Amazon VPC with OpenSwan and Cisco ASA Site-to-Site VPN

Overview

Recently my company wanted to achieve PCI compliance on Amazon. The PCI compliance standard requires that the database instance listen on a private IP and not be reachable from the outside world via a public IP. This is not achievable with plain EC2, since instances are assigned a public IP whether you want one or not. Also, once the database listens only on a private IP, we needed VPN connectivity between Amazon and our network, so I started looking into Amazon VPC. However, the VPC VPN option needs BGP to create a site-to-site VPN, and since we use a Cisco ASA, which does not support BGP, we couldn’t use it. I therefore looked for an alternative solution on the web and found the TechSmog article “OpenSwan, Amazon VPC, and Cisco ASA. Putting it all together.”, which helped me a lot.

Requirements

My requirements were as follows:

  1. Allow communication between my company’s local network and the EC2 instances within the VPC, and vice versa.
  2. Allow communication between EC2 instances within the VPC that sit on different networks.
  3. Communication between the two sides must be reasonably secure.
  4. The ability for all instances to route to the outside world, with a few publicly accessible IPs.

Network

My office network:

- 10.0.2.0/24 and 10.0.3.0/24 – office local networks, 254 usable IP addresses each.
- 10.0.0.1/32 – office ASA internal IP.
- 1.2.3.4 – office ASA public IP.

Amazon VPC:

- 10.43.0.0/16 – the /16 network that is required for the outer VPC layer.
- 10.43.1.0/24 and 10.43.2.0/24 – the VPC subnets that I will be working with.
- 10.43.1.254/32 – the internal private IP of the OpenSwan server.
- 9.7.8.6/32 – the Elastic IP I allocated from Amazon VPC. This will be bound to the OpenSwan server and used as the endpoint of our IPsec tunnel; more on that later. Just remember that I am using it as my external IP for the IPsec tunnel.

Amazon VPC getting started:
First off we want to create our VPC via the Amazon AWS Management Console.

I pretty much followed the guide here:
http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

  1. Go to the VPC tab
  2. Find the Your Virtual Private Cloud area, and click Get started creating a VPC.
  3. I chose VPC with Public and Private Subnets, along with the information I provided above in the layout.
  4. Follow the steps to create the VPC.

Adding the OpenSwan Server into our VPC:

  1. First we need to allocate a new Elastic IP in the VPC tab under Virtual Private Cloud -> Elastic IPs. This will be used for the OpenSwan server.
  2. Once that is done, I went back to the EC2 tab and launched an instance. I used the basic 32-bit Amazon Linux AMI:
     1. I chose m1.small as my instance type.
     2. Make sure to choose ‘Launch Instances Into Your Virtual Private Cloud’.
     3. For instance details, I assigned it the private IP address 10.43.1.254.
     4. I chose my keypair and assigned it a name tag of ‘openswankey’.
     5. For configure firewall, I chose to allow all traffic from my public IP (1.2.3.4/32).
     6. I then associated the Elastic IP with the running instance after it started up.

I ssh’d into the instance using my key (ssh -i my-key.pem ec2-user@9.7.8.6), and I was brought to a shell, :yay:

Configure the instance w/ OpenSwan:

I followed the TechSmog article, which helped a lot; I made a few changes and amendments to make it work for my scenario.

Here are the exact commands I ran after ssh’ing into the server. Note that HOMEPUBLIC and HOMEPRIVATE should be changed to match your internal network:

sudo yum update -y
sudo yum -y install openswan openswan-doc ipsec-tools
EC2PRIVATE=10.43.1.0
EC2PUBLIC=`curl -s http://169.254.169.254/latest/meta-data/public-ipv4`
HOMEPUBLIC=1.2.3.4
HOMEPRIVATE=10.0.2.0/24
PSK=`< /dev/urandom tr -dc a-zA-Z0-9_ | head -c30`
echo "conn home" > /tmp/home.conf
echo "  left=%defaultroute" >> /tmp/home.conf
echo "  leftsubnet=$EC2PRIVATE/24" >> /tmp/home.conf
echo "  leftid=$EC2PUBLIC" >> /tmp/home.conf
echo "  right=$HOMEPUBLIC" >> /tmp/home.conf
echo "  rightid=$HOMEPUBLIC" >> /tmp/home.conf
echo "  rightsubnet=$HOMEPRIVATE" >> /tmp/home.conf
echo "  authby=secret" >> /tmp/home.conf
echo "  esp=3DES-MD5" >> /tmp/home.conf
echo "  keyingtries=3" >> /tmp/home.conf
echo "  rekey=no" >> /tmp/home.conf
echo "  keyexchange=ike" >> /tmp/home.conf
echo "  ikelifetime=86400s" >> /tmp/home.conf
echo "  pfs=yes" >> /tmp/home.conf
echo "  forceencaps=no" >> /tmp/home.conf
echo "  auto=start" >> /tmp/home.conf
echo "" >> /tmp/home.conf
echo "conn officesub2" >> /tmp/home.conf
echo "  rightsubnet=10.0.3.0/24" >> /tmp/home.conf
echo "  also=home" >> /tmp/home.conf
echo "" >> /tmp/home.conf
echo "conn vpcsub2" >> /tmp/home.conf
echo "  leftsubnet=10.43.2.0/24" >> /tmp/home.conf
echo "  also=home" >> /tmp/home.conf
echo "" >> /tmp/home.conf
echo "conn officevpcsub2" >> /tmp/home.conf
echo "  leftsubnet=10.43.2.0/24" >> /tmp/home.conf
echo "  also=officesub2" >> /tmp/home.conf
echo "$EC2PUBLIC $HOMEPUBLIC: PSK \"$PSK\"" > /tmp/home.secrets
sudo sed 's!^#\(include /etc/ipsec.d/\*.conf\)!\1!' /etc/ipsec.conf > /tmp/ipsec.conf
sudo chmod 600 /tmp/home.* /tmp/ipsec.conf
sudo chown root:root /tmp/home.* /tmp/ipsec.conf
sudo mv /tmp/home.* /etc/ipsec.d
sudo mv /tmp/ipsec.conf /etc
sudo chkconfig ipsec on
sudo /etc/init.d/ipsec start

Now, on the command line, run the following command as root:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

At the end of this, I had OpenSwan up and running! I had /etc/ipsec.d/home.conf as my OpenSwan configuration and /etc/ipsec.d/home.secrets as my pre-shared key! Awesome!

Configuring the ASA:

ASA Configs: Make sure to BACKUP before making these changes!

Tunnel Group:

tunnel-group 9.7.8.6 type ipsec-l2l
tunnel-group 9.7.8.6 ipsec-attributes
! pre-shared-key (the key in /etc/ipsec.d/home.secrets on your openswan server)

Crypto Map:

crypto map outside_map 6 match address outside_cryptomap_6
crypto map outside_map 6 set pfs
crypto map outside_map 6 set peer 9.7.8.6
crypto map outside_map 6 set transform-set ESP-3DES-MD5
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
access-list outside_cryptomap_6 extended permit ip 10.0.2.0 255.255.255.0 10.43.1.0 255.255.255.0
access-list outside_cryptomap_6 extended permit ip 10.0.3.0 255.255.255.0 10.43.1.0 255.255.255.0
access-list outside_cryptomap_6 extended permit ip 10.0.2.0 255.255.255.0 10.43.2.0 255.255.255.0
access-list outside_cryptomap_6 extended permit ip 10.0.3.0 255.255.255.0 10.43.2.0 255.255.255.0

Internal Network Group:

object-group network myinternalnetwork1
description My Internal Network that Will connect to EC2 VPC
network-object 10.0.2.0 255.255.255.0
object-group network myinternalnetwork2
description My Internal Network that Will connect to EC2 VPC
network-object 10.0.3.0 255.255.255.0

NAT Entries allowing Access from internal network to VPC:

access-list inside_nat0_outbound extended permit ip object-group myinternalnetwork1 10.43.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group myinternalnetwork2 10.43.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group myinternalnetwork1 10.43.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group myinternalnetwork2 10.43.2.0 255.255.255.0
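The four conn stanzas on the OpenSwan side and the four crypto ACL lines (plus the four NAT-exemption lines) on the ASA side are the same subnet pairs written out twice, and any mismatch between the two ends leaves one pair silently unreachable. As an added example, not code from the original post nor from OpenSwan or Cisco, here is a small Python script that renders both ends from the two subnet lists. It generalises the post’s scheme to any number of subnets on either side: the first pair becomes “conn home” carrying all shared settings, and every further pair sets only its two subnets and pulls the rest in with also=home. The peer IPs, subnets, ACL and object-group names are the post’s; the conn names for the extra pairs (vpcsubNofficesubM) are my own convention. ipaddress.ip_network() rejects a subnet with host bits set, which catches a typo before it reaches either configuration.

```python
import ipaddress
from itertools import product

# Peer addresses and subnets taken from the post's network layout.
EC2_PUBLIC = "9.7.8.6"       # Elastic IP bound to the OpenSwan instance
HOME_PUBLIC = "1.2.3.4"      # office ASA public IP
VPC_SUBNETS = ["10.43.1.0/24", "10.43.2.0/24"]
OFFICE_SUBNETS = ["10.0.2.0/24", "10.0.3.0/24"]

# Shared tunnel settings, copied from the post's "conn home".
BASE_SETTINGS = [
    "left=%defaultroute", "authby=secret", "esp=3DES-MD5", "keyingtries=3",
    "rekey=no", "keyexchange=ike", "ikelifetime=86400s", "pfs=yes",
    "forceencaps=no", "auto=start",
]


def asa_netmask(cidr):
    """'10.0.2.0/24' -> '10.0.2.0 255.255.255.0' (the form ASA ACLs use).
    ip_network() is strict by default and raises ValueError when host bits
    are set, so a typo such as 10.0.2.5/24 never reaches either config."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.netmask}"


def subnet_pairs(vpc_subnets, office_subnets):
    """Every (vpc, office) combination, validated, in a stable order."""
    for cidr in list(vpc_subnets) + list(office_subnets):
        ipaddress.ip_network(cidr)
    return list(product(vpc_subnets, office_subnets))


def conn_name(vpc, office):
    """Conn name for an extra pair, e.g. vpcsub2officesub3 (my own convention:
    the third octet of each subnet)."""
    def third(cidr):
        return str(ipaddress.ip_network(cidr).network_address).split(".")[2]
    return f"vpcsub{third(vpc)}officesub{third(office)}"


def openswan_conf(vpc_subnets, office_subnets,
                  ec2_public=EC2_PUBLIC, home_public=HOME_PUBLIC):
    """Render /etc/ipsec.d/home.conf the way the post does: the first pair is
    "conn home" and carries every shared setting; each further pair sets only
    its two subnets and inherits the rest via also=home (overrides are placed
    before the also= line)."""
    lines = []
    for i, (vpc, office) in enumerate(subnet_pairs(vpc_subnets, office_subnets)):
        if i == 0:
            lines += ["conn home",
                      f"  leftid={ec2_public}",
                      f"  right={home_public}",
                      f"  rightid={home_public}",
                      f"  leftsubnet={vpc}",
                      f"  rightsubnet={office}"]
            lines += [f"  {setting}" for setting in BASE_SETTINGS]
        else:
            lines += [f"conn {conn_name(vpc, office)}",
                      f"  leftsubnet={vpc}",
                      f"  rightsubnet={office}",
                      "  also=home"]
        lines.append("")
    return "\n".join(lines)


def psk_is_safe(psk):
    """The secrets file writes the PSK inside double quotes, so a quote,
    backslash, surrounding whitespace or an empty value would corrupt it."""
    return bool(psk) and psk == psk.strip() and not any(c in psk for c in '"\\')


def secrets_line(ec2_public, home_public, psk):
    """One /etc/ipsec.d/home.secrets entry, in the post's format."""
    if not psk_is_safe(psk):
        raise ValueError("PSK must be non-empty, unquoted and without surrounding whitespace")
    return f'{ec2_public} {home_public}: PSK "{psk}"'


def asa_config(vpc_subnets, office_subnets, peer=EC2_PUBLIC, seq=6):
    """Render the ASA side: one network object-group per office subnet, the
    crypto-map ACL with one line per subnet pair, the NAT-exemption ACL and
    the crypto map entry (sequence number and names as in the post)."""
    acl = f"outside_cryptomap_{seq}"
    lines = []
    for i, office in enumerate(office_subnets, 1):
        lines += [f"object-group network myinternalnetwork{i}",
                  "description My Internal Network that will connect to EC2 VPC",
                  f"network-object {asa_netmask(office)}"]
    for vpc, office in subnet_pairs(vpc_subnets, office_subnets):
        lines.append(f"access-list {acl} extended permit ip "
                     f"{asa_netmask(office)} {asa_netmask(vpc)}")
    for vpc in vpc_subnets:
        for i, _ in enumerate(office_subnets, 1):
            lines.append(f"access-list inside_nat0_outbound extended permit ip "
                         f"object-group myinternalnetwork{i} {asa_netmask(vpc)}")
    lines += [f"crypto map outside_map {seq} match address {acl}",
              f"crypto map outside_map {seq} set pfs",
              f"crypto map outside_map {seq} set peer {peer}",
              f"crypto map outside_map {seq} set transform-set ESP-3DES-MD5"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(openswan_conf(VPC_SUBNETS, OFFICE_SUBNETS))
    print(asa_config(VPC_SUBNETS, OFFICE_SUBNETS))
```

Running it with the post’s two subnets per side prints the same four conn stanzas and the same four crypto ACL and NAT-exemption lines shown above; adding a third office subnet to OFFICE_SUBNETS adds the two extra conns and the matching ACL lines on both ends in one go.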

Restarting IPSec on OpenSwan Instance:
  1. Log back into your OpenSwan instance via ssh and issue the commands sudo /etc/init.d/ipsec stop; sudo /etc/init.d/ipsec start.
  2. You can check whether the tunnel is up by issuing sudo /etc/init.d/ipsec status, which should state whether the tunnel is up or not; you can also check on your ASA.
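With four conns defined, “the tunnel is up” is not a single answer: each subnet pair has its own phase-2 SA, and one of them can be missing while the others pass traffic. As an added example, not from the post, here is a small parser for the per-SA lines of Openswan’s ipsec auto --status listing that reports every expected conn without an established IPsec SA. The sample listing is constructed to mimic the Openswan 2.6 line format (an assumption about its exact shape; check it against your version’s output), and the conn names are the ones from the configuration above.

```python
import re

# Constructed sample, shaped like the per-SA lines of Openswan's
# "ipsec auto --status" output (an assumption about the exact format; real
# output carries further lines, which the parser skips). Conn names are the
# post's: "home" and "officesub2" have an IPsec SA, "vpcsub2" is still
# negotiating phase 2, and "officevpcsub2" does not appear at all.
SAMPLE_STATUS = """\
000 "home": 10.43.1.0/24===10.43.1.254<10.43.1.254>[9.7.8.6]...1.2.3.4<1.2.3.4>===10.0.2.0/24; erouted; eroute owner: #2
000 #1: "home":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85823s; newest ISAKMP; idle; import:admin initiate
000 #2: "home":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27625s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "officesub2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27619s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #4: "vpcsub2":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 9s; idle; import:admin initiate
"""

# The conns defined in /etc/ipsec.d/home.conf in the post.
EXPECTED_CONNS = ["home", "officesub2", "vpcsub2", "officevpcsub2"]

# One SA line: "000 #<sa>: "<conn>":<port> STATE_xxx (<description>); ..."
SA_LINE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) \((?P<desc>[^)]*)\)')


def parse_status(text):
    """Map each conn name to the SA states seen for it and to whether an
    ISAKMP (phase 1) and an IPsec (phase 2) SA is established."""
    conns = {}
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue  # eroute summaries, counters and other non-SA lines
        entry = conns.setdefault(m["conn"],
                                 {"isakmp": False, "ipsec": False, "states": []})
        entry["states"].append(m["state"])
        if "ISAKMP SA established" in m["desc"]:
            entry["isakmp"] = True
        if "IPsec SA established" in m["desc"]:
            entry["ipsec"] = True
    return conns


def tunnels_down(text, expected=EXPECTED_CONNS):
    """Names from the expected list with no established IPsec SA, in order.
    A conn that shares the peer's ISAKMP SA shows only phase-2 lines, so the
    IPsec flag alone decides whether that subnet pair can carry traffic."""
    conns = parse_status(text)
    return [name for name in expected
            if not conns.get(name, {}).get("ipsec", False)]


if __name__ == "__main__":
    for name, entry in parse_status(SAMPLE_STATUS).items():
        state = "up" if entry["ipsec"] else "DOWN"
        print(f"{name}: ipsec={state} states={entry['states']}")
    print("conns without an IPsec SA:", tunnels_down(SAMPLE_STATUS))
```

On the OpenSwan instance you would feed it the real output, for example sudo ipsec auto --status | python3 check_tunnels.py with the script reading sys.stdin instead of SAMPLE_STATUS; a non-empty result for tunnels_down() tells you which subnet pair to look at on the ASA side (typically a crypto ACL line that does not mirror the conn’s leftsubnet/rightsubnet).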

That’s it; you should now be able to connect to your instances without any problems.

Note: if you are using Windows instances, you will need to reduce the MTU of the interface on the instance from 1500 to 1200, otherwise you won’t be able to access your Windows instance.

8 thoughts on “Amazon VPC with OpenSwan and Cisco ASA Site-to-Site VPN”

  1. Hi,
    I am trying to create the site-to-site OpenVPN connection using the ‘OPENVPN’ software but am not able to succeed after so many tries. I am using Amazon-designed AMIs for the same. Can you please help me out.

    Thanks

  2. Hi Anuj,

    What help do you want from me?

    What all have you tried?

    Regards,

    Mohan

  3. Hi, Can you please share how did you perform step5:
    “For configure firewall, I chose allow all traffic from my public IP (1.2.3.4/32).”

  4. Hey Mohan,

    Would require a small advice on this specific lab scenario wherein we are considering to implement a VPN in AWS which will allow 5-10 people to access to the instances in amazon’s VPC. What kind of layout to utilize and how should the implementation move? Also architecture is to be constructed such as to add or remove instances from the VPC.

    Would appreciate if you could share your insights ! :)

    Regards..

  5. Hi Anuj,

    Sorry for late reply.

    You need to put this entry in your Public Security Group where your OpenSwan server is installed.

    Hope this helps.

    Regards,

    Mohan

  6. Hi Raj,

    To help you I would need to know what type of setup you need as mine is considering the PCI DSS compliance. i.e. DMZ implementation and so on.

    What will be your setup like?

    Regards,

    Mohan

  7. Dear Mohan,

    No pre-considerations actually.. it’s completely flexible from any compliance and due diligence perspective. =))

    Regards,
