Wednesday, October 27, 2010

Amazon EC2 IPsec tunnel to Cisco IOS router - Update!

This is an update to the Amazon EC2 IPsec tunnel to Cisco IOS router post I made several weeks ago.  Amazon has changed the offering a bit, and not all of the commands, nor the distribution, that I used previously are still available.

Launch an Instance
  • Click the "Launch Instance" button
  • Choose "Basic 32-bit Amazon Linux AMI 1.0"
  • Set "Micro" instance type
  • Download a new SSH key (or use an existing one)
  • Configure a security group (this is the firewall service) like this:


Configure OpenSwan on the EC2 Instance
  • Connect to the instance using the directions found here.
  • Install IPsec packages:
sudo yum -y update
sudo yum -y install openswan openswan-doc ipsec-tools
  • Set some variables that will be useful later
# The private IP address assigned to your EC2 instance.
EC2PRIVATE=`/sbin/ifconfig eth0|grep Bcast|cut -d: -f 2|cut -d\  -f 1`

# The public IP address assigned to your EC2 instance.
EC2PUBLIC=`curl -s http://169.254.169.254/latest/meta-data/public-ipv4`

# The public IP address of the home router
HOMEPUBLIC=1.2.3.4

# The private address space in use at home
HOMEPRIVATE=192.168.0.0/16

# Generate a secret key
PSK=`< /dev/urandom tr -dc a-zA-Z0-9_ | head -c30`
  • Configure the 'home' openswan connection.  The leading whitespace is important here.
echo "conn home" > /tmp/home.conf
echo "  left=%defaultroute" >> /tmp/home.conf
echo "  leftsubnet=$EC2PRIVATE/32" >> /tmp/home.conf
echo "  leftid=$EC2PUBLIC" >> /tmp/home.conf
echo "  right=$HOMEPUBLIC" >> /tmp/home.conf
echo "  rightid=$HOMEPUBLIC" >> /tmp/home.conf
echo "  rightsubnet=$HOMEPRIVATE" >> /tmp/home.conf
echo "  authby=secret" >> /tmp/home.conf
echo "  ike=aes128-sha1-modp1024" >> /tmp/home.conf
echo "  esp=aes128-sha1" >> /tmp/home.conf
echo "  pfs=yes" >> /tmp/home.conf
echo "  forceencaps=yes" >> /tmp/home.conf
echo "  auto=start" >> /tmp/home.conf
  • Configure the 'home' preshared key:
echo "$EC2PUBLIC $HOMEPUBLIC: PSK \"$PSK\"" > /tmp/home.secrets
  • Enable the IPsec service:
sudo sed 's!^#\(include /etc/ipsec.d/\*.conf\)!\1!' /etc/ipsec.conf > /tmp/ipsec.conf
sudo chmod 600 /tmp/home.* /tmp/ipsec.conf
sudo chown root:root /tmp/home.* /tmp/ipsec.conf
sudo mv /tmp/home.* /etc/ipsec.d
sudo mv /tmp/ipsec.conf /etc
sudo chkconfig ipsec on
sudo service ipsec start

Configure the IOS end of the tunnel
We'll need one more variable to build the IOS configuration:
HOMEEXTIF=FastEthernet0/0
Paste the following text into the EC2 command line.  It should spit out IPsec configuration for your IOS device:
cat > /tmp/IOS.cfg << EOF
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key $PSK address $EC2PUBLIC no-xauth
crypto ipsec security-association lifetime seconds 1800
ip access-list extended AMAZON-CRYPTO-ACL
 permit ip any host $EC2PRIVATE
crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-aes esp-sha-hmac
crypto map INTERNET-CRYPTO 10 ipsec-isakmp
 description Amazon EC2 instance
 set peer $EC2PUBLIC
 set transform-set AMAZON-TRANSFORM-SET
 set pfs group2
 match address AMAZON-CRYPTO-ACL
interface $HOMEEXTIF
 crypto map INTERNET-CRYPTO
EOF
clear
cat /tmp/IOS.cfg
That's it!  Now I can ping the private ($EC2PRIVATE) address of the EC2 instance from one of my internal machines at home.  This works in my environment because the 10.x.x.x address assigned by Amazon happens to fall within the default route in use by my home gateway.  You may need to add a static route if you're pushing the 10/8 block elsewhere in your environment.
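Both ends of this tunnel have to agree on the IKE proposal, the ESP transform, the PFS group, the encryption domain and the PSK, and the IOS policy silently fills in defaults (hash sha, group 1) for any line it does not have, so a mismatch only shows up as a negotiation that never completes. The following is an added example, not code from the original post: it parses an openswan conn block, its secrets line and the IOS output in the format generated above and lists where the two sides disagree. The sample configs, TEST-NET addresses and PSK are constructed placeholders.

```python
import re

# openswan algorithm tokens mapped to the IOS keywords that mean the same thing
# (only the algorithms that appear in the post's configuration are covered).
IKE_ENC, HASH = {"aes128": "aes", "3des": "3des"}, {"sha1": "sha", "md5": "md5"}
DH = {"modp1024": "2", "modp1536": "5"}
ESP = {"aes128": "esp-aes", "3des": "esp-3des", "sha1": "esp-sha-hmac", "md5": "esp-md5-hmac"}

def parse_openswan(conn_text):
    """Read the indented key=value lines of a 'conn' block into a dict."""
    return dict(re.findall(r"^\s+(\w+)=(\S+)", conn_text, re.M))

def parse_ios(ios_text):
    """Extract the IOS fields that must agree with openswan; IOS defaults (hash sha,
    group 1) are filled in where the policy omits the line, as the router does."""
    def find(pattern, default=None):
        m = re.search(pattern, ios_text, re.M)
        return m.group(1) if m else default
    return {"encr": find(r"^ encr (\S+)"), "hash": find(r"^ hash (\S+)", "sha"),
            "group": find(r"^ group (\S+)", "1"), "pfs": find(r"^ set pfs group(\S+)"),
            "host": find(r"^ permit ip any host (\S+)"),
            "transform": find(r"^crypto ipsec transform-set \S+ (.+)$"),
            "psk": find(r"^crypto isakmp key (\S+) address")}

def mismatches(conn_text, secrets_line, ios_text):
    """Compare both ends; return the list of disagreements (empty means consistent)."""
    swan, ios = parse_openswan(conn_text), parse_ios(ios_text)
    enc, hsh, dh = swan["ike"].split("-")
    esp_enc, esp_auth = swan["esp"].split("-")
    secret = re.match(r'\S+ \S+: PSK "([^"]*)"', secrets_line)
    checks = [("IKE encryption", IKE_ENC.get(enc), ios["encr"]),
              ("IKE hash", HASH.get(hsh), ios["hash"]),
              ("IKE DH group", DH.get(dh), ios["group"]),
              ("ESP transform", f"{ESP.get(esp_enc)} {ESP.get(esp_auth)}", ios["transform"]),
              ("PFS group", DH.get(dh) if swan.get("pfs") == "yes" else None, ios["pfs"]),
              ("encryption domain", swan["leftsubnet"], f'{ios["host"]}/32'),
              ("PSK", secret.group(1) if secret else None, ios["psk"])]
    return [f"{n}: openswan {a!r} vs IOS {b!r}" for n, a, b in checks if a != b]

# Constructed sample configs in the post's layout, using placeholder TEST-NET addresses.
SWAN = ("conn home\n  leftsubnet=10.0.0.5/32\n  leftid=203.0.113.10\n  rightid=198.51.100.1\n"
        "  ike=aes128-sha1-modp1024\n  esp=aes128-sha1\n  pfs=yes\n")
SECRETS = '203.0.113.10 198.51.100.1: PSK "examplePSKonlyForThisDemo"'
IOS = ("crypto isakmp policy 10\n encr aes\n authentication pre-share\n group 2\n"
       "crypto isakmp key examplePSKonlyForThisDemo address 203.0.113.10 no-xauth\n"
       "ip access-list extended AMAZON-CRYPTO-ACL\n permit ip any host 10.0.0.5\n"
       "crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-aes esp-sha-hmac\n"
       "crypto map INTERNET-CRYPTO 10 ipsec-isakmp\n set peer 203.0.113.10\n set pfs group2\n")
```

`mismatches(SWAN, SECRETS, IOS)` returns an empty list for the sample; dropping the `group 2` line from the IOS policy makes it report the router's default group 1 against openswan's modp1024.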

Being able to talk securely to the private address is preferable to using the public one because of applications (SIP, FTP) that embed IP address information into their application payload.  These don't NAT well, and now they don't have to.

If you want to be able to talk securely to the public address of an EC2 instance, that can probably be done with a dummy interface on the EC2 end.  I'll work on that later.
