I want to set up an IPsec VPN tunnel to Amazon's site-to-site VPN service. I have retrieved the VPN configuration file after setting up the service on my Amazon AWS console and have started filling in the fields on my IPFire to configure IPsec.
Remote host/IP: I specified the IP of what Amazon calls the outside IP address of the virtual private gateway
Remote subnet: I specified 0.0.0.0/0
IPsec Settings
Mode: Tunnel
Interface: None (default)
MTU: 1436
IP address/Subnet mask: I left it blank
Authentication:
Use a pre-shared key: I have specified the pre-shared key provided by Amazon
In the advanced menu:
Key exchange: IKEv1
Encryption IKE: I left the default checked
Encryption ESP: I left the default checked
Integrity IKE: I left the default checked
Integrity ESP: I left the default checked
Lifetime IKE: 8 hours
Lifetime ESP: 1 hour
Group type: I left the default checked
Dead Peer Detection:
Action: restart
Timeout: 120
Delay: 30
IKE+ESP: checked
Perfect Forward Secrecy (PFS): checked
Start action: On demand
Inactivity timeout: 15 min
The VPN shows connected but no route is created and I have no IP address associated on the IPFire GUI homepage!
It's OK now with the 1st tunnel. However, with AWS we have 2 tunnels (for redundancy). How can I connect the 2nd tunnel for redundancy?
Indeed, if I connect the 2nd tunnel, there will be a routing problem because I cannot have a route to 1 network with 2 gateways that are different (the gateway of tunnel 1 and the gateway of tunnel 2)!
How can I get my 2 IPsec tunnels to work?
Currently, if I activate both tunnels at the same time, my VPN network is not functional.
I have to choose either one or the other… it's not a very redundant process.
It is possible to connect one (or more) IPFire instances to AWS like this. You will need to set up two tunnels and establish a BGP session over them for fail-over routing.
The dynamic routing is required so that both ends of the VPNs can decide which one is the best way to route traffic and always keep it up.
AWS will give you all the details you need to set this up in the document you can download when creating the connection on the VPC console.
Thanks for your reply.
My 2 VPN tunnels are working. The problem is that I don't know how to set up the failover on IPFire (how do I activate a BGP session on IPFire?).
At the moment I activate 1 tunnel or the other one if there is a problem with 1 of the 2 tunnels, and I do this by checking 1 of the 2 tunnels in the interface.
What procedure should I apply to set up the failover automatically with IPsec?
IPsec doesn’t know failover. It provides connectivity from one place to another. You will have to have both tunnels active at the same time.
The difference is only which tunnel carries the traffic. It could even be both.
There is no way to set up BGP over the GUI. Currently, there are Bird and FRR available as dynamic routing daemons. Install one of those and set up your desired configuration with your desired failover behaviour.
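As an added example (not from this thread or the IPFire project), this is a Bird 2 configuration for the setup described in the replies above: one BGP session per AWS tunnel, with tunnel 1 preferred in both directions so that traffic only moves to tunnel 2 when session 1 drops. It assumes both tunnels run in VTI (interface) mode with inside tunnel addresses assigned; every address, ASN and prefix below is a placeholder to be replaced with the values from the AWS configuration download.

```bird
# Added example: Bird 2 config for two AWS site-to-site tunnels with BGP failover.
# All addresses and ASNs below are placeholders; take the real inside tunnel
# addresses and the Amazon ASN from the AWS configuration download.
router id 192.0.2.1;             # placeholder: a unique IPv4 address of this firewall

protocol device { }

# Install the VPC prefixes learned via BGP into the kernel routing table.
protocol kernel {
    ipv4 { export where source = RTS_BGP; };
}

# Only announce the local LAN to AWS; never leak anything else.
filter announce_lan {
    if net = 192.168.1.0/24 then accept;   # placeholder: GREEN network
    reject;
}

# Tunnel 1: preferred path. Routes learned here get a higher local preference.
protocol bgp aws_tunnel1 {
    local 169.254.10.2 as 65000;           # placeholder inside address / customer ASN
    neighbor 169.254.10.1 as 64512;        # placeholder AWS inside address / Amazon ASN
    hold time 30; keepalive time 10;       # placeholder timers; match the AWS download
    ipv4 {
        import filter { bgp_local_pref = 200; accept; };
        export filter announce_lan;
    };
}

# Tunnel 2: backup. Lower local preference inbound, AS-path prepend outbound
# so AWS also prefers tunnel 1 for return traffic until that session fails.
protocol bgp aws_tunnel2 {
    local 169.254.20.2 as 65000;
    neighbor 169.254.20.1 as 64512;
    hold time 30; keepalive time 10;
    ipv4 {
        import filter { bgp_local_pref = 100; accept; };
        export filter {
            if net = 192.168.1.0/24 then { bgp_path.prepend(65000); accept; }
            reject;
        };
    };
}
```

With both sessions established, `birdc show route` lists each VPC prefix twice and marks the tunnel 1 route as selected; when session 1 goes down, the kernel route flips to tunnel 2 without touching the IPsec GUI.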
@jon I had already seen this doc on the IPFire wiki but it was too general and didn't really explain how to set up a config with an example. It won't really help me to configure Bird.
@ms thank you for this alternative… I hadn't thought about that and it would be interesting to study this possibility if I can't do it with Bird, because connecting IPFire appliances together is something I know how to do (I currently have 3 and soon 4).
For my failover problem above, I'm going to call Team IPFire to set it up because the problem is quite complex for me to do without a HOWTO to guide me.
Also, in setting up this IPsec connection to AWS I noticed something weird from my BLUE network (WiFi). Indeed, from my WiFi network (BLUE), I can't access my web server which is at AWS (an EC2 instance with a private address in the VPC) via the IPsec VPN connection mounted on my IPFire firewall.
I should specify that from my other LAN network I have no problem; all authorized requests pass.
However, in the firewall I have set the rules allowing the HTTPS and ICMP protocols from the BLUE interface (WiFi) to the server at AWS, and this in both directions.
When I try, for example, a PING from my server at AWS, I see thanks to the tcpdump command on my IPFire firewall that the request arrives through the IPsec tunnel, but it is then not forwarded by the firewall towards the BLUE network (WiFi).
And vice versa: when I try to PING from the BLUE network (WiFi) to the server at AWS, the request arrives on the firewall but is not forwarded to the IPsec tunnel.
The firewall knows the route to my web server at AWS since I have no problem from my LAN.
I don't understand where this is blocking. Should I manually add an iptables rule? Or is there something missing in my IPsec config?
You can enable logging for those rules to find out which one is the one that is blocking more than you intend.
Otherwise I would recommend against adding your own iptables rules, because mistakes are easy to make and they will run in a different place in the firewall, which might impact other features like the IPS.