. If anything jumps out as being clearly wrong I'd be thrilled to know about it.

    https://forums.untangle.com/networki...e-cloud-2.html

    There, I included the relevant excerpt from the log file with the error you reference plus the details on how I had configured things, showing on the one hand what AWS instructed me to do and what I put in the Untangle module. I was hoping that someone might jump up and point to an obvious error.

    I am not able to get the tunnels to show up as being active on either end at all and, not surprisingly, am not able to ping anything across what I had hoped would be working tunnels.

    I believe that the problem might be a routing problem outside of the IPSec configuration proper.

    Here are more particulars on my network configuration.

    On the VPC side I have:

    10.0.0.0/16 as my private network.
    52.a.b.c as the public address of Tunnel 1
    52.d.e.f as the public address of Tunnel 2

    On my lab side I have:
    24.g.h.i as the public address of my gateway device (the Untangle appliance)
    198.j.k.i/24 as my private network

    The Amazon settings make reference to some addresses that I do not begin to comprehend, namely one pair of inside IP addresses for the customer gateway and virtual private gateway for each of the two IPSec tunnels that AWS has configured. These are of the form 169.254.45.a and 169.245.45.b for Tunnel #1 and 169.254.44.c and 169.254.44.d for Tunnel #2. The instructions for each tunnel say

    "To route traffic between your internal network and your VPC, you will need a static route added to your router.

    Static route configuration options: -Next hop : [private address of virtual private gateway]

    You should add static routes towards your internal network on the VGW. The VGW will then send traffic towards your internal network over the tunnels."

    Given that I'm trying to route from the 198.j.k.i/24 private network to the 10.0.0.0/16 network and there are two tunnels being specified what do I use as the next hop for the route? If I point the route at the inside IP address of one end of one of the tunnels, then how would the other tunnel ever be used?

  6. #6 Untangler (Join Date: Oct 2015, Posts: 54)

    I took another run at the AWS VPN this morning and finally managed to get one working tunnel. I worked from a summary found at http://www.mynameistoby.com/ and used the commentary about the Linux client to inform how I approached the Untangle IPSec module. I need to clean some things up and try to get routing working, but having both Untangle and AWS report a working tunnel is a major step forward. If I succeed I will post a complete summary. If I get stuck with routing I will circle back with a succinct summary and clear questions.

  7. #7 Untangler (Join Date: Oct 2015, Posts: 54)

    Per my note above, I have managed to get a tunnel up, but I can't seem to do anything with it. As an aside, and consistent with what I've read in other places, I see that only one of the two Amazon tunnels is up at any time. So I'm not troubled by that.

    I'm going to lay out some of what I hope are relevant details below in the hope that if anything is obviously wrong someone will point that out.

    From the Untangle perspective the left hand private network is 198.183.xxx.0/24 and the right hand private network (the Amazon side) is 10.0.0.0/16

    The public address of the Untangle is 24.15.bbb.ccc -- it's on the edge of the network, i.e., it's not behind another firewall
    The public address of Tunnel 1 is 52.70.99.47
    The public address of Tunnel 2 is 52.71.217.179

    Tunnel 1 Inside IP Addresses - Untangle : 169.254.45.214/30 and Amazon Gateway : 169.254.45.213/30
    Tunnel 2 Inside IP Addresses - Untangle : 169.254.44.38/30 and Amazon Gateway : 169.254.44.37/30

    I haven't the foggiest what to do with or how to make use of those IPSec tunnel inside addresses. They don't appear in any of the configuration files and I'm not sure if I am supposed to be able to use them to ping from one side of a tunnel to the other or if they are relevant for static routes that I need to add to the Untangle and AWS route tables.

    Here's a snippet from the log file upon creation of the tunnel:

    Feb 14 18:16:50 gateway charon: 10[ENC] parsed QUICK_MODE response 1913846101 [ HASH SA No KE ID ID ]
    Feb 14 18:16:50 gateway charon: 10[NET] received packet: from 52.70.99.47[4500] to 24.15.bbb.ccc[4500] (300 bytes)
    Feb 14 18:16:50 gateway charon: 01[NET] sending packet: from 24.15.bbb.ccc[4500] to 52.71.217.179[4500] (60 bytes)
    Feb 14 18:16:50 gateway charon: 01[ENC] generating QUICK_MODE request 2162070937 [ HASH ]
    Feb 14 18:16:50 gateway charon: 01[IKE] CHILD_SA UT2_Amazon-Web-Services----Tunnel-2{1} established with SPIs c52ec607_i0b705c74_o and TS 198.183.xxx.0/24 === 10.0.0.0/16
    Feb 14 18:16:50 gateway charon: 01[IKE] CHILD_SA UT2_Amazon-Web-Services----Tunnel-2{1} established with SPIs c52ec607_i0b705c74_o and TS 198.183.xxx.0/24 === 10.0.0.0/16

    followed by many entries of the following pattern:

    Feb 14 18:31:20 gateway charon: 09[ENC] parsed INFORMATIONAL_V1 request 1462223390 [ HASH N(DPD_ACK) ]
    Feb 14 18:31:20 gateway charon: 09[NET] received packet: from 52.70.99.47[4500] to 24.15.bbb.ccc[4500] (92 bytes)
    Feb 14 18:31:20 gateway charon: 06[ENC] parsed INFORMATIONAL_V1 request 1114736938 [ HASH N(DPD_ACK) ]
    Feb 14 18:31:20 gateway charon: 06[NET] received packet: from 52.71.217.179[4500] to 24.15.bbb.ccc[4500] (92 bytes)
    Feb 14 18:31:20 gateway charon: 16[NET] sending packet: from 24.15.bbb.ccc[4500] to 52.71.217.179[4500] (92 bytes)
    Feb 14 18:31:20 gateway charon: 13[NET] sending packet: from 24.15.bbb.ccc[4500] to 52.70.99.47[4500] (92 bytes)
    Feb 14 18:31:20 gateway charon: 16[ENC] generating INFORMATIONAL_V1 request 763038914 [ HASH N(DPD) ]
    Feb 14 18:31:20 gateway charon: 13[ENC] generating INFORMATIONAL_V1 request 1574634586 [ HASH N(DPD) ]
    Feb 14 18:31:20 gateway charon: 16[IKE] sending DPD request
    Feb 14 18:31:20 gateway charon: 13[IKE] sending DPD request

    The IPSec policy tab shows the following:

    src 10.0.0.0/16 dst 198.183.xxx.0/24
    dir fwd priority 2915 ptype main
    tmpl src 52.71.217.179 dst 24.15.bbb.ccc
    proto esp reqid 1 mode tunnel
    src 10.0.0.0/16 dst 198.183.xxx.0/24
    dir in priority 2915 ptype main
    tmpl src 52.71.217.179 dst 24.15.bbb.ccc
    proto esp reqid 1 mode tunnel
    src 198.183.xxx.0/24 dst 10.0.0.0/16
    dir out priority 2915 ptype main
    tmpl src 24.15.54.137 dst 52.71.217.179
    proto esp reqid 1 mode tunnel
    src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
    src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
    src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
    src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
    src ::/0 dst ::/0
    socket in priority 0 ptype main
    src ::/0 dst ::/0
    socket out priority 0 ptype main
    src ::/0 dst ::/0
    socket in priority 0 ptype main
    src ::/0 dst ::/0
    socket out priority 0 ptype main

    Shouldn't the routing described above make some use of those inside IP addresses?
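    The following is an added example, not code from the thread or from Untangle, that shows what the charon log and the IPsec policy tab in the post above actually establish. It parses the "CHILD_SA ... established" line for the negotiated traffic selectors and SPIs, parses the xfrm policy dump into records, and checks that each negotiated selector pair is backed by ESP tunnel-mode policies in the three directions a gateway needs (out, in, and fwd). It also checks whether any policy or tunnel template references the 169.254.x.x inside addresses; for a policy-based tunnel like this one they do not appear, because the kernel selects traffic for the tunnel by the src/dst selectors, not by a next hop. The sample log and policy dump are constructed, modelled on the post: 198.183.10.0/24 and 24.15.54.137 stand in for the poster's masked addresses, the CHILD_SA name, SPIs and AWS endpoint addresses are the post's, and all function and class names are the example's own. The regex also accepts the space-less "c52ec607_i0b705c74_o" form that appears in the post, which charon normally logs with a space.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input modelled on the charon log and IPsec policy dump in the
# post above; 198.183.10.0/24 and 24.15.54.137 are placeholders for the masked addresses.
CHARON_LOG = """\
Feb 14 18:16:50 gateway charon: 01[IKE] CHILD_SA UT2_Amazon-Web-Services----Tunnel-2{1} established with SPIs c52ec607_i 0b705c74_o and TS 198.183.10.0/24 === 10.0.0.0/16
Feb 14 18:31:20 gateway charon: 16[IKE] sending DPD request
"""
XFRM_POLICY = """\
src 10.0.0.0/16 dst 198.183.10.0/24
dir fwd priority 2915 ptype main
tmpl src 52.71.217.179 dst 24.15.54.137
proto esp reqid 1 mode tunnel
src 10.0.0.0/16 dst 198.183.10.0/24
dir in priority 2915 ptype main
tmpl src 52.71.217.179 dst 24.15.54.137
proto esp reqid 1 mode tunnel
src 198.183.10.0/24 dst 10.0.0.0/16
dir out priority 2915 ptype main
tmpl src 24.15.54.137 dst 52.71.217.179
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
"""
# charon logs "SPIs <in>_i <out>_o"; the \s? also accepts the space-less form in the post.
CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<name>\S+)\{\d+\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i\s?(?P<spi_out>[0-9a-f]+)_o and TS "
    r"(?P<local_ts>\S+) === (?P<remote_ts>\S+)")

def parse_child_sas(log: str) -> List[dict]:
    """One record per CHILD_SA that charon reports as established."""
    sas = []
    for m in filter(None, map(CHILD_SA_RE.search, log.splitlines())):
        rec = m.groupdict()
        rec["local_ts"] = ipaddress.ip_network(rec["local_ts"])
        rec["remote_ts"] = ipaddress.ip_network(rec["remote_ts"])
        sas.append(rec)
    return sas

@dataclass
class Policy:
    src: object                      # selector networks (IPv4Network / IPv6Network)
    dst: object
    kind: str = ""                   # "dir" = traffic policy, "socket" = per-socket bypass
    direction: str = ""              # in / out / fwd
    tmpl_src: Optional[str] = None   # outer ESP endpoints of the tunnel template
    tmpl_dst: Optional[str] = None
    proto: Optional[str] = None
    mode: Optional[str] = None

def parse_xfrm_policies(dump: str) -> List[Policy]:
    """Parse an `ip xfrm policy` style dump like the one on the IPsec policy tab."""
    policies: List[Policy] = []
    cur = None
    for tok in (line.split() for line in dump.splitlines() if line.strip()):
        if tok[0] == "src":                 # "src A dst B" opens a new policy
            cur = Policy(ipaddress.ip_network(tok[1]), ipaddress.ip_network(tok[3]))
            policies.append(cur)
        elif tok[0] in ("dir", "socket"):   # "dir out priority ..." / "socket in ..."
            cur.kind, cur.direction = tok[0], tok[1]
        elif tok[0] == "tmpl":              # "tmpl src X dst Y"
            cur.tmpl_src, cur.tmpl_dst = tok[2], tok[4]
        elif tok[0] == "proto":             # "proto esp reqid 1 mode tunnel"
            cur.proto = tok[1]
            cur.mode = tok[tok.index("mode") + 1] if "mode" in tok else None
    return policies

def matching_policy(policies, src_ip, dst_ip, direction) -> Optional[Policy]:
    """First traffic (non-socket) policy in `direction` whose selectors cover the flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.kind == "dir" and p.direction == direction and src in p.src and dst in p.dst:
            return p
    return None

def check_tunnel_coverage(sas, policies) -> Dict[str, Dict[str, bool]]:
    """Per CHILD_SA: is there an ESP tunnel-mode policy for out (LAN -> remote),
    in (remote -> this gateway) and fwd (remote -> hosts behind this gateway)?"""
    report = {}
    for sa in sas:
        lan, remote = next(sa["local_ts"].hosts()), next(sa["remote_ts"].hosts())
        flows = {"out": (lan, remote), "in": (remote, lan), "fwd": (remote, lan)}
        report[sa["name"]] = {
            d: (p is not None and p.proto == "esp" and p.mode == "tunnel")
            for d, (s, t) in flows.items()
            for p in [matching_policy(policies, s, t, d)]}
    return report

def references_prefix(policies, prefix: str) -> bool:
    """True if any selector or tunnel template address starts with `prefix`."""
    return any(f.startswith(prefix) for p in policies
               for f in (str(p.src), str(p.dst), p.tmpl_src or "", p.tmpl_dst or ""))

if __name__ == "__main__":
    pols = parse_xfrm_policies(XFRM_POLICY)
    print(check_tunnel_coverage(parse_child_sas(CHARON_LOG), pols))
    print("169.254.x.x inside addresses in policies:", references_prefix(pols, "169.254."))
```

    Run against a real `ip xfrm policy` dump and charon log, the coverage report is a quick way to tell a negotiation problem (no CHILD_SA line) from a policy problem (an SA exists but a direction is missing, so packets leave in the clear or decrypted packets are not forwarded to the LAN). The inside /30 addresses AWS hands out are the addresses it assigns to the tunnel interfaces and BGP peering of a route-based configuration; a policy-based configuration like the one in the dump never references them.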

  8. #8 Untangler (Join Date: Oct 2015, Posts: 54)

    I've got things working now and will post the steps I took shortly. I have a working AWS VPC site to site connection from my AWS VPC to my lab network using the Amazon hardware VPN to the IPSec module on my Untangle. Thanks to those who helped me.
