Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Given that you would want a cluster of sipXecs servers on Amazon's AWS EC2 that are in different Regions, you may to connect them using a VPN. Following are instructions to configure openSWAN for this purpose. I did this with CentOS 6.3 provided by CentOS from the AWS Marketplace. I'm not a Linux expert, I didn't figure this out – I liberally copied from others. If you figure a better way, please amend!

sipXecs 4.6 "update 4 modified' maintains its MongoDB succesfully between a Primary and a Secondary server in a cluster over this link.

Assumptions

The instructions assume an East and a West machine with the following IP addresses that you need to substitute with your own:

MachinePrivate IPExternal IP
West
10.150.6.135
50.111.154.248
East
10.150.4.134
107.22.235.173

You must ensure that the AWS EC2 or VPC Security Groups you are using for these instances allow incoming traffic from their counterpart's IP addresses: both the EIP and the private IP. If you feel you want to allow only necessary ports & protocols, I would suggest you do that after succesfully establishing a connection.

This configuration is suitable to connect machine A to machine B, or in other words to connect two /32 subnets. It's possible to use this for larger subnets, but then you do need to do more things both in the openSWAN settings, and on the AWS EC2 settings. These 'more things' are not documented in this article.

If you have problems establishing a connection, I'd suggest first that, for testing only, you allow all traffic in from anywhere on both the East and the West machine. ONce the VPN works, then figure out what you're doing with your Security Groups.

My last hint if things are not working is to super-double-check every setting in your files... it's easy to get confused with the internal and external IP addresses used by East and West and the IPSec Left and Right terminology.

ipsec.conf

On both the east and the west machine:

yum install openswan lsof -y
vi /etc/ipsec.conf

remove the # from the last line:

include /etc/ipsec.d/*.conf

add the virtual_private setting for reference; you really ought to not leave it blank, but things probably will work fine in this limited situation:

virtual_private=

and save.

eastwest.secrets

On both the east and the west machine:

vi /etc/ipsec.d/eastwest.secrets

Copy the following lines, replace the secrets (keep the quotes) with something long (>14 characters) and totally random:

107.22.132.99 50.111.163.10 : "VERYLONGANDSECRET1"
50.111.163.10 107.22.132.99 : "VERYLONGANDSECRET2"

west2east.conf

On the west machine only:

vi /etc/ipsec.d/west2east.conf

Copy the following lines and adjust the IP addresses:

conn west2east
  authby=secret
  auto=start
  type=tunnel
  #Left is "this" side
  left=10.150.6.135
  leftid=50.111.154.248
  leftsubnet=10.150.006.128/32
  #Right is the other side i.e. us-east so right and rightsubnet become
  # Elastic IP of us-east NAT instance and the VPC CIDR for the us-east VPC
  right=107.22.235.173
  rightsubnet=10.150.004.128/32
  ike=aes256-sha1;modp2048
  phase2=esp
  phase2alg=aes256-sha1;modp2048
  forceencaps=yes

east2west.conf

On the east machine only:

vi /etc/ipsec.d/east2west.conf

Copy the following lines and adjust the IP addresses:

conn west2east
  authby=secret
  auto=start
  type=tunnel
  #Left is "this" side i.e. us-east
  left=10.150.4.134
  leftid=107.22.235.173
  leftsubnet=10.150.4.134/32
  #Right is the other side i.e. us-west so right becomes the Elastic IP of us-west, and
  #rightsubnet becomes the us-west instance's private IP
  right=50.111.154.248
  rightsubnet=10.150.6.135/32
  ike=aes256-sha1;modp2048
  phase2=esp
  phase2alg=aes256-sha1;modp2048
  forceencaps=yes

Initiate the tunnel

Type in the command to start the tunnel, and to make sure it starts on reboot:

service ipsec start
chkconfig ipsec on

Verify that the tunnel is up with

service ipsec status

For whatever reason, it’ll possibly give you more than 1 tunnel up.

Also now test by doing a ping from one site to the other using theother's private IP address.

  • No labels