How to achieve high availability active/passive on aws


#1

Hello Gurus,

I am a total newbie, sorry if this was discussed already. I am looking for a solution. We have an infrastructure hosted on aws and it is connected to various partners. Basically we have 5 connections with openswan (Ubuntu). I am looking for:

- a robust and actively developed software VPN solution
- a solution which supports active/passive high availability on aws, where the primary could be in availability zone A and its backup in availability zone B on standby, ready to step in should anything happen to the primary/active
- a solution that supports routing of public IP through the VPN (some partners won’t allow a private IP as encryption domain, only a public one. VyOS should know how to forward the packet to the correct destination, translating public IP to internal IP)
- a solution that exposes an API for remote interaction should we auto restart a tunnel

Before I dive in I wanted to find out if all listed above is possible with VyOS in aws. I kept saying AWS because I did a similar search with OpenVPN and the active/passive scenario wasn’t possible because AWS doesn’t allow ucarp traffic.

Best Regards,


#2

Hello,
You may need to provide more details as not all is clear.
Some of this is possible, about other points I’m not sure.


#3

Hello Syncer,

Thanks a lot for replying. I really appreciate it. Let me provide more clarification

- a robust and actively developed software VPN solution
  [This I already know based on activity on this forum]
- a solution which supports active/passive high availability on aws, where the primary could be in availability zone A and its backup in availability zone B on standby, ready to step in should anything happen to the primary/active
  [Assuming I set up VyOS on aws, I am thinking of having 2 instances running, where one is primary and in use for VPN tunneling to the partners’ infrastructure, while the other is waiting for the primary to go down to step in. Both are obviously syncing configuration, or I would have to manually make sure they are identical in terms of configuration. That’s a high level scenario]
- a solution that supports routing of public IP through the VPN (some partners won’t allow a private IP as encryption domain, only a public one. VyOS should know how to forward the packet to the correct destination, translating public IP to internal IP)
  [Some partners, instead of allowing the encryption domain to be a local IP 192.x.x.x, 172.x.x.x, 10.x.x.x, would use public IPs as encryption domain, i.e. 80.x.x.x, 196.x.x.x. For example my encryption domain is 10.10.1.20 with EIP 52.x.x.x and 10.10.20.30 with EIP 54.x.x.x; my partner’s encryption domain is 172.20.0.10 with IP 80.x.x.x. So to send a packet to the partner it has to come from EIP 52.x.x.x or 54.x.x.x, and vice versa: if a packet comes from 80.x.x.x to 52.x.x.x it has to be routed to 10.10.1.20]
- a solution that exposes an API for remote interaction should we auto restart a tunnel
  [Basically, I need a way to monitor a tunnel and refresh/restart it]

Best Regards,


#4

For the HA described by you, you will likely need to use BGP.
For public IPs as ED I think it’s possible via dummy/loopback interfaces.
For automation you can use Ansible (it supports VyOS), or we have a python library.


#5

Hello Syncer,

Thanks for the feedback. I would be grateful if you could post some vyos specific resources so I start playing with it on aws.

Best Regards,


#6

wiki.vyos.net


#7

Agree with Syncer… you can use BGP with secure GRE tunnels or VTI. We have done the automation of building such links with BGP and GRE tunnels etc., as well as integration with AWS and Azure, using our netorc platform. You can check it out for free as it’s on trial at www.wanclouds.net

regards

Faiz

faiz@wanclouds.net


#8

Hello All,

Thanks for your help and for pointing me in the right direction. I have started my adoption of VyOS for VPN purposes and I must say I love it. I have also been able to create some posts about it on my blog mycodingpains.com

That’s for basic usage. Today I am trying out the scenario of using it with the local prefix being a public IP, but it actually seems not to be working well. Below is my config:

[code]vyos@VyOS-AMI# show vpn
ipsec {
    ike-group IKE-AES2562SHA {
        lifetime 86400
        proposal 1 {
            encryption aes256
            hash sha1
        }
    }
    esp-group ESP-AES256SHA {
        lifetime 28800
        proposal 1 {
            encryption aes256
            hash sha1
        }
    }
    ipsec-interfaces {
        interface eth0
    }
    nat-traversal enable
    site-to-site {
        peer 154.c.b.a {
            authentication {
                mode pre-shared-secret
                pre-shared-secret 
            }
            default-esp-group ESP-AES256SHA
            ike-group IKE-AES2562SHA
            local-address 10.10.0.16
            tunnel 1 {
                local {
                    prefix 13.a.b.c/32
                }
                remote {
                    prefix 172.25.d.e/32
                }
            }
            tunnel 2 {
                local {
                    prefix 13.a.b.c/32
                }
                remote {
                    prefix 172.25.d.f/32
                }
            }
            tunnel 3 {
                local {
                    prefix 13.a.b.c/32
                }
                remote {
                    prefix 172.25.d.g/32
                }
            }
            tunnel 4 {
                local {
                    prefix 13.a.b.c/32
                }
                remote {
                    prefix 172.25.d.h/32
                }
            }
        }
    }
}

dummy dum0 {
    address 13.a.b.c/32
}
ethernet eth0 {
    address dhcp
    duplex auto
    hw-id 02:c3:8f:2d:01:e1
    smp_affinity auto
    speed auto
}
loopback lo {
}[/code]

This VyOS is on AWS and the setup is very similar to the one mentioned on my blog. I am not too sure why I am getting the following error. I am aware that I need to create an SNAT and a DNAT, but I am sure that’s not related to the tunnel coming up in the first place.

[code]Jul 18 15:24:50 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-1" #4025: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #4020 {using isakmp#4024}
Jul 18 15:24:50 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-2" #4026: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #4021 {using isakmp#4024}
Jul 18 15:24:50 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-3" #4027: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #4022 {using isakmp#4024}
Jul 18 15:24:50 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4028: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#4024}
Jul 18 15:24:50 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4024: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jul 18 15:24:50 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4024: received Delete SA payload: deleting ISAKMP State #4024
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4028: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4028: starting keying attempt 2 of an unlimited number
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: initiating Main Mode
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-3" #4027: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-3" #4027: starting keying attempt 45 of an unlimited number
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-2" #4026: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-2" #4026: starting keying attempt 67 of an unlimited number
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-1" #4025: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-1" #4025: starting keying attempt 68 of an unlimited number
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: received Vendor ID payload [RFC 3947]
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: enabling possible NAT-traversal with method 3
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: ignoring Vendor ID payload [Cisco-Unity]
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: received Vendor ID payload [XAUTH]
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: ignoring Vendor ID payload [e37cf42cb1852f6bb990b18a166c0fe0]
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: NAT-Traversal: Result using RFC 3947: i am NATed
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: received Vendor ID payload [Dead Peer Detection]
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: Peer ID is ID_IPV4_ADDR: '154.c.b.a'
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: ISAKMP SA established[/code]
I can’t seem to see where the problem is coming from. I am still a newbie, so a little enlightenment will be brutally beneficial :smiley: . Lol, I promise I will write a blog about this one too.

Best Regards
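An added example, not from this thread or from VyOS: a small Python parser for pluto log lines like the ones quoted above, which separates phase 1 (ISAKMP) state from phase 2 (Quick Mode) state per connection and flags connections stuck in Quick Mode. The sample lines are constructed in the shape of the quoted log; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like the pluto (Openswan) output in post #8, not the actual log.
SAMPLE_LOG = """\
Jul 18 15:24:50 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-1" #4025: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #4020 {using isakmp#4024}
Jul 18 15:24:50 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4024: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4028: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-1" #4025: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-1" #4025: starting keying attempt 68 of an unlimited number
Jul 18 15:26:00 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-4" #4029: ISAKMP SA established
Jul 18 15:26:05 VyOS-AMI pluto[5507]: "peer-154.c.b.a-tunnel-2" #4031: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
"""

# pluto prefixes every connection-specific message with "<conn name>" #<state number>:
LINE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')


def summarize_pluto_log(text):
    """Return {connection name: state dict} with what each connection reached in the log."""
    state = defaultdict(lambda: {"isakmp_up": False, "ipsec_up": False,
                                 "quick_mode_failures": 0, "no_proposal_chosen": 0,
                                 "max_keying_attempt": 0})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s, msg = state[m["conn"]], m["msg"]
        if "ISAKMP SA established" in msg:      # phase 1 completed
            s["isakmp_up"] = True
        if "IPsec SA established" in msg:       # phase 2 completed, tunnel usable
            s["ipsec_up"] = True
        if "NO_PROPOSAL_CHOSEN" in msg:         # peer rejected what we offered
            s["no_proposal_chosen"] += 1
        if "reached STATE_QUICK_I1" in msg:     # Quick Mode never got an answer
            s["quick_mode_failures"] += 1
        attempt = re.search(r"starting keying attempt (\d+)", msg)
        if attempt:
            s["max_keying_attempt"] = max(s["max_keying_attempt"], int(attempt.group(1)))
    return dict(state)


def phase2_stuck(summary):
    """Connections that never reached an IPsec SA but keep failing Quick Mode. Phase 1 working
    while phase 2 is rejected usually points at the ESP proposal or the local/remote prefixes
    (traffic selectors) not matching what the peer expects, rather than at the IKE settings."""
    return sorted(c for c, s in summary.items()
                  if not s["ipsec_up"] and (s["quick_mode_failures"] or s["no_proposal_chosen"]))
```

Run against a live log (for example a `journalctl` or syslog tail) on a schedule, the `phase2_stuck` list is the set of tunnels worth restarting or escalating to the partner for a selector/proposal check.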


#9

I have also added dum0 to the ipsec-interfaces. Not sure where I am going with it, but it now looks like this:

[code]show vpn ipsec ipsec-interfaces
interface eth0
interface dum0[/code]


#10

Hello, any luck on this, nice people?

I think I have hit a blocker.

Thanks in advance