
Using Openswan to Configure On- and Off-Cloud Communication

Scenarios

The VPC on the cloud has a VPN gateway and VPN connections. Servers in the customer data center run IPsec software and interconnect with the cloud through it. One-to-one NAT mapping has been configured between the customer server IP addresses and the public IP addresses on the network egress.

Topology Connection

Figure 1 shows the topology connection and policy negotiation configurations.

The VPN gateway IP address of the VPC is 11.11.11.11 and the local subnet is 192.168.200.0/24.

The NAT mapping IP address of the customer server is 22.22.22.22 and the local subnet is 192.168.222.0/24.

The ECS IP address and the customer server IP address are 192.168.200.200 and 192.168.222.222, respectively.

The negotiation parameters of the VPN connection use the default configurations defined on HUAWEI CLOUD.

Figure 1 Topology connection and policy negotiation configuration information

Configuration Procedure

This example describes the VPN configurations of two types of Openswan IPsec clients in Linux systems.

  1. Enable IPv4 forwarding.

    vim /etc/sysctl.conf
    net.ipv4.ip_forward = 1            //Add this line.
    /sbin/sysctl -p                    //Run the command to make the forwarding configuration take effect.

  2. Configure iptables.

    Run the iptables -L command to check that the firewall is disabled or that forwarded traffic is allowed. In the output below the FORWARD chain policy is ACCEPT and no rules are present, so traffic between the two subnets is not blocked.
    iptables -L
        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination 
        Chain FORWARD (policy ACCEPT)
        target     prot opt source               destination 
        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination 

  3. Configure the pre-shared key.

    vim /etc/ipsec.d/open_ipsec.secrets              //Create and edit the open_ipsec.secrets file.
    22.22.22.22 11.11.11.11 : psk "ipsec-key"

    Format: the IP address used for the connection, a space, the customer gateway IP address, a space, a colon (:), a space, the keyword psk (case insensitive), a space, and the pre-shared key. There is a space on each side of the colon, and the key is enclosed in double quotation marks.

  4. Configure the IPsec connection.

    vim /etc/ipsec.d/open_ipsec.conf             //Create and edit the open_ipsec.conf file.
    conn openswan_ipsec                          //Set the connection name to openswan_ipsec.
    authby=secret                                //Set the authentication mode to PSK.
    auto=start                                   //The value can be add, route, or start.
    ikev2=never                                  //Disable IKEv2.
    ike=aes128-sha1;modp1536                     //IKE algorithm and DH group; must match the VPN connection policy on the cloud side.
    keyexchange=ike                              //IKE key exchange mode
    ikelifetime=86400s                           //IKE (phase 1) SA lifetime
    phase2=esp                                   //Phase 2 transport protocol
    phase2alg=aes128-sha1;modp1536               //IPsec algorithm and DH group; must match the VPN connection policy on the cloud side.
    compress=no                                  //Disable compression.
    pfs=yes                                      //Enable PFS.
    salifetime=3600s                             //IPsec (phase 2) SA lifetime
    type=tunnel                                  //Enable tunnel mode.
    left=192.168.222.222                         //Local IP address. In the NAT scenario, set it to the actual server IP address.
    leftid=22.22.22.22                           //Local ID. In the NAT scenario, use the public IP address after NAT translation.
    leftsourceip=22.22.22.22                     //If the source is a private IP address, set this value to the IP address after NAT translation.
    leftsubnet=192.168.222.0/24                  //Local subnet
    leftnexthop=22.22.22.1                       //In the NAT scenario, set the value to the gateway IP address after NAT translation.
    right=11.11.11.11                            //Remote end: the VPN gateway IP address of the VPC.
    rightid=11.11.11.11                          //Remote ID (the VPN gateway IP address)
    rightsourceip=11.11.11.11                    //Set the remote source address to the VPN gateway IP address.
    rightsubnet=192.168.200.0/24                 //Remote subnet (the VPC subnet)
    rightnexthop=%defaultroute                   //Use the default route to reach the remote end.

    In a NAT traversal scenario, add forceencaps=yes to the connection if UDP encapsulation must be forced.

  5. Start the service.

    service ipsec stop                           //Stop the service.
    service ipsec start                          //Start the service.
    service ipsec restart                        //Restart the service.
    ipsec auto --down openswan_ipsec             //Bring the connection down.
    ipsec auto --up openswan_ipsec               //Bring the connection up.
    • CentOS 6.8 is required.
    • After each modification, restart the service and then bring the connection up again.

Configuration Verification

Run the ipsec auto --status command to query the IPsec status. Information (extract) similar to the following is displayed; the two lines at the end show that the ISAKMP (phase 1) SA and the IPsec (phase 2) SA are both established.
Connection list:
000  
000 "openswan_ipsec": 192.168.222.0/24===192.168.222.222<192.168.222.222>[22.22.22.22]---22.22.22.1...11.11.11.11<11.11.11.11>===192.168.200.0/24; erouted; eroute owner: #30
000 "openswan_ipsec":     oriented; my_ip=22.22.22.22; their_ip=11.11.11.11; my_updown=ipsec _updown;
000 "openswan_ipsec":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "openswan_ipsec":   our auth:secret, their auth:secret
000 "openswan_ipsec":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "openswan_ipsec":   labeled_ipsec:no;
000 "openswan_ipsec":   policy_label:unset;
000 "openswan_ipsec":   ike_life: 86400s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "openswan_ipsec":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "openswan_ipsec":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "openswan_ipsec":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "openswan_ipsec":   conn_prio: 24,24; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "openswan_ipsec":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "openswan_ipsec":   our idtype: ID_IPV4_ADDR; our id=119.3.88.8; their idtype: ID_IPV4_ADDR; their id=122.112.222.188
000 "openswan_ipsec":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "openswan_ipsec":   newest ISAKMP SA: #3; newest IPsec SA: #30;
000 "openswan_ipsec":   IKE algorithms: AES_CBC_128-HMAC_SHA1-MODP1536
000 "openswan_ipsec":   IKE algorithm newest: AES_CBC_128-HMAC_SHA1-MODP1536
000 "openswan_ipsec":   ESP algorithms: AES_CBC_128-HMAC_SHA1_96-MODP1536
000 "openswan_ipsec":   ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=MODP1536
000  
000 Total IPsec connections: loaded 1, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000  
000 #3: "openswan_ipsec":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 15087s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #30: "openswan_ipsec":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1744s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate
000 #30: "openswan_ipsec" esp.b810a24@11.11.11.11 esp.aab7b496@192.168.222.222 tun.0@11.11.11.11 tun.0@192.168.222.222 ref=0 refhim=0 Traffic: ESPin=106KB ESPout=106KB! ESPmax=4194303B
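The status output above can be checked mechanically rather than read by eye. The following shell script is an added example and is not part of this guide: check_status parses the output of ipsec auto --status and confirms that the connection carries the subnets and peer from Figure 1, that the policy reflects authby=secret, type=tunnel and pfs=yes, that both phases are established, and that the newest ESP SA uses the configured aes128-sha1; check_secrets_mode confirms that the secrets file from step 3, which holds the PSK in clear text, is readable by root only. The connection name, subnets, peer address and ESP algorithm name are assumptions taken from this page.

```shell
#!/bin/sh
# Added example (not from the guide): verify the openswan_ipsec tunnel from
# `ipsec auto --status` output and check the secrets file permissions.
CONN=openswan_ipsec               # values assumed from Figure 1 on this page
LEFT_SUBNET=192.168.222.0/24
RIGHT_SUBNET=192.168.200.0/24
PEER=11.11.11.11
ESP_ALG=AES_CBC_128-HMAC_SHA1_96  # what phase2alg=aes128-sha1 negotiates
# Trimmed copy of the status output shown above, kept inline so the checks run offline.
SAMPLE_STATUS='000 "openswan_ipsec": 192.168.222.0/24===192.168.222.222<192.168.222.222>[22.22.22.22]---22.22.22.1...11.11.11.11<11.11.11.11>===192.168.200.0/24; erouted; eroute owner: #30
000 "openswan_ipsec":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "openswan_ipsec":   ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=MODP1536
000 #3: "openswan_ipsec":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 15087s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #30: "openswan_ipsec":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1744s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate'

# check_status "<status text>": prints one line per failed check, returns 0 only if all pass.
check_status() {
    s="$1"; fail=0
    # 1. The selector line must carry the expected local subnet, peer gateway and remote subnet.
    if printf '%s\n' "$s" | grep -Fq "\"$CONN\": $LEFT_SUBNET===" &&
       printf '%s\n' "$s" | grep -Fq "...$PEER<$PEER>===$RIGHT_SUBNET;"; then
        echo "ok: subnets and peer match"
    else
        echo "FAIL: subnet or peer mismatch"; fail=1
    fi
    # 2. Policy flags that correspond to authby=secret, type=tunnel and pfs=yes in ipsec.conf.
    for flag in PSK ENCRYPT TUNNEL PFS; do
        printf '%s\n' "$s" | grep -F "\"$CONN\":" | grep -F " policy: " | grep -Eq "[ +]$flag[+;]" ||
            { echo "FAIL: policy lacks $flag"; fail=1; }
    done
    # 3. Both phases must be up for this connection: an ISAKMP (IKE) SA and an IPsec SA.
    for phase in "ISAKMP SA established" "IPsec SA established"; do
        printf '%s\n' "$s" | grep -F "\"$CONN\":" | grep -Fq "$phase" ||
            { echo "FAIL: no '$phase' state for $CONN"; fail=1; }
    done
    # 4. The newest ESP SA must use the configured algorithm, not a weaker negotiated fallback.
    printf '%s\n' "$s" | grep -F "ESP algorithm newest:" | grep -Fq "$ESP_ALG" ||
        { echo "FAIL: newest ESP SA does not use $ESP_ALG"; fail=1; }
    return $fail
}
# check_secrets_mode FILE: the PSK is stored in clear text, so the file must be root-only (0600).
check_secrets_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1")   # GNU stat, then BSD stat
    case "$mode" in 600|400) echo "ok: $1 mode $mode" ;; *) echo "FAIL: $1 mode $mode (expected 600)"; return 1 ;; esac
}
check_status "$SAMPLE_STATUS" && echo "sample status: all checks passed"
```

On a live host, replace the sample with `check_status "$(ipsec auto --status)"` and run `check_secrets_mode /etc/ipsec.d/open_ipsec.secrets`.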