Engine Installation

A user with root privileges can install the Engine on a physical or virtual machine meeting minimum system requirements. As of this writing, the Engine has been tested on RHEL/CentOS 7.4 and 7.5.

Before You Begin

Ensure that firewalld is installed. If not, install, start, and enable firewalld

yum install firewalld
systemctl start firewalld
systemctl enable firewalld

Add the Ethernet interface to the public zone. The interface is typically named eth0. If the interface has a different name, be sure to use that name in the following command

firewall-cmd --permanent --zone=public --add-interface=eth0

Allow GRE and IPsec traffic

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
firewall-cmd --permanent --add-service="ipsec"
firewall-cmd --reload

If errors are encountered when starting the firewalld service, refer to the Troubleshooting & Debug for suggestions.


Install EPEL repository, which is required by strongSwan

yum install epel-release

Install Bayware’s repository

yum install https://repo.s3.bayware.io/public/bayware-repo.noarch.rpm

Before you can proceed with installing the Bayware Agent from the Bayware repository, you need an Access Key and An Access Key ID. These credentials are provided by Bayware. If you do not have these credentials please contact us <mailto:contact@bayware.io>.

Once you have your credentials, add them to the Bayware repo file as follows.

cd /etc/yum.repos.d

Using your favorite text editor, open the Bayware repo. This example uses vi.

vi Bayware-IceBreaker.repo

Look for the following lines in the file. They may not be in this order or even grouped together


Enable the repository and assign your Access Key ID to key_id and your Access Key to secret_key. When you’re finished, the three lines should look similar to


Of course, you’ure key_id and secret_key will be different than those shown above.

Install the Bayware Engine and Open vSwitch

yum install ib_engine openvswitch


The ib_engine must be configured after installation. Executing the following script without parameters displays its help screen. Refer to the following text for an explanation on how to properly configure the Engine.

  • default installation dir = /opt/ib_engine
  • default configuration script dir = /opt/ib_engine/bin
  • default configuration file dir = /opt/ib_engine/conf

There are two ways to run the configuration script

  1. run ib_configure -i INTERACTIVE mode
    the user has the ability to input parameters one at a time or to simply accept the suggested values using return. If this is the first time running the script, default values are suggested. If this is not the first time running the script, parameters used previously (and subsequently stored in ib_engine.conf) are used.
  2. run ib_configure BATCH mode
    in batch mode, the script uses parameters from the command line or parameters stored in ib_engine.conf. Any parameter not supplied on the command line is taken from the configuration file. Any parameter supplied on the command line is subsequently stored in ib_engine.conf for future use. Note that at least one parameter must be configured from the command line when using batch mode. Running the script without any command-line parameters returns the help message show below.

The usage is as follows

[root@bwsf-1 conf]# ./ib_configure
Must be mor than 1 cpu
Usage: ib_configure [-h] [-r] [-s] [-i] [-c CONTROLLER] [-d DOMAIN]

Setup the Bayware Engine.
optional arguments:
  -h show this help message and exit
  -r restart components
  -s setup strongswan
  -i interactive engine config OR
  -c <CONTROLLER> controller FQDN or IP address
  -d <DOMAIN> node domain
  -l <USERNAME> node user name
  -p <PASSWORD> node password associated with user name

If the engine is being configured interactively for the first time, run ib_configure -i and input the requested parameters.

Alternatively, run the script in batch mode with switches -c, -d, -l, and -p along with the required information shown in the help screen above. Add a -s flag if the network topology requires IPsec.

