Recently my company want to achieve PCI compliance on Amazon. As per PCI compliance standard Database instance should listen on private IP and should not be accessible from outside world using public IP. This is not achievable using EC2 as instances are assigned public you want it or not. Also when Database is listening on private IP we needed VPN connectivity between amazon and our network. Hence I started looking into Amazon VPC. However, VPC VPN needs BGP to create site-to-site VPN and we being using Cisco ASA couldn’t use the VPC VPN option as BGP is not supported. Hence I started looking for alternate solution on web and found TechSmog article “OpenSwan, Amazon VPC, and Cisco ASA. Putting it all together.” this helped me a lot.
My requirement were as follows:
- Allow communication between my companies local network and ec2 instances within the vpc and vice-versa.
- Allow communication between ec2 instances within the vpc on different network.
- Communication between must be somewhat secure.
- The ability to have all instances be able to route to the outside world, and have a few publically accessable IP.
My office network:
- 10.0.2.0/24 and 10.0.3.0/24 – office local networks 254 useable ip address each.
- 10.0.0.1/32 – office ASA internal IP.
- 188.8.131.52 – office ASA public IP.
- 10.43.0.0/16 – the /16 subnet that is required for the outer vpc layer
- 10.43.1.0/24 and 10.43.2.0/24 – the vpc subnets that I will be working with.
- 10.43.1.254/32 – the internal private ip for the OpenSwan server.
- 184.108.40.206/32 – the elastic IP I allocated from amazon vpc. This will be binded to OpenSwan to use for our IPSec tunnel, more on that later. Just remember I am using that as my external IP to connect our IPSec tunnel.
Amazon VPC getting started:
First off we want to create our VPC via the Amazon AWS Management Console.
I pretty much followed the guide here:
- Go to the VPC tab
- Find the Your Virtual Private Cloud area, and click Get started creating a VPC.
- I choose VPC with Public and Private Subnets, along with the information I provided above in the layout.
- Follow the steps to create the VPC.
Adding the OpenSwan Server into our VPC:
- First we will need to Allocate a New Elastic IP within the VPC tab under Virtual Private Cloud -> Elastic IPs. This will be used for the openswan server.
- Once that is done, I went back to the EC2 tab, and launched an instance. I used the Basic 32bit Amazon Linux AMI
- I choose m1.small as my instance type
- Make sure to choose ‘Launch Instances Into Your Virtual Private Cloud’
- For instance details, I chose to assign it a private IP address of 10.43.1.254
- Choose my keypair, assigned it a name tag of ‘openswankey’
- For configure firewall, I chose allow all traffic from my public IP (220.127.116.11/32).
- I then associated the elastic IP to the running instance after it started up.
I ssh’d into the instance using my key (ssh -i my-key.pem firstname.lastname@example.org), and I was brought to a shell, :yay:
Configure the instance w/ OpenSwan:
I followed TechSmog article which helped a lot I made few changes / amendments to make it work for my scenario.
