Setting Up a VPN into Amazon's Public Cloud VPC » History » Version 4
Version 3 (Yaron Sheffer, 26.12.2011 22:38) → Version 4/29 (Yaron Sheffer, 26.12.2011 23:04)
h1. Setting Up a VPN into Amazon's Public Cloud VPC
The AWS VPC (Virtual Private Cloud) is somewhat inconvenient for developers. The standard way to access it is through an IPsec "hardware VPN". In practice this means having to deal with BGP, in addition to IPsec. This howto simplifies things by using StrongSwan to access the VPC instances. Neither hardware nor BGP are required.
h2. Scenario
We assume a single VPC subnet with Internet access (i.e., located behind an Internet Gateway). We have a small number of clients accessing the VPC remotely, from Linux machines. I believe the solution can be tweaked to allow for larger deployments.
h2. Solution Overview
We create a new, dedicated instance serving as a VPN gateway for the whole VPC. The solution uses tunnel-mode IPsec with IKEv2 and a virtual IP pool. StrongSwan is deployed on both client and gateway.
h2. Solution Steps
# Create a new VPC instance (the minimal instance type in VPC is Small). We have used a standard Ubuntu Oneiric image, @ami-a562a9cc@. You can use an existing instance, but that would be much less secure. Note that the VPN Gateway instance can be stopped when not in use, and later restarted.
# Disable source/destination check on the instance.
# Assign an Elastic IP for the instance. This will be the gateway's address, but first we will use it to access the gateway and install it.
# Install StrongSwan on the gateway (and on your client, too). We have used the version available in the repository, 4.5.2. Modify the configuration files per the next section.
# Enable IP forwarding on the gateway:
* For the current session, run @echo 1 > /proc/sys/net/ipv4/ip_forward@
* We also want this setting to persist after a reboot: edit @/etc/sysctl.conf@ and uncomment the line @net.ipv4.ip_forward=1@.
# Define the gateway's security group(s) to allow incoming TCP/22, UDP/500 and UDP/4500.
* Once the gateway is fully set up, you will be able to disable TCP/22 in the security group and tunnel SSH through IPsec instead of directly. You simply SSH into the gateway's private IP address.
# Define a subnet for the virtual IP pool. It doesn't need to be inside the VPC. In our example the VPC encompasses 10.10.0.0/16, and the virtual IP pool will be drawn from 10.100.0.0/16.
# IPsec clients will be assigned addresses from the virtual address pool. Note the instance ID of the VPN gateway. Then locate the route table associated with the subnet of protected instances (this may or may not be the main route table), and add a routing rule that routes all traffic destined to the pool's subnet (10.100.0.0/16) through the gateway instance.
# Allow any incoming traffic from this subnet into all VPC instances, for example by adding an "all traffic" rule for 10.100.0.0/16 to the @default@ security group of your VPC.
# Finally, run @sudo ipsec restart@ on the gateway and on the client, and you are good to go!
h2. Configuration Files
h3. /etc/ipsec.conf on the client
<pre>
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # nat_traversal=yes
    charonstart=yes
    plutostart=no
    # charondebug="ike 2, knl 2, cfg 2, mgr 2, chd 2, net 2"

# Connections into AWS VPC
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret

conn us-east-1-vpc
    left=%any
    leftsourceip=%config
    leftid=yaronf@porticor.com
    leftfirewall=yes
    right=<gateway's elastic IP>
    rightsubnet=10.10.0.0/16
    rightid=@us-east-gw.porticor.com
    auto=start

# Add connections here.
# include /var/lib/strongswan/ipsec.conf.inc
</pre>
h3. /etc/ipsec.secrets on the Client
<pre>
us-east-gw.porticor.com : PSK "aa82c7a776e2175114213acc02dda9951a6bc25deb433e6d5d6ef7058626c589"
</pre>
h3. /etc/ipsec.conf on the Gateway
<pre>
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # nat_traversal=yes
    charonstart=yes
    plutostart=no
    # charondebug="ike 2, knl 2, cfg 2, mgr 3, chd 2, net 2"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret

conn client
    # the leftid is not a real DNS name
    leftid=us-east-gw.porticor.com
    left=10.10.0.10
    # We are protecting the entire VPC, not just this subnet
    leftsubnet=10.10.0.0/16
    leftfirewall=yes
    right=%any
    # The virtual IP pool is outside the VPC!
    rightsourceip=10.100.255.0/28
    auto=add

# Add connections here.
# include /var/lib/strongswan/ipsec.conf.inc
</pre>
h3. /etc/ipsec.secrets on the Gateway
<pre>
yaronf@porticor.com : PSK "aa82c7a776e2175114213acc02dda9951a6bc25deb433e6d5d6ef7058626c589"
</pre>
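As an added example (not part of the original howto), the following Python script parses the client and gateway ipsec.conf fragments and checks the settings that have to agree between the two files: the IDs, the protected subnet, IKEv2 on both sides, and the virtual IP pool lying outside the VPC as required by step 7. The embedded config text is condensed from the files above; the gateway address is omitted since the check does not need it.

```python
import ipaddress
# Condensed from the two ipsec.conf files above; parameters are indented under their section header.
CLIENT_CONF = """\
conn %default
    keyexchange=ikev2
conn us-east-1-vpc
    leftsourceip=%config
    leftid=yaronf@porticor.com
    rightsubnet=10.10.0.0/16
    rightid=@us-east-gw.porticor.com
"""
GATEWAY_CONF = """\
conn %default
    keyexchange=ikev2
conn client
    leftid=us-east-gw.porticor.com
    leftsubnet=10.10.0.0/16
    rightsourceip=10.100.255.0/28
"""

def parse_ipsec_conf(text):
    """{conn: {key: value}}; headers start at column 0, params are indented, %default folded in."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            current = sections.setdefault(line.split(None, 1)[1], {})
        else:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **params} for name, params in sections.items()}

def check_pair(client_conf, gateway_conf, client_conn, gateway_conn, vpc_cidr):
    """List mismatches that would keep this client/gateway pair from working."""
    c = parse_ipsec_conf(client_conf)[client_conn]
    g = parse_ipsec_conf(gateway_conf)[gateway_conn]
    problems = []
    if c.get("rightid", "").lstrip("@") != g.get("leftid"):  # leading '@' marks a non-DNS id
        problems.append("client rightid must match gateway leftid")
    if c.get("rightsubnet") != g.get("leftsubnet"):
        problems.append("client rightsubnet must match gateway leftsubnet")
    if not (c.get("keyexchange") == g.get("keyexchange") == "ikev2"):
        problems.append("both sides must set keyexchange=ikev2")
    if c.get("leftsourceip") != "%config" or "rightsourceip" not in g:
        problems.append("client needs leftsourceip=%config, gateway needs rightsourceip")
    elif ipaddress.ip_network(g["rightsourceip"]).overlaps(ipaddress.ip_network(vpc_cidr)):
        problems.append("virtual IP pool must not overlap the VPC")
    return problems
```

Feed it the real files (open and read them) to re-check after editing either side; an empty list means the pair is consistent.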