Posted on Leave a comment

Linux IPSec Site-to-Site VPN: AWS VPC & Cisco Router

In this tutorial, we will use the Site-to-Site VPN scenario with the modification and one of the customer site that is using Cisco router, which is also acting as gateway for LAN plus the vpn gateway while from the AWS side, we are using the exact same Ubuntu Linux router.

Please review the previous tutorial before starting this tutorial, as I’ll use the previous tutorial as the base for this one.

topologyNote: Please don’t waste your time in hacking, all these public devices and IP(s) are Temporary, I have destroyed them after finished this tutorial.

VPN Configuration on Cisco Site:

First step is to configure an ISAKMP Phase 1 policy:

crypto isakmp policy 1
encryption aes 128
hash sha
authentication pre-share
group 2

1

Next, we need to set the pre-shared key for authentication with the AWS peer:

crypto isakmp key $VER_SEC_PSK address 54.219.146.242

2

Next step is to create the transform set (We have named it AWSTrans), which will be used to protect the data:

crypto ipsec transform-set AWSTrans esp-aes esp-sha-hmac

3

After that we have to define the Traffic to be protected through the VPN Tunnel using the access-list:

ip access-list extended VPN-TRAFFIC
permit ip 192.168.168.0 0.0.0.255 10.100.0.0 0.0.255.255

5

Now, we need to define the Crypto Map which will connect the ISAKMP and IPSec configuration together, that we have defined above:

crypto map AWSMAP 10 ipsec-isakmp
 set peer 54.219.146.242
 set transform-set AWSTrans
 match address VPN-TRAFFIC

4

Apply the Crypto Map to the outgoing interface of the router (In our case, it is FastEthernet 0/0)

interface FastEthernet0/0
crypto map AWSMAP

7

Check the NAT access-list before proceeding:

NAT Show

Add the NAT Bypass entry inside the NAT access-list before the NAT entry, to exclude the AWS VPC Private Subnet(s) to be NAT’d:

ip access-list extended NAT-TRAFFIC
5 deny ip 192.168.168.0 0.0.0.255 10.100.0.0 0.0.255.255

6

NAT access-list after modification:

NAT after Change

VPN Configuration on AWS VPC:

Also allow the ICMP packet on internal subnet security group from the remote LAN for testing purpose:

0

Edit the ipsec.conf file:

vi /etc/ipsec.conf

Here is the addition to the ipsec.conf file (please refer to the ipsec.conf file from previous tutorial):

conn AWS2CiscoConnection
 left=10.100.10.10
 leftsubnets=10.100.0.0/16
 leftid=54.219.146.242
 leftsourceip=10.100.10.10
 right=25.109.210.75
 rightsubnets=192.168.168.0/24
 rightid=25.109.210.75
 pfs=no
 forceencaps=yes
 authby=secret
 auto=start

2

Edit the shared secret file:

vi /etc/ipsec.secrets

3

Mine ipsec.secrets file as an example:

4

Restart the IPSec Service & verify the Tunnel status on both Sides:

Restart the IPSec service on Ubuntu at AWS VPC:

service ipsec restart

6

Verify the status of IPSec service on Ubuntu at AWS VPC:

service ipsec status

5Note: Please don’t panic, just restart the service one more time if it didn’t come up.

Verify the status of IPSec Tunnel on Cisco:

show crypto isakmp sa

8

Verify that the Traffic is passing through the Tunnel:

Ping from the AWS vpn gateway to the Cisco LAN IP:

7

Ping from AWS VPC private Subnet to Cisco’s LAN for verification:

8

Ping from the Local machine to the machine on VPC Private subnet:

9

10

Posted on Leave a comment

OSPF routing between Cisco,Ubuntu,CentOS and Mikrotik Router!

Scenario:

  • Routers: 1 Ubuntu Linux with 3 nics, 1 Centos Linux with 3 nics, 1 Cisco 3640 Router with 3 FastEthernet interfaces and 1 Mikrotik Router with 2 interfaces.
  • Clients: 3 Windows Xp with 1 nic.
IP Details

All the Routers in this scenario have a default password of “zebra“.

Cisco Router:

  • fe0/0: 10.10.10.1/24
  • fe1/0:10.10.50.1 /24
  • fe2/0: Getting through DHCP

UbuntuRouter:

  • eth0: 10.10.10.2/24
  • eth1: 172.16.10.1/24
  • eth2: 10.10.100.1/24

CentOSRouter:

  • eth0: 172.16.10.2/24
  • eth1: 192.168.10.1/24
  • eth2: 10.10.150.1/24

Mikrotik Router:

  • ether1: 192.168.10.2/24
  • ether2: 10.10.200.1/24

Clients:

  • Ubuntu-Desktop: 10.10.50.50/24
  • WinXP-1: 10.10.100.50/24
  • WinXP-2: 10.10.150.50/24
  • WinXP-3: 10.10.200.50/24

Cisco Router Configuration:

UbuntuRouter Configuration:

Restart the Router!!!

CentOSRouter Configuration:

Restart the Router!!!

Mikrotik Router Configuration:

Neighbor verification from Routers:

Route verification from Routers:

Test from Clients:

Make a simple test from Ubuntu-Desktop.

Make a simple test from WinXP-1.

Make a simple test from WinXP-2.

Make a simple test from WinXP-3.

Configure NAT on Cisco Router:

This is just a bonus section, in which we will configure the NAT on Cisco router and also propagate the default route in OSPF. I connect my Cisco Router to DSL Modem and configure it so that it will take IP address through DHCP, as well as configure the inside and outside interface for NAT.

Lazy man access -list for NAT (This is not the perfect access list):

NAT Overload:

Originate the default route in OSPF:

Verify the last resort information on Cisco Router:

Check default route information on all routers :-)

Hope this will help you!