Here are the exact commands I ran after ssh’ing into the server, note the HOMEPUBLIC and HOMEPRIVATE should be changed according to your internal network:
sudo yum update -y sudo yum -y install openswan openswan-doc ipsec-tools EC2PRIVATE=10.43.1.0 EC2PUBLIC=`curl -s http://169.254.169.254/latest/meta-data/public-ipv4` HOMEPUBLIC=18.104.22.168 HOMEPRIVATE=10.0.2.0/24 PSK=`< /dev/urandom tr -dc a-zA-Z0-9_ | head -c30` echo "conn home" > /tmp/home.conf echo " left=%defaultroute" >> /tmp/home.conf echo " leftsubnet=$EC2PRIVATE/24" >> /tmp/home.conf echo " leftid=$EC2PUBLIC" >> /tmp/home.conf echo " right=$HOMEPUBLIC" >> /tmp/home.conf echo " rightid=$HOMEPUBLIC" >> /tmp/home.conf echo " rightsubnet=$HOMEPRIVATE" >> /tmp/home.conf echo " authby=secret" >> /tmp/home.conf echo " esp=3DES-MD5" >> /tmp/home.conf echo " keyingtries=3" >> /tmp/home.conf echo " rekey=no" >> /tmp/home.conf echo " keyexchange=ike" >> /tmp/home.conf echo " ikelifetime=86400s" >> /tmp/home.conf echo " pfs=yes" >> /tmp/home.conf echo " forceencaps=no" >> /tmp/home.conf echo " auto=start" >> /tmp/home.conf echo "" >> /tmp/home.conf echo "conn officesub2" >> /tmp/home.conf echo " rightsubnet=10.0.3.0/24" >> /tmp/home.conf echo " also=home" >> /tmp/home.conf echo "" >> /tmp/home.conf echo "conn vpcsub2" >> /tmp/home.conf echo " leftsubnet=10.43.2.0/24" >> /tmp/home.conf echo " also=home" >> /tmp/home.conf echo "" >> /tmp/home.conf echo "conn officevpcsub2" >> /tmp/home.conf echo " leftsubnet=10.43.2.0/24" >> /tmp/home.conf echo " also=officesub2" >> /tmp/home.conf echo "$EC2PUBLIC $HOMEPUBLIC: PSK \"$PSK\"" > /tmp/home.secrets sudo sed 's!^#\(include /etc/ipsec.d/\*.conf\)!\1!' /etc/ipsec.conf > /tmp/ipsec.conf sudo chmod 600 /tmp/home.* /tmp/ipsec.conf sudo chown root:root /tmp/home.* /tmp/ipsec.conf sudo mv /tmp/home.* /etc/ipsec.d sudo mv /tmp/ipsec.conf /etc sudo chkconfig ipsec on sudo /etc/init.d/ipsec start
Now on command line run following command
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
At the end of this, I had OpenSwan up and running! I had /etc/ipsec.d/home.conf as my openswan configuration and /etc/ipsec.d/home.secrets as my preshared key! Awesome!
Configuring the ASA:
ASA Configs: Make sure to BACKUP before making these changes!
tunnel-group 22.214.171.124 type ipsec-l2l tunnel-group 126.96.36.199 ipsec-attributes ! pre-shared-key (the key in /etc/ipsec.d/home.secrets on your openswan server)
crypto map outside_map 6 match address outside_cryptomap_6 crypto map outside_map 6 set pfs crypto map outside_map 6 set peer 188.8.131.52 crypto map outside_map 6 set transform-set ESP-3DES-MD5 crypto ipsec transform-set ESP-3DES-MD5 access-list outside_cryptomap_6 extended permit ip 10.0.2.0 255.255.255.0 10.43.1.0 255.255.255.0 access-list outside_cryptomap_6 extended permit ip 10.0.3.0 255.255.255.0 10.43.1.0 255.255.255.0 access-list outside_cryptomap_6 extended permit ip 10.0.2.0 255.255.255.0 10.43.2.0 255.255.255.0 access-list outside_cryptomap_6 extended permit ip 10.0.3.0 255.255.255.0 10.43.2.0 255.255.255.0
Internal Network Group:
object-group myinternalnetwork1 description My Internal Network that Will connect to EC2 VPC network-object 10.0.2.0 255.255.255.0
object-group myinternalnetwork2 description My Internal Network that Will connect to EC2 VPC network-object 10.0.3.0 255.255.255.0
NAT Entries allowing Access from internal network to VPC:
access-list inside_nat0_outbound extended permit ip object-group myinternalnetwork1 10.43.1.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip object-group myinternalnetwork2 10.43.1.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip object-group myinternalnetwork1 10.43.2.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip object-group myinternalnetwork2 10.43.2.0 255.255.255.0
Restarting IPSec on OpenSwan Instance:
1. Log back into your openswan instance via ssh, and issue the commands sudo /etc/init.d/ipsec stop; sudo /etc/init.d/ipsec start
2. You can check if the tunnel is up by issuing an /etc/init.d/ipsec status which should state if the tunnel is up or not, you can also check your ASA.
That’s it you should now be able to connect your instances without any problems.
Note:- If you are using windows instances you will need to reduce the MTU of interface on instance to 1200 from 1500 else you won’t be able to access your windows instance.