forked from aws-samples/private5g-cloud-deployment
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcgwsetup.sh
221 lines (191 loc) · 6.94 KB
/
cgwsetup.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
#!/bin/bash
#
# StrongSwan(IPSec) + Quaaga (BGP) Setup Script for EC2 Virtual Router
# - 2023/02/23
#
# How to use
# 1. Allocate EIP to EC2 located at public subnet
# 2. Create CGW which is using EIP of EC2 virtual router,
# and then make S2S VPN tunnel connection between TGW and the CGW
# 3. From the VPN tunnel config, get two of Outside IPs and run this script
#
# CGW(EC2 Instance) Eth0
pCgwEth0Ip=$(hostname -i)
pCgwEip=$(curl -s ifconfig.me)
pCgwCidr="`echo $pCgwEth0Ip | cut -d "." -f 1-2`.0.0/16"
# IPSec Tunnel #1 Info
pTu1CgwOutsideIp=$pCgwEip
pTu1CgwInsideIp=169.254.11.2
pTu1VgwInsideIp=169.254.11.1
# IPSec Tunnel #2 Info
pTu2CgwOutsideIp=$pCgwEip
pTu2CgwInsideIp=169.254.12.2
pTu2VgwInsideIp=169.254.12.1
#BGP ASN and PSK Info
pVgwAsn=64512
pCgwAsn=65016
pTuPsk=strongswan_awsvpn
echo "=============================================================="
echo " Let's begin to set up IPSEC/BGP using StrongSWAN and Quagga "
echo "--------------------------------------------------------------"
echo " 0. strongswan and quagga has been installed "
echo "----------------------------------------------------------"
echo " 1. IPSec Info - Input VPN Tunnel Outside IP addresses "
read -p " - Tunnel #1 Outside IP Addr : " pTu1VgwOutsideIp
read -p " - Tunnel #2 Outside IP Addr : " pTu2VgwOutsideIp
echo "----------------------------------------------------------"
echo " 2. BGP Info - ASN numbers are set as below"
echo " - TGW ASN Number (64512-65534) : $pVgwAsn "
echo " - CGW ASN Number (64512-65534) : $pCgwAsn "
echo "=========================================================="
read -p " informations above is correct? If yes, please continue (y/N)? " answer2
echo
if [ "${answer2,,}" != "y" ]
then
exit 100
fi
echo "3. Set IPSEC config on /etc/strongswan/ipsec.conf "
cat <<EOF > /etc/strongswan/ipsec.conf
#
# /etc/strongswan/ipsec.conf
#
conn %default
# Authentication Method : Pre-Shared Key
leftauth=psk
rightauth=psk
# Encryption Algorithm : aes-128-cbc
# Authentication Algorithm : sha1
# Perfect Forward Secrecy : Diffie-Hellman Group 2
ike=aes128-sha1-modp1024!
# Lifetime : 28800 seconds
ikelifetime=28800s
# Phase 1 Negotiation Mode : main
aggressive=no
# Protocol : esp
# Encryption Algorithm : aes-128-cbc
# Authentication Algorithm : hmac-sha1-96
# Perfect Forward Secrecy : Diffie-Hellman Group 2
esp=aes128-sha1-modp1024!
# Lifetime : 3600 seconds
lifetime=3600s
# Mode : tunnel
type=tunnel
# DPD Interval : 10
dpddelay=10s
# DPD Retries : 3
dpdtimeout=30s
# Tuning Parameters for AWS Virtual Private Gateway:
keyexchange=ikev1
rekey=yes
reauth=no
dpdaction=restart
closeaction=restart
leftsubnet=0.0.0.0/0,::/0
rightsubnet=0.0.0.0/0,::/0
leftupdown=/etc/strongswan/ipsec-vti.sh
installpolicy=yes
compress=no
mobike=no
conn TU1
# Customer Gateway
left=${pCgwEth0Ip}
leftid=${pTu1CgwOutsideIp}
# Virtual Private Gateway
right=${pTu1VgwOutsideIp}
rightid=${pTu1VgwOutsideIp}
auto=start
mark=100
conn TU2
# Customer Gateway
left=${pCgwEth0Ip}
leftid=${pTu2CgwOutsideIp}
# Virtual Private Gateway
right=${pTu2VgwOutsideIp}
rightid=${pTu2VgwOutsideIp}
