Openswan on Linode
Is it possible to run a VPN client using IPSec (Openswan?) on a Linode instance to connect to a remote VPN gateway through a shared secret? Basically I need to establish a secure VPN connection between our cloud instance (Linode in this case) and a mobile operator's network using a shared secret over IPSec.
The VPN server on the mobile operator's network is Juniper, so my questions are:
1. Is it possible to achieve on Linode?
2. Is it as straightforward as downloading/installing Openswan, configuring ipsec.conf and ipsec.secrets, and then starting the IPSec service?
3. Can this be achieved with OpenVPN (low on preference though)?
I am in urgent need to solve this crisis as soon as possible and would really, really appreciate a response on this.
Thanks a ton in advance,
Rahul
12 Replies
Here's an example configuration taken from one of my Linode servers (with IPs obfuscated):
conn office_sonicwall
    authby=secret
    type=tunnel
    esp=3des-sha1-modp1024
    ike=3des-sha1-modp1024
    ikelifetime=28800s
    keyexchange=ikev2
    lifetime=28800s
    left=xx.xx.xx.xx
    leftid=@web.node4
    leftsubnet=192.168.132.139/32
    right=xx.xx.xx.xx
    rightid=@0017C525F310
    rightsubnet=192.168.100.1/24
    forceencaps=yes
    auto=start
I spent a ton of time debugging IPSec issues (most of which were the fault of Sonicwall, which I now loathe), but after I got all the kinks worked out it's been pretty solid. I have no experience with Juniper routers.
@masonm:
Public. Linode does use NAT unless you explicitly set it up, which I haven't.
I suspect this was just a typo, but the above should read "does not".
@anderiv:
@masonm: Public. Linode does use NAT unless you explicitly set it up, which I haven't.
I suspect this was just a typo, but the above should read "does not".
That it was. Thanks for the correction!
I downloaded Strongswan but could not get it to work; the Linode instance is not able to connect to the remote VPN gateway. I then switched to Openswan and hit the same problem. Here is my config:
conn ee-roamware
    forceencaps=yes
    authby=secret
    type=tunnel
    keyexchange=ike
    ikelifetime=1440m
    keylife=480m
    pfs=no
    auto=start
    right=xxx.xxx.xxx.xxx
    rightid=xxx.xxx.xxx.xxx
    rightsubnet=xxx.xxx.xxx.xxx/32
    left=yyy.yyy.yyy.yyy
    leftid=yyy.yyy.yyy.yyy
    ike=3des-md5!
    esp=3des-md5!
    phase2=esp
At the remote VPN gateway, the external firewalls have blocked all ping responses, and they only accept connections from public IPs that they have configured in their system. You can only ping the servers when you are inside their network, but you may not necessarily be transferring data if you are not accepted with the right IP.
So, looking at this config, could someone please guide me on whether I missed something here or configured something wrong?
Many thanks,
Rahul
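Both conn blocks in this thread are hand-edited ipsec.conf sections, where parameter lines belong to a conn only when they are indented under its header. As an added example (not code from either poster), the Python below parses such a block and lists what a reviewer would flag on the configs shown here: 3DES/MD5 proposals and pfs=no. The sample input is constructed from the second poster's block with RFC 5737 documentation addresses, not the real endpoints.

```python
import re

# Constructed sample (not the thread's real addresses): the poster's conn block
# with ipsec.conf's required indentation and RFC 5737 documentation IPs.
SAMPLE_CONF = """\
conn ee-roamware
    authby=secret
    type=tunnel
    keyexchange=ike
    pfs=no
    auto=start
    right=203.0.113.10
    rightsubnet=203.0.113.10/32
    left=198.51.100.5
    ike=3des-md5!
    esp=3des-md5!
"""

# Proposal tokens a reviewer should flag in a newly built tunnel.
WEAK_TOKENS = {"des", "3des", "md5", "modp768", "modp1024"}

def parse_conns(text):
    """Map conn name -> {param: value}; only indented lines under a header count."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)\s*$", line)
        if header:
            current = header.group(1)
            conns[current] = {}
        elif current and line[0].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def lint_conn(params):
    """Return review findings for one conn block (empty list means clean)."""
    findings = []
    for key in ("ike", "esp", "phase2alg"):
        # Proposals look like '3des-md5!' or 'aes128-sha1;modp2048'.
        for tok in re.split(r"[-;,]", params.get(key, "").lower().rstrip("!")):
            if tok in WEAK_TOKENS:
                findings.append(f"{key}: weak algorithm '{tok}'")
    if params.get("pfs", "yes").lower() == "no":
        findings.append("pfs=no: ESP keys are not independent of the IKE SA")
    return findings
```

Run `lint_conn(parse_conns(SAMPLE_CONF)["ee-roamware"])` to see the findings for the sample; the linter does not test connectivity, so a clean result says nothing about whether the peer accepts the tunnel.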
@smokingfly:
At the remote VPN gateway, the external firewalls have blocked all ping responses, and they only accept connections from public IPs that they have configured in their system
Then you need to configure the gateway to accept connections from the Linode server's public IP. Specifically, you need to open UDP ports 4500 and 500. If that doesn't work, I'm going to need the following information:
* The name and model of the remote VPN gateway (I'm assuming it's a Juniper firewall/router of some sort)
* Full VPN configuration details on the remote VPN gateway
* Output of "strongswan statusall" on the Linode box
* Any relevant logs from both ends
When you mentioned opening UDP ports, did you mean at the Linode, at the remote end, or both? If it's remote, it would be very difficult, as the remote owners say that they have 200+ clients connected to their gateway using IPSec.
Can I PM or email you the remote VPN's config and the Linode's ipsec statusall?