ZhuYun

[Share]! FlexGW IPsec VPN Guide - Connect VPC/ECS between China and US

Posted time: Aug 31, 2016 18:02
FlexGW IPsec VPN provides basic VPN and SNAT services.
Main functions:
1. IPsec site-to-site: quickly connect two ECS instances in different private networks over an IPsec site-to-site tunnel.
2. Dial-up VPN: connect to an ECS instance over a dial-up (OpenVPN) VPN for routine maintenance and management.
3. SNAT: configure source NAT so that VMs in a VPC private network can reach the Internet through the gateway VM.
1.4 Typical Scenarios Description

If you want to run a VPN service on a China server or in any Alibaba Cloud region and keep your application traffic flowing smoothly, FlexGW IPsec VPN can connect machines in Alibaba Cloud with machines on the IDC side (site-to-site).
It can also connect multiple VPCs (in the same or different regions) over site-to-site VPN.
It can also let you dial in to a machine in the cloud and then use the VPN-assigned private IP address to communicate with other machines.

Install:
You can subscribe to FlexGW IPsec VPN on the Marketplace and launch it with one click.

Guide:

1. FlexGW (the management console itself)
Directory: /usr/local/flexgw
Database file: /usr/local/flexgw/instance/website.db
Startup script: /etc/init.d/flexgw or /usr/local/flexgw/website_console
Log directory: /usr/local/flexgw/logs
Utility scripts directory: /usr/local/flexgw/scripts
The database file holds all VPN configuration, including tunnel pre-shared keys and dial-up account credentials, so back it up periodically and protect the backups as carefully as the gateway itself. If the database is corrupted, run the initdb.py script from the utility scripts directory to re-initialize it; this clears all configuration.


2. strongSwan
Directory: /etc/strongswan
Log file: /var/log/strongswan.charon.log
Startup script: /usr/sbin/strongswan
If strongswan.conf is corrupted, restore it from the backup copy at /usr/local/flexgw/rc/strongswan.conf.
ipsec.conf and ipsec.secrets are generated from the templates of the same name in /usr/local/flexgw/website/vpn/sts/templates/sts; do not edit them by hand, since the next configuration reload regenerates them.

3. OpenVPN
Directory: /etc/openvpn
Log file: /etc/openvpn/openvpn.log
Status file: /etc/openvpn/openvpn-status.log
Startup script: /etc/init.d/openvpn
server.conf is generated from the template of the same name in /usr/local/flexgw/website/vpn/dial/templates/dial; do not edit it by hand.

Software operation command summary
openvpn:
/etc/init.d/openvpn start/stop/restart/reload
strongswan:
/etc/init.d/strongswan start/stop/restart/...
flexgw:
/etc/init.d/flexgw start/stop/restart/...
Example: start openvpn
/etc/init.d/openvpn start


2 IPsec Site-to-Site VPN User Guide (VPC network scenario)
In the scenario shown in the original figure, the VPC1 private network is 172.16.0.0/24 and the VPC2 private network is 192.168.0.0/24. Each VPC has one gateway VM with VPN/SNAT configured and an EIP bound. To let the VMs in the two private networks communicate with each other, establish an IPsec site-to-site tunnel between the VPC1 gateway VM and the VPC2 gateway VM.
In this example: 172.16.0.3 in VPC1 accesses 192.168.0.3 in VPC2.

2.1 Start the IPsec VPN service
Go to the IPsec "VPN Service Management" page and make sure the IPsec VPN service is started on both gateway VM1 and gateway VM2.

Start VPN service: starts the IPsec VPN service on the VM. Tunnels whose startup type is "automatic connection" will try to connect to the remote peer automatically.
Stop VPN service: stops the IPsec VPN service. All connected tunnels are disconnected.
Configure deployment & reload: normally triggered automatically when a tunnel is added, modified or deleted. Use it manually when you want to regenerate the VPN configuration.

2.2 Add a new tunnel
On the VPC2 gateway VM: the tunnel ID is a short name for the tunnel; observe the naming rules.
Local ID and peer ID must correspond on the two sides (the local ID on one gateway is the peer ID on the other; using the public IP addresses is recommended).
The IKE version and the IKE and ESP encryption and authentication algorithms must be identical at both ends (for third-party VPN equipment, obtain its configuration first, especially the IKE version, and prefer IKEv2 with AES and SHA-2 proposals where the device supports them).
The pre-shared key must be identical at both ends. It is the only thing authenticating the tunnel, so use a long random value (for example 32 random bytes, base64-encoded) rather than a password-like string, and do not reuse it across tunnels.

Local subnet and peer subnet: in the example above, 192.168.0.0/24 and 172.16.0.0/24 (the other way round on the VPC1 gateway).
Peer public IP: the EIP of the peer gateway's ECS, or the public IP of the peer VPN equipment.

2.3 Check the tunnel list
After adding the tunnel on the gateway VMs of both VPC1 and VPC2, go to the "Tunnel List" page and click "Connect" for the tunnel you just configured. You will see:
Connect: connects the tunnel.
Disconnect: disconnects the tunnel.

2.4 Check the tunnel's real-time traffic
Click the "Traffic" button to see the tunnel's real-time traffic.

2.5 Modify or delete a tunnel
Click a tunnel in the tunnel list to open its modify page:

Save: after modifying, click Save. The configuration takes effect immediately but does not affect a tunnel that is currently connected; disconnect and reconnect the tunnel manually to apply the change.
Delete: click Delete to delete the tunnel; it is disconnected immediately.

3 Dial-up VPN Guide
3.1 Scenarios
Classic network scenario: interconnect machines across accounts or regions.
VPC network scenario: an administrator reaches the VPC over the private network for access and management.

3.2 Classic network scenario
In the scenario shown in the original figure, a user bought one classic-network ECS VM in each of the Hangzhou, Beijing and Qingdao regions, under different accounts, and now wants private-network communication between these three VMs. To do this, all three dial in to the same VM's VPN and communicate using the addresses the VPN assigns.
In this example: the Hangzhou VM is chosen as the VPN gateway; the Beijing, Qingdao and Hangzhou VMs dial in to the VPN and communicate with each other using the VPN-assigned addresses 10.8.8.7 and 10.8.8.9.

3.2.1 Start the dial-up VPN service
Go to the dial-up VPN "VPN Service Management" page and make sure the dial-up VPN service is started on the gateway VM.

Start VPN service: starts the dial-up VPN service on this machine only.
Stop VPN service: stops the dial-up VPN service on this machine. All connected clients are disconnected.
Install & reload configuration: triggered automatically when the dial-up VPN "Settings" are saved. Use it manually when you want to regenerate the VPN server configuration.

3.2.2 Setup
Communication protocol: "UDP" or "TCP". NOTE: after every saved change, re-download the client configuration files.
Virtual IP address pool: the pool of virtual IP addresses the VPN server assigns to clients. In this example: 10.8.8.0/24
Allow inter-client communication: choose "Yes" in this example (only needed when clients must reach each other; for pure administrative access leave it "No").
Allow multiple logins for a single account: "yes" or "no" (prefer "no", so a leaked account cannot be used from several places at once and the account list in 3.2.5 stays meaningful).
Subnet segment: the subnet dial-up clients are allowed to reach. This example needs no client access to a subnet, so entering the private IP of the VPN gateway VM is enough: 10.171.112.120/32.

3.2.3 Add a dial-up VPN account
Click the "Add Account" button to add an account:
Account name: may contain only digits, letters and underscores.
Password: may contain only digits, letters and underscores. Because the character set is restricted, compensate with length: use a long random password, and give each person their own account rather than sharing one.

3.2.4 Configure the client
Click the "client download" button to download the VPN client and the matching configuration files.

Modify the configuration file: set the "remote IP" field of the configuration file to the gateway VM's public IP address.
Windows: after installing the client, copy the configuration file client.ovpn and ca.crt into the config folder of the installation directory. Then start openvpn-gui.exe and connect following the prompts.
Linux: in the directory containing client.conf and ca.crt, run "openvpn client.conf" and connect following the prompts. To run it in the background as a daemon, run "openvpn client.conf &" (or "openvpn --daemon --config client.conf").

Note: downloading the Linux client requires turning off certificate validation: add --no-check-certificate to wget, or --insecure to curl. This is needed because the console's HTTPS certificate is not issued by a public CA (presumably self-signed), but it also means the downloaded ca.crt and client configuration could be replaced in transit by anyone between you and the gateway. Prefer to obtain the console certificate once over a path you trust and verify against that copy (curl --cacert or --pinnedpubkey), or compare the downloaded files' checksums with values read directly on the gateway VM.

3.2.5 View the account list
Click the "Account List" button to view the accounts that have been added. For an account that has dialed in, more details are shown:

Status: because of the VPN keepalive mechanism, status updates lag by about one minute.

3.2.6 Communicate over VPN IPs
Now the VMs can communicate with each other using the VPN-assigned addresses 10.8.8.7 and 10.8.8.9.

3.3 VPC network scenario
In the scenario shown in the original figure, the administrator wants to reach the VPC2 private network to manage and maintain VM1 and VM2. VPC2 has a gateway VM created from the VPN/SNAT image, with an EIP bound.
In this example: the administrator accesses 192.168.0.3 in VPC2 from the public network through the VPN tunnel.

3.3.1 Start the dial-up VPN service
Go to the dial-up VPN "VPN Service Management" page and make sure the dial-up VPN service is started on the VPC gateway VM.
Start VPN service: starts the dial-up VPN service on this machine only.
Stop VPN service: stops the dial-up VPN service on this machine. All connected clients are disconnected.
Install & reload configuration: triggered automatically when the dial-up VPN "Settings" are saved. Use it manually when you want to regenerate the VPN server configuration.

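Section 2.2 lists the parameters that have to agree at both ends of a site-to-site tunnel. The following shell script is an added example, not FlexGW code: it renders the ipsec.conf and ipsec.secrets that the *other* end of the tunnel (for instance a strongSwan host in an IDC, or the peer described in section 2) would need to match a FlexGW tunnel, using the subnets from section 2 (172.16.0.0/24 behind FlexGW, 192.168.0.0/24 at the peer), IKEv2, AES-256/SHA-256 proposals and a random 32-byte pre-shared key. The public IPs 203.0.113.10 (FlexGW EIP) and 198.51.100.20 (peer) are assumed documentation addresses, and the proposals are assumptions that must be set to whatever was selected in the FlexGW form. It never touches /etc/strongswan on the FlexGW VM, whose files are template-generated.

```shell
#!/bin/sh
# Added example: render a strongSwan site-to-site *peer* configuration that
# matches the fields of FlexGW's "Add new tunnel" form. Not FlexGW's code, and
# not for the FlexGW VM itself (its ipsec.conf/ipsec.secrets are generated).
set -eu

# Pre-shared key: 32 random bytes, base64, padding stripped (43 characters).
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n='
}

# Reject anything that is not a.b.c.d/n so a typo cannot silently turn into a
# leftsubnet/rightsubnet that strongSwan parses differently than intended.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# render_ipsec_conf NAME LOCAL_IP LOCAL_SUBNET PEER_IP PEER_SUBNET
# Local/peer IDs are the public IPs, as the guide recommends.
render_ipsec_conf() {
    name=$1 local_ip=$2 local_net=$3 peer_ip=$4 peer_net=$5
    valid_cidr "$local_net" && valid_cidr "$peer_net" || return 1
    cat <<EOF
config setup
    uniqueids=yes

conn $name
    keyexchange=ikev2
    authby=secret
    # IKE and ESP proposals: assumed here, must equal the FlexGW form exactly.
    # The trailing "!" makes strongSwan refuse weaker proposals from the peer.
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    left=$local_ip
    leftid=$local_ip
    leftsubnet=$local_net
    right=$peer_ip
    rightid=$peer_ip
    rightsubnet=$peer_net
    dpdaction=restart
    dpddelay=30s
    auto=start
EOF
}

# render_secrets LOCAL_IP PEER_IP PSK -> the single ipsec.secrets line
render_secrets() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# write_peer_config DIR NAME LOCAL_IP LOCAL_SUBNET PEER_IP PEER_SUBNET
# Writes both files; ipsec.secrets holds the PSK and must not be world-readable.
# Prints the generated PSK, which is the value to paste into the FlexGW form.
write_peer_config() {
    dir=$1; shift
    psk=$(gen_psk)
    mkdir -p "$dir"
    render_ipsec_conf "$@" > "$dir/ipsec.conf"
    umask 077
    render_secrets "$2" "$4" "$psk" > "$dir/ipsec.secrets"
    chmod 600 "$dir/ipsec.secrets"
    printf '%s\n' "$psk"
}

# Usage (peer side, addresses assumed):
#   ./peer.sh /tmp/peer idc2vpc1 198.51.100.20 192.168.0.0/24 203.0.113.10 172.16.0.0/24
if [ $# -eq 6 ]; then
    write_peer_config "$@"
fi
```

The printed PSK goes into the FlexGW tunnel form; on the peer, copy the two files into /etc/ipsec.conf and /etc/ipsec.secrets (or the distribution's equivalent paths) and reload strongSwan. Keeping the `!` on the proposals means a misconfigured FlexGW side fails loudly instead of negotiating down.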
ZhuYun
Posted time: Aug 31, 2016 18:06
FlexGW IPsec VPN Guide - Connect VPC/ECS between China and US 2
3.3.2 Setup
Communication protocol: "UDP" or "TCP". NOTE: after every saved change, re-download the client configuration files.
Virtual IP address pool: the pool of virtual IP addresses the VPN server assigns to clients. In this example: 10.8.8.0/24
Allow inter-client communication: choose "Yes" in this example.
Allow multiple logins for a single account: "yes" or "no".
Subnet segment: the subnet dial-up clients are allowed to reach. In this scenario the administrator needs to reach VPC2's private network, so enter 192.168.0.0/24 (see 3.3.3).
 
3.3.3 Configure SNAT
After the dial-up VPN "Settings" are saved, you must manually adjust the matching SNAT entry so that administrators can reach the VPC2 private network: traffic arriving from the VPN address pool must be source-NATed to the gateway's VPC private IP, otherwise VM1 and VM2 would try to reply to VPN-pool addresses that the VPC has no route for.

In the example above, with the virtual address pool 10.8.0.0/24 and the subnet 192.168.0.0/24, configure SNAT as: source 10.8.0.0/24, IP converted 192.168.0.1.
3.3.4 Add a dial-up VPN account
Click the "Add Account" button to add an account:
Account name: may contain only digits, letters and underscores.
Password: may contain only digits, letters and underscores.
 
3.3.5 Configure the client
Click the "client download" button to download the VPN client and the matching configuration files.

Modify the configuration file: set the "remote IP" field of the configuration file to the gateway VM's public IP address.
Windows: after installing the client, copy the configuration file client.ovpn and ca.crt into the config folder of the installation directory. Then start openvpn-gui.exe and connect following the prompts.
Linux: in the directory containing client.conf and ca.crt, run "openvpn client.conf" and connect following the prompts. To run it in the background as a daemon, run "openvpn client.conf &".
Note: downloading the Linux client requires turning off certificate validation: add --no-check-certificate to wget, or --insecure to curl. Because this disables TLS verification, compare the downloaded files with copies taken directly from the gateway VM before using them.
 
3.3.6 View the account list
Click the "Account List" button to view the accounts that have been added. For an account that has dialed in, more details are shown:

Status: because of the VPN keepalive mechanism, status updates lag by about one minute.
 
4 SNAT

In the scenario shown in the original figure, the VPC1 private network is 172.16.0.0/24. There is a gateway VM created from the FlexGW image, with an EIP bound. To let the VMs in the VPC1 private network reach the Internet, configure SNAT on the gateway VM.
In this example: VM 172.16.0.3 should be able to access the Internet.
 
4.1 Add an SNAT entry
Open the "New SNAT" page under the SNAT tab:
Source IP (or network segment): the private network segment that needs Internet access. In this case: 172.16.0.0/24. Enter only the hosts or segments that actually need egress; a whole /24 gives every VM in the subnet outbound Internet access.
IP converted: the private IP of the gateway VM in the VPC. In this case: 172.16.0.1
 
 
4.2 Check the SNAT list
After the new SNAT entry is added, the page jumps to the "SNAT list" automatically, where you can see:
Source IP (or network segment): the private network segment that needs Internet access. In this case: 172.16.0.0/24
IP converted: the private IP of the gateway VM in the VPC. In this case: 172.16.0.1
Delete: click the "Delete" button to delete the SNAT entry; it takes effect immediately.
 
 
5 TCP Tunnel
When you need to reach a particular port of an ECS inside a VPC from outside, use a TCP tunnel to map that port onto the FlexGW VM, then access it through the FlexGW EIP.
 
5.1 Add a TCP tunnel entry
Open the "New TCP tunnel" page:
Local port: the port on FlexGW that forwards the connection. In this case: 50000
Target IP: the private IP of the ECS in the VPC that you want to reach. In this case: 10.0.0.1
Destination port: the port on the target ECS. In this case: 3306
A TCP tunnel exposes the mapped port to anyone who can reach the EIP. For a service such as MySQL on 3306, restrict the gateway's security group to the administrators' source addresses and close the tunnel when it is no longer needed.
 
5.2 Check the TCP tunnel list
After the new TCP tunnel entry is added, the page jumps to the "TCP tunneling list" automatically, where you can see:

Local port: the port on FlexGW that forwards the connection. In this case: 50000
Target IP: the private IP of the ECS in the VPC that you want to reach. In this case: 10.0.0.1
Destination port: the port on the target ECS. In this case: 3306
Close: click the "Close" button to close the TCP tunnel; it takes effect immediately.

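Sections 4 and 5 configure SNAT and a TCP port mapping through the FlexGW forms. As an added example, not FlexGW's implementation (which the guide does not describe), the script below renders the netfilter rules those two entries correspond to on a Linux gateway, so they can be reviewed before being applied, and adds what the section 5 form lacks: a source restriction, so the mapped MySQL port is reachable only from an administrator range. The values are the guide's (172.16.0.0/24 to 172.16.0.1; EIP port 50000 to 10.0.0.1:3306); the administrator range 198.51.100.0/24 is an assumption.

```shell
#!/bin/sh
# Added example, not FlexGW code: iptables equivalents of a FlexGW SNAT entry
# (section 4) and a TCP tunnel entry (section 5), rendered as commands.
# Default is a dry run; set APPLY=1 to execute the rendered commands.
set -eu

valid_cidr() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'; }
valid_port() { printf '%s\n' "$1" | grep -Eq '^[0-9]+$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# snat_rules SOURCE_CIDR GATEWAY_PRIVATE_IP
# Section 4: 172.16.0.0/24 -> 172.16.0.1. The rewrite is to the gateway's VPC
# private IP, as the form asks; the VPC then maps that address to the EIP.
# "! -d" keeps intra-VPC traffic from being NATed.
snat_rules() {
    valid_cidr "$1" && valid_cidr "$2" || return 1
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $1 ! -d $1 -j SNAT --to-source $2
EOF
}

# tcp_tunnel_rules LOCAL_PORT TARGET_IP TARGET_PORT ADMIN_CIDR
# Section 5: EIP:50000 -> 10.0.0.1:3306. Without "-s ADMIN_CIDR" the database
# port would be open to the whole Internet through the EIP.
tcp_tunnel_rules() {
    valid_port "$1" && valid_cidr "$2" && valid_port "$3" && valid_cidr "$4" || return 1
    cat <<EOF
iptables -t nat -A PREROUTING -p tcp -s $4 --dport $1 -j DNAT --to-destination $2:$3
iptables -A FORWARD -p tcp -s $4 -d $2 --dport $3 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s $2 --sport $3 -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# apply_rules: pass the rendered commands through (dry run) or execute them.
apply_rules() {
    if [ "${APPLY:-0}" = 1 ]; then sh -e; else cat; fi
}

# Usage:
#   snat_rules 172.16.0.0/24 172.16.0.1 | apply_rules
#   APPLY=1 tcp_tunnel_rules 50000 10.0.0.1 3306 198.51.100.0/24 | apply_rules
```

The FORWARD rules assume a default-deny FORWARD policy, which is what makes the `-s` restriction meaningful; with the default ACCEPT policy the DNAT alone would already forward from any source.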
paulkkjh
Posted time: Jun 8, 2017 14:01
Hello, is there any support for this?

IDMS
Posted time: Feb 7, 2018 23:11
We had tried this earlier and I used to be able to connect from our network in India.
But now, when I try it, using FlexGW as well as standalone OpenVPN, it always DROPS the connection.
Earlier ExpressVPN used to work from mainland China, but that does not work either.
Is there anything common between these two, which can be none other than the Great Firewall of China?

shhanshan
Forum Moderator
Posted time: Feb 9, 2018 8:20
Hello, you might need to provide mtr output in both directions for further investigation.