
Setting up OpenSWAN for Site-to-Site VPN - Ubuntu 12.04 and Cisco ASA 5520

I recently had to set up OpenSWAN on Ubuntu as one end of a site-to-site VPN with a Cisco ASA 5520. There are a few resources I used to get there. They were hard to find, so I'm keeping track of them for myself and in the hope that it helps someone else.

My requirements were:

  • local ike peer IP address: 89.76.54.321
  • remote ike peer IP address: 123.45.67.89
  • remote: also want all addresses in 123.45.67.0/24 to be addressable

  • Authentication: pre shared key

  • Encryption Scheme IKE
  • Diffie Hellman Group: Group 2
  • Encryption Algorithm: AES-256
  • Hashing Algorithm: SHA1
  • IKE Negotiation Mode: Main mode
  • Lifetime (for renegotiation): 480 minutes

  • Phase 2 Encapsulation: ESP

  • Phase 2 Encryption Algorithm: AES-256
  • Phase 2 Hashing Algorithm: SHA1
  • Perfect Forward Secrecy: No PFS
  • Lifetime (for renegotiation): 480m

And here is roughly what my /etc/ipsec.d/connection.conf looks like (the parameter lines inside a conn section must be indented, and the pre-shared key itself goes in /etc/ipsec.secrets, indexed by the two peer addresses):


conn i2c
        authby=secret
        # site-to-site with a subnet on the far side needs tunnel mode;
        # transport mode only carries traffic between the two peer hosts
        type=tunnel
        keyexchange=ike
        # Phase 1 lifetime (480 minutes, from the requirements above)
        ikelifetime=480m
        # Phase 2 lifetime (480 minutes, from the requirements above)
        keylife=480m
        # Phase 1: AES-256, SHA1, DH group 2; the trailing "!" makes this the only proposal offered
        ike=aes256-sha1;modp1024!
        phase2=esp
        # Phase 2: AES-256, SHA1; no DH group here because PFS is off
        phase2alg=aes256-sha1
        pfs=no
        auto=start
        # main mode, not aggressive mode
        aggrmode=no
        left=89.76.54.321
        leftsubnet=89.76.54.321/32
        leftnexthop=%defaultroute
        right=123.45.67.89
        # the network address of the far side, not the peer address
        rightsubnet=123.45.67.0/24

We had a few situations where the VPN connection would die. Our website would make calls over it and get timeouts, and when I tried to ping or telnet across it those would time out too. The first two times it happened I called our partner and asked if there was a problem on their end, assuming their server was down. In fact their server was up, and restarting ipsec fixed the issue. I looked in the various log files (as suggested by the jameskyle.org article) but didn't find a "smoking gun" for what caused the hiccup. So we started a Jenkins job that pings an IP on the far side of the VPN connection; if the ping fails, the job restarts ipsec. Here's that script. Yes, it gives jenkins sudo to restart that service. I'm not sure of a better way to do that automatically, but would love to hear about them!

#!/bin/bash

# Exit immediately on uninitialized variable or error, and print each command.
set -uex

# if ping loses any packets (the summary line only reads "..., 0% packet loss, ..." on success)
LINES=$(ping -w 4 -c 1 123.45.67.99 | grep ", 0% packet loss," | wc -l)
if [ "$LINES" -ne 1 ]; then
  # run the ping through awk to hide the nonzero exit code so set -e doesn't stop us before the restart
  echo "let's see the ping data"
  ping -w 4 -c 1 123.45.67.99 | awk '{print $0}'
  # now restart ipsec
  echo "RESTARTING IPSEC"
  sudo service ipsec restart
  # a nonzero exit tells jenkins it's a fail so jenkins mails us
  exit 1
else
  # log the reply line with a timestamp so the round-trip times can be looked at later
  ping -w 4 -c 1 123.45.67.99 | grep "^64 bytes from" | awk -v d="$(date)" '{print d, $0}' >> timer_combined.txt
fi

One thing I decided to do with this script is to log the ping data to timer_combined.txt so that we can someday look at whether the VPN connection ever slows down. I set this up two months ago and we still haven't looked at that data :)
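Two things the setup above leaves open are how to confirm that Openswan itself considers the tunnel up (both the phase 1 ISAKMP SA and the phase 2 IPsec SA for the conn), and how to recover without restarting the whole ipsec service, which drops every other tunnel on the host. The script below is an added example, not from the original post: it parses `ipsec auto --status` for the conn name, falls back to the ping check, restarts only that conn with `ipsec auto --down` and `--up`, and logs the round-trip time. The conn name i2c and the far-side host 123.45.67.99 come from the post; the status and ping text embedded in it are constructed samples modelled on Openswan 2.6 and iputils output, not captured from the author's hosts, so the parsers can be exercised offline.

```shell
#!/bin/bash
# Added example, not from the original post: a watchdog for the Openswan
# side of the i2c tunnel.  It asks pluto whether the phase 1 and phase 2
# SAs exist before pinging, and restarts only this conn on failure.
# Assumed: Openswan 2.6 on Ubuntu 12.04, conn name "i2c" and far-side
# host 123.45.67.99 as in the post; run as "watchdog.sh --run" from Jenkins.
set -u

CONN=i2c
FAR_SIDE=123.45.67.99
LOG=timer_combined.txt

# Constructed samples, modelled on `ipsec auto --status` and iputils ping
# output (not captured from the author's hosts), so the parsers below can
# be exercised offline.
SAMPLE_STATUS_UP='000 #2: "i2c":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27800s; newest IPSEC; eroute owner; isakmp#1; idle
000 #1: "i2c":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 28000s; newest ISAKMP; idle'
# Phase 1 still up but the ESP SA is gone: pluto is running, yet no
# traffic crosses the tunnel.  This is the state a service restart "fixes".
SAMPLE_STATUS_HALF='000 #1: "i2c":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 28000s; newest ISAKMP; idle'
SAMPLE_PING_OK='PING 123.45.67.99 (123.45.67.99) 56(84) bytes of data.
64 bytes from 123.45.67.99: icmp_req=1 ttl=64 time=0.812 ms

--- 123.45.67.99 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.812/0.812/0.812/0.000 ms'
SAMPLE_PING_LOST='PING 123.45.67.99 (123.45.67.99) 56(84) bytes of data.

--- 123.45.67.99 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms'

# sa_established STATUS CONN: succeed only if STATUS (the text of
# `ipsec auto --status`) shows both SAs for CONN as established.
sa_established() {
    local status=$1 conn=$2
    printf '%s\n' "$status" | grep -q "\"$conn\".*ISAKMP SA established" &&
    printf '%s\n' "$status" | grep -q "\"$conn\".*IPsec SA established"
}

# ping_rtt PINGOUT: print the round-trip time in ms from one-packet ping
# output; fail (and print nothing) when there was no reply line.
ping_rtt() {
    printf '%s\n' "$1" | sed -n 's/^64 bytes from .*time=\([0-9.]*\) ms.*/\1/p' | grep .
}

# restart_conn CONN: renegotiate just this connection.  "service ipsec
# restart" would also tear down every other tunnel on the host.
restart_conn() {
    sudo ipsec auto --down "$1"
    sudo ipsec auto --up "$1"
}

watchdog() {
    local status out rtt
    status=$(sudo ipsec auto --status 2>/dev/null || true)
    if ! sa_established "$status" "$CONN"; then
        echo "no established SA pair for $CONN; restarting it"
        restart_conn "$CONN"
        exit 1            # nonzero so Jenkins marks the build failed and mails
    fi
    out=$(ping -w 4 -c 1 "$FAR_SIDE" 2>&1 || true)
    if rtt=$(ping_rtt "$out"); then
        echo "$(date '+%Y-%m-%dT%H:%M:%S%z') $FAR_SIDE $rtt" >> "$LOG"
    else
        echo "SAs established but no reply from $FAR_SIDE; restarting $CONN"
        printf '%s\n' "$out"
        restart_conn "$CONN"
        exit 1
    fi
}

if [ "${1:-}" = "--run" ]; then
    watchdog
else
    # Without --run, just exercise the parsers on the constructed samples.
    sa_established "$SAMPLE_STATUS_UP" "$CONN" && echo "sample 1: both SAs established"
    sa_established "$SAMPLE_STATUS_HALF" "$CONN" || echo "sample 2: phase 2 missing, would restart $CONN"
    echo "sample ping rtt: $(ping_rtt "$SAMPLE_PING_OK") ms"
fi
```

Run it as `watchdog.sh --run` from the Jenkins job; without the flag it only runs the parsers over the samples. The sudo grant can be limited to the three commands the script actually needs, e.g. `jenkins ALL=(root) NOPASSWD: /usr/sbin/ipsec auto --status, /usr/sbin/ipsec auto --down i2c, /usr/sbin/ipsec auto --up i2c` in sudoers, which is tighter than letting the jenkins user restart the service. Openswan can also do the liveness check itself with dead peer detection (dpddelay=, dpdtimeout= and dpdaction=restart in the conn; the ASA supports DPD too), in which case an external watchdog only has to cover the case where both SAs look established but traffic still does not flow.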


Comments

review config

Hey Greg:

I am trying to setup a VPN tunnel between an Xroads Networks UBM20 (uses OpenSwan for IPSEC) and a Cisco ASA 5520 running 9.1(4) code. I would like to know if my config is correct from a syntax standpoint or if something else needs to be added.

On the ASA we are using PFS, DH group 2 and aes-128-sha.

I have heard that semi-colons and dashes can be an issue.

config setup
        nat_traversal=yes
        nhelpers=0
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn CITNetbackup
        type=tunnel
        authby=secret
        left=64.132.140.78
        leftnexthop=%defaultroute
        leftsubnet=192.168.2.0/24
        # leftid is a single identity, not a prefix (the original had 64.132.140.78/30)
        leftid=64.132.140.78
        right=my ASA IP *** excluded for security ***
        rightsubnet= my local subnet behind the ASA *** excluded for security ***
        ike=aes128-sha1;modp1024
        phase2=esp
        phase2alg=aes128-sha1;modp1024
        keyexchange=ike
        ikelifetime=1440m
        keylife=480m
        pfs=yes
        aggrmode=no
        auto=start

Also, here is my PSK syntax (the /etc/ipsec.secrets line, with the colon as its own token as in the documented format):

64.132.140.78 24.199.199.26 : PSK "ya6terecHeprEhuhebedrupramuc6asp"