Linux IPSec Site-to-Site VPN: AWS VPC & Mikrotik Router

In this tutorial, we will use the Site-to-Site VPN scenario with the modification and one of the customer site that is using Mikrotik router, which is also acting as gateway for LAN plus the vpn gateway while from the AWS side, we are using the exact same Ubuntu Linux router.
Please review the previous tutorial before starting this tutorial, as I’ll use the previous tutorial as the base for this one.
mikto
Note: Please don’t waste your time in hacking, all these public devices and IP(s) are Temporary, I have destroyed them after finished this tutorial.
VPN Configuration on Mikrotik Site:
Open the IP->IPsec window in WinBox:
1
Create a new Proposal(if you don’t want to use the default) as follows:
2
Now, create a new policy as follows:
From the General Tab
Src Address: Mikrotik LAN 192.168.10.0/24 Subnet
Dst Address: AWS VPC 10.100.0.0/16 Private Subnet
3
From the Action Tab:
SA Src Address: MIkrotik WAN Address 102.162.166.90
SA Dst Address: AWS VPC Linux NAT Router WAN Address 54.219.146.242
Tick the Tunnel checkbox
For Proposal: Use LAN2AWSProposal or whatever proposal you have created in the first step.
4
Next, Move to the Peers tab and create a new peer by using the public address of AWS NAT Instance as Address:
5
Next, create a NAT Bypass rule, to exclude the AWS VPC Private Subnet(s) to be natted:
nat1

nat2
Placed the above created rule at the top of all other NAT rule(s) and clear the connection table from existing connection or reboot the Mikrotik.
nat3
VPN Configuration on AWS VPC:
Also allow the ICMP packet on internal subnet security group from the remote LAN for testing purpose:
6a
Edit the ipsec.conf file:
vi /etc/ipsec.conf
1
Here is the addition to the ipsec.conf file (please refer to the ipsec.conf file from previous tutorial):
conn AWS2MikrotikConnection
 left=10.100.10.10
 leftsubnets=10.100.0.0/16
 leftid=54.219.146.242
 leftsourceip=10.100.10.10
 right=102.162.166.90
 rightsubnets=192.168.10.0/24
 rightid=102.162.166.90
 pfs=no
 forceencaps=yes
 authby=secret
 auto=start
2
Edit the shared secret file:
vi /etc/ipsec.secrets
3
Mine ipsec.secrets file as an example:
4
Restart the IPSec service:
service ipsec restart
5
Verify the status of IPSec service on Ubuntu at AWS VPC:
service ipsec status
6

Note: Please don’t panic, just restart the service one more time if it didn’t come up.
Verify that the Traffic is passing through the Tunnel:
Ping from the AWS vpn gateway to the Mikrotik LAN IP:
7
Ping from AWS VPC private Subnet to Mikrotik’s LAN for verification:
8
Ping from the Local machine to the machine on VPC Private subnet:
7
8
VERY Useful Tip:
If the Tunnel didn’t come up after the configuration, just restart the server and also start the ping from your LAN host to other side LAN host.
Please Remember me in your prayers!
Enjoy  :-)

Comments

Post a Comment

Popular posts from this blog

DMASOFTLAB RADIUS MANAGER BILLING SYSTEM v 4.1 Finally Released

Image
DMASOFTLAB RADIUS MANAGER BILLING SYSTEM v 4.1 Finally Released  Filed under: Radius Manager — Tags: dmasoftlab radius manager new version , radius manager 4.1 — Waseem Anjum Meo @ 10:47 AM             5 Votes Finally DMA has released its new version for Radius Manager Billing System. Complete info can be found here. http://www.dmasoftlab.com/cont/revision   *** v 4.1.0 *** 2013-10-23 *** NEW FEATURES: ↓ -enhanced SMTP mailer with authentication and freely configurable port -SMS alert indicating the account is going to expire ** This was most DEMANDED   , Jz -support for BulkSMS HTTP->SMS gateway ** This was most DEMANDED   , Jz -alert type is selectable in user preferences (ACP / UCP) ** This was most DEMANDED   , Jz -enable traffic report per user in ACP even if global traffic report is disabled -service change is allowed for Hotspot MAC accounts -auto logout expired ACP sessions -FreeRadius 2.2.0 support -DOCSIS u
Read more

How To Configure Nano Station M2 As Access point

Image
Web Configuration Now that the hardware has been completely installed, it's time to configure the Bullet to act as a WiFi Access Point. Configuration is performed using your web browser by typing in  https://192.168.1.20 . You'll get a warning pop up stating that the device has presented an invalid SSL certificate due to the certificate being self-signed and not issued by a CA. This is normal so just hit accept/continue. You'll then need to log in with the default username and password of "ubnt". Configure the Wireless tab The first step is to configure the Wireless tab so the Bullet acts as a WiFi Access Point. Change the settings according to the below picture. Be sure to set the device up with WPA2 security and an appropriate WiFi password here. You can also use this tab to adjust the power output should you wish to cover a smaller area. The default channel bandwidth is 40MHz, but some older devices such as wireless printers and mobile phones cannot o
Read more