Creating Site-To-Site VPN between StrongSwan and Amazon AWS Virtual Private Gateway

Posted: January 30, 2019 in Amazon Web Services (AWS)

A virtual private gateway is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection.

A customer gateway is the physical device or software application on your side of the Site-to-Site VPN connection; here it is the StrongSwan server.

From the AWS console click VPC - Virtual Private Gateways - Create Virtual Private Gateway

Now create the Customer Gateway: Customer Gateways - Create Customer Gateway

Routing: Static - enter the public IP of the StrongSwan server

Now click Site-to-Site-VPN Connection-Create VPN Connection

Now select the Virtual Private Gateway and the Customer Gateway created previously and click Create VPN Connection - Routing Option: Static - specify the subnet behind the StrongSwan server (the remote network from the AWS side) as the static IP prefix

Click again Virtual Private Gateways - Actions - Attach to VPC, select the VPC and click Yes, Attach

Allow inbound traffic from StrongSwan server

From Services-VPC-Security Groups-Select Security Group-Inbound Rules-Edit Rule

Add Rule-Type:All traffic-Source StrongSwan IP address

Installing StrongSwan on CentOS 7

If StrongSwan is installed on an AWS EC2 instance, disable the Source/Destination check on that instance; otherwise EC2 drops the forwarded packets whose source or destination is not the instance's own address.

Ensure that /etc/sysctl.conf contains the following lines and then force them to be loaded by running sysctl -p /etc/sysctl.conf or by rebooting:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_mtu_probing = 1
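As an added example (not part of the original post), the following POSIX shell check reads a sysctl.conf-style file and reports any of the settings above that are missing or carry a different value, so a reboot or sysctl -p does not silently leave forwarding off or a hardening knob unset. The required keys and values are the ones listed above; the sample file the script writes at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: check that a sysctl.conf-style
# file sets every parameter the post requires, with the required value.
# The parameters and values are the ones listed in the post; the sample file
# written at the bottom is constructed for the demonstration.

# Required settings: "key value", one per line.
REQUIRED_SYSCTL='
net.ipv4.ip_forward 1
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.tcp_mtu_probing 1
'

# effective_value FILE KEY
# Print the value FILE sets for KEY, or nothing if it is unset. Comments are
# stripped first and the last assignment wins, which is how sysctl -p applies
# a file that repeats a key.
effective_value() {
    sed -e 's/#.*//' "$1" | awk -F'=' -v k="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == k { v = $2 }
        END { print v }'
}

# verify_sysctl_file FILE
# Print one line per deviation ("MISSING key" or "WRONG key want=X have=Y")
# and return 0 only when FILE is fully compliant.
verify_sysctl_file() {
    file=$1
    rc=0
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(effective_value "$file" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "WRONG $key want=$want have=$have"
            rc=1
        fi
    done <<EOF
$REQUIRED_SYSCTL
EOF
    return $rc
}

# Demonstration on a constructed file: forwarding is left off and most of the
# hardening keys are absent, so the check reports them.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
EOF
verify_sysctl_file "$sample" || echo "$sample is not compliant"
rm -f "$sample"
```

On the server, run verify_sysctl_file /etc/sysctl.conf after editing and only then sysctl -p /etc/sysctl.conf. The check reads the file, not the running kernel; to confirm a live value use sysctl -n with the key, for example sysctl -n net.ipv4.ip_forward.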

yum install epel-release
yum repolist
yum update
yum install strongswan
systemctl enable strongswan
yum install ntp
systemctl enable ntpd

Replace the server configuration entries in /etc/ntp.conf so the AWS recommended NTP server pool is used:

server 0.amazon.pool.ntp.org iburst
server 1.amazon.pool.ntp.org iburst
server 2.amazon.pool.ntp.org iburst
server 3.amazon.pool.ntp.org iburst

Switch back to the AWS console - Site-to-Site VPN Connections - select the VPN connection - click Download Configuration

For tunnel 1 the downloaded configuration looks like this:

– IKE version : IKEv1
– Authentication Method : Pre-Shared Key
– Pre-Shared Key : aqke
– Authentication Algorithm : sha1
– Encryption Algorithm : aes-128-cbc
– Lifetime : 28800 seconds
– Phase 1 Negotiation Mode : main
– Diffie-Hellman : Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
Category “VPN” connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
Higher parameters are only available for VPNs of category “VPN,” and not for “VPN-Classic”.
– Protocol : esp
– Authentication Algorithm : hmac-sha1-96
– Encryption Algorithm : aes-128-cbc
– Lifetime : 3600 seconds
– Mode : tunnel
– Perfect Forward Secrecy : Diffie-Hellman Group 2

/etc/strongswan/ipsec.conf (parameter lines must be indented under their conn section; comments go on their own lines):
conn %default
    mobike=no
    compress=no
    authby=psk
    keyexchange=ikev1
    # Phase 1: AES-128, SHA1, DH group 2 (modp1024), as in the downloaded configuration
    ike=aes128-sha1-modp1024!
    ikelifetime=28800s
    # Phase 2: AES-128, HMAC-SHA1-96, PFS with DH group 2
    esp=aes128-sha1-modp1024!
    lifetime=3600s
    rekeymargin=3m
    keyingtries=3
    installpolicy=yes
    dpdaction=restart
    type=tunnel

conn dc-aws1
    # local subnet behind the StrongSwan server
    leftsubnet=172.16.40.0/24
    # if the server sits behind NAT (an EC2 instance does), also set leftid to the
    # public IP entered as the customer gateway, so the IKE identity matches
    # AWS virtual private gateway public IP for tunnel 1 (from the downloaded configuration)
    right=1.2.3.4
    # remote subnet: the VPC CIDR
    rightsubnet=10.34.0.0/16
    auto=start

Store the pre-shared key in /etc/strongswan/ipsec.secrets (the IP is the AWS gateway address used as right= above):

1.2.3.4 : PSK "aqke"

Restart the strongswan service (systemctl restart strongswan) and watch the charon log:

tail -f /var/log/messages | grep charon

If all is fine the tunnel should be UP: charon logs the IKE_SA and then the CHILD_SA for dc-aws1 as established.
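As an added example (not part of the original post), a small POSIX shell function that does a first-pass triage of the charon lines pulled out of /var/log/messages: it tells apart a tunnel that is up, a phase 1 that completed without a phase 2, a rejected proposal, a failed authentication and a peer that never answers. The log lines embedded in it are constructed samples modelled on charon's message format, not captured output; the connection name dc-aws1 and the subnets come from the post, the other addresses are documentation-range placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: first-pass triage of the charon
# log lines that "grep charon" pulls out of /var/log/messages. The log lines
# below are constructed samples modelled on charon's message format, not
# captured output; the connection name dc-aws1 and the subnets are taken from
# the post, the other addresses are documentation-range placeholders.

# tunnel_state CONN   (log lines on stdin)
# Prints one of:
#   up            IKE_SA and CHILD_SA for CONN established: tunnel is UP
#   ike_only      phase 1 done but no CHILD_SA: check esp= and the subnets
#   no_proposal   peer rejected a proposal: check ike=/esp= against the AWS file
#   auth_failed   phase 1 authentication failed: check the PSK in ipsec.secrets
#   no_response   only retransmits: check the security group and UDP 500/4500
#   unknown       nothing conclusive in the input
# An established SA anywhere in the input outranks failure messages, so feed
# it only the lines written since the last service restart.
tunnel_state() {
    conn=$1
    log=$(cat)
    if printf '%s\n' "$log" | grep -q "CHILD_SA $conn{[0-9]*} established"; then
        echo up
    elif printf '%s\n' "$log" | grep -q "IKE_SA $conn\[[0-9]*\] established"; then
        echo ike_only
    elif printf '%s\n' "$log" | grep -q 'NO_PROPOSAL_CHOSEN'; then
        echo no_proposal
    elif printf '%s\n' "$log" | grep -q -e 'AUTHENTICATION_FAILED' -e 'invalid HASH_V1 payload'; then
        echo auth_failed
    elif printf '%s\n' "$log" | grep -q 'retransmit [0-9]* of request'; then
        echo no_response
    else
        echo unknown
    fi
}

# Constructed sample log lines (not captured from a real system).
SAMPLE_UP='Jan 30 12:00:01 vpn charon: 05[IKE] IKE_SA dc-aws1[1] established between 172.16.40.10[203.0.113.10]...198.51.100.5[198.51.100.5]
Jan 30 12:00:01 vpn charon: 05[IKE] CHILD_SA dc-aws1{1} established with SPIs c1a2b3c4_i d5e6f7a8_o and TS 172.16.40.0/24 === 10.34.0.0/16'
SAMPLE_NO_PROPOSAL='Jan 30 12:00:05 vpn charon: 06[IKE] received NO_PROPOSAL_CHOSEN error notify'
SAMPLE_NO_RESPONSE='Jan 30 12:00:09 vpn charon: 07[IKE] retransmit 3 of request with message ID 0'

# Demonstration: classify each sample.
for s in "$SAMPLE_UP" "$SAMPLE_NO_PROPOSAL" "$SAMPLE_NO_RESPONSE"; do
    printf '%s\n' "$s" | tunnel_state dc-aws1
done
```

On the server the call is grep charon /var/log/messages | tunnel_state dc-aws1; confirm the verdict with strongswan statusall, which lists the ESTABLISHED IKE_SA and the INSTALLED CHILD_SA with its traffic selectors.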
