AWS IPsec links

== Sydney VPC list ==
{|
!VPC name
!VPC ID
!IPv4 CIDR
!Description
!Notable hosts
|-
|nw-sydney
|vpc-0e6039446916e2d4e
|10.197.84.0/22
|CSE production
|nw-syd-cfengine-hub
|-
|nw-sydney2
|vpc-0d909b2f0f3cab97a
|10.197.92.0/24
|Network experiments
|experimental-networking-nw-sydney2 (54.253.107.94)
|-
|csgproduction
|vpc-081c8a619f02801f6
|172.17.254.0/24
|CSG production
|techdocs, cfplaypen
|-
|aws1
|vpc-044951ecd1f85d3a2
|172.16.254.0/24
|Non-CSG production
|comp6443, cs1511-request-tracker, zzen9212-pen-testing-server1, zzen9212-pen-testing-server2
|}
== Sydney AWS VPN (IPsec) list ==
{|
!AWS region
!VPN name
!VPN ID
!Description
!Customer gateway<br />(public IP / host)
!Remote CIDR<br />(AWS side)
!Type
!Tunnel 1<br />(outside IP / inside CIDR)
!Tunnel 2<br />(outside IP / inside CIDR)
!Comments
!Status
|-
|Sydney
|aws-ipsec-to-k17
|vpn-0329f8fc12afa0c09
|cserouter1
|129.94.39.21<br />cserouter1
|0.0.0.0/0
|ipsec.1
|52.63.191.33<br />169.254.187.12/30
|52.64.121.168<br />169.254.38.88/30
|All tunnel options set to defaults at AWS end
|Not in use
|-
|Sydney
|aws1
|vpn-0640a3802b05574e5
|vmfarm endpoint for testing
|129.94.242.18<br />centos7
|172.16.254.0/24<br />(aws1 VPC)
|ipsec.1
|13.238.86.95<br />169.254.52.236/30
|54.79.34.39<br />169.254.176.252/30
|All tunnel options set to defaults at AWS end
|Operating. Use as exemplar
|}
== Sydney AWS VPN (OpenVPN) list ==
Notes on the strongSwan (IPsec) tunnels:
* Although strongSwan will re-establish a connection that has dropped (because, say, a network cable was disconnected), the desired traffic may not resume flowing, because the connection needs to be rekeyed. The script <code>/etc/strongswan/aws1tunnel-poll.sh</code> regularly pings a known host in the AWS VPC/subnet and forces a rekey if the host does not reply. The host chosen must be one that is certain to stay up; otherwise a host outage looks like a tunnel outage and the rekey is forced over and over to no purpose.
** See <code>/etc/strongswan/aws1tunnel1-updown.sh</code>, which strongSwan runs to bring connections up and down and which in turn runs the above script.
** See also <code>/etc/strongswan/ipsec.conf</code>.


== aws-ipsec-to-k17 ==
Not in use. Never completed.


== aws1 ==

* <s>Connect to CSE endpoint:<br /><code>root@vmfram5 # '''ssh -l root -A site-to-site-vpn-k17-endpoint.cseunsw.tech'''</code></s>
* Connect to CSE endpoint:<br /><code>root@vmfram1 # '''ssh -l root -A centos7'''</code>
* Start strongSwan:<br /><code>root@centos7 # '''systemctl start strongswan'''</code>
* Display strongSwan status:<br /><syntaxhighlight lang="text">[root@centos7 system]# strongswan status
Security Associations (2 up, 0 connecting):
aws1tunnel2[2]: ESTABLISHED 11 minutes ago, 129.94.242.18[129.94.242.18]...54.79.34.39[54.79.34.39]
aws1tunnel2{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: f82804db_i c110cd07_o
aws1tunnel2{2}:  0.0.0.0/0 === 172.16.254.0/24
aws1tunnel1[1]: ESTABLISHED 11 minutes ago, 129.94.242.18[129.94.242.18]...13.238.86.95[13.238.86.95]
aws1tunnel1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: f0acb0c7_i c29fc1ef_o
aws1tunnel1{1}:  0.0.0.0/0 === 172.16.254.0/24
[root@centos7 system]#</syntaxhighlight>
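The procedure above (start strongSwan, then confirm that each connection shows both an ESTABLISHED IKE SA and an INSTALLED child SA) and the poll-and-rekey note further up are combined in one health-check script below. It is an added example, not the page's own <code>/etc/strongswan/aws1tunnel-poll.sh</code>: the connection names, peer addresses and the healthy status output are taken from this page, while the probe host 172.16.254.10, the failure threshold, the state file and the down/up re-establishment are assumptions.

```shell
#!/bin/sh
# Health check for the aws1 IPsec tunnels (added example; not the page's own
# /etc/strongswan/aws1tunnel-poll.sh).  Connection names, peers and the remote
# CIDR come from the `strongswan status` output on this page; PROBE_HOST,
# FAIL_LIMIT, STATE_FILE and the down/up re-establishment are assumptions.

PROBE_HOST="${PROBE_HOST:-172.16.254.10}"          # assumed: an always-up host in the aws1 VPC
CONNS="${CONNS:-aws1tunnel1 aws1tunnel2}"
FAIL_LIMIT="${FAIL_LIMIT:-3}"                       # consecutive failed probes before acting
STATE_FILE="${STATE_FILE:-/run/aws1tunnel-poll.fails}"
STATUS_CMD="${STATUS_CMD:-strongswan status}"
PING_CMD="${PING_CMD:-ping -c 1 -W 2}"              # overridable so the logic can be tested offline

# sa_state NAME   (reads `strongswan status` output on stdin)
# Prints "up" only when NAME has an ESTABLISHED IKE SA (the "NAME[n]:" line) and
# an INSTALLED child SA (the "NAME{n}:" line); anything else is "down".  An IKE
# SA with no child is the state the page warns about: strongSwan reports a
# connection, but no ESP traffic can flow until the child SA is (re)keyed.
sa_state() {
    awk -v n="$1" '
        index($1, n "[") == 1 && $2 == "ESTABLISHED" { ike = 1 }
        index($1, n "{") == 1 && $2 == "INSTALLED,"  { child = 1 }
        END { s = (ike && child) ? "up" : "down"; print s }'
}

# decide FAILS RC -> prints the new consecutive-failure count; exits 0 when a
# re-establish is due and 1 otherwise.  Pure function so the threshold logic is
# testable without a tunnel.  A single lost ping is not treated as an outage.
decide() {
    if [ "$2" -eq 0 ]; then
        echo 0
        return 1
    fi
    fails=$(($1 + 1))
    echo "$fails"
    [ "$fails" -ge "$FAIL_LIMIT" ]
}

# Tear down and bring up each connection.  A rekey of the child SA in place,
# which is what the page's own script does, could be substituted here.
reestablish() {
    for c in $CONNS; do
        strongswan down "$c"
        strongswan up "$c"
    done
}

# One poll cycle: probe the host, update the failure counter, act on threshold.
poll_once() {
    fails=$(cat "$STATE_FILE" 2>/dev/null || echo 0)
    rc=0
    $PING_CMD "$PROBE_HOST" >/dev/null 2>&1 || rc=1
    if new=$(decide "$fails" "$rc"); then
        logger -t aws1tunnel-poll "$PROBE_HOST unreachable $new times; re-establishing $CONNS"
        reestablish
        new=0
    fi
    echo "$new" > "$STATE_FILE"
}

# Constructed sample: the healthy status output shown on this page.
sample_status_ok() {
cat <<'EOF'
Security Associations (2 up, 0 connecting):
aws1tunnel2[2]: ESTABLISHED 11 minutes ago, 129.94.242.18[129.94.242.18]...54.79.34.39[54.79.34.39]
aws1tunnel2{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: f82804db_i c110cd07_o
aws1tunnel2{2}:  0.0.0.0/0 === 172.16.254.0/24
aws1tunnel1[1]: ESTABLISHED 11 minutes ago, 129.94.242.18[129.94.242.18]...13.238.86.95[13.238.86.95]
aws1tunnel1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: f0acb0c7_i c29fc1ef_o
aws1tunnel1{1}:  0.0.0.0/0 === 172.16.254.0/24
EOF
}

# Constructed sample: IKE SA came back after an outage, but no child SA yet.
sample_status_degraded() {
cat <<'EOF'
Security Associations (1 up, 0 connecting):
aws1tunnel1[3]: ESTABLISHED 2 seconds ago, 129.94.242.18[129.94.242.18]...13.238.86.95[13.238.86.95]
EOF
}

# Usage: `aws1tunnel-check.sh status` to print per-connection state,
#        `aws1tunnel-check.sh poll`   from cron (e.g. every minute) on centos7.
case "${1:-}" in
    poll)   poll_once ;;
    status) for c in $CONNS; do printf '%s %s\n' "$c" "$($STATUS_CMD | sa_state "$c")"; done ;;
esac
```

Run <code>status</code> after <code>systemctl start strongswan</code>: both connections should print <code>up</code>, matching the two ESTABLISHED/INSTALLED pairs in the output above. The <code>poll</code> mode only acts after FAIL_LIMIT consecutive failures, so a single dropped ping does not tear the tunnels down; pick the probe host as the page advises, since a probe host that is itself down will trigger the re-establish loop indefinitely.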

Latest revision as of 17:53, 1 August 2022
