Sunday, September 12, 2010

Amazon EC2 IPsec tunnel to Cisco IOS router

Amazon recently introduced a new EC2 "micro" instance:  613MB of memory and a burstable ~2GHz slice of a single processor core for as little as $0.007 per hour.  Cheap!

So, I spun one up and started playing with it.

The first thing I wanted to do was get an IPsec tunnel to my home edge router working.  It turned out to be trickier than I'd expected.  Here's the whole process:

Launch an Instance
  • Click the "Launch Instance" button
  • Choose "Basic Fedora Core 8"
  • Set "Micro" instance type
  • Download a new SSH key (or use an existing one)
  • Configure a security group (this is the firewall service) like this:
Configure OpenSwan on the EC2 Instance
  • Connect to the instance using the directions found here.
  • Install IPsec packages:
yum -y update
yum -y install openswan openswan-doc ipsec-tools bind
  • Set some variables that will be useful later:
# The private IP address assigned to your EC2 instance.
EC2PRIVATE=`ifconfig eth0|grep Bcast|cut -d: -f 2|cut -d\  -f 1`

# The public IP address assigned to your EC2 instance.
EC2PUBLIC=`ec2-public-ip`

# The public IP address of the home router
HOMEPUBLIC=1.2.3.4

# The private address space in use at home
HOMEPRIVATENET=192.168.0.0/16

# A secret key, created here using dns-keygen
PSK=`dns-keygen`

  • Configure the 'home' openswan connection.  The leading whitespace is important here.
echo "conn home" > /etc/ipsec.d/home.conf
echo "  left=%defaultroute" >> /etc/ipsec.d/home.conf
echo "  leftsubnet=$EC2PRIVATE/32" >> /etc/ipsec.d/home.conf
echo "  leftid=$EC2PUBLIC" >> /etc/ipsec.d/home.conf
echo "  right=$HOMEPUBLIC" >> /etc/ipsec.d/home.conf
echo "  rightid=$HOMEPUBLIC" >> /etc/ipsec.d/home.conf
echo "  rightsubnet=$HOMEPRIVATENET" >> /etc/ipsec.d/home.conf
echo "  authby=secret" >> /etc/ipsec.d/home.conf
echo "  ike=aes128-sha1-modp1024" >> /etc/ipsec.d/home.conf
echo "  esp=aes128-sha1" >> /etc/ipsec.d/home.conf
echo "  pfs=yes" >> /etc/ipsec.d/home.conf
echo "  forceencaps=yes" >> /etc/ipsec.d/home.conf
echo "  auto=start" >> /etc/ipsec.d/home.conf
chmod 600 /etc/ipsec.d/home.conf

  • Configure the 'home' preshared key:
echo "$EC2PUBLIC $HOMEPUBLIC: PSK \"$PSK\"" > /etc/ipsec.d/home.secrets
chmod 600 /etc/ipsec.d/home.secrets

Configure the IOS end of the tunnel
The variables collected above appear as bare placeholders (PSK, EC2PUBLIC, EC2PRIVATE) in the configuration below.  When you need to substitute one of them into the IOS configuration, pop back into your Amazon shell window and echo the variable out.  Like this:
echo $PSK
echo $EC2PUBLIC
Here's the IOS configuration I'm using:
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key PSK address EC2PUBLIC no-xauth
crypto ipsec security-association lifetime seconds 1800
ip access-list extended AMAZON-CRYPTO-ACL
 permit ip any host EC2PRIVATE
crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-aes esp-sha-hmac

crypto map INTERNET-CRYPTO 10 ipsec-isakmp
 description Amazon EC2 instance
 set peer EC2PUBLIC
 set transform-set AMAZON-TRANSFORM-SET
 set pfs group2
 match address AMAZON-CRYPTO-ACL
interface INTERNET-FACING-IF
 crypto map INTERNET-CRYPTO

Start openswan on the EC2 instance
The following commands enable the ipsec service at boot, and then start it manually for this session:
chkconfig ipsec on
service ipsec start
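
The configuration above is built by hand on both ends, with the PSK and addresses copied out of `echo $PSK` into the IOS console. The script below is an added example (not code from the original post, nor from Openswan or Cisco) that renders both sides from one set of variables, validates the addresses and the PSK before writing anything, and checks `ipsec auto --status` output for an established SA. Every function name in it (valid_ipv4, valid_cidr, render_home_conf, render_home_secrets, render_ios_config, sa_established) is this example's own; the sample status text is constructed, not captured from a real host. The algorithm choices are reproduced verbatim from the post: modp1024 (IKE group 2) and SHA-1 are what Openswan and IOS negotiated in 2010 and would be swapped for a larger DH group and SHA-2 on current software, which is a one-line change in each renderer.

```shell
#!/bin/sh
# Added example, not code from the original post: render both ends of the
# tunnel from one set of variables so the PSK and addresses are substituted
# once. All function names are this example's own; only the file formats
# (Openswan conn/secrets syntax, IOS CLI) come from the post.

# 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    addr=$1 count=0
    while [ -n "$addr" ]; do
        octet=${addr%%.*}
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] 2>/dev/null || return 1
        count=$((count + 1))
        [ "$addr" = "$octet" ] && break      # no dot left: last octet
        addr=${addr#*.}
    done
    [ "$count" -eq 4 ]
}

# 0 if $1 is an IPv4 prefix in a.b.c.d/n form with n in 0..32.
valid_cidr() {
    net=${1%/*}; bits=${1#*/}
    [ "$net" != "$1" ] || return 1            # no slash at all
    valid_ipv4 "$net" || return 1
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ]
}

# Print /etc/ipsec.d/home.conf for <ec2private> <ec2public> <homepublic>
# <homeprivatenet>. The two-space indent on every option is preserved by the
# heredoc because Openswan requires it.
render_home_conf() {
    valid_ipv4 "$1" && valid_ipv4 "$2" && valid_ipv4 "$3" && valid_cidr "$4" || return 1
    cat <<EOF
conn home
  left=%defaultroute
  leftsubnet=$1/32
  leftid=$2
  right=$3
  rightid=$3
  rightsubnet=$4
  authby=secret
  ike=aes128-sha1-modp1024
  esp=aes128-sha1
  pfs=yes
  forceencaps=yes
  auto=start
EOF
}

# Print the home.secrets line '<leftid> <rightid>: PSK "<key>"'. A double
# quote inside the key would end the quoted string early, so refuse it.
render_home_secrets() {
    case $3 in *\"*|'') return 1 ;; esac
    printf '%s %s: PSK "%s"\n' "$1" "$2" "$3"
}

# Print the IOS side for <psk> <ec2public> <ec2private>. The interface name
# stays a placeholder because it is router-specific.
render_ios_config() {
    valid_ipv4 "$2" && valid_ipv4 "$3" || return 1
    cat <<EOF
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key $1 address $2 no-xauth
crypto ipsec security-association lifetime seconds 1800
ip access-list extended AMAZON-CRYPTO-ACL
 permit ip any host $3
crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-aes esp-sha-hmac
crypto map INTERNET-CRYPTO 10 ipsec-isakmp
 description Amazon EC2 instance
 set peer $2
 set transform-set AMAZON-TRANSFORM-SET
 set pfs group2
 match address AMAZON-CRYPTO-ACL
interface INTERNET-FACING-IF
 crypto map INTERNET-CRYPTO
EOF
}

# 0 if the 'ipsec auto --status' text on stdin reports an established IPsec
# SA for connection $1 (Openswan prints '"<conn>" ... IPsec SA established').
sa_established() {
    grep -q "\"$1\".*IPsec SA established"
}

# Constructed sample of status output (shape only, not a real capture).
SAMPLE_STATUS='000 "home": 10.1.2.3/32===10.1.2.3[203.0.113.10]...198.51.100.7===192.168.0.0/16; erouted
000 #2: "home":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1207s; newest IPSEC
000 #1: "home":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2591s; newest ISAKMP'

# Usage: sh render.sh EC2PRIVATE EC2PUBLIC HOMEPUBLIC HOMEPRIVATENET PSK OUTDIR
# Writes home.conf and home.secrets into OUTDIR and prints the IOS side.
if [ "$#" -eq 6 ]; then
    render_home_conf "$1" "$2" "$3" "$4" > "$6/home.conf" || exit 1
    render_home_secrets "$2" "$3" "$5" > "$6/home.secrets" || exit 1
    chmod 600 "$6/home.conf" "$6/home.secrets"
    render_ios_config "$5" "$2" "$1"
fi
```

Run it with the six arguments and the variables from the post (`$EC2PRIVATE $EC2PUBLIC $HOMEPUBLIC $HOMEPRIVATENET $PSK /etc/ipsec.d`); the IOS text it prints is pasted into the router as-is, which removes the manual substitution step. After `service ipsec start`, `ipsec auto --status | sa_established home` confirms the tunnel is up before you rely on the ping test.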
That's it!  Now I can ping the private ($EC2PRIVATE) address of the EC2 instance from one of my internal machines at home.  This works in my environment because the 10.x.x.x address assigned by Amazon happens to fall within the default route in use by my home gateway.  You may need to add a static route if you're pushing the 10/8 block elsewhere in your environment.

Being able to talk securely to the private address is preferable to using the public one because of applications (SIP, FTP) that embed IP address information into their application payload.  These don't NAT well, and now they don't have to.

If you want to be able to talk securely to the public address of an EC2 instance, that can probably be done with a dummy interface on the EC2 end.  I'll work on that later.
