
In this tutorial I'll guide you through configuring your Amazon EC2 instance so that you can connect to it from the Internet over an L2TP/IPsec VPN.

But first let's define some things for new Amazon users:

  • EC2 Private IP Address: The internal RFC 1918 address of an instance that is only routable within the EC2 Cloud. Network traffic originating outside the EC2 network cannot route to this IP, and must use the Public IP or Elastic IP Address mapped to the instance.
  • EC2 Public IP Address: Internet routable IP address assigned by the system for all instances. Traffic routed to the Public IP is translated via 1:1 Network Address Translation (NAT) and forwarded to the Private IP address of an instance. The mapping of a Public IP to Private IP of an instance is the default launch configuration for all instance types. Public IP Addresses are no longer usable upon instance termination.
  • EC2 Elastic IP Address: Internet routable IP address allocated to an AWS EC2 account. Similar to EC2 Public Address, 1:1 NAT is used to map Elastic IP Addresses with their associated Private IP addresses. Unlike a standard EC2 Public IP Address, Elastic IP Addresses are allocated to accounts and can be remapped to other instances when desired.
  • This config was tested with Windows clients, and because the EC2 server sits behind Amazon's 1:1 NAT they need a registry adjustment: the AssumeUDPEncapsulationContextOnSendRule DWORD value:

    1. Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
    2. Click Start, point to All Programs, click Accessories, click Run, type regedit, and then click OK. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, click Continue.
    3. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
      Note: You can also apply the AssumeUDPEncapsulationContextOnSendRule DWORD value to a Microsoft Windows XP Service Pack 2 (SP2)-based VPN client computer. To do this, locate and then click the following registry subkey instead:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
    4. On the Edit menu, point to New, and then click DWORD (32-bit) Value.
    5. Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
    6. Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
    7. In the Value Data box, type one of the following values:
      • 0
        A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
      • 1
        A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
      • 2
        A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
    8. Click OK, and then exit Registry Editor.
    9. Restart the computer.

    More on: http://support.microsoft.com/kb/926179/en-us

    Now let's move to the Amazon server configs:

    1) Install the Openswan and xl2tpd packages:

    # apt-get install openswan xl2tpd

    ipsec.conf:

    # EC2
    # /etc/ipsec.conf on the EC2 server
    # (parameters must be indented under their section; a line at column 0 starts a new section)
    version 2.0

    config setup
        nat_traversal=yes
        # We should exclude our own private address here, but it is dynamic.
        # The other end should not be behind NAT anyway; if it is (via a port forward), avoid the 10/8 range that Amazon uses.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.224.58.229/32,%v4:!192.168.2.0/24
        # Amazon kernels have no KLIPS support, so use the native NETKEY stack
        protostack=netkey
        oe=off
        nhelpers=0
        interfaces=%defaultroute

    conn EC2
        authby=secret
        pfs=no
        rekey=no
        type=tunnel
        esp=aes128-sha1
        ike=aes128-sha-modp1024
        left=%defaultroute
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnetwithin=0.0.0.0/0
        auto=add

    ipsec.secrets:

    include /var/lib/openswan/ipsec.secrets.inc
    "ELASTIC_AMAZON_IP" %any: PSK "secretkey"


    xl2tpd.conf:

    [global]

    [lns default]
    ip range = 192.168.2.2-192.168.2.254
    local ip = 192.168.2.1
    refuse chap = yes
    refuse pap = yes
    require authentication = yes
    name = openSwanVPNserver
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    length bit = yes

    options.xl2tpd:

    ipcp-accept-local
    ipcp-accept-remote
    noccp
    auth
    crtscts
    idle 1800
    mtu 1280
    mru 1280
    defaultroute
    debug
    lock
    proxyarp
    connect-delay 5000

    chap-secrets:
    # Secrets for authentication using CHAP
    # client        server  secret                  IP addresses
    "user"          *          "pass"                  192.168.2.1/25
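The comments in ipsec.conf warn that the server's own private address must be excluded from virtual_private, and the four files above only work together if the L2TP pool, the chap-secrets addresses and the secrets agree. As an added example (not part of the original tutorial), the Python script below parses copies of those four files, embedded here as constructed sample input taken from the page, and reports the inconsistencies a practitioner would want caught before starting the daemons: NAT traversal off, L2TP not bound to UDP 1701, our own address or the L2TP pool not excluded from virtual_private, a chap-secrets address outside the pool, and a PSK or CHAP secret that is still the tutorial placeholder. The instance private IP 10.224.58.229 is assumed to be the address the page excludes, and the 16-character minimum and placeholder list are my own policy, not values from the page.

```python
import ipaddress
import re
import shlex
from configparser import ConfigParser

# Constructed sample input, copied from the tutorial's files (trimmed to the keys the audit uses).
IPSEC_CONF = """\
version 2.0

config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.224.58.229/32,%v4:!192.168.2.0/24
    protostack=netkey

conn EC2
    authby=secret
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
"""

XL2TPD_CONF = """\
[global]

[lns default]
ip range = 192.168.2.2-192.168.2.254
local ip = 192.168.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
"""

CHAP_SECRETS = '''# client  server  secret  IP addresses
"user"    *       "pass"  192.168.2.1/25
'''

IPSEC_SECRETS = '"ELASTIC_AMAZON_IP" %any: PSK "secretkey"\n'

PLACEHOLDER_SECRETS = {"secretkey", "pass", "password", "changeme"}  # assumption: our own list
MIN_SECRET_LEN = 16  # assumption: our own policy, not a value from the tutorial


def parse_ipsec_conf(text):
    """Return {section: {key: value}}. Like Openswan, a line at column 0 starts a new
    section ("config setup", "conn EC2") and indented lines are its parameters."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            current = raw.strip()
            sections[current] = {}
            continue
        key, _, value = raw.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def virtual_private_networks(value):
    """Split an Openswan virtual_private string into (included, excluded) IPv4 networks."""
    included, excluded = [], []
    for item in value.split(","):
        family, _, net = item.partition(":")
        if family != "%v4":
            continue
        target = excluded if net.startswith("!") else included
        target.append(ipaddress.ip_network(net.lstrip("!")))
    return included, excluded


def weak_secret(secret):
    return secret in PLACEHOLDER_SECRETS or len(secret) < MIN_SECRET_LEN


def audit(ipsec_conf, xl2tpd_conf, chap_secrets, ipsec_secrets, instance_private_ip):
    """Return a list of findings; an empty list means the four files agree."""
    findings = []
    ipsec = parse_ipsec_conf(ipsec_conf)
    setup, conn = ipsec.get("config setup", {}), ipsec.get("conn EC2", {})

    # 1. The instance sits behind EC2's 1:1 NAT: NAT-T must be on and L2TP bound to UDP 1701.
    if setup.get("nat_traversal") != "yes":
        findings.append("nat_traversal is not set to yes")
    if conn.get("leftprotoport") != "17/1701":
        findings.append("leftprotoport is not 17/1701")

    # 2. virtual_private must exclude our own private address and the L2TP pool,
    #    otherwise the local networks overlap the "remote" ones and Openswan refuses them.
    included, excluded = virtual_private_networks(setup.get("virtual_private", ""))
    own = ipaddress.ip_address(instance_private_ip)
    if any(own in n for n in included) and not any(own in n for n in excluded):
        findings.append(f"virtual_private includes our own address {own} without excluding it")
    xl = ConfigParser(interpolation=None)
    xl.read_string(xl2tpd_conf)
    lns = xl["lns default"]
    first, _, last = lns["ip range"].partition("-")
    pool = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())))
    if not all(any(p.subnet_of(e) for e in excluded) for p in pool):
        findings.append(f"L2TP pool {lns['ip range']} is not excluded from virtual_private")

    # 3. chap-secrets: allowed client addresses must overlap the pool; secrets must not be placeholders.
    for line in chap_secrets.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        client, _server, secret, *addrs = shlex.split(line)
        for addr in addrs:
            if addr in ("*", "-"):
                continue
            net = ipaddress.ip_network(addr, strict=False)  # pppd allows a.b.c.d/n here
            if not any(net.overlaps(p) for p in pool):
                findings.append(f"{client}: address {addr} lies outside the L2TP pool")
        if weak_secret(secret):
            findings.append(f"{client}: CHAP secret is a placeholder or shorter than {MIN_SECRET_LEN} characters")

    # 4. ipsec.secrets: the PSK is all that authenticates the IPsec layer from the Internet.
    for psk in re.findall(r'PSK\s+"([^"]*)"', ipsec_secrets):
        if weak_secret(psk):
            findings.append(f"IPsec PSK is a placeholder or shorter than {MIN_SECRET_LEN} characters")
    return findings


if __name__ == "__main__":
    for finding in audit(IPSEC_CONF, XL2TPD_CONF, CHAP_SECRETS, IPSEC_SECRETS, "10.224.58.229"):
        print("FINDING:", finding)
```

Run against the page's own files the script reports only the two placeholder secrets; change the instance address to one that the virtual_private line does not exclude and the overlap finding appears first, which is the mistake the ipsec.conf comment is about.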

    On a Windows XP client, we set things up for a quick test:

    Control Panel > Network Connections > File > New connection...
    Select Connect to the network at my workplace
    Select Virtual Private Network connection
    Company Name: Your Company
    Select Do not dial the initial connection
    Host name or IP address: ELASTIC_IP
    Properties > Security > IPSec Settings > Check Use pre-shared key for authentication
    Pre-shared key: secretkey
    Properties > Network > Type of VPN: L2TP IPSec VPN
    Whether you want to allow split tunneling is up to you: Properties > Networking > TCP/IP > Properties > Advanced... > General > Uncheck Use default gateway on remote network

    Note:

    We use Hosting and VPS Hosting, from: www.star-host.org

    We like and trust them.

    Good prices, high security.