Creating Site-To-Site VPN between StrongSwan and Amazon AWS Virtual Private Gateway using BGP Routing protocol

Posted: February 1, 2019 in Amazon Web Services (AWS)

In the last post we configured a site-to-site VPN between StrongSwan and the AWS VPC gateway using static routing. In this one we'll use BGP.


I'll be creating a site-to-site VPN between two AWS regions. Normally we would take advantage of VPC peering for this, but for demonstration purposes I used an EC2 instance (CentOS 7) with public IP 3.120.227.213 and internal IP 172.31.36.231. The AWS VPN gateway creates two tunnels, with public IPs 34.246.169.212 and 54.49.220.63.

Creating AWS VPN Gateway

From the AWS VPC console, click Customer Gateways, then New Customer Gateway.


Specify the IP address of the StrongSwan server (3.120.227.213) and the BGP ASN (65600).

We’ll create BGP on StrongSwan server later on.


Create Virtual Private Gateway


Attach the Virtual Private Gateway to the VPC: select the virtual private gateway, then Actions, Attach to VPC, select the VPC and click Yes, Attach.


Create the VPN connection: click Site-to-Site VPN Connections, then Create VPN Connection.


Select the Virtual private gateway and the Customer gateway, and set Routing option to Dynamic (BGP).


Download the VPN gateway configuration file; it contains the tunnel addresses, pre-shared keys and BGP neighbor addresses used below.


Install Quagga (a routing suite whose bgpd daemon will speak BGP to AWS) on the StrongSwan server

# disable SELinux, both permanently in the config file and for the running system
sed -i 's/enforcing/disabled/g' /etc/selinux/config
setenforce 0
# iptables is used by the VTI up/down script further below
yum install iptables-services
systemctl enable iptables
systemctl start iptables
yum install quagga
# bgpd needs /etc/quagga/bgpd.conf before it can start; start from the shipped sample
cp /usr/share/doc/quagga-*/bgpd.conf.sample /etc/quagga/bgpd.conf
# the quagga user must be able to read and write its configs ("write" in vtysh);
# 777 is far wider than needed, ownership by the quagga user is sufficient
chmod -R 777 /etc/quagga/
systemctl enable zebra
systemctl start zebra
systemctl enable bgpd
systemctl start bgpd

Configuring BGP on the StrongSwan server

vtysh
config t
# the sample bgpd.conf already defines "router bgp 7675"; Quagga runs a single
# BGP instance, so remove it first or "router bgp 65600" is refused with
# "BGP is already running; AS is 7675"
no router bgp 7675
router bgp 65600
 network 172.31.36.0/24
 neighbor 169.254.20.181 remote-as 64512
 neighbor 169.254.21.193 remote-as 64512
do write
exit
exit

AWS BGP ASN is 64512


The neighbor addresses are defined in the AWS virtual private gateway configuration file: 169.254.20.181 for tunnel 1 and 169.254.21.193 for tunnel 2 (the inside IP address of the AWS side of each tunnel).

Install StrongSwan

/etc/strongswan/ipsec.conf:

conn %default
        # Authentication Method : Pre-Shared Key
        #authby=psk
        leftauth=psk
        rightauth=psk
        # Encryption Algorithm : aes-128-cbc
        # Authentication Algorithm : sha1
        # Perfect Forward Secrecy : Diffie-Hellman Group 2
        # (trailing "!" makes the proposal strict; this is what the AWS config file specifies)
        ike=aes128-sha1-modp1024!
        #ike=aes256-sha256-modp2048s256,aes128-sha1-modp1024!
        # Lifetime : 28800 seconds
        ikelifetime=28800s
        # Phase 1 Negotiation Mode : main
        aggressive=no
        # Protocol : esp
        # Encryption Algorithm : aes-128-cbc
        # Authentication Algorithm : hmac-sha1-96
        # Perfect Forward Secrecy : Diffie-Hellman Group 2
        #esp=aes128-sha256-modp2048s256,aes128-sha1-modp1024!
        esp=aes128-sha1-modp1024!
        # Lifetime : 3600 seconds
        lifetime=3600s
        # Mode : tunnel
        type=tunnel
        # DPD Interval : 10
        dpddelay=10s
        # DPD Retries : 3 (3 x 10s)
        dpdtimeout=30s
        # Tuning Parameters for AWS Virtual Private Gateway:
        keyexchange=ikev1
        #keyingtries=%forever
        rekey=yes
        reauth=no
        dpdaction=restart
        closeaction=restart
        #left=%defaultroute
        # route-based VPN: all traffic is selected, routing is done via the VTI interfaces and BGP
        leftsubnet=0.0.0.0/0,::/0
        rightsubnet=0.0.0.0/0,::/0
        leftupdown=/etc/strongswan/ipsec-vti.sh
        installpolicy=yes
        compress=no
        mobike=no

conn AWS-VPC-GW1
        # Customer Gateway (internal IP of the EC2 instance, identified by its public IP):
        left=172.31.36.231
        leftid=3.120.227.213
        # Virtual Private Gateway (tunnel 1 outside address):
        right=34.246.169.212
        rightid=34.246.169.212
        auto=start
        # mark 100 is matched by ipsec-vti.sh to bind this tunnel to vti1
        mark=100
        #reqid=1

conn AWS-VPC-GW2
        # Customer Gateway:
        left=172.31.36.231
        leftid=3.120.227.213
        #leftsubnet=172.31.36.0/24
        # Virtual Private Gateway (tunnel 2 outside address):
        right=52.49.220.63
        rightid=52.49.220.63
        #rightsubnet=172.31.16.0/24
        auto=start
        # mark 200 is matched by ipsec-vti.sh to bind this tunnel to vti2
        mark=200

The tunnel 1 and tunnel 2 addresses (inside and outside IPs of the customer gateway and of the virtual private gateway, including the public IP of each AWS VPN gateway tunnel endpoint) are taken from the downloaded configuration file.

/etc/strongswan/ipsec-vti.sh:

#!/bin/bash
# strongSwan runs this script (leftupdown) whenever a connection goes up or down.
# It creates one VTI interface per tunnel, bound to the connection's mark, so that
# bgpd can peer over the 169.254.x.x inside addresses from the AWS configuration.

IP=$(which ip)
IPTABLES=$(which iptables)

# PLUTO_MARK_OUT/PLUTO_MARK_IN look like "100/0xffffffff"; keep only the mark value
PLUTO_MARK_OUT_ARR=(${PLUTO_MARK_OUT//// })
PLUTO_MARK_IN_ARR=(${PLUTO_MARK_IN//// })

# inside tunnel addresses from the downloaded AWS configuration
case "$PLUTO_CONNECTION" in
    AWS-VPC-GW1)
        VTI_INTERFACE=vti1
        VTI_LOCALADDR=169.254.20.182/30
        VTI_REMOTEADDR=169.254.20.181/30
        ;;
    AWS-VPC-GW2)
        VTI_INTERFACE=vti2
        VTI_LOCALADDR=169.254.21.194/30
        VTI_REMOTEADDR=169.254.21.193/30
        ;;
    *)
        echo "ipsec-vti.sh: no VTI defined for connection ${PLUTO_CONNECTION}" >&2
        exit 1
        ;;
esac

case "${PLUTO_VERB}" in
    up-client)
        # create the VTI, keyed to the IPsec marks so only this tunnel's traffic uses it
        #$IP tunnel add ${VTI_INTERFACE} mode vti local ${PLUTO_ME} remote ${PLUTO_PEER} okey ${PLUTO_MARK_OUT_ARR[0]} ikey ${PLUTO_MARK_IN_ARR[0]}
        $IP link add ${VTI_INTERFACE} type vti local ${PLUTO_ME} remote ${PLUTO_PEER} okey ${PLUTO_MARK_OUT_ARR[0]} ikey ${PLUTO_MARK_IN_ARR[0]}
        # no XFRM policy lookup on the VTI itself; relax reverse-path filtering for it
        sysctl -w net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1
        sysctl -w net.ipv4.conf.${VTI_INTERFACE}.rp_filter=2 || sysctl -w net.ipv4.conf.${VTI_INTERFACE}.rp_filter=0
        $IP addr add ${VTI_LOCALADDR} remote ${VTI_REMOTEADDR} dev ${VTI_INTERFACE}
        # MTU leaves room for the ESP overhead of the AWS tunnel
        $IP link set ${VTI_INTERFACE} up mtu 1436
        # clamp TCP MSS for forwarded traffic so large segments fit the tunnel MTU
        $IPTABLES -t mangle -I FORWARD -o ${VTI_INTERFACE} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
        # mark incoming ESP from this peer so it is decrypted into the right VTI
        $IPTABLES -t mangle -I INPUT -p esp -s ${PLUTO_PEER} -d ${PLUTO_ME} -j MARK --set-xmark ${PLUTO_MARK_IN}
        # strongSwan's own routes (table 220) would bypass the VTI; routing comes from BGP instead
        $IP route flush table 220
        #/etc/init.d/bgpd reload || /etc/init.d/quagga force-reload bgpd
        ;;
    down-client)
        #$IP tunnel del ${VTI_INTERFACE}
        $IP link del ${VTI_INTERFACE}
        $IPTABLES -t mangle -D FORWARD -o ${VTI_INTERFACE} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
        $IPTABLES -t mangle -D INPUT -p esp -s ${PLUTO_PEER} -d ${PLUTO_ME} -j MARK --set-xmark ${PLUTO_MARK_IN}
        ;;
esac

# Enable IPv4 forwarding and keep XFRM/policy processing off the physical interface
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.eth0.disable_xfrm=1
sysctl -w net.ipv4.conf.eth0.disable_policy=1

/etc/strongswan/ipsec.secrets (pre-shared keys from the downloaded configuration file, one per tunnel):

3.120.227.213 34.246.169.212 : PSK "yZ1oMi60GNgzgXmBSHo84w0M_uYMFL5R"
3.120.227.213 52.49.220.63 : PSK "RDihsBvmWrJ1PbI0HwJ7vMJW24qVJKbx"

If all is fine, both tunnels should be UP
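To check both sides of this setup without reading the raw status output by hand, here are two small verification helpers (added here, not from the original post): one parses Quagga's "show ip bgp summary" and the other strongSwan's "strongswan status". They assume the connection names and neighbor addresses configured above; the sample outputs embedded in the script are constructed so it runs offline.

```shell
#!/bin/bash
# Added verification helpers (not from the original post): both IPsec connections
# must be ESTABLISHED in strongSwan and both BGP neighbours Established in Quagga.
# Connection names and neighbour addresses are the ones configured above.

# Constructed sample of "vtysh -c 'show ip bgp summary'". For an Established
# session Quagga prints the received prefix count in the State/PfxRcd column;
# otherwise it prints the FSM state (Idle, Active, Connect, ...).
SAMPLE_BGP_OK='BGP router identifier 172.31.36.231, local AS number 65600

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.20.181  4      64512      42      44        0    0    0 00:05:12        1
169.254.21.193  4      64512      40      41        0    0    0 00:04:58        1

Total number of neighbors 2'
SAMPLE_BGP_BAD='Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.20.181  4      64512      42      44        0    0    0 00:05:12        1
169.254.21.193  4      64512       0       0        0    0    0 never    Active'

# Constructed sample of "strongswan status" with both tunnels up.
SAMPLE_IPSEC='Security Associations (2 up, 0 connecting):
 AWS-VPC-GW1[1]: ESTABLISHED 5 minutes ago, 172.31.36.231[3.120.227.213]...34.246.169.212[34.246.169.212]
 AWS-VPC-GW1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f60718_o
 AWS-VPC-GW2[2]: ESTABLISHED 5 minutes ago, 172.31.36.231[3.120.227.213]...52.49.220.63[52.49.220.63]
 AWS-VPC-GW2{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: 9a8b7c6d_i 5e4f3a2b_o'

# Read "show ip bgp summary" on stdin; succeed only when at least one neighbour
# row was seen and every row ends in a numeric prefix count (Established).
bgp_all_established() {
    awk '/^Neighbor/ { in_table = 1; next }
         in_table && NF == 0 { in_table = 0 }
         in_table && $1 ~ /^[0-9.]+$/ {
             seen++
             if ($NF !~ /^[0-9]+$/) { printf "BGP neighbour %s is %s\n", $1, $NF; bad = 1 }
         }
         END { exit (bad || !seen) ? 1 : 0 }'
}

# Read "strongswan status" on stdin; succeed only when each connection named
# on the command line has an ESTABLISHED IKE_SA line.
ipsec_all_up() {
    local status conn failed=0
    status=$(cat)
    for conn in "$@"; do
        printf '%s\n' "$status" | grep -q "^ *${conn}\[[0-9]*\]: ESTABLISHED" \
            || { echo "IPsec connection $conn is not ESTABLISHED"; failed=1; }
    done
    return $failed
}
```

On the StrongSwan host the live checks are `vtysh -c 'show ip bgp summary' | bgp_all_established` and `strongswan status | ipsec_all_up AWS-VPC-GW1 AWS-VPC-GW2`; a non-zero exit names the tunnel or neighbor that is not up.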
