LI Nick X.com
Blog |Follow Nick on Twitter| About
 

I'm looking at running two servers on EC2; as we all know the most important thing about running services in the cloud is encryption!

Whilst googling on how to setup a host-to-host IPSEC VPN I was surprised at how easy it is...

On Host1 (192.168.56.101)...

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
#!/bin/bash
[root@CentOS1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ipsec1 
DST=192.168.56.102
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
[root@CentOS1 ~]#
[root@CentOS1 ~]# cat /etc/sysconfig/network-scripts/keys-ipsec1 
IKE_PSK=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[root@CentOS1 ~]#
[root@CentOS1 ~]# ifup ipsec1

On host2 (192.168.56.102)...

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
#!/bin/bash
[root@CentOS2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ipsec1 
DST=192.168.56.101
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
[root@CentOS2 ~]#
[root@CentOS2 ~]# cat /etc/sysconfig/network-scripts/keys-ipsec1 
IKE_PSK=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[root@CentOS2 ~]#
[root@CentOS2 ~]#ifup ipsec1

... done!!!

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
#!/bin/bash
[root@CentOS1 ~]# tcpdump -n -i eth1 host 192.168.56.102
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
09:46:37.306292 IP 192.168.56.101 > 192.168.56.102: AH(spi=0x0aff2b10,seq=0x203): ESP(spi=0x00a0a3cc,seq=0x203), length 84
09:46:37.310197 IP 192.168.56.102 > 192.168.56.101: AH(spi=0x09f82154,seq=0x203): ESP(spi=0x098f0ff9,seq=0x203), length 68
09:46:38.175048 IP 192.168.56.101 > 192.168.56.102: AH(spi=0x0aff2b10,seq=0x204): ESP(spi=0x00a0a3cc,seq=0x204), length 84
09:46:38.179017 IP 192.168.56.102 > 192.168.56.101: AH(spi=0x09f82154,seq=0x204): ESP(spi=0x098f0ff9,seq=0x204), length 68
09:46:39.313583 IP 192.168.56.101 > 192.168.56.102: AH(spi=0x0aff2b10,seq=0x205): ESP(spi=0x00a0a3cc,seq=0x205), length 84
09:46:39.316427 IP 192.168.56.102 > 192.168.56.101: AH(spi=0x09f82154,seq=0x205): ESP(spi=0x098f0ff9,seq=0x205), length 68

6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@CentOS1 ~]#

Now this is a simple IKE pre-shared key vpn, you might want to google for using certificates for stronger authentication, you can also edit /etc/racoon/racoon.conf to change your IPSEC parameters.

Reference: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-vpn.html

UPDATE: To make this work in EC2, you need to enable NAT-T see my hack here!

 

 
Nick Bettison ©