Updated on 2023-12-05 GMT+08:00

Using Openswan to Configure On- and Off-Cloud Communication

Scenarios

The VPC on the cloud has VPN gateways and VPN connections. Servers in the customer data center have the IPsec software installed to interconnect with the cloud. One-to-one NAT mapping has been configured between the customer server IP addresses and the public IP addresses on the network egress.

Topology Connection

Figure 1 shows the topology connection and policy negotiation configurations.

The VPN gateway IP address of the VPC is 11.11.11.11 and the local subnet is 192.168.200.0/24.

The NAT mapping IP address of the customer server is 22.22.22.22 and the local subnet is 192.168.222.0/24.

The ECS IP address and the customer server IP address are 192.168.200.200 and 192.168.222.222, respectively.

The negotiation parameters of the VPN connection use the default configurations defined on Huawei Cloud.

Figure 1 Topology connection and policy negotiation configuration information

Configuration Procedure

In this example, the Openswan IPsec client is installed on CentOS 6.8.

  1. Install the Openswan client.

    yum install -y openswan

  2. Enable IPv4 forwarding.

    vim /etc/sysctl.conf

    1. Add the following content to this file:
      net.ipv4.ip_forward = 1
    2. Run the /sbin/sysctl -p command for the forwarding configuration to take effect.

  3. Configure iptables.

    Run the iptables -L command to check that the firewall is disabled or that data flow forwarding is allowed, as in the output below, where the INPUT, FORWARD, and OUTPUT chains all have the ACCEPT policy.
    iptables -L
        Chain INPUT (policy ACCEPT)
        target     prot opt source               destination 
        Chain FORWARD (policy ACCEPT)
        target     prot opt source               destination 
        Chain OUTPUT (policy ACCEPT)
        target     prot opt source               destination 

  4. Configure the pre-shared key.

    vim /etc/ipsec.d/open_IPsec.secrets

    Add the following content to this file:
    22.22.22.22 11.11.11.11 : psk "IPsec-key"

    Format: IP address for connection, space, customer gateway IP address, space, colon (:), space, the keyword psk (case insensitive), space, pre-shared key. There is a space on each side of the colon, and the key is enclosed in double quotation marks.

  5. Configure the IPsec connection.

    vim /etc/ipsec.d/open_IPsec.conf

    Add the following content to this file:
    conn openswan_IPsec                 # Set the connection name to openswan_IPsec.
      type=tunnel                       # Enable the tunnel mode.
      auto=start                        # The value can be add, route, or start.
      
      left=192.168.222.222              # Set the local IP address. The value must be the actual host IP address in the NAT scenario.
      leftid=22.22.22.22                # Set the local ID.
      leftsourceip=22.22.22.22          # In the NAT scenario, enter the post-NAT public IP address.
      leftsubnet=192.168.222.0/24       # Set the local subnet.
      leftnexthop=22.22.22.1            # In the NAT scenario, enter the post-NAT gateway IP address.
      right=11.11.11.11                 # Set the VPN gateway IP address.
      rightid=11.11.11.11               # Set the ID of the VPN gateway.
      rightsourceip=11.11.11.11         # Set the VPN gateway IP address.
      rightsubnet=192.168.200.0/24      # Set the subnet of the VPN gateway.
      rightnexthop=%defaultroute        # Set the default route.
     
      authby=secret                     # Set the authentication mode to PSK.
      keyexchange=ike                   # Set the IKE key exchange mode.
      ike=aes128-sha1;modp1536          # Define the IKE algorithm and group based on the configuration of the VPN gateway.
      ikev2=never                       # Disable the IKEv2 version.
      ikelifetime=86400s                # Set the lifetime of IKE SAs.
      
      phase2=esp                        # Set the data transmission format in phase 2.
      phase2alg=aes128-sha1;modp1536    # Set the algorithm and group in the IPsec policy based on the configuration of the VPN gateway.
      pfs=yes                           # Enable PFS.
      compress=no                       # Disable compression.
      salifetime=3600s                  # Set the lifetime of SAs in phase 2.
    After the configuration is complete, run the ipsec verify command to check the configuration items. If [OK] is displayed for every item in the command output, the configuration is correct.
    ipsec verify
    Verifying installed system and configuration files
    Version check and IPsec on-path                             [OK]
    Libreswan 3.25 (netkey) on 3.10.0-957.5.1.el7.x86_64
    Checking for IPsec support in kernel                                 [OK]
     NETKEY: Testing XFRM related proc values
             ICMP default/send_redirects              [OK]
             ICMP default/accept_redirects            [OK]
             XFRM larval drop                         [OK]
    Pluto IPsec.conf syntax                           [OK]
    Two or more interfaces found, checking IP forwarding[OK]
    Checking rp_filter                                [OK]
    Checking that pluto is running                    [OK]
     Pluto listening for IKE on udp 500               [OK]
     Pluto listening for IKE/NAT-T on udp 4500        [OK]
     Pluto IPsec.secret syntax                        [OK]
    Checking 'ip' command                             [OK]
    Checking 'iptables' command                       [OK]
    Checking 'prelink' command does not interfere with FIPS[OK]
    Checking for obsolete IPsec.conf options          [OK]
    If the following information is displayed instead, the rp_filter check fails:
    Checking rp_filter                                  [ENABLED]
     /proc/sys/net/ipv4/conf/default/rp_filter          [ENABLED]
     /proc/sys/net/ipv4/conf/lo/rp_filter               [ENABLED]
     /proc/sys/net/ipv4/conf/eth0/rp_filter             [ENABLED]
     /proc/sys/net/ipv4/conf/eth1/rp_filter             [ENABLED]
     /proc/sys/net/ipv4/conf/ip_vti01/rp_filter             [ENABLED]
    To rectify the fault, run the following commands:
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/ip_vti01/rp_filter

  6. Start the service.

    service ipsec stop # Stop the service.

    service ipsec start # Start the service.

    service ipsec restart # Restart the service.

    ipsec auto --down openswan_IPsec # Disable the connection.

    ipsec auto --up openswan_IPsec # Enable the connection.

    After each modification, restart the service and bring the connection up again.
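A pre-flight script that checks what steps 2 to 5 set up (IPv4 forwarding, rp_filter, the format and permissions of the secrets file) before the service is started. This is an added example, not code from the Huawei Cloud page; the ROOT prefix argument of kernel_params_ok is a hypothetical knob so the check can also run against a constructed directory tree.

```shell
#!/bin/sh
# Pre-flight checks for the Openswan/Libreswan host configured above. Added
# example, not from the Huawei Cloud page. The ROOT argument of kernel_params_ok
# is a hypothetical prefix so the check can run against a constructed tree; on a
# real host it is "/" (the default).

# Return 0 when one secrets-file line has the shape   <ip> <ip> : psk "<key>"
# with a non-empty key, the format described in step 4; anything else fails.
secrets_line_ok() {
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9]{1,3}(\.[0-9]{1,3}){3} [0-9]{1,3}(\.[0-9]{1,3}){3} : [Pp][Ss][Kk] "[^"]+"$'
}

# Return 0 when every non-blank, non-comment line of secrets file $1 is valid.
secrets_file_ok() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while IFS= read -r line; do
        secrets_line_ok "$line" || exit 1     # exit 1 ends the pipeline subshell
    done
}

# Return 0 when the secrets file is mode 0600: the PSK is stored in clear text,
# so a group- or world-readable file hands it to every local user.
secrets_mode_ok() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Return 0 when IPv4 forwarding is on and rp_filter is 0 on every interface,
# the two items 'ipsec verify' reports as "IP forwarding" and "rp_filter".
# Values written with echo into /proc (step 5) are lost at reboot; put
# net.ipv4.conf.all.rp_filter = 0 (and per-interface) in /etc/sysctl.conf too.
kernel_params_ok() {
    root=${1:-/}
    [ "$(cat "$root/proc/sys/net/ipv4/ip_forward" 2>/dev/null)" = "1" ] || return 1
    for f in "$root"/proc/sys/net/ipv4/conf/*/rp_filter; do
        [ "$(cat "$f" 2>/dev/null)" = "0" ] || return 1
    done
}

# Run all checks on the live host:  sh preflight.sh --run
if [ "${1-}" = "--run" ]; then
    kernel_params_ok / && secrets_mode_ok /etc/ipsec.d/open_IPsec.secrets \
        && secrets_file_ok /etc/ipsec.d/open_IPsec.secrets \
        && echo "pre-flight OK" || { echo "pre-flight FAILED" >&2; exit 1; }
fi
```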

Configuration Verification

Run the ipsec --status command to query the IPsec status. An extract of the output similar to the following is displayed.
Connection list:
000  
000 "openswan_IPsec": 192.168.222.0/24===192.168.222.222<192.168.222.222>[22.22.22.22]---22.22.22.1...11.11.11.11<11.11.11.11>===192.168.200.0/24; erouted; eroute owner: #30
000 "openswan_IPsec":     oriented; my_ip=22.22.22.22; their_ip=11.11.11.11; my_updown=IPsec _updown;
000 "openswan_IPsec":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "openswan_IPsec":   our auth:secret, their auth:secret
000 "openswan_IPsec":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "openswan_IPsec":   labeled_IPsec:no;
000 "openswan_IPsec":   policy_label:unset;
000 "openswan_IPsec":   ike_life: 86400s; IPsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "openswan_IPsec":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "openswan_IPsec":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "openswan_IPsec":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "openswan_IPsec":   conn_prio: 24,24; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "openswan_IPsec":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "openswan_IPsec":   our idtype: ID_IPV4_ADDR; our id=1.1.1.1; their idtype: ID_IPV4_ADDR; their id=2.2.2.2
000 "openswan_IPsec":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "openswan_IPsec":   newest ISAKMP SA: #3; newest IPsec SA: #30;
000 "openswan_IPsec":   IKE algorithms: AES_CBC_128-HMAC_SHA1-MODP1536
000 "openswan_IPsec":   IKE algorithm newest: AES_CBC_128-HMAC_SHA1-MODP1536
000 "openswan_IPsec":   ESP algorithms: AES_CBC_128-HMAC_SHA1_96-MODP1536
000 "openswan_IPsec":   ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=MODP1536
000  
000 Total IPsec connections: loaded 1, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000  
000 #3: "openswan_IPsec":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 15087s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #30: "openswan_IPsec":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1744s; newest IPsec; eroute owner; isakmp#3; idle; import:admin initiate
000 #30: "openswan_IPsec" esp.b810a24@11.11.11.11 esp.aab7b496@192.168.222.222 tun.0@11.11.11.11 tun.0@192.168.222.222 ref=0 refhim=0 Traffic: ESPin=106KB ESPout=106KB! ESPmax=4194303B
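A small parser for the ipsec --status output above, as an added example that is not part of the Huawei Cloud page: it tells whether only phase 1 or both phases are up for a named connection, extracts the negotiated ESP algorithm for comparison with phase2alg, and checks the policy flags. The embedded status extract is constructed in the same format as the output shown.

```shell
#!/bin/sh
# Reads 'ipsec --status' output from stdin and answers the questions a
# practitioner asks of it after step 6. Added example, not code from the
# Huawei Cloud page; the connection name is passed as $1.

# Print "up" when an IPsec (phase 2) SA is established for connection $1,
# "ike-only" when only the ISAKMP (phase 1) SA is, which usually means the
# phase-2 proposal (phase2alg/pfs) does not match the VPN gateway, else "down".
conn_state() {
    status=$(cat)
    if printf '%s\n' "$status" | grep -q "\"$1\".*IPsec SA established"; then
        echo up
    elif printf '%s\n' "$status" | grep -q "\"$1\".*ISAKMP SA established"; then
        echo ike-only
    else
        echo down
    fi
}

# Print the negotiated ESP algorithm for connection $1 (e.g. AES_CBC_128-HMAC_SHA1_96)
# so it can be compared with the phase2alg line of open_IPsec.conf.
esp_newest() {
    sed -n "s/^000 \"$1\": *ESP algorithm newest: \([^;]*\);.*/\1/p"
}

# Return 0 when the policy line of connection $1 carries flag $2 (PFS, TUNNEL, ...).
policy_has() {
    grep -q "^000 \"$1\": *policy: .*[ +]$2[+;]"
}

# Constructed extract in the format shown on the page (not a real capture).
SAMPLE='000 "openswan_IPsec":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW;
000 "openswan_IPsec":   ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=MODP1536
000 #3: "openswan_IPsec":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); newest ISAKMP
000 #30: "openswan_IPsec":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); newest IPsec'

# On the live host replace the sample with:  ipsec --status | conn_state openswan_IPsec
printf '%s\n' "$SAMPLE" | conn_state openswan_IPsec        # prints: up
printf '%s\n' "$SAMPLE" | esp_newest openswan_IPsec        # prints: AES_CBC_128-HMAC_SHA1_96
printf '%s\n' "$SAMPLE" | policy_has openswan_IPsec PFS && echo "PFS on"
```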