Openswan on Linode

Hi,

Is it possible to run a VPN client using IPSec (Openswan?) on a Linode instance to connect to a remote VPN gateway through a shared secret? Basically I need to establish a secure VPN connection between our cloud instance (Linode in this case) and a mobile operator's network using a shared secret over IPSec.

The VPN server on the mobile operator's network is Juniper, so my questions are:

1. Is it possible to achieve this on Linode?

2. Is it as straightforward as downloading/installing Openswan, configuring ipsec.conf and ipsec.secrets, and then starting the IPSec service?

3. Can this be achieved with OpenVPN (low on preference though)?

I am in urgent need to solve this crisis as soon as possible, would really really appreciate a response on this.

Thanks a ton in advance,

Rahul

12 Replies

I've got about 8 Strongswan IPSec tunnels running on the Linode servers I manage which connect to a Sonicwall firewall at my office. I started out with Openswan, but switched to Strongswan after running into problems (I remember Openswan being very difficult to debug and the documentation was almost non-existent). I wrote a Puppet module that automates the entire process of setting up Strongswan and configuring the tunnels: https://github.com/theasci/puppet-strongswan

Here's an example configuration taken from one of my Linode servers (with IPs obfuscated):

conn office_sonicwall
  authby=secret
  type=tunnel
  esp=3des-sha1-modp1024
  ike=3des-sha1-modp1024
  ikelifetime=28800s
  keyexchange=ikev2
  lifetime=28800s
  left=xx.xx.xx.xx
  leftid=@web.node4
  leftsubnet=192.168.132.139/32
  right=xx.xx.xx.xx
  rightid=@0017C525F310
  rightsubnet=192.168.100.1/24
  forceencaps=yes
  auto=start

I spent a ton of time debugging IPSec issues (most of which were the fault of Sonicwall, which I now loathe), but after I got all the kinks worked out it's been pretty solid. I have no experience with Juniper routers.

Can we configure public IPs to send out traffic to remote nodes? The reason for asking is: does Linode NAT the IPs through different boxes? Because if that happens, then it would not be possible to run the VPN client through a public IP.

The only thing special I had to do to get the tunnel to work was set "forceencaps=yes". According to the docs, forceencaps "forces the NAT detection code to lie and tell the remote peer that RFC-3948 encapsulation (ESP in UDP port 4500 packets) is required". I'm not sure if this was necessary because of a quirk in Sonicwall or with Linode. I'm going to guess Sonicwall, since I've had quite a few problems with them.
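What forceencaps changes on the wire is where ESP ends up: instead of raw IP protocol 50, it is carried inside UDP/4500 datagrams alongside IKE, framed as RFC 3948 describes. The following Python is an added example (not masonm's or strongSwan's code) that demultiplexes UDP/4500 payloads the way a receiver or a packet inspector has to: a single 0xFF octet is a NAT keepalive, four zero bytes (the "non-ESP marker") precede an IKE message, and anything else starts with a non-zero ESP SPI. The sample packets are constructed inline, not captured traffic.

```python
"""Demultiplex UDP/4500 (IPsec NAT-T) payloads per RFC 3948.

Added example for this thread, not code from the thread's posters or from
strongSwan/Openswan. Sample packets below are constructed, not captures.
"""
import struct
from collections import Counter
from typing import Dict, Iterable

# RFC 3948 2.2: IKE inside UDP/4500 is prefixed with four zero octets.
# An ESP SPI of 0 is reserved, so the zero marker cannot be confused with ESP.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# RFC 3948 2.3: a NAT keepalive is a single 0xFF octet.
NAT_KEEPALIVE = b"\xff"
IKE_HEADER_LEN = 28  # SPIi(8) SPIr(8) next(1) ver(1) exch(1) flags(1) msgid(4) len(4)


def classify_nat_t_payload(payload: bytes) -> dict:
    """Return what a UDP/4500 payload carries: keepalive, ike, esp or unknown."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return {"kind": "ike", "error": "truncated IKE header"}
        ispi, rspi = struct.unpack(">QQ", ike[:16])
        version = ike[17]  # high nibble = major, low nibble = minor
        return {"kind": "ike", "ispi": ispi, "rspi": rspi,
                "major": version >> 4, "minor": version & 0x0F}
    if len(payload) >= 8:
        # ESP header: SPI (4 octets) followed by sequence number (4 octets);
        # everything after that is encrypted, so only these two are readable.
        spi, seq = struct.unpack(">II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "unknown"}


def summarize(payloads: Iterable[bytes]) -> Dict[str, int]:
    """Count payload kinds; handy for confirming ESP actually moved into UDP/4500."""
    return dict(Counter(classify_nat_t_payload(p)["kind"] for p in payloads))


# Constructed samples (assumed values, chosen only for illustration).
SAMPLE_ESP = struct.pack(">II", 0xC0FFEE11, 1) + b"\x00" * 16
SAMPLE_IKE = (NON_ESP_MARKER
              + struct.pack(">QQ", 0x1122334455667788, 0)
              + bytes([0x21, 0x20, 34, 0x08])        # next=SA, IKEv2.0, IKE_SA_INIT, initiator
              + struct.pack(">II", 0, IKE_HEADER_LEN))

if __name__ == "__main__":
    for p in (SAMPLE_ESP, SAMPLE_IKE, NAT_KEEPALIVE):
        print(classify_nat_t_payload(p))
    print(summarize([SAMPLE_ESP, SAMPLE_IKE, NAT_KEEPALIVE, NAT_KEEPALIVE]))
```

On UDP/500 there is no marker: the IKE header begins at the first byte, which is why both ports need to be reachable even when every data packet ends up on 4500.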

Was your traffic going out from public IP or private IP of Linode instance?

Public. Linode does use NAT unless you explicitly set it up, which I haven't.

Thanks masonm, this is great help. I am now going to open a Linode account and will try to configure the VPN client. Will bug you again if I am stuck. Thanks a ton.

@masonm:

Public. Linode does use NAT unless you explicitly set it up, which I haven't.

I suspect this was just a typo, but the above should read "does not".

@anderiv:

@masonm:

Public. Linode does use NAT unless you explicitly set it up, which I haven't.

I suspect this was just a typo, but the above should read "does not".

That it was. Thanks for the correction!

Hello again,

I downloaded Strongswan but could not get it to work; the Linode instance is not able to connect to the remote VPN gateway. I then switched to Openswan and had the same problem again. Here is my config:

conn ee-roamware
  forceencaps=yes
  authby=secret
  type=tunnel
  keyexchange=ike
  ikelifetime=1440m
  keylife=480m
  pfs=no
  auto=start
  right=xxx.xxx.xxx.xxx
  rightid=xxx.xxx.xxx.xxx
  rightsubnet=xxx.xxx.xxx.xxx/32
  left=yyy.yyy.yyy.yyy
  leftid=yyy.yyy.yyy.yyy
  ike=3des-md5!
  esp=3des-md5!
  phase2=esp

At the remote VPN gateway, the external firewalls have blocked all ping responses, and they only accept connections from public IPs that they have configured in their system. You can only ping the servers when you are inside their network, but you may not necessarily be able to transfer data if you are not accepted with the right IP.

So by looking at this config, could someone please guide me if I missed something here or configured something wrong?

Many thanks,

Rahul
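Both conn sections in this thread (masonm's strongSwan one and the Openswan one just above) propose 3DES with MD5 or SHA-1 and, where a DH group is given, 1024-bit MODP; the Openswan one also sets pfs=no. The Python below is an added example, not code from either poster or from either project: it parses ipsec.conf-style conn sections and lists what a reviewer would flag before the tunnel goes live. The sample text is a constructed subset of the two posted configs, and the set of "legacy" algorithm tokens is an assumption drawn from current hardening guidance, not something the thread itself states.

```python
"""Lint ipsec.conf-style "conn" sections for legacy algorithms and risky options.

Added example for this thread, not strongSwan/Openswan code or either poster's.
SAMPLE_CONF is a constructed subset of the two configs posted in the thread;
WEAK_TOKENS is an assumption based on current hardening guidance.
"""
import re
from typing import Dict, List

SAMPLE_CONF = """\
# constructed from the thread's two conn sections (addresses omitted)
conn office_sonicwall
  authby=secret
  type=tunnel
  esp=3des-sha1-modp1024
  ike=3des-sha1-modp1024
  keyexchange=ikev2
  forceencaps=yes
  auto=start

conn ee-roamware
  forceencaps=yes
  authby=secret
  keyexchange=ike
  pfs=no
  ike=3des-md5!
  esp=3des-md5!
  auto=start
"""

# Assumed legacy set: ciphers, hashes and DH groups most current guidance retires.
WEAK_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536", "null"}


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every 'conn' section in the text."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue                              # ignore config setup / unknown lines
        key, _, value = line.strip().partition("=")
        conns[current][key.strip()] = value.strip()
    return conns


def weak_algs(proposal: str) -> List[str]:
    """List legacy tokens in an ike=/esp= proposal such as '3des-md5!' (strict '!' stripped)."""
    found = []
    for alternative in proposal.rstrip("!").split(","):
        for token in alternative.split("-"):
            if token.lower() in WEAK_TOKENS:
                found.append(token.lower())
    return found


def lint_conn(name: str, opts: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one conn section."""
    findings = []
    for key in ("ike", "esp"):
        if key in opts:
            weak = weak_algs(opts[key])
            if weak:
                findings.append(f"{name}: {key}={opts[key]} uses legacy algorithms {sorted(set(weak))}")
    kx = opts.get("keyexchange", "ike")
    if kx != "ikev2":
        findings.append(f"{name}: keyexchange={kx} does not pin IKEv2; prefer ikev2 if the peer supports it")
    if opts.get("pfs", "yes").lower() == "no":
        findings.append(f"{name}: pfs=no disables perfect forward secrecy for the data SAs")
    if opts.get("authby") == "secret":
        findings.append(f"{name}: authby=secret (PSK); use a long random secret and keep ipsec.secrets mode 0600")
    return findings


def lint_file(text: str) -> Dict[str, List[str]]:
    """Lint every conn section and return findings keyed by conn name."""
    return {name: lint_conn(name, opts) for name, opts in parse_conns(text).items()}


if __name__ == "__main__":
    for name, findings in lint_file(SAMPLE_CONF).items():
        for line in findings or [f"{name}: no findings"]:
            print(line)
```

Run it against the real /etc/ipsec.conf by passing the file contents to lint_file; it reports the pfs=no and 3DES/MD5 lines in the Openswan config and the 3DES/SHA-1/modp1024 proposals in the strongSwan one, which is the list to negotiate with the remote gateway's owner whenever their side allows something stronger.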

@smokingfly:

At the remote vpn gateway, the external firewalls have blocked all the ping responses and they can only accept public IPs that they have configured in their system to accept connections on

Then you need to configure the gateway to accept connections from the Linode server's public IP. Specifically, you need to open UDP ports 4500 and 500. If that doesn't work, I'm going to need the following information:

* The name and model of the remote VPN gateway (I'm assuming it's a Juniper firewall/router of some sort)
* Full VPN configuration details on the remote VPN gateway
* Output of "strongswan statusall" on the Linode box
* Any relevant logs from both ends

The remote VPN gateway is already set up to accept connections from my Linode instance's public IP. The remote VPN gateway is a Juniper NetScreen.

When you mentioned opening UDP ports, did you mean opening UDP ports at the Linode end, at the remote end, or both? If it's the remote end, it would be very difficult, as the remote owners say that they have 200+ clients connected to their gateway using IPSec.

Can I PM or email you the remote VPN's config and Linode's ipsec statusall?

You PM'd me logs from Openswan. Like I said before, I stopped using Openswan because I couldn't figure out how to debug it, so I can't help you with that.
