AWS Site-to-Site VPN with strongSwan

Intro

This guide will walk you through the process of setting up a site-to-site VPN in AWS between two networks.

When configuring a VPN, one end of the connection will be on your on-premises network or another cloud provider, and the other end will be on the AWS cloud. To simulate the AWS and the on-prem sides, we’ll create two VPCs in different regions – us-east-1 and us-east-2 in this case.

We’ll use strongSwan to emulate the customer gateway on the on-premises side. strongSwan is an open-source IPsec-based VPN solution used to establish secure site-to-site connections. Essentially, it ensures that data transmitted between these two points is private and secure.

Visually, the final solution will look like this:

Let’s get going!

This project was completed as part of the Udemy course AWS VPC and Networking in depth: Learn practically in 8 hrs.

Setting up VPC-A and its Networking Components

The bullets in this section outline the network setup for the AWS side of the VPN connection. I’ll create the VPC in us-east-1, but you can use any region you see fit.

1. Create VPC-A

VPC Name: VPC-A
CIDR block: 10.100.0.0/16

2. Create an Internet Gateway for VPC-A

The initial setup and establishment of the VPN connection occurs over the public internet, so we need an Internet Gateway.

Let’s create one like this:

Internet Gateway Name: VPC-A-IGW

3. Attach IGW to VPC-A

4. Create a Public Subnet in VPC-A

Name: VPC-A-Public-Subnet
CIDR block: 10.100.0.0/24

5. Set Up Routing for VPC-A

5.1 Create a Route Table

Name: VPC-A-Public-RT

5.2 Add route to the Internet Gateway

5.3 Associate the route table with the public subnet

Setting up VPC-B and its Networking Components

The process of creating the VPC for simulating the on-prem side of the VPN connection is similar to the previous section, so I’ll just list the steps again.

1. Switch to another region (I’ll be using us-east-2)

2. Create VPC-B

VPC Name: VPC-B
CIDR block: 10.200.0.0/16

3. Create and Attach IGW to VPC-B

Internet Gateway Name: IGW-B

4. Define and Set Up VPC-B’s Public Subnet

Name: VPC-B-Public-Subnet
CIDR block: 10.200.0.0/24

5. Set Up Routing for VPC-B

5.1 Create a Route Table
Name: VPC-B-Public-RT

5.2 Add route to the Internet Gateway

5.3 Associate the route table with the public subnet

EC2-A Instance Setup

Let’s create an EC2 instance in VPC-A. This instance acts as a representative node within VPC-A to showcase that resources within this VPC can communicate with resources in VPC-B via the VPN connection.

1. Select AMI and Instance Type

I’ll be using an Ubuntu instance. If you’re following along, you can select any free tier eligible instance type.

Name: EC2-A

2. Creating Key Pair KP-A

3. Setting up Security Group SG-A

Here is a sample configuration for the Security Group:

  • SSH access from my public IP so I can connect to the instance
  • Allow all TCP traffic for the CIDR of the VPC on the other end of the VPN connection – that is 10.200.0.0/16
  • Allow ICMP from the other side of the VPN as well – we’ll use that to ping the servers to ensure the VPN connection is working

EC2-B Instance Setup

The purpose of the EC2 instance in VPC-B that we’re about to configure is not only to represent a client machine on the on-prem side of the VPN. With strongSwan installed, this instance acts as the VPN endpoint for VPC-B. It establishes and maintains the VPN connection to VPC-A. This enables resources in VPC-B to securely communicate with resources in VPC-A through IPsec tunnels.

1. Launch EC2-B in VPC-B

This process is identical to the setup of EC2-A. For the security group, make sure to allow TCP and ICMP access from the AWS side of the VPN with CIDR block 10.100.0.0/16.

We’ll need to configure a bunch of network settings on the instance, but first, let’s create the VPN connection itself and related components.

Creating the Site-to-Site VPN in AWS

1. Virtual Private Gateway Setup in VPC-A

A Virtual Private Gateway is the VPN endpoint on the AWS side of the Site-to-Site VPN connection.

Go ahead and create a VPG and attach it to VPC-A:

Name: VPC-A-VPC-B-VGW

2. Attach the VPG to VPC-A

3. Customer Gateway Configuration

A Customer Gateway represents the gateway device on the on-premises network. When you create a customer gateway, you provide information about your device to AWS.

Here are the details for the CG for our setup:

Name: VPC-B-CGW

The IP address here should correspond to the public IP of the EC2 instance in VPC-B.

4. Creating the site-to-site VPN connection

Now, it’s time to create the VPN connection itself. Go to the VPN section of the VPC dashboard and click “Create VPN connection”:

Populate the required fields:

Name: VPC-A-VPC-B-VPN-Connection

Make sure to select the Virtual Private Gateway and Customer Gateway we’ve just created. For the Static IP prefixes, you need to specify the CIDR block of VPC-B (10.200.0.0/16).

Once done, you’ll see the VPN connection was created with two tunnels for redundancy. For this demo we’ll use only Tunnel 1.

5. Download the VPN tunnel configuration

We’ll need that to set up the VPN parameters in EC2-B. Go ahead and click the “Download configuration” button on the VPN connection:

You can select a generic configuration:

Now, inspect the downloaded files. You will find connection details for both tunnels.

For each tunnel, there are sections:
– Internet Key Exchange Configuration
– IPSec Configuration
– Tunnel Interface Configuration
– Static Routing Configuration

Here’s how these look in our case:

In a later section, we’ll see where we need to specify these values when setting up the on-premise side of the VPN.

6. Enabling route propagation

Go to the Route Table VPC-A-Public-RT:

Then, enable route propagation through the Virtual Private Gateway:

VPN Configuration on EC2-B

It’s time to configure the VPN connection on the on-premises side, that is, on the EC2 instance in VPC-B.

1. SSH into EC2-B

2. Install strongSwan

sudo apt update
sudo apt install strongswan

3. Configuring EC2-B to function as a router

Update /etc/sysctl.conf to have the following:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Once you’ve updated the file, you can apply the changes with:
sudo sysctl -p

4. Configure an IPsec connection for the VPN tunnel

Open the ipsec.conf file:

sudo nano /etc/ipsec.conf

You need to add a configuration that looks similar to this one (I will provide details of the main fields below):

conn Tunnel1
      authby=secret
      auto=start
      left=%defaultroute
      leftid=3.145.217.88
      right=52.7.200.169
      type=tunnel
      ikelifetime=8h
      keylife=1h
      esp=aes128-sha1-modp1024
      ike=aes128-sha1-modp1024
      keyingtries=%forever
      keyexchange=ike
      leftsubnet=10.200.0.0/16
      rightsubnet=10.100.0.0/16
      dpddelay=10
      dpdtimeout=30

Here are the main bits you need to tweak for your use case:

leftid = EC2-B public IP (on-prem end of the VPN)
right = Public IP attached to the Virtual Private Gateway
leftsubnet = Customer end of VPN CIDR
rightsubnet = AWS end of VPN CIDR

You can get the leftid and right values from the VPN config file you downloaded:

5. Specify the shared secret in the IPsec secrets file

Open the ipsec.secrets file:

sudo nano /etc/ipsec.secrets

You need to add a line with the following format to the file:

<customer public ip> <virtual private gateway public ip> : PSK "<shared secret>"

The shared secret can be retrieved from the VPN config file:

Here is what the config looks like for me after the change:
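The values in the downloaded configuration, the conn block and the secrets line all have to agree, so here is a small added Python helper (not part of the original guide) that pulls Tunnel 1’s outside IPs and pre-shared key out of the generic configuration text and renders the matching ipsec.conf conn block and ipsec.secrets line, then cross-checks them. The sample text is constructed to resemble the shape of the AWS generic file (its field labels are an assumption), and the IPs and keys are placeholders.

```python
import re

# Constructed excerpt in the shape of the AWS "generic" tunnel configuration download.
# Field labels are an assumption about that format; the IPs and keys are placeholders.
SAMPLE_CONFIG = """\
IPSec Tunnel #1
  - Pre-Shared Key           : EXAMPLEpskForTunnel1
  Outside IP Addresses:
    - Customer Gateway        : 192.0.2.10
    - Virtual Private Gateway : 198.51.100.20
IPSec Tunnel #2
  - Pre-Shared Key           : EXAMPLEpskForTunnel2
  Outside IP Addresses:
    - Customer Gateway        : 192.0.2.10
    - Virtual Private Gateway : 198.51.100.21
"""

def parse_tunnel(text, number):
    """Return the outside IPs and PSK for one tunnel as {'cgw', 'vgw', 'psk'}."""
    start = text.index(f"IPSec Tunnel #{number}")
    end = text.find("IPSec Tunnel #", start + 1)   # slice so the other tunnel is ignored
    section = text[start:None if end == -1 else end]
    def field(label):
        m = re.search(rf"-\s*{re.escape(label)}\s*:\s*(\S+)", section)
        if not m:
            raise ValueError(f"{label} missing for tunnel {number}")
        return m.group(1)
    return {"cgw": field("Customer Gateway"),
            "vgw": field("Virtual Private Gateway"),
            "psk": field("Pre-Shared Key")}

def render_strongswan(t, name="Tunnel1", left_subnet="10.200.0.0/16",
                      right_subnet="10.100.0.0/16"):
    """Render the conn block used in the guide and the matching ipsec.secrets line."""
    settings = {"authby": "secret", "auto": "start", "left": "%defaultroute",
                "leftid": t["cgw"], "right": t["vgw"], "type": "tunnel",
                "ikelifetime": "8h", "keylife": "1h",
                "esp": "aes128-sha1-modp1024", "ike": "aes128-sha1-modp1024",
                "keyingtries": "%forever", "keyexchange": "ike",
                "leftsubnet": left_subnet, "rightsubnet": right_subnet,
                "dpddelay": "10", "dpdtimeout": "30"}
    conn = f"conn {name}\n" + "\n".join(f"      {k}={v}" for k, v in settings.items())
    secrets = f'{t["cgw"]} {t["vgw"]} : PSK "{t["psk"]}"'
    return conn, secrets

def check_consistent(conn, secrets):
    """True when the secrets line's two IPs equal the conn block's leftid and right."""
    leftid = re.search(r"^\s*leftid=(\S+)", conn, re.M).group(1)
    right = re.search(r"^\s*right=(\S+)", conn, re.M).group(1)
    m = re.match(r'(\S+)\s+(\S+)\s*:\s*PSK\s+"[^"]+"$', secrets)
    return bool(m) and m.group(1) == leftid and m.group(2) == right
```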

6. Reload the IPsec configuration to take effect

sudo ipsec restart

7. Check the IPsec status

sudo ipsec statusall

You can see the Tunnel1 connection is successfully established. This means the VPN is up and running but let’s make a few more checks anyway.
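As an added check that is not part of the original guide, the following Python function parses the output of ipsec statusall and reports a connection as up only when its IKE SA is ESTABLISHED and its CHILD_SA is INSTALLED with traffic selectors that actually cover the two VPC CIDRs, since a tunnel can be established while protecting the wrong subnets. The sample output is constructed to resemble strongSwan’s format (an assumption about that format) and uses placeholder addresses.

```python
import re
from ipaddress import ip_network

# Constructed sample resembling `sudo ipsec statusall` output from strongSwan (the exact
# layout is an assumption about the tool's output; addresses and SPIs are placeholders).
SAMPLE_STATUS = """\
Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0, x86_64):
  uptime: 3 minutes, since Jan 01 00:00:00 2024
Connections:
     Tunnel1:  %any...198.51.100.20  IKEv1/2, dpddelay=10s
     Tunnel1:   child:  10.200.0.0/16 === 10.100.0.0/16 TUNNEL, dpdaction=none
Security Associations (1 up, 0 connecting):
     Tunnel1[1]: ESTABLISHED 3 minutes ago, 10.200.0.10[192.0.2.10]...198.51.100.20[198.51.100.20]
     Tunnel1[1]: IKEv1 SPIs: 0000000000000001_i* 0000000000000002_r, pre-shared key reauthentication in 7 hours
     Tunnel1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0000001_i c0000002_o
     Tunnel1{1}:   10.200.0.0/16 === 10.100.0.0/16
"""

def tunnel_state(status, conn):
    """Summarise one connection: IKE SA state, CHILD_SA state and installed selectors."""
    # Lines like "Tunnel1[1]: ESTABLISHED ..." describe the IKE SA, "Tunnel1{1}: ..." the CHILD_SA.
    ike = re.search(rf"^\s*{re.escape(conn)}\[\d+\]:\s+(\w+)", status, re.M)
    child = re.search(rf"^\s*{re.escape(conn)}\{{\d+\}}:\s+(\w+)", status, re.M)
    sel = re.search(rf"^\s*{re.escape(conn)}\{{\d+\}}:\s+([\d./]+) === ([\d./]+)\s*$",
                    status, re.M)
    return {"ike": ike.group(1) if ike else None,
            "child": child.group(1) if child else None,
            "local": sel.group(1) if sel else None,
            "remote": sel.group(2) if sel else None}

def vpn_is_up(status, conn, local_cidr, remote_cidr):
    """True only when IKE is ESTABLISHED, the CHILD_SA is INSTALLED and the installed
    selectors cover the local and remote VPC CIDRs the tunnel is supposed to carry."""
    s = tunnel_state(status, conn)
    if s["ike"] != "ESTABLISHED" or s["child"] != "INSTALLED" or not s["local"]:
        return False
    return (ip_network(local_cidr).subnet_of(ip_network(s["local"]))
            and ip_network(remote_cidr).subnet_of(ip_network(s["remote"])))
```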

Testing the VPN connection

1. Verify the Tunnel is up in the AWS Console:

2. Ensure you can ping the machines from both sides of the VPN

For example, let’s ping the EC2-A machine from EC2-B on its private IP.

Summary

By following this comprehensive guide, you should be able to successfully establish a secure communication bridge between your on-premises and AWS networks using strongSwan.

Thanks for reading, and see you next time!

Resources

  1. AWS VPC and Networking in depth: Learn practically in 8 hrs
