Monthly Archives: March 2014

Setting up IPSec/L2TP on Amazon EC2

I wanted to figure out how to set up an IPSec/L2TP VPN, since it seems to be a pretty useful thing to have. Since I didn’t have a VPS to stage this on, I signed up for Amazon’s AWS service using their free tier.

The AWS sign-up process is pretty easy. Amazon will want your credit card details so they can easily up-sell you. You also have to provide a phone number, which they will call, asking you to enter the PIN shown on the screen to verify your contact information. Once this is finished your Amazon Web Services account will be created and you can spin up an instance. There are still a few things you need to watch out for:

  • When creating an instance, the wizard will default to the small tier, which has a charge associated with it (IIRC they quoted me ~$43/mo). You’ll need to change this to the micro instance if you don’t want to pay.
  • The free tier is only available for the first year after signing up for AWS, after which they will charge you. At US Eastern prices, it will cost me around $14/mo for the micro instance, which is quite a bit more expensive than what other hosting providers are offering.
  • You need the private key you generated when you signed up in order to SSH into your server. The username is “admin”, and it has passwordless sudo privileges.
  • “Terminate” in Amazon lingo means “turn off and permanently delete”, which, unless you’re finished with your instance, I do not recommend selecting. For some reason I thought terminate meant “force shutdown,” which it really didn’t. Suffice it to say configuring IPSec was much faster the second time around.
  • Amazon uses 1-to-1 NAT for EC2 instances, so when you’re configuring services you need to change the Security Group settings applied to your instance to allow the ports through. Security Group settings are under “Networking & Security” -> “Security Groups” in the AWS dashboard. Also, though this probably goes without saying: the public IP you SSH to is not the IP of your instance, so when configuring services that bind to an address you need to specify the interface IP address of your instance, not the public IP address.
  • Amazon won’t discuss the bandwidth your instance will get in concrete terms, but it’s pretty poor. I thought I would try to watch South Park via my VPN, but I didn’t even get past the ads before waiting for buffering killed all desire to watch episodes the legitimate way.

tl;dr – You get 750 hours per month of usage for the first year on Amazon AWS. You can use this to create micro instances of any of the free-tier operating systems they offer. From my poking around, micro instances appear to offer you 8GB of disk space and 613MB of RAM. The free tier gives you 15GB of bandwidth shared across all your AWS services.

At current US Eastern pricing, which seems to be the least expensive, the micro tier will cost you about $15/mo. So unless you find yourself needing Amazon’s infrastructure for some purpose, or plan to increase your computing requirements significantly in the near future, plan on using AWS micro instances for the first year and then migrating to another hosting provider that better suits your needs.

I plan on using my micro instance as a staging area for services I want to eventually deploy to my production server, but have not finished testing yet.

On to setting up IPSec/L2TP. For the most part I followed this guide available on elastichosts.

This being the first time I’ve ever set up IPSec and L2TP, I ran into some issues. One was that xl2tpd wouldn’t start. This is the output from when I tried to start it in daemon mode:

root@ip-172-31-14-183:~# xl2tpd -D
xl2tpd[6164]: Enabling IPsec SAref processing for L2TP transport mode SAs
xl2tpd[6164]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
xl2tpd[6164]: init_network: Unable to bind socket: Cannot assign requested address. Terminating.

This is because AWS uses 1-to-1 NAT and I had put the public IP address, instead of the interface IP address of the instance, into /etc/xl2tpd/xl2tpd.conf.

After that, I headed over to System Preferences in OS X to configure my shiny new VPN. Except I kept getting cryptic error messages in Console like this one:

14-03-05 7:18:33 PM pppd[7612] pppd 2.4.2 (Apple version 412.5.70) started by devops, uid 502
14-03-05 7:18:33 PM pppd[7612] L2TP connecting to server 'xx.xx.xx.xxx' (xx.xx.xx.xxx)...
14-03-05 7:18:33 PM pppd[7612] IPSec connection started
14-03-05 7:18:33 PM racoon[7613] Connecting.
14-03-05 7:18:33 PM racoon[7613] IKE Packet: transmit success. (Initiator, Main-Mode message 1).
14-03-05 7:18:36 PM racoon[7613] IKE Packet: transmit success. (Phase1 Retransmit).
14-03-05 7:18:39 PM racoon[7613] IKE Packet: transmit success. (Phase1 Retransmit).
14-03-05 7:18:42 PM racoon[7613] IKE Packet: transmit success. (Phase1 Retransmit).
14-03-05 7:18:43 PM pppd[7612] IPSec connection failed

And Google was not helpful at all. So, over to the server logs:

pluto[3627]: packet from xxx.xxx.xxx.xxx:439: received Vendor ID payload [RFC 3947] method set to=109
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: received Vendor ID payload [Dead Peer Detection]
pluto[3627]: packet from xxx.xxx.xxx.xxx:439: initial Main Mode message received on 172.xx.xx.xxx:500 but no connection has been authorized with policy=PSK

Mmhm. Yeah. Mmhm. Oh, yeah yeah yeah. I know some of these words.

Turns out the problem was, again, that I’d foolishly specified the public (NAT) IP address instead of the IP address of my instance, this time in /etc/ipsec.conf.
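Since the same mistake broke both xl2tpd and the IKE daemon, here is a pre-flight check that would have caught it either time. This is an added example, not code from the post or from the elastichosts guide: it reads `listen-addr` from xl2tpd.conf and `left=` from an Openswan-style ipsec.conf, checks that each address is actually assigned to a local interface, and, when it is not, tells you whether it looks like a private address from some other host or like the public NAT address. It assumes iproute2 (`ip`) on the server; the instance address 172.31.14.183 is the one from the shell prompt earlier in the post, and 203.0.113.10 is a constructed stand-in for the public address.

```shell
#!/bin/sh
# Pre-flight check for an IPsec/L2TP server behind 1-to-1 NAT (as on EC2).
# Both xl2tpd ("listen-addr" in xl2tpd.conf) and the IKE daemon ("left=" in
# an Openswan-style ipsec.conf) must be given the address assigned to the
# instance's interface; the public address NAT maps to it is not bindable,
# which is what produces "Unable to bind socket: Cannot assign requested
# address" and "no connection has been authorized".  Added example, not the
# post's own configuration; the public address 203.0.113.10 is constructed.

# Print the value of KEY from an ini-style config FILE.  Handles both
# "listen-addr = 1.2.3.4" (xl2tpd.conf) and "left=1.2.3.4" (ipsec.conf),
# ignores ';' and '#' comments, and prints the last match, if any.
config_value() {
    file=$1; key=$2
    sed -n -e 's/[;#].*$//' \
        -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        "$file" | tail -n 1
}

# IPv4 addresses actually configured on this host's interfaces (Linux, iproute2).
local_addrs() {
    ip -o -4 addr show 2>/dev/null | awk '{ sub("/.*", "", $4); print $4 }'
}

# Return 0 if the first argument is one of the addresses listed after it.
addr_is_local() {
    want=$1; shift
    for have in "$@"; do
        [ "$have" = "$want" ] && return 0
    done
    return 1
}

# Return 0 if the address is in an RFC 1918 range.  An EC2 instance behind
# 1-to-1 NAT carries such an address; a non-private address in a bind setting
# is almost certainly the public NAT address copied from the console.
is_rfc1918() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Check one setting against the local address list; prints a verdict and
# returns 1 on a misconfiguration.
check_setting() {
    label=$1; addr=$2; shift 2
    case $addr in
        "")            echo "$label: not set"; return 1 ;;
        %defaultroute) echo "$label: %defaultroute, resolved by the IKE daemon (ok)"; return 0 ;;
    esac
    if addr_is_local "$addr" "$@"; then
        echo "$label: $addr is bound to a local interface (ok)"; return 0
    fi
    if is_rfc1918 "$addr"; then
        echo "$label: $addr is private but not on this host (copied from another instance?)"
    else
        echo "$label: $addr is not local and looks public: probably the NAT address"
    fi
    return 1
}

# Check both daemons' bind addresses.  Usage on the server:
#   preflight /etc/xl2tpd/xl2tpd.conf /etc/ipsec.conf $(local_addrs)
# Exit status is 0 only if both addresses are assigned to this host.
preflight() {
    xl2tpd_conf=$1; ipsec_conf=$2; shift 2
    status=0
    check_setting "xl2tpd listen-addr" "$(config_value "$xl2tpd_conf" listen-addr)" "$@" || status=1
    check_setting "ipsec.conf left" "$(config_value "$ipsec_conf" left)" "$@" || status=1
    return $status
}
```

A clean pass from `preflight` only proves the daemons can bind; it says nothing about whether the Security Group lets the IKE and L2TP traffic reach the instance, which is the other half of the NAT bullet above. `left=%defaultroute` is accepted as-is because the IKE daemon resolves it to the interface address on the default route at start-up, which sidesteps this mistake entirely.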

Fixing that leads to a VPN that can connect! I’d say that was an afternoon well spent.