fedora.repo
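# Edit the Fedora repo definition.  The file is root-owned, so a plain
# `vim` cannot save it when run as the regular user the rest of this page
# assumes (dnf/sysctl are invoked via sudo).  sudoedit lets the editor run
# unprivileged on a temporary copy and writes the result back as root,
# instead of running the whole editor as root.  SUDO_EDITOR, VISUAL or
# EDITOR selects the editor (e.g. SUDO_EDITOR=vim).
sudoedit /etc/yum.repos.d/fedora.repo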
# Install Libreswan from the (temporarily enabled) "fedora" repository;
# -y answers the confirmation prompt automatically.
sudo dnf install -y --enablerepo=fedora libreswan
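# Public IP of the Libreswan EC2 instance (tagged Name=onprem-server, running).
# Assignment and export are separate so a failing `aws` call is not masked
# by the (always successful) exit status of `export`.
LEFT_PUBLIC_IP=$(aws ec2 describe-instances \
  --filters "Name=tag:Name,Values=onprem-server" "Name=instance-state-name,Values=running" \
  --query 'Reservations[0].Instances[0].PublicIpAddress' \
  --output text)
# `--output text` prints the literal string None when the query matched
# nothing; treat that as an empty result instead of letting it reach ipsec.conf.
if [[ "$LEFT_PUBLIC_IP" == "None" ]]; then
  LEFT_PUBLIC_IP=
fi
# Fail loudly here rather than writing an empty leftid into the VPN config later.
: "${LEFT_PUBLIC_IP:?no running EC2 instance tagged Name=onprem-server found}"
export LEFT_PUBLIC_IP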
# Tunnel 2 originates from the same instance, so it reuses tunnel 1's public IP.
LEFT_PUBLIC_IP_2="${LEFT_PUBLIC_IP}"
export LEFT_PUBLIC_IP_2
# On-premises VPC CIDR (the "left" side of both tunnels).
LEFT_SUBNET='10.10.0.0/16'
export LEFT_SUBNET
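# Id of the available Site-to-Site VPN connection tagged Name=onprem-to-cloud-vpn.
# Every later lookup (tunnel IPs, pre-shared keys) is keyed on this value,
# so it must be present and not the `None` that `--output text` prints for
# an empty match.  Assignment and export are split so the aws exit status
# is not masked by `export`.
VPN_CONNECTION_ID=$(aws ec2 describe-vpn-connections \
  --filters "Name=tag:Name,Values=onprem-to-cloud-vpn" "Name=state,Values=available" \
  --query 'VpnConnections[0].VpnConnectionId' \
  --output text)
if [[ "$VPN_CONNECTION_ID" == "None" ]]; then
  VPN_CONNECTION_ID=
fi
: "${VPN_CONNECTION_ID:?no available VPN connection tagged Name=onprem-to-cloud-vpn found}"
export VPN_CONNECTION_ID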
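# Outside (public) IP of the first AWS VPN tunnel endpoint.
# The connection id is required (:?) and quoted: unquoted and empty, it
# would disappear and `--vpn-connection-ids` would consume `--query` instead.
RIGHT_PUBLIC_IP=$(aws ec2 describe-vpn-connections \
  --vpn-connection-ids "${VPN_CONNECTION_ID:?VPN_CONNECTION_ID is not set}" \
  --query 'VpnConnections[0].VgwTelemetry[0].OutsideIpAddress' \
  --output text)
# An empty value here would produce an unusable `right=` in ipsec.conf.
: "${RIGHT_PUBLIC_IP:?could not read the tunnel 1 outside IP}"
export RIGHT_PUBLIC_IP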
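# Outside (public) IP of the second AWS VPN tunnel endpoint (VgwTelemetry[1]).
# Connection id quoted and required (:?) so an empty value cannot shift the
# remaining options; the result must be non-empty before it reaches ipsec.conf.
RIGHT_PUBLIC_IP_2=$(aws ec2 describe-vpn-connections \
  --vpn-connection-ids "${VPN_CONNECTION_ID:?VPN_CONNECTION_ID is not set}" \
  --query 'VpnConnections[0].VgwTelemetry[1].OutsideIpAddress' \
  --output text)
: "${RIGHT_PUBLIC_IP_2:?could not read the tunnel 2 outside IP}"
export RIGHT_PUBLIC_IP_2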
# Cloud VPC CIDR (the "right" side of both tunnels).
RIGHT_SUBNET='10.20.0.0/16'
export RIGHT_SUBNET
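# Pre-shared key of the first VPN tunnel.  Exporting it makes it visible to
# every child process started from this shell; keep it only as long as the
# secrets file needs it, and never echo it or place it on a command line.
# Connection id quoted and required (:?) so an empty value cannot shift the
# remaining options onto the wrong parameter.
PSK_SECRET=$(aws ec2 describe-vpn-connections \
  --vpn-connection-ids "${VPN_CONNECTION_ID:?VPN_CONNECTION_ID is not set}" \
  --query 'VpnConnections[0].Options.TunnelOptions[0].PreSharedKey' \
  --output text)
# An empty PSK would silently yield an unauthenticatable tunnel definition.
: "${PSK_SECRET:?could not read the tunnel 1 pre-shared key}"
export PSK_SECRET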
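# Pre-shared key of the second VPN tunnel (TunnelOptions[1]).  Same handling
# as PSK_SECRET: quoted/required connection id, non-empty result enforced,
# and the value is a secret — do not log it or pass it on a command line.
PSK_SECRET_2=$(aws ec2 describe-vpn-connections \
  --vpn-connection-ids "${VPN_CONNECTION_ID:?VPN_CONNECTION_ID is not set}" \
  --query 'VpnConnections[0].Options.TunnelOptions[1].PreSharedKey' \
  --output text)
: "${PSK_SECRET_2:?could not read the tunnel 2 pre-shared key}"
export PSK_SECRET_2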
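# Kernel settings for the VPN host: forward packets between the tunnel and
# the VPC subnet, and loosen the reverse-path check (rp_filter=0 is a
# deliberate relaxation — keep it confined to this host).
# Written through `sudo tee` because the redirect in `cat <<EOF > /etc/...`
# is performed by the invoking shell, i.e. as the unprivileged user, and
# fails.  The delimiter is quoted since nothing in the body needs expansion.
# NOTE: like the original, this replaces the whole of /etc/sysctl.conf;
# any settings previously in that file are lost.
sudo tee /etc/sysctl.conf >/dev/null <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
EOF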
# Apply the settings just written; -p with no argument reads /etc/sysctl.conf,
# spelled out here for clarity.
sudo sysctl -p /etc/sysctl.conf
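# Libreswan connection definitions for the two AWS VPN tunnels.  Tunnel2 is
# identical to Tunnel1 apart from the endpoint addresses.  This file holds
# no secrets (the PSKs live in aws.secrets).  Written through `sudo tee`
# because a plain `> /etc/ipsec.d/...` redirect runs as the invoking user.
# The EOF delimiter is intentionally unquoted so the exported
# $LEFT_*/$RIGHT_* variables expand into the file; they are checked first
# so an unset one cannot produce an empty leftid/right/subnet line.
# Review note: ike=aes128-sha1 keeps SHA-1 for IKE integrity while
# phase2alg already uses sha2_256; aligning IKE with the phase 2 choice is
# worth considering — TODO confirm against the tunnel options configured on
# the AWS side before changing either line.
: "${LEFT_PUBLIC_IP:?}" "${LEFT_PUBLIC_IP_2:?}" "${RIGHT_PUBLIC_IP:?}" "${RIGHT_PUBLIC_IP_2:?}" "${LEFT_SUBNET:?}" "${RIGHT_SUBNET:?}"
sudo tee /etc/ipsec.d/aws.conf >/dev/null <<EOF
conn Tunnel1
  authby=secret
  auto=start
  left=%defaultroute
  leftid=$LEFT_PUBLIC_IP
  right=$RIGHT_PUBLIC_IP
  type=tunnel
  ikelifetime=8h
  keylife=1h
  phase2alg = aes256-sha2_256;modp2048
  ike=aes128-sha1;modp2048
  keyingtries=%forever
  keyexchange=ike
  leftsubnet=$LEFT_SUBNET
  rightsubnet=$RIGHT_SUBNET
  dpddelay=10
  dpdtimeout=30
  dpdaction=restart_by_peer
  overlapip=yes
conn Tunnel2
  authby=secret
  auto=start
  left=%defaultroute
  leftid=$LEFT_PUBLIC_IP_2
  right=$RIGHT_PUBLIC_IP_2
  type=tunnel
  ikelifetime=8h
  keylife=1h
  phase2alg = aes256-sha2_256;modp2048
  ike=aes128-sha1;modp2048
  keyingtries=%forever
  keyexchange=ike
  leftsubnet=$LEFT_SUBNET
  rightsubnet=$RIGHT_SUBNET
  dpddelay=10
  dpdtimeout=30
  dpdaction=restart_by_peer
  overlapip=yes
EOF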
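# IPsec pre-shared keys for both tunnels.  The original redirect ran as the
# invoking user (so it fails unless root) and, when run as root, created the
# file with the default umask, leaving the PSKs readable by every local user.
# Here the file is created root-only (0600) *before* it is filled, and tee
# then truncates and writes it, keeping that mode.  Unquoted EOF on purpose:
# the address and PSK variables must expand; they are checked first so a
# missing key cannot silently yield an empty PSK entry.
: "${LEFT_PUBLIC_IP:?}" "${RIGHT_PUBLIC_IP:?}" "${LEFT_PUBLIC_IP_2:?}" "${RIGHT_PUBLIC_IP_2:?}" "${PSK_SECRET:?}" "${PSK_SECRET_2:?}"
sudo install -m 0600 -o root -g root /dev/null /etc/ipsec.d/aws.secrets
sudo tee /etc/ipsec.d/aws.secrets >/dev/null <<EOF
$LEFT_PUBLIC_IP $RIGHT_PUBLIC_IP : PSK "$PSK_SECRET"
$LEFT_PUBLIC_IP_2 $RIGHT_PUBLIC_IP_2 : PSK "$PSK_SECRET_2"
EOF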
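# Restart Libreswan so it loads the new aws.conf/aws.secrets.  Needs root,
# like the other privileged steps on this page, hence sudo.
sudo systemctl restart ipsec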
