Engine Installation¶
A user with root privileges can install the Engine on a physical or virtual machine that meets the minimum system requirements. As of this writing, the Engine has been tested on RHEL/CentOS 7.4 and 7.5.
Before You Begin¶
Ensure that firewalld is installed. If not, install, start, and enable firewalld:
yum install firewalld
systemctl start firewalld
systemctl enable firewalld
Add the Ethernet interface to the public zone. The interface is typically named eth0. If the interface has a different name, be sure to use that name in the following command:
firewall-cmd --permanent --zone=public --add-interface=eth0
Allow GRE and IPsec traffic:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --reload
If errors are encountered when starting the firewalld service, refer to Troubleshooting & Debug below for suggestions.
Installation¶
Install the EPEL repository, which is required by strongSwan:
yum install epel-release
Install Bayware's repository:
yum install https://repo.s3.bayware.io/public/bayware-repo.noarch.rpm
Before you can proceed with installing the Bayware Agent from the Bayware repository, you need an Access Key ID and an Access Key. These credentials are provided by Bayware. If you do not have these credentials, please contact us at contact@bayware.io.
Once you have your credentials, add them to the Bayware repo file as follows:
cd /etc/yum.repos.d
Using your favorite text editor, open the Bayware repo file. This example uses vi:
vi Bayware-IceBreaker.repo
Look for the following lines in the file. They may not be in this order, or even grouped together:
enabled=0
key_id=<AWS_KEY_ID>
secret_key=<AWS_SECRET_KEY>
Enable the repository and assign your Access Key ID to key_id and your Access Key to secret_key. When you're finished, the three lines should look similar to:
enabled=1
key_id=AKIAJQLKJLXS5N6XL76B
secret_key=NR0SyUYSR0mSAkgzhKcFyMS1Bolyhw0p6CBTX6uw
Of course, your key_id and secret_key will differ from those shown above.
Install the Bayware Engine and Open vSwitch:
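The repo edit above can also be done non-interactively. The following shell function is an added example, not Bayware's own tooling: it applies the three changes (enabled=1, key_id, secret_key) to a yum .repo file with sed, refuses the untouched placeholder values, and then restricts the file to mode 0600, because the file now stores a long-lived credential that any local user could otherwise read. The sample repo file and the credentials are constructed stand-ins for /etc/yum.repos.d/Bayware-IceBreaker.repo and your real keys.

```shell
#!/bin/sh
# Added example, not part of Bayware's tooling. Applies the three edits the page
# describes (enabled=1, key_id, secret_key) to a yum .repo file non-interactively
# and then restricts the file's permissions, since it now holds a long-lived secret.
# The repo file used below is a constructed stand-in for
# /etc/yum.repos.d/Bayware-IceBreaker.repo; the credentials are placeholders.

configure_bayware_repo() {
    # $1 = path to the .repo file, $2 = Access Key ID, $3 = Access Key
    repo_file=$1
    key_id=$2
    secret_key=$3
    [ -f "$repo_file" ] || { echo "no such repo file: $repo_file" >&2; return 1; }
    # Refuse the <AWS_KEY_ID>/<AWS_SECRET_KEY> placeholders: enabling the repo
    # with them would only produce confusing authentication failures later.
    case "$key_id$secret_key" in
        *'<'*|*'>'*|'') echo "refusing empty or placeholder credentials" >&2; return 1 ;;
    esac
    # The three lines need not be adjacent or in order, so each is matched on its own.
    sed -i \
        -e "s|^enabled=.*|enabled=1|" \
        -e "s|^key_id=.*|key_id=$key_id|" \
        -e "s|^secret_key=.*|secret_key=$secret_key|" \
        "$repo_file"
    # Secret material on disk: readable and writable by root only.
    chmod 0600 "$repo_file"
}

# Constructed sample repo file mirroring the lines the page tells you to look for.
make_sample_repo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[bayware-icebreaker]
name=Bayware IceBreaker
enabled=0
key_id=<AWS_KEY_ID>
gpgcheck=1
secret_key=<AWS_SECRET_KEY>
EOF
    echo "$f"
}
```

Usage on a real system would be `configure_bayware_repo /etc/yum.repos.d/Bayware-IceBreaker.repo "$KEY_ID" "$SECRET_KEY"` with the two values read from a root-only file or prompt rather than typed on the command line, so they do not land in shell history.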
yum install ib_engine openvswitch
Configuration¶
The ib_engine must be configured after installation. Executing the following script without parameters displays its help screen. The text that follows explains how to configure the Engine properly:
/opt/ib_engine/bin/ib_configure
Note
- default installation dir = /opt/ib_engine
- default configuration script dir = /opt/ib_engine/bin
- default configuration file dir = /opt/ib_engine/conf
There are two ways to run the configuration script:
- INTERACTIVE mode: run ib_configure -i. The user can input parameters one at a time or simply accept the suggested values by pressing return. If this is the first time running the script, default values are suggested. If this is not the first time running the script, the parameters used previously (and subsequently stored in ib_engine.conf) are used.
- BATCH mode: run ib_configure with command-line parameters. In batch mode, the script uses parameters from the command line or parameters stored in ib_engine.conf. Any parameter not supplied on the command line is taken from the configuration file. Any parameter supplied on the command line is subsequently stored in ib_engine.conf for future use. Note that at least one parameter must be supplied on the command line when using batch mode. Running the script without any command-line parameters returns the help message shown below.
The usage is as follows:
[root@bwsf-1 conf]# ./ib_configure
Must be mor than 1 cpu
Usage: ib_configure [-h] [-r] [-s] [-i] [-c CONTROLLER] [-d DOMAIN]
[-l USERNAME] [-p PASSWORD]
Setup the Bayware Engine.
optional arguments:
-h show this help message and exit
-r restart components
-s setup strongswan
-i interactive engine config OR
-c <CONTROLLER> controller FQDN or IP address
-d <DOMAIN> node domain
-l <USERNAME> node user name
-p <PASSWORD> node password associated with user name
If the Engine is being configured interactively for the first time, run ib_configure -i and input the requested parameters.
Alternatively, run the script in batch mode with the switches -c, -d, -l, and -p, supplying the information described in the help screen above. Add the -s flag if the network topology requires IPsec.
Start Engine Service¶
After running the configuration script, enable and start the Engine:
systemctl enable ib_engine
systemctl start ib_engine
Check Installation¶
Both ib_engine and strongSwan should now be running as services on the system. Confirm this:
systemctl status ib_engine
The ib_engine service should be active and running, similar to the following:
[root@aws-gsw-4 bin]# systemctl status ib_engine
● ib_engine.service - IceBreaker Engine
Loaded: loaded (/usr/lib/systemd/system/ib_engine.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2018-08-09 17:52:17 UTC; 1h 35min ago
Process: 2036 ExecStart=/opt/ib_engine/bin/ib_engine start (code=exited, status=0/SUCCESS)
Main PID: 2061 (run_erl)
And for strongSwan (if used):
systemctl status strongswan
The output should be similar to:
[root@aws-gsw-4 bin]# systemctl status strongswan
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/usr/lib/systemd/system/strongswan.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2018-08-09 19:30:48 UTC; 3s ago
Main PID: 2908 (starter)
Troubleshooting & Debug¶
Operating System & Libraries¶
The Engine has been tested on RHEL and CentOS 7.4 and 7.5. If the system is running an earlier version, or the libraries on the system are outdated, the Engine may not run properly. If you are experiencing problems installing the Engine, it is recommended to update all packages:
yum update
Firewalld & CentOS Upgrade¶
If starting firewalld results in an error message similar to:
[centos@aws-16 ~]$ systemctl start firewalld
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.
Authenticating as: Cloud User (centos)
Password:
polkit-agent-helper-1: pam_authenticate failed: Authentication failure
==== AUTHENTICATION FAILED ===
Failed to start firewalld.service: Access denied
See system logs and 'systemctl status firewalld.service' for details.
then restart the D-Bus service followed by the firewalld service as follows:
systemctl restart dbus
systemctl restart firewalld
This problem may be the result of upgrading the operating system from CentOS 7.4 to 7.5. It may also be corrected by rebooting the system.
Daemons¶
Check that the ib_engine and IPsec daemons are working correctly by executing:
netstat -tulpn
The output should look similar to the following. Note that the relevant lines show beam, epmd, and charon under Program name:
[root@aws-eng-test-9 conf]# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:6653 0.0.0.0:* LISTEN 2702/beam
tcp 0 0 127.0.0.1:1830 0.0.0.0:* LISTEN 2702/beam
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 496/rpcbind
tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN 1192/epmd
tcp 0 0 0.0.0.0:44083 0.0.0.0:* LISTEN 2702/beam
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 972/sshd
tcp 0 0 0.0.0.0:8088 0.0.0.0:* LISTEN 2702/beam
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 931/master
tcp6 0 0 :::111 :::* LISTEN 496/rpcbind
tcp6 0 0 :::4369 :::* LISTEN 1192/epmd
tcp6 0 0 :::22 :::* LISTEN 972/sshd
tcp6 0 0 ::1:25 :::* LISTEN 931/master
udp 0 0 127.0.0.1:323 0.0.0.0:* 522/chronyd
udp 0 0 0.0.0.0:4500 0.0.0.0:* 3379/charon
udp 0 0 0.0.0.0:500 0.0.0.0:* 3379/charon
udp 0 0 0.0.0.0:68 0.0.0.0:* 3379/charon
udp 0 0 0.0.0.0:68 0.0.0.0:* 755/dhclient
udp 0 0 0.0.0.0:111 0.0.0.0:* 496/rpcbind
udp 0 0 0.0.0.0:669 0.0.0.0:* 496/rpcbind
udp6 0 0 ::1:323 :::* 522/chronyd
udp6 0 0 :::4500 :::* 3379/charon
udp6 0 0 :::500 :::* 3379/charon
udp6 0 0 :::111 :::* 496/rpcbind
udp6 0 0 :::669 :::* 496/rpcbind
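The manual inspection above (look for beam, epmd and charon on their ports) can be turned into a repeatable post-install check. The script below is an added example, not Bayware's tooling: it reads netstat -tulpn output from stdin, normalises tcp6/udp6 to tcp/udp, and reports each expected proto:port:program listener as present or missing, with the exit status equal to the number missing. The expected-listener list and the sample netstat output are constructed from the listing on this page; netstat only shows program names when run as root, so the check must run as root too.

```shell
#!/bin/sh
# Added example, not part of Bayware's tooling. Reads `netstat -tulpn` output on
# stdin and checks that each expected proto:port:program listener is present,
# so the manual inspection the page describes can be scripted (for example in a
# post-install health check). The sample output below is constructed from the
# lines the page says matter; run as root so netstat can show program names.

check_listeners() {
    # Arguments: expected listeners as proto:port:program, e.g. udp:500:charon.
    # Prints "ok"/"MISSING" per expectation; exit status is the number missing.
    awk -v want="$*" '
        NR > 2 {                                   # skip the two header lines
            proto = $1; sub(/6$/, "", proto)       # tcp6 -> tcp, udp6 -> udp
            port = $4; sub(/.*:/, "", port)        # 0.0.0.0:6653 or :::4500 -> port
            prog = $NF; sub(/^[0-9]*\//, "", prog) # 2702/beam -> beam ("-" if not root)
            seen[proto ":" port ":" prog] = 1
        }
        END {
            n = split(want, w, " "); missing = 0
            for (i = 1; i <= n; i++) {
                if (w[i] in seen) print "ok      " w[i]
                else { print "MISSING " w[i]; missing++ }
            }
            exit missing
        }'
}

# Expected listeners for an Engine with IPsec enabled, taken from the page's output.
ENGINE_LISTENERS="tcp:6653:beam tcp:4369:epmd udp:500:charon udp:4500:charon"

# Constructed sample of `netstat -tulpn` output (subset of the page's listing).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6653            0.0.0.0:*               LISTEN      2702/beam
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN      1192/epmd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      972/sshd
tcp6       0      0 :::4369                 :::*                    LISTEN      1192/epmd
udp        0      0 0.0.0.0:4500            0.0.0.0:*                           3379/charon
udp        0      0 0.0.0.0:500             0.0.0.0:*                           3379/charon
udp6       0      0 :::500                  :::*                                3379/charon
EOF
}

# Run against the constructed sample; on a live Engine use:  netstat -tulpn | check_listeners $ENGINE_LISTENERS
sample_netstat | check_listeners $ENGINE_LISTENERS
```

Because the expectation is written as proto:port:program rather than just a program name, the check also catches the case where charon is running but not bound to UDP 500/4500, which is what the firewalld rules earlier on this page allow through.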
StrongSwan¶
To debug the IPsec daemon, execute strongswan status or strongswan statusall (more verbose):
[root@bwsf-1 ~]# strongswan status
Security Associations (1 up, 4 connecting):
ib_d59c4a35[5]: CONNECTING, 10.1.7.17[%any]...213.156.74.53[%any]
ib_632b6374[4]: CONNECTING, 10.1.7.17[%any]...99.43.99.116[%any]
ib_632b6373[3]: CONNECTING, 10.1.7.17[%any]...99.43.99.115[%any]
ib_17629885[1]: CONNECTING, 10.1.7.17[%any]...23.98.152.133[%any]
ib_632b6372[8]: ESTABLISHED 4 minutes ago, 99.43.99.113[CN=bwsf-1]...99.43.99.114[CN=bwsf-14]
ib_632b6372{2}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cfce6fc1_i cfa4e773_o
ib_632b6372{2}: 99.43.99.113/32 === 99.43.99.114/32
The strongSwan diagnostic messages are logged to /var/log/messages and can be extracted with:
egrep 'charon|strongswan' /var/log/messages
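With several peers the strongswan status listing gets long, and the IKE SA lines are the ones that tell you which peers are stuck in CONNECTING. The following is an added example, not strongSwan or Bayware tooling: an awk filter that condenses the status output (read on stdin) to one line per IKE SA with its state, connection name and remote address, skipping the child-SA lines, and returns the number of SAs that are not ESTABLISHED. The sample input is constructed from the status listing shown on this page.

```shell
#!/bin/sh
# Added example, not part of strongSwan or Bayware tooling. Condenses `strongswan
# status` output (read on stdin) into one line per IKE SA, so peers stuck in
# CONNECTING stand out, and returns how many SAs are not ESTABLISHED. Connection
# names and addresses in the sample are the ones shown on this page.

summarize_sas() {
    # Output: STATE CONNECTION-NAME REMOTE-ADDRESS, one IKE SA per line.
    awk '
        # IKE SA lines look like  name[N]: STATE ..., local[id]...remote[id]
        # child SA lines use name{N}: and are skipped
        $1 ~ /\[[0-9]+\]:$/ {
            name = $1; sub(/\[.*/, "", name)
            state = $2; sub(/,$/, "", state)
            remote = $0; sub(/.*\.\.\./, "", remote); sub(/\[.*/, "", remote)
            print state, name, remote
            if (state != "ESTABLISHED") pending++
        }
        END { exit pending }'
}

# Constructed sample built from the status listing on this page.
sample_status() {
    cat <<'EOF'
Security Associations (1 up, 4 connecting):
ib_d59c4a35[5]: CONNECTING, 10.1.7.17[%any]...213.156.74.53[%any]
ib_632b6374[4]: CONNECTING, 10.1.7.17[%any]...99.43.99.116[%any]
ib_632b6373[3]: CONNECTING, 10.1.7.17[%any]...99.43.99.115[%any]
ib_17629885[1]: CONNECTING, 10.1.7.17[%any]...23.98.152.133[%any]
ib_632b6372[8]: ESTABLISHED 4 minutes ago, 99.43.99.113[CN=bwsf-1]...99.43.99.114[CN=bwsf-14]
ib_632b6372{2}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cfce6fc1_i cfa4e773_o
ib_632b6372{2}:   99.43.99.113/32 === 99.43.99.114/32
EOF
}

# On a live Engine use:  strongswan status | summarize_sas
sample_status | summarize_sas || echo "$? SA(s) not established"
```

A peer that stays in CONNECTING usually means UDP 500/4500 is not reachable in one direction or the certificate identity (the CN shown in the ESTABLISHED line) does not match; the egrep over /var/log/messages above gives the charon-side reason.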
GRE Interface¶
Verify that there is traffic over the GRE interface when connected to an Engine:
tcpdump ip6 -ni ib-tap