Start Engine Service

After running the configuration script, start the Engine

systemctl enable ib_engine
systemctl start ib_engine

Check Installation

Both ib_engine and strongSwan should now be running as a service on the system. Confirm this

systemctl status ib_engine

The ib_engine service should be active and running, similar to the following

[root@aws-gsw-4 bin]# systemctl status ib_engine
● ib_engine.service - IceBreaker Engine
   Loaded: loaded (/usr/lib/systemd/system/ib_engine.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2018-08-09 17:52:17 UTC; 1h 35min ago
  Process: 2036 ExecStart=/opt/ib_engine/bin/ib_engine start (code=exited, status=0/SUCCESS)
 Main PID: 2061 (run_erl)

And for strongSwan (if using)

systemctl status strongswan

the output should be similar to

[root@aws-gsw-4 bin]# systemctl status strongswan
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/usr/lib/systemd/system/strongswan.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2018-08-09 19:30:48 UTC; 3s ago
 Main PID: 2908 (starter)

Troubleshooting & Debug

Operating System & Libraries

The Engine has been tested on RHEL and CentOS 7.4 and 7.5. If the system is running an earlier version or the libraries on the system are outdated, the Engine may not run properly. If you are experiencing problems installing the Engine, it is recommended to update all packages

yum update

Firewalld & CentOS Upgrade

If starting firewalld results in an error message similar to

[centos@aws-16 ~]$ systemctl start firewalld
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.
Authenticating as: Cloud User (centos)
polkit-agent-helper-1: pam_authenticate failed: Authentication failure
Failed to start firewalld.service: Access denied
See system logs and 'systemctl status firewalld.service' for details.

then restart D-Bus service followed by firewallD service as follows

systemctl restart dbus
systemctl restart firewalld

This problem may be the result of upgrading the operating system from CentOS 7.4 to 7.5. It may also be corrected by rebooting the system.


Check that ib_engine and IPsec daemons are working correctly by executing

netstat -tulpn

The output should look similar to the following–note the relevant lines show beam, epmd, and charon under Program name

[root@aws-eng-test-9 conf]# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0  *               LISTEN      2702/beam
tcp        0      0*               LISTEN      2702/beam
tcp        0      0   *               LISTEN      496/rpcbind
tcp        0      0  *               LISTEN      1192/epmd
tcp        0      0 *               LISTEN      2702/beam
tcp        0      0    *               LISTEN      972/sshd
tcp        0      0  *               LISTEN      2702/beam
tcp        0      0  *               LISTEN      931/master
tcp6       0      0 :::111                  :::*                    LISTEN      496/rpcbind
tcp6       0      0 :::4369                 :::*                    LISTEN      1192/epmd
tcp6       0      0 :::22                   :::*                    LISTEN      972/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      931/master
udp        0      0 *                           522/chronyd
udp        0      0  *                           3379/charon
udp        0      0   *                           3379/charon
udp        0      0    *                           3379/charon
udp        0      0    *                           755/dhclient
udp        0      0   *                           496/rpcbind
udp        0      0   *                           496/rpcbind
udp6       0      0 ::1:323                 :::*                                522/chronyd
udp6       0      0 :::4500                 :::*                                3379/charon
udp6       0      0 :::500                  :::*                                3379/charon
udp6       0      0 :::111                  :::*                                496/rpcbind
udp6       0      0 :::669                  :::*                                496/rpcbind


To debug the IPsec daemon, execute strongswan status or strongswan statusall (more verbose)

[root@bwsf-1 ~]# strongswan status
Security Associations (1 up, 4 connecting):
 ib_d59c4a35[5]: CONNECTING,[%any]...[%any]
 ib_632b6374[4]: CONNECTING,[%any]...[%any]
 ib_632b6373[3]: CONNECTING,[%any]...[%any]
 ib_17629885[1]: CONNECTING,[%any]...[%any]
 ib_632b6372[8]: ESTABLISHED 4 minutes ago,[CN=bwsf-1]...[CN=bwsf-14]
 ib_632b6372{2}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cfce6fc1_i cfa4e773_o
 ib_632b6372{2}: ===

The strongswan diagnostic messages are logged at

egrep 'charon|strongswan' /var/log/messages

GRE Interface

Verify that there is traffic over the GRE interface when connected to an Engine

tcpdump ip6 -ni ib-tap