So, I spun one up and started playing with it.
The first thing I wanted to do was get an IPsec tunnel to my home edge router working. It turned out to be trickier than I'd expected. Here's the whole process:
Launch an Instance
- Click the "Launch Instance" button
- Choose "Basic Fedora Core 8"
- Set "Micro" instance type
- Download a new SSH key (or use an existing one)
- Configure a security group (this is the firewall service) like this:
Configure OpenSwan on the EC2 Instance
- Connect to the instance using the directions found here.
- Install IPsec packages:
yum -y update
yum -y install openswan openswan-doc ipsec-tools bind
- Set some variables that will be useful later
# The private IP address assigned to your EC2 instance (parsed from the "inet addr:" line of the old-style ifconfig output; the second cut delimiter is a single space).
EC2PRIVATE=`ifconfig eth0|grep Bcast|cut -d: -f 2|cut -d' ' -f 1`
# The public IP address assigned to your EC2 instance.
EC2PUBLIC=`ec2-public-ip`
# The public IP address of the home router
HOMEPUBLIC=1.2.3.4
# The private address space in use at home
HOMEPRIVATENET=192.168.0.0/16
# A secret key, created here using dns-keygen
PSK=`dns-keygen`
- Configure the 'home' openswan connection. The leading whitespace is important here.
echo "conn home" > /etc/ipsec.d/home.conf
echo " left=%defaultroute" >> /etc/ipsec.d/home.conf
echo " leftsubnet=$EC2PRIVATE/32" >> /etc/ipsec.d/home.conf
echo " leftid=$EC2PUBLIC" >> /etc/ipsec.d/home.conf
echo " right=$HOMEPUBLIC" >> /etc/ipsec.d/home.conf
echo " rightid=$HOMEPUBLIC" >> /etc/ipsec.d/home.conf
echo " rightsubnet=$HOMEPRIVATENET" >> /etc/ipsec.d/home.conf
echo " authby=secret" >> /etc/ipsec.d/home.conf
echo " ike=aes128-sha1-modp1024" >> /etc/ipsec.d/home.conf
echo " esp=aes128-sha1" >> /etc/ipsec.d/home.conf
echo " pfs=yes" >> /etc/ipsec.d/home.conf
echo " forceencaps=yes" >> /etc/ipsec.d/home.conf
echo " auto=start" >> /etc/ipsec.d/home.conf
chmod 600 /etc/ipsec.d/home.conf
- Configure the 'home' preshared key:
echo "$EC2PUBLIC $HOMEPUBLIC: PSK \"$PSK\"" > /etc/ipsec.d/home.secrets
chmod 600 /etc/ipsec.d/home.secrets
Configure the IOS end of the tunnel
The variables collected above are italicized here (they appear as PSK, EC2PUBLIC and EC2PRIVATE in the configuration below). When you need to do some variable substitution in the IOS configuration, pop back into your Amazon shell window and echo the variable out. Like this:
echo $PSK
echo $EC2PUBLIC
Here's the IOS configuration I'm using:
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key PSK address EC2PUBLIC no-xauth
crypto ipsec security-association lifetime seconds 1800
ip access-list extended AMAZON-CRYPTO-ACL
 permit ip any host EC2PRIVATE
crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-aes esp-sha-hmac
crypto map INTERNET-CRYPTO 10 ipsec-isakmp
 description Amazon EC2 instance
 set peer EC2PUBLIC
 set transform-set AMAZON-TRANSFORM-SET
 set pfs group2
 match address AMAZON-CRYPTO-ACL
interface INTERNET-FACING-IF
 crypto map INTERNET-CRYPTO
Start openswan on the EC2 instance
The following commands prepare the ipsec service boot scripts, and then manually start the service:
chkconfig ipsec on
service ipsec start
That's it! Now I can ping the private ($EC2PRIVATE) address of the EC2 instance from one of my internal machines at home. This works in my environment because the 10.x.x.x address assigned by Amazon happens to fall within the default route in use by my home gateway. You may need to add a static route if you're pushing the 10/8 block elsewhere in your environment.
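Most failures of a tunnel like this come from the two ends disagreeing on a proposal (IKE cipher, hash, DH group, ESP transform, PFS group) or on an address (peer, key address, crypto ACL). The following script is an added example, not part of the original post: it parses the Openswan conn block and the IOS crypto configuration from above, with the placeholders replaced by constructed sample addresses, and reports every place the two sides disagree. The IOS-to-Openswan algorithm tables, the sample addresses and the sample PSK are my assumptions, and only the parameters this post uses are covered.

```python
"""Cross-check an Openswan 'conn' against the matching Cisco IOS crypto config.

Added example (not from the original post). Sample configs below are constructed;
the addresses and key are placeholders, and the mapping tables are assumptions
limited to the algorithms the post uses."""
import re

# Constructed: the EC2 side as written to /etc/ipsec.d/home.conf, variables substituted.
OPENSWAN_CONF = """conn home
 left=%defaultroute
 leftsubnet=10.0.0.5/32
 leftid=203.0.113.10
 right=198.51.100.7
 rightid=198.51.100.7
 rightsubnet=192.168.0.0/16
 authby=secret
 ike=aes128-sha1-modp1024
 esp=aes128-sha1
 pfs=yes
 forceencaps=yes
 auto=start
"""

# Constructed: the IOS side with the same placeholders substituted.
IOS_CONF = """crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key placeholder-psk address 203.0.113.10 no-xauth
crypto ipsec security-association lifetime seconds 1800
ip access-list extended AMAZON-CRYPTO-ACL
 permit ip any host 10.0.0.5
crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-aes esp-sha-hmac
crypto map INTERNET-CRYPTO 10 ipsec-isakmp
 description Amazon EC2 instance
 set peer 203.0.113.10
 set transform-set AMAZON-TRANSFORM-SET
 set pfs group2
 match address AMAZON-CRYPTO-ACL
"""

# IOS keyword -> Openswan proposal token (assumed mapping; IOS 'aes' defaults to 128 bit).
IOS_ENCR = {"aes": "aes128", "aes 192": "aes192", "aes 256": "aes256", "3des": "3des"}
IOS_HASH = {"sha": "sha1", "md5": "md5"}
IOS_GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
IOS_ESP_ENCR = {"esp-aes": "aes128", "esp-aes 192": "aes192", "esp-aes 256": "aes256", "esp-3des": "3des"}
IOS_ESP_AUTH = {"esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}


def _join_sizes(tokens):
    """Fold a bare key-size token onto the algorithm before it: ['esp-aes','256'] -> ['esp-aes 256']."""
    out = []
    for tok in tokens:
        if tok.isdigit() and out:
            out[-1] = out[-1] + " " + tok
        else:
            out.append(tok)
    return out


def parse_openswan(text):
    """Return the key=value pairs of a single Openswan conn block."""
    conn = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("conn "):
            key, value = line.split("=", 1)
            conn[key.strip()] = value.strip()
    return conn


def parse_ios(text):
    """Pull the tunnel-relevant settings out of an IOS crypto configuration."""
    cfg = {"policy": {}, "acl_hosts": [], "peer": None, "pfs": None, "transform": [], "key_addr": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):          # top-level command: decides which sub-mode follows
            section = None
            if line.startswith("crypto isakmp policy"):
                section = "policy"
            elif line.startswith("crypto isakmp key"):
                m = re.search(r"address (\S+)", line)
                cfg["key_addr"] = m.group(1) if m else None
            elif line.startswith("crypto ipsec transform-set"):
                cfg["transform"] = _join_sizes(line.split()[4:])
            elif line.startswith("ip access-list extended"):
                section = "acl"
            elif line.startswith("crypto map"):
                section = "map"
        elif section == "policy":
            key, _, value = line.partition(" ")
            cfg["policy"][key] = value
        elif section == "acl" and line.startswith("permit"):
            m = re.search(r"host (\S+)", line)
            if m:
                cfg["acl_hosts"].append(m.group(1))
        elif section == "map":
            if line.startswith("set peer "):
                cfg["peer"] = line.split()[2]
            elif line.startswith("set pfs "):
                cfg["pfs"] = line.split()[2]
    return cfg


def check_tunnel(openswan_text, ios_text):
    """Return a list of mismatches between the two ends; an empty list means they agree."""
    sw, ios = parse_openswan(openswan_text), parse_ios(ios_text)
    pol, problems = ios["policy"], []
    # Phase 1: Openswan 'ike=ENC-HASH-GROUP' must match the isakmp policy (IOS default hash is sha).
    enc, hsh, grp = sw["ike"].split("-")
    if IOS_ENCR.get(pol.get("encr")) != enc:
        problems.append("IKE encryption: openswan %s vs IOS encr %s" % (enc, pol.get("encr")))
    if IOS_HASH.get(pol.get("hash", "sha")) != hsh:
        problems.append("IKE hash: openswan %s vs IOS hash %s" % (hsh, pol.get("hash", "sha")))
    if IOS_GROUP.get(pol.get("group")) != grp:
        problems.append("IKE DH group: openswan %s vs IOS group %s" % (grp, pol.get("group")))
    if sw.get("authby") != "secret" or pol.get("authentication") != "pre-share":
        problems.append("authentication method differs (expected authby=secret / pre-share)")
    # Phase 2: Openswan 'esp=ENC-AUTH' must match the transform set.
    esp_enc, esp_auth = sw["esp"].split("-")
    algs = ios["transform"]
    if len(algs) < 2 or IOS_ESP_ENCR.get(algs[0]) != esp_enc:
        problems.append("ESP encryption: openswan %s vs IOS %s" % (esp_enc, algs))
    if len(algs) < 2 or IOS_ESP_AUTH.get(algs[1]) != esp_auth:
        problems.append("ESP integrity: openswan %s vs IOS %s" % (esp_auth, algs))
    # PFS: with pfs=yes and no pfsgroup=, Openswan reuses the IKE group for Phase 2.
    if sw.get("pfs") == "yes":
        want = sw.get("pfsgroup", grp)
        if IOS_GROUP.get((ios["pfs"] or "").replace("group", "")) != want:
            problems.append("PFS group: openswan %s vs IOS pfs %s" % (want, ios["pfs"]))
    elif ios["pfs"]:
        problems.append("IOS requires PFS but Openswan has pfs=%s" % sw.get("pfs"))
    # Identities and traffic selector.
    if ios["peer"] != sw.get("leftid"):
        problems.append("IOS peer %s != openswan leftid %s" % (ios["peer"], sw.get("leftid")))
    if ios["key_addr"] != sw.get("leftid"):
        problems.append("isakmp key address %s != openswan leftid %s" % (ios["key_addr"], sw.get("leftid")))
    left_host = sw.get("leftsubnet", "").split("/")[0]
    if left_host not in ios["acl_hosts"]:
        problems.append("crypto ACL has no 'permit ip any host %s' entry" % left_host)
    return problems


if __name__ == "__main__":
    issues = check_tunnel(OPENSWAN_CONF, IOS_CONF)
    print("OK: both ends agree" if not issues else "\n".join(issues))
```

Run it before `service ipsec start`: a clean result means the proposals, PFS group, peer identity and crypto ACL line up; each reported line names the side and value that differ, which is quicker than reading `ipsec auto --status` and `show crypto isakmp sa` output after the negotiation has already failed.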
Being able to talk securely to the private address is preferable to using the public one because of applications (SIP, FTP) that embed IP address information into their application payload. These don't NAT well, and now they don't have to.
If you want to be able to talk securely to the public address of an EC2 instance, that can probably be done with a dummy interface on the EC2 end. I'll work on that later.