Juan Wajnerman edited this page Sep 3, 2014 · 1 revision


Configuring a VPN connection for Nuntium

Some telcos will only exchange messages over an IPsec VPN tunnel. Here's how to set one up on Ubuntu with Openswan.

IP addresses

You will need two IP addresses. The first is the public IP of your Nuntium server; on EC2 this is your Elastic IP (see EC2#!installing-nuntium-on-ec2 for more info). The second is your internal IP, the address the telco talks to once inside the tunnel. Some telcos require this to be a routable address that you actually own, so you *should* use one that is yours; otherwise it can be any IP address, as long as both ends of the tunnel agree on it.

For the rest of these instructions 'your_public_ip' is your public IP address and 'your_internal_ip' is your internal IP address. Similarly 'telcos_public_ip' and 'telcos_internal_ip' denote the public and internal IP addresses of the telco respectively.

Installation

Run the following command, answering no when the installer asks whether you want to create an X.509 certificate (the telco example below uses a pre-shared key instead):

# sudo apt-get install openswan

Configuration

Edit the file /etc/ipsec.conf

Basic

Change the following settings in the basic configuration section. Note the line virtual_private: it must include your_internal_ip/32.

# basic configuration
config setup
  nat_traversal=yes
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:your_internal_ip/32
  protostack=netkey

Connection with Telcos

This will most likely change from telco to telco, but here is one example using a pre-shared key. Note that ike=3des-md5, esp=3des-md5 and pfs=no are legacy choices: use them only because the telco's gateway insists on them, and ask for AES with SHA-2 and PFS if the telco supports them.

conn telco
  type=tunnel
  left=%defaultroute
  leftsubnet=your_internal_ip/32
  leftid=your_public_ip
  right=telcos_public_ip
  rightsubnet=telcos_internal_ip/32
  # if there are multiple ips
  # rightsubnets={telcos_internal_ip_1/32,telcos_internal_ip_2/32}
  keyexchange=ike
  auth=esp
  auto=start
  authby=secret
  pfs=no
  forceencaps=yes
  aggrmode=no
  ike=3des-md5
  esp=3des-md5
  salifetime=3600s

Note that authby=secret only tells Openswan to authenticate with a shared secret; it is not the secret itself (see below).

Shared Secret

Put your shared secret in /etc/ipsec.secrets. The two identities before the colon select which peers the secret applies to; %any matches any peer, so replacing it with telcos_public_ip is tighter if the telco's address is fixed. Keep the file owned by root with mode 600, since anyone who can read it can impersonate either end of the tunnel.

%any your_public_ip: PSK "shared_secret"

Rewrite the source address of packets destined for the telco's internal IP to your_internal_ip, so they match leftsubnet and are sent through the tunnel:

# sudo iptables -t nat -A POSTROUTING -d telcos_internal_ip/32 -j SNAT --to-source your_internal_ip

Persistent iptables

Note that iptables rules live only in kernel memory and are therefore lost on reboot. On Ubuntu/Debian you can use iptables-persistent to save and reload them at boot. See http://serverfault.com/questions/249716/loading-manually-created-iptables-script-on-boot-up for more details.

# sudo apt-get install iptables-persistent

Checking your iptables

# sudo iptables -t nat -L

Restart OpenSwan

# sudo /etc/init.d/ipsec restart

Testing Connection

# telnet <telcos_internal_ip> <port>

Replace <port> with the port the telco's SMSC listens on; a successful TCP connect through the tunnel is the end-to-end test.
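The steps above (ipsec.conf, ipsec.secrets, the SNAT rule) are easy to get subtly wrong: a missing /32 in virtual_private, a world-readable secrets file, or a duplicated iptables rule after a second run. The script below is an added example, not part of the Nuntium wiki or of Openswan, that renders both files from the four addresses, creates the secrets file with mode 600, pins the PSK to the telco's public IP instead of %any, adds the SNAT rule idempotently, and runs the checks a reviewer would do before restarting. The IP addresses in the usage comment are documentation ranges; the cipher defaults are the page's own 3des-md5 values, which the audit function deliberately flags.

```shell
#!/bin/sh
# Added example (not the Nuntium project's own code): generate and check the
# Openswan configuration described on this page. Pass a directory other than
# /etc (e.g. a temp dir) to preview the files without touching the system.

# write_vpn_config DIR YOUR_PUBLIC_IP YOUR_INTERNAL_IP TELCOS_PUBLIC_IP TELCOS_INTERNAL_IP PSK [IKE] [ESP]
write_vpn_config() {
    dir=$1 your_public_ip=$2 your_internal_ip=$3
    telcos_public_ip=$4 telcos_internal_ip=$5 psk=$6
    ike=${7:-3des-md5}   # page's example values; the telco usually dictates these
    esp=${8:-3des-md5}

    cat > "$dir/ipsec.conf" <<EOF
# basic configuration
config setup
  nat_traversal=yes
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:$your_internal_ip/32
  protostack=netkey

conn telco
  type=tunnel
  left=%defaultroute
  leftsubnet=$your_internal_ip/32
  leftid=$your_public_ip
  right=$telcos_public_ip
  rightsubnet=$telcos_internal_ip/32
  keyexchange=ike
  auth=esp
  auto=start
  authby=secret
  pfs=no
  forceencaps=yes
  aggrmode=no
  ike=$ike
  esp=$esp
  salifetime=3600s
EOF

    # Secret indexed by both identities (leftid, and right's address) rather
    # than %any; created under umask 077 so it is never world-readable, even
    # for an instant. PSKs containing a double quote are not handled here.
    ( umask 077; printf '%s %s : PSK "%s"\n' "$your_public_ip" "$telcos_public_ip" "$psk" > "$dir/ipsec.secrets" )
    chmod 600 "$dir/ipsec.secrets"
}

# verify_vpn_config DIR YOUR_INTERNAL_IP: the pre-restart checks. Returns 1 and
# prints each problem found.
verify_vpn_config() {
    dir=$1 ip=$2 rc=0
    grep -q "virtual_private=.*%v4:$ip/32" "$dir/ipsec.conf" || { echo "virtual_private lacks $ip/32"; rc=1; }
    grep -q "^  leftsubnet=$ip/32\$" "$dir/ipsec.conf" || { echo "leftsubnet is not $ip/32"; rc=1; }
    mode=$(stat -c %a "$dir/ipsec.secrets" 2>/dev/null || stat -f %Lp "$dir/ipsec.secrets")
    [ "$mode" = "600" ] || { echo "ipsec.secrets has mode $mode, expected 600"; rc=1; }
    return $rc
}

# audit_ciphers DIR: returns 1 if the ike= or esp= lines still use 3DES or MD5,
# so a config copied from the example is not deployed unnoticed.
audit_ciphers() {
    weak=$(grep -E '^  (ike|esp)=' "$1/ipsec.conf" | grep -Ei '3des|md5' || true)
    if [ -n "$weak" ]; then
        echo "legacy algorithms in use (prefer e.g. aes256-sha2_256 with pfs=yes):"
        echo "$weak"
        return 1
    fi
    return 0
}

# add_snat_rule TELCOS_INTERNAL_IP YOUR_INTERNAL_IP: the page's POSTROUTING rule,
# added only if it is not already present (re-running -A would duplicate it).
# Needs root; not exercised by the offline checks.
add_snat_rule() {
    iptables -t nat -C POSTROUTING -d "$1/32" -j SNAT --to-source "$2" 2>/dev/null \
        || iptables -t nat -A POSTROUTING -d "$1/32" -j SNAT --to-source "$2"
}

# Usage on the server (all addresses are placeholders):
#   write_vpn_config /etc 203.0.113.10 198.51.100.5 192.0.2.20 10.20.30.40 "$PSK"
#   verify_vpn_config /etc 198.51.100.5 && audit_ciphers /etc; add_snat_rule 10.20.30.40 198.51.100.5
#   /etc/init.d/ipsec restart
```

audit_ciphers is advisory: it exits non-zero on the page's example values so that a deliberate decision is needed to keep them, but it does not stop the restart.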

Troubleshooting

Use the following tools to check the status of the connection

IPSec

# sudo ipsec auto --status
# sudo ipsec auto --up telco
# sudo ipsec auto --down telco

The status output lists the conn by name; a working tunnel shows "IPsec SA established" for telco. --up and --down bring the connection up and down by hand, which is useful for watching the negotiation in /var/log/auth.log.

traceroute

It is expected to "fail", i.e. show * for every hop, because the path to telcos_internal_ip runs inside the tunnel and the intermediate routers only see the encrypted outer packets:

# sudo traceroute telcos_internal_ip

tcpdump

From one terminal window:

# sudo tcpdump -i eth0 -nnvvS host telcos_public_ip

From a second terminal window:

# ping telcos_internal_ip

You should see something like:

07:46:05.924282 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 144)
your_physical_address.4500 > telcos_public_ip.4500: [no cksum] UDP-encap: ESP(spi=0xea7ac2b2,seq=0x19), length 116

07:46:06.192283 IP (tos 0x0, ttl 48, id 32833, offset 0, flags [DF], proto UDP (17), length 144)
telcos_public_ip.4500 > your_physical_address.4500: [no cksum] UDP-encap: ESP(spi=0x931d4664,seq=0x19), length 116

This shows the ESP packets, UDP-encapsulated on port 4500 (NAT traversal, which forceencaps=yes makes mandatory), flowing between the telco's public IP and your physical IP, i.e. the address actually bound to eth0. On EC2 that is the instance's private address rather than the Elastic IP, since the Elastic IP is NAT'd in front of the instance. If you see outbound packets but no replies, the telco side is not answering; if you see nothing at all, the traffic is not entering the tunnel (check the SNAT rule and leftsubnet).

Monitoring

Create the following files, then restart monit:

# sudo /etc/init.d/monit restart

See http://wiki.openwrt.org/doc/howto/pseudowire for more info

OpenSwan

Put the following monit config file in /etc/monit/conf.d/openswan:

check process openswan with pidfile /var/run/pluto/pluto.pid
  start "/etc/init.d/ipsec restart"
  stop "/etc/init.d/ipsec stop"
  group openswan

Connection

Create a script to check the connection somewhere on your server, e.g. /scripts/check_telco.sh, replacing <timeout> (seconds), <telcos_internal_ip> and <telco_port> with your values:

  #!/usr/bin/env bash
  netcat -w <timeout> -z <telcos_internal_ip> <telco_port>
  exit $?

Then give it exec rights (the path must match the one you use in the monit config below):

# chmod u+x path/to/script.sh

Then put the following monit config file in /etc/monit/conf.d/<telco>:

check program telco_smsc with path "path/to/script.sh"
 if status != 0 then alert
 group telco

And restart Monit

# sudo /etc/init.d/monit restart

Now if your connection goes down you'll be notified.
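The netcat check above only tells you that the SMSC port stopped answering; it cannot say whether the tunnel itself dropped or the telco's host behind it did. The script below is an added example, not part of the Nuntium wiki, that extends check_telco.sh to test both layers and return a different exit code for each, so the monit alert says which one broke. It parses the output of ipsec auto --status for the conn name; the sample status lines embedded for offline testing are constructed in the format of Openswan 2.6, not captured from a real telco, and all addresses and ports are placeholders.

```shell
#!/bin/sh
# Added example: two-layer tunnel check for monit. Exit codes:
#   0 tunnel up and SMSC port answering
#   2 no established IPsec SA for the conn
#   3 tunnel up but the SMSC port is not answering
# Invoke with: check_telco.sh CONN TELCOS_INTERNAL_IP TELCO_PORT [TIMEOUT]

# sa_established CONN STATUS_TEXT: 0 if the `ipsec auto --status` output in
# STATUS_TEXT reports an IPsec SA established for the conn named CONN.
sa_established() {
    printf '%s\n' "$2" | grep -q "\"$1\".*IPsec SA established"
}

# port_open HOST PORT TIMEOUT: TCP connect test through the tunnel (nc -z).
port_open() {
    nc -w "$3" -z "$1" "$2" >/dev/null 2>&1
}

check_telco() {
    conn=$1 host=$2 port=$3 timeout=${4:-5}
    # Status is empty if pluto is not running or the ipsec tool is missing,
    # which correctly reads as "no SA".
    status=$(ipsec auto --status 2>/dev/null || true)
    if ! sa_established "$conn" "$status"; then
        echo "no established IPsec SA for conn $conn"
        return 2
    fi
    if ! port_open "$host" "$port" "$timeout"; then
        echo "IPsec SA up but $host:$port is not answering"
        return 3
    fi
    echo "ok: $conn up, $host:$port reachable"
    return 0
}

# Constructed samples of pluto status lines (Openswan 2.6 format) for testing
# the parser offline; not output from a real telco connection.
SAMPLE_STATUS_UP='000 #1: "telco":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2000s; newest ISAKMP; idle; import:admin initiate
000 #2: "telco":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2845s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate'
SAMPLE_STATUS_DOWN='000 #1: "telco":4500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 9s; idle; import:admin initiate'

# Run the real check only when called with arguments, e.g. from monit with
#   check program telco_smsc with path "/scripts/check_telco.sh telco 10.20.30.40 2775"
#   if status != 0 then alert
if [ $# -ge 3 ]; then
    check_telco "$@"
    exit $?
fi
```

Monit accepts arguments inside the quoted path string, so the same script can serve several telco conns from separate check program entries. The ISAKMP-only line in SAMPLE_STATUS_UP is there on purpose: Phase 1 completing without a Phase 2 SA is a common failure mode (wrong subnets or proposals), and the parser must not mistake it for a working tunnel.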