auto=start
mark=200
EOF
echo "4. Set IPSEC config on /etc/strongswan/ipsec.secrets "
cat <<EOF > /etc/strongswan/ipsec.secrets
#
# /etc/strongswan/ipsec.secrets
#
${pTu1CgwOutsideIp} ${pTu1VgwOutsideIp} : PSK ${pTuPsk}
${pTu2CgwOutsideIp} ${pTu2VgwOutsideIp} : PSK ${pTuPsk}
EOF
echo "5. Set IPSEC tunnel options on /etc/strongswan/ipsec-vti.sh "
cat <<EOF > /etc/strongswan/ipsec-vti.sh
#!/bin/bash
#
# /etc/strongswan/ipsec-vti.sh
#
IP=\$(which ip)
IPTABLES=\$(which iptables)
PLUTO_MARK_OUT_ARR=(\${PLUTO_MARK_OUT//// })
PLUTO_MARK_IN_ARR=(\${PLUTO_MARK_IN//// })
case "\$PLUTO_CONNECTION" in
TU1)
VTI_INTERFACE=vti1
VTI_LOCALADDR=${pTu1CgwInsideIp}/30
VTI_REMOTEADDR=${pTu1VgwInsideIp}/30
;;
TU2)
VTI_INTERFACE=vti2
VTI_LOCALADDR=${pTu2CgwInsideIp}/30
VTI_REMOTEADDR=${pTu2VgwInsideIp}/30
;;
esac
case "\${PLUTO_VERB}" in
up-client)
#\$IP tunnel add \${VTI_INTERFACE} mode vti local \${PLUTO_ME} remote \${PLUTO_PEER} okey \${PLUTO_MARK_OUT_ARR[0]} ikey \${PLUTO_MARK_IN_ARR[0]}
\$IP link add \${VTI_INTERFACE} type vti local \${PLUTO_ME} remote \${PLUTO_PEER} okey \${PLUTO_MARK_OUT_ARR[0]} ikey \${PLUTO_MARK_IN_ARR[0]}
sysctl -w net.ipv4.conf.\${VTI_INTERFACE}.disable_policy=1
sysctl -w net.ipv4.conf.\${VTI_INTERFACE}.rp_filter=2 || sysctl -w net.ipv4.conf.\${VTI_INTERFACE}.rp_filter=0
\$IP addr add \${VTI_LOCALADDR} remote \${VTI_REMOTEADDR} dev \${VTI_INTERFACE}
\$IP link set \${VTI_INTERFACE} up mtu 1436
\$IPTABLES -t mangle -I FORWARD -o \${VTI_INTERFACE} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
\$IPTABLES -t mangle -I INPUT -p esp -s \${PLUTO_PEER} -d \${PLUTO_ME} -j MARK --set-xmark \${PLUTO_MARK_IN}
\$IP route flush table 220
#/etc/init.d/bgpd reload || /etc/init.d/quagga force-reload bgpd
;;
down-client)
#\$IP tunnel del \${VTI_INTERFACE}
\$IP link del \${VTI_INTERFACE}
\$IPTABLES -t mangle -D FORWARD -o \${VTI_INTERFACE} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
\$IPTABLES -t mangle -D INPUT -p esp -s \${PLUTO_PEER} -d \${PLUTO_ME} -j MARK --set-xmark \${PLUTO_MARK_IN}
;;
esac
# Enable IPv4 forwarding
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.eth0.disable_xfrm=1
sysctl -w net.ipv4.conf.eth0.disable_policy=1
# Disable IPv4 ICMP Redirect
sysctl -w net.ipv4.conf.eth0.accept_redirects=0
sysctl -w net.ipv4.conf.eth0.send_redirects=0
EOF
sudo chmod +x /etc/strongswan/ipsec-vti.sh
echo "6. Set BGP setting using Quagga /etc/quagga/bgpd.conf "
cat <<EOF > /etc/quagga/bgpd.conf
#
# /etc/quagga/bgpd.conf
#
router bgp ${pCgwAsn}
bgp router-id ${pTu1CgwInsideIp}
neighbor ${pTu1VgwInsideIp} remote-as ${pVgwAsn}
neighbor ${pTu2VgwInsideIp} remote-as ${pVgwAsn}
network ${pCgwCidr}
EOF
echo "7. Start StrongSWAN and Quagga BGP "
sudo systemctl enable --now strongswan
sudo systemctl start zebra
sudo systemctl enable zebra
sudo systemctl start bgpd
sudo systemctl enable bgpd
sudo chmod -R 777 /etc/quagga/
sudo strongswan restart
echo "=========================================================="
echo " Using below command, verify IPSec Tunnel and BGP Routing tables"
echo " -. IPsec status : sudo strongswan statusall "
echo " -. Routing tables : sudo ip route "
echo " -. BGP detail config : Enter teminal mode > sudo vtysh and then > show ip bgp "
echo "=========================================================="