
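# Everything below must run as root. If you are logged in as your normal user,
# become root first. `sudo su -` opens a NEW interactive shell: run the
# remaining commands inside that shell rather than pasting this file as a whole,
# otherwise nothing after this line executes until you exit the root shell.
sudo su -

# Add the transfer network to eth0 as a secondary address (alias eth0:0), since
# strongSwan expects packets from/to 172.20.0.0/22.
# NETMASK is the /22 mask (255.255.252.0) so the alias agrees with
# leftsubnet=172.20.0.0/22 in ipsec.conf and with the `ip addr add 172.20.0.1/22`
# used for manual testing; the previous /24 mask (255.255.255.0) matched neither.
# The alias file is created (>), so re-running this does not duplicate entries.
# The heredoc delimiter is quoted: the content is written literally, no expansion.
cat << 'EOF' > /etc/sysconfig/network-scripts/ifcfg-eth0:0
BOOTPROTO=static
DEVICE=eth0:0
ONBOOT=yes
IPADDR=172.20.0.1
NETMASK=255.255.252.0
EOF

# Stop the DHCP client from rewriting /etc/resolv.conf: point eth0 at the local
# resolver and disable peer DNS. This APPENDS to the existing ifcfg-eth0, so run
# it only once (check with: grep -n PEERDNS /etc/sysconfig/network-scripts/ifcfg-eth0).
# NOTE(review): DNS1=127.0.0.1 presumes a resolver listens locally; nothing on this
# page sets one up — confirm before cutting over.
cat << 'EOF' >> /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=127.0.0.1
PEERDNS=no
EOF

# Clear resolv.conf once; the network restart below repopulates it from ifcfg-eth0.
echo "" > /etc/resolv.conf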

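# Install strongSwan from the distribution repositories.
yum install -y strongswan

# Add the IPsec connection definitions. Before running, replace <cloud-ip> with
# the INTERNAL IP of this instance (the cloud's public/NAT address is not used
# as left/leftid here) and <cmts-ip> with the CMTS peer address.
# The heredoc delimiter is quoted so the content is written literally.
# NOTE(review): the proposal is IKEv1 with PSK, SHA-1 and 1536-bit MODP
# (DH group 5). That is legacy strength and is kept only because the CMTS
# dictates what it accepts; if the peer supports it, prefer keyexchange=ikev2
# with sha256 and modp2048 or stronger, and confirm the negotiated algorithms
# with `strongswan statusall` after the tunnel is up.
# This APPENDS to ipsec.conf, so run it only once.
cat << 'EOF' >> /etc/strongswan/ipsec.conf
conn cmts-cm
        left=<cloud-ip>
        leftsubnet=172.20.0.0/22
        leftid=<cloud-ip>
        leftfirewall=yes
        right=<cmts-ip>
        rightsubnet=10.0.0.0/19
        rightid=<cmts-ip>
        auto=start
        ike=aes256-sha-modp1536
        esp=aes256-sha1-modp1536
        keyexchange=ikev1
        authby=secret

conn cmts-cpepriv
        also=cmts-cm
        rightsubnet=100.64.0.0/22

conn cmts-mta
        also=cmts-cm
        rightsubnet=100.96.0.0/22
EOF

# Add the pre-shared key. Writing it through a quoted heredoc (instead of
# `echo '...'`) means the shell never expands $, backticks or quotes inside the
# secret, and the secret is not part of a command line visible in `ps`.
# It is still recorded in shell history when typed interactively — run
# `history -c` afterwards, or edit the file with an editor instead.
cat << 'EOF' >> /etc/strongswan/ipsec.secrets
<cloud-ip> <cmts-ip> : PSK "<secret>"
EOF
# The secrets file must stay readable by root only.
chmod 600 /etc/strongswan/ipsec.secrets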

# Restart networking so the eth0:0 alias and the DNS settings take effect.
# On a remote instance this briefly interrupts connectivity; do it from a
# session you can afford to lose (or a console).
systemctl restart network

# Enable strongSwan at boot. This only enables the unit; it is started by hand
# in the test section below.
systemctl enable strongswan.service

Setup, test and teardown of IPsec tunnels

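# Add the transfer network to eth0 as a secondary address, since strongSwan
# expects packets from/to 172.20.0.0/22. `replace` is idempotent: if the
# address is already configured (e.g. via ifcfg-eth0:0 from the setup section)
# this succeeds instead of failing with "RTNETLINK answers: File exists".
ip addr replace 172.20.0.1/22 dev eth0

# Start the strongSwan service.
systemctl start strongswan

# Bring up all IPsec tunnels/associations and watch the negotiation output.
# cmts-cpepriv and cmts-mta inherit their settings from cmts-cm (also=cmts-cm).
# NOTE(review): auto=start in ipsec.conf already initiates these on service
# start; check `strongswan status` first so you do not initiate duplicate SAs.
strongswan up cmts-cm
strongswan up cmts-cpepriv
strongswan up cmts-mta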

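# Check the routes for the three remote subnets. Each reply must carry
# "src 172.20.0.1", the transfer-network address, because that is what the
# leftsubnet=172.20.0.0/22 policy matches; a different source address would
# leave the IPsec policy unmatched. Expected output is shown as comments so
# this block stays copy-pasteable.
ip r get 10.0.31.254
#   10.0.31.254 via <cmts-ip> dev eth0 src 172.20.0.1
ip r get 100.64.3.254
#   100.64.3.254 via <cmts-ip> dev eth0 src 172.20.0.1
ip r get 100.96.3.254
#   100.96.3.254 via <cmts-ip> dev eth0 src 172.20.0.1

# Ping all bundle-interface addresses on the CMTS.
ping -c1 10.0.31.254
#   PING 10.0.31.254 (10.0.31.254) 56(84) bytes of data.
#   64 bytes from 10.0.31.254: icmp_seq=1 ttl=255 time=0.475 ms
ping -c1 100.64.3.254
#   PING 100.64.3.254 (100.64.3.254) 56(84) bytes of data.
#   64 bytes from 100.64.3.254: icmp_seq=1 ttl=255 time=0.696 ms
ping -c1 100.96.3.254
#   PING 100.96.3.254 (100.96.3.254) 56(84) bytes of data.
#   64 bytes from 100.96.3.254: icmp_seq=1 ttl=255 time=0.495 ms

# A successful ping proves reachability, not that the traffic was encrypted.
# Confirm the SAs are ESTABLISHED/INSTALLED and that the ESP packet counters
# grow with the pings above.
strongswan statusall
ip -s xfrm state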

# Tear down the tunnels in reverse order of bring-up: the two connections that
# inherit from cmts-cm (also=cmts-cm) first, then cmts-cm itself.
strongswan down cmts-mta
strongswan down cmts-cpepriv
strongswan down cmts-cm

# Stop the strongSwan service. The unit stays enabled (see the setup section),
# and auto=start re-establishes the tunnels the next time it starts.
systemctl stop strongswan.service