Introduction
- Briefly introduce the importance of VPNs in securing internet traffic between different sites.
- Mention the benefits of using AWS Site-to-Site VPN for businesses.
Understanding AWS Site-to-Site VPN
- Define what AWS Site-to-Site VPN is.
- Discuss its key features and advantages.
Prerequisites for Configuration
- List the prerequisites for setting up an AWS Site-to-Site VPN, such as having an AWS account, VPC, and customer gateway.
Step-by-Step Configuration Guide
- Setting Up the Customer Gateway: Instructions on configuring the customer gateway in AWS.
- Creating a Virtual Private Gateway: Steps to create and attach the virtual private gateway to the VPC.
- Configuring the VPN Connection: How to create and configure the VPN connection between the customer gateway and the virtual private gateway.
- Routing and Propagation: Guidance on setting up routing options for network traffic.
AWS side VPN Configuration
Create VPC-EN-Branch1, which acts as the AWS end of the VPN tunnel
a. Create VPC-EN-Branch1 in Stockholm Region
(Name: VPC-EN-Branch1, CIDR: 10.100.0.0/16, Tenancy: Default)
b. Create a Private subnet in VPC-EN-Branch1
i. Create Subnet (Name: EN-Branch-Private-Subnet, VPC: VPC-EN-Branch1, AZ: eu-north-1a, CIDR: 10.100.0.0/24)
c. Create a Route Table (Name: EN-Branch-Private-RT, VPC: VPC-EN-Branch1)
i. Associate route table with the subnet
Select Route table -> Subnet Associations -> Edit Subnet Associations -> Select Subnet EN-Branch-Private-Subnet -> Save
d. Launch EC2 instance in this subnet
Select following options
VPC-EN-Branch1
EN-Branch-Private-Subnet
Auto assign Public IP Disable (Not Required)
Type: t3.micro
Storage: Default
Tags – Name: Branch1, ENBranch, etc.
Configure Security group to allow
1. Open “SSH” for Source as 10.200.0.0/16
2. Open “All TCP” for Source as 10.200.0.0/16
3. Open “All ICMP – IPV4” for Source 10.200.0.0/16
4. Open “UDP” port “500” for Source as 10.200.0.0/16 (depends on configuration)
Keypair: your existing key pair, or create a new one if you don’t have one
Let’s call EC2 Private IP=EC2_EN_Branch1_PRIVATE_IP
Create Virtual Private Gateway
Name: EN-Branch1-VGW
ASN: Amazon default ASN
Note: By default ASN is 64512
Click on “Create” button
Attach Virtual Private Gateway to VPC-EN-Branch1
Select EN-Branch1-VGW
Action: Attach VPC
VPC: VPC-EN-Branch1
Click on “Attach” button
Create Customer Gateway (EN-Branch1-CGW)
a. Go to Customer Gateway > Create new customer gateway
b. Provide the customer end public IP as the IP address (in this case EC2_AS_Branch2_PUBLIC_IP; see step f under Customer Side VPN Configuration below)
IP Address: Branch2 (EC2) Public IP
c. Routing Options: Static
Static IP Prefix: 10.200.200.0/24
d. Leave the rest of the fields as default and Create Customer Gateway
Create Site-to-Site VPN Connection
a. Go to Site-to-Site VPN Connections -> Create VPN Connection
b. Provide Name: VPN-for-ENB1-and-ASB2
c. Select Target Type -> Virtual Private Gateway
d. Select newly created VGW and CGW
e. Select Static routing -> Enter IP Prefix range of VPC-AS-Branch2 (10.200.0.0/16)
f. Leave the rest of the fields as default
g. Create VPN Connection
h. At this point the VPN connection should exist. Wait until its state becomes “available”
i. After the VPN connection is created, go to the “Tunnel Details” tab, where you should see 2 tunnel IPs
i. Assuming Tunnel1 IP=TUNNEL_1_PUBLIC_IP
ii. Assuming Tunnel2 IP= TUNNEL_2_PUBLIC_IP
j. Download the VPN configuration as “Openswan” and save it as a text file locally. Open the file with an editor like Notepad++.
- Enable Route Propagation for the VPC-EN-Branch1 route table
a. Select Route Table (EN-Branch-Private-RT) -> Route Propagation -> Edit Route Propagation -> Select Virtual private gateway -> Save
- Log in over SSH to the VPC-AS-Branch2 EC2 instance and configure Openswan as below
a. sudo su
b. Create a file /etc/ipsec.d/aws.conf and paste the Tunnel1 configuration from the VPN configuration file you downloaded. The section looks like the following:
conn Tunnel1
authby=secret
auto=start
left=%defaultroute
leftid=
right=
type=tunnel
ikelifetime=8h
keylife=1h
phase2alg=aes128-sha1;modp1024
ike=aes128-sha1;modp1024
keyingtries=%forever
keyexchange=ike
leftsubnet=
rightsubnet=
dpddelay=10
dpdtimeout=30
dpdaction=restart_by_peer
Note: Remove the auth=esp line from the above section if it exists.
Replacing values from our example (EC2_B_PUBLIC_IP is the public IP of EC2-B, i.e. EC2_AS_Branch2_PUBLIC_IP):
conn Tunnel1
authby=secret
auto=start
left=%defaultroute
leftid=EC2_B_PUBLIC_IP
right=TUNNEL_1_PUBLIC_IP
type=tunnel
ikelifetime=8h
keylife=1h
phase2alg=aes128-sha1;modp1024
ike=aes128-sha1;modp1024
keyingtries=%forever
keyexchange=ike
leftsubnet=10.200.0.0/16
rightsubnet=10.100.0.0/16
dpddelay=10
dpdtimeout=30
dpdaction=restart_by_peer
c. Create a new file /etc/ipsec.d/aws.secrets and add the pre-shared key to it. You can find the shared key in the VPN configuration file; refer to the Tunnel 1 section.
Example:
EC2_B_PUBLIC_IP TUNNEL_1_PUBLIC_IP: PSK "xxxxxxxxxxxxxxxxxxxxxxxxxxx"
d. Configure the ipsec service to start on reboot
$ chkconfig ipsec on
e. Start the ipsec service
$ systemctl start ipsec
f. Check status of the service
$ systemctl status ipsec
If you have completed all the steps properly, your VPN connection should be set up at this point
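As an added sanity check before starting ipsec (this script is not part of the original guide), the following Python parses the hand-edited aws.conf conn block and the aws.secrets line and reports the mistakes this procedure is prone to: placeholders left empty, the auth=esp line not removed, mismatched endpoints between the two files, overlapping subnets, and the weak modp1024 group the downloaded template uses. The sample contents use constructed TEST-NET addresses and a placeholder PSK; real files hold the tunnel IPs from the downloaded configuration.

```python
# Added example, not from the original guide: sanity-check the hand-edited
# /etc/ipsec.d/aws.conf conn block and /etc/ipsec.d/aws.secrets line before
# starting ipsec. Both samples are constructed (TEST-NET IPs, placeholder PSK).
import ipaddress
import re
SAMPLE_CONF = """conn Tunnel1
    auto=start
    leftid=203.0.113.10
    right=198.51.100.20
    auth=esp
    ike=aes128-sha1;modp1024
    leftsubnet=10.200.0.0/16
    rightsubnet=10.100.0.0/16
"""
SAMPLE_SECRETS = '203.0.113.10 198.51.100.20: PSK "CONSTRUCTED_PSK"\n'

def parse_conn(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, cur = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and indentation
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            k, v = line.split("=", 1)
            cur[k.strip()] = v.strip()
    return conns

def check_tunnel(conf_text, secrets_text, name="Tunnel1"):
    """Return a list of problems; an empty list means the block is consistent."""
    c = parse_conn(conf_text).get(name)
    if c is None:
        return [f"no 'conn {name}' block found"]
    problems = [f"{k} is empty" for k in ("leftid", "right", "leftsubnet", "rightsubnet") if not c.get(k)]
    if "auth" in c:  # the guide says to drop the auth=esp line
        problems.append("remove the auth=esp line")
    if c.get("auto") != "start":
        problems.append("auto should be 'start' so the tunnel comes up on boot")
    if "modp1024" in c.get("ike", "") + c.get("phase2alg", ""):
        problems.append("modp1024 (DH group 2) is weak; AWS also accepts modp2048")
    try:  # the two VPC CIDRs must not overlap or routing becomes ambiguous
        if ipaddress.ip_network(c["leftsubnet"]).overlaps(ipaddress.ip_network(c["rightsubnet"])):
            problems.append("leftsubnet and rightsubnet overlap")
    except (KeyError, ValueError):
        problems.append("leftsubnet/rightsubnet must be valid CIDR prefixes")
    pat = re.compile(r'^\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"[^"]+"', re.M)
    pairs = {m.group(1, 2) for m in pat.finditer(secrets_text)}  # (left, right) per PSK line
    if (c.get("leftid"), c.get("right")) not in pairs:
        problems.append("aws.secrets has no PSK line for this conn's leftid/right")
    return problems
```

Run it against the real files with `check_tunnel(open("/etc/ipsec.d/aws.conf").read(), open("/etc/ipsec.d/aws.secrets").read())` and fix every reported item before `systemctl start ipsec`.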
Customer Side VPN Configuration
Create VPC-AS-Branch2, which acts as the customer datacenter end of the VPN connection
a. Create VPC in Mumbai Region
(Name: VPC-AS-Branch2, CIDR: 10.200.0.0/16, Tenancy: Default)
b. Create an Internet Gateway (Name: AS-Branch2-IGW)
c. Attach an Internet Gateway to VPC-AS-Branch2
d. Create a Public subnet in VPC-AS-Branch2
i. Create Subnet (Name: AS-Branch-Public-Subnet, VPC: VPC-AS-Branch2, AZ: ap-south-1a, CIDR: 10.200.0.0/24)
ii. Enable “Auto Assign Public IP” for the Subnet
Select Subnet -> Actions -> Modify auto-assign IP settings -> Enable auto-assign public IPv4 address
e. Create a Route Table (Name: AS-Branch-Public-RT, VPC: VPC-AS-Branch2)
i. Add a route entry for destination 0.0.0.0/0 and target as Internet Gateway
Select Route table -> Routes -> Edit Routes -> Add Route -> Save
ii. Associate route table with the subnet
Select Route table -> Subnet Associations -> Edit Subnet Associations -> Select Subnet AS-Branch-Public-Subnet -> Save
f. Launch an EC2 instance (EC2-B)
Select following options
VPC-AS-Branch2
AS-Branch-Public-Subnet
Auto assign Public IP Enable
Type: t3.micro
Storage: Default
Tags – Name: Branch2, ASBranch, CustomerGateway, etc.
Configure security group to allow inbound traffic for
1. Port 22 for your IP address so that you can log in and configure the software VPN.
Select source “My IP” from the dropdown
2. Open “All TCP” for Source as 10.100.0.0/16
3. Open “All ICMP – IPV4” for Source 10.100.0.0/16
4. Open “UDP” port 500 for Source 10.100.0.0/16
Note: If this instance is behind NAT, you should also open UDP port 4500 for the public IPs of the VPN tunnels. (Not applicable in this use case)
Keypair: your existing key pair, or create a new one if you don’t have one
After successful launch of EC2 instance:
Let’s call EC2 Public IP = EC2_AS_Branch2_PUBLIC_IP
Let’s call EC2 Private IP = EC2_AS_Branch2_PRIVATE_IP
g. Disable Source-Destination Check for this instance as it acts as a router
i. Go to console -> Select EC2-B -> Action -> Networking -> Change Source/Destination check -> Disable
h. Log in to the VPC-AS-Branch2 EC2 machine using SSH and configure the software VPN
i. Change to root user
$ sudo su
ii. Install openswan
$ yum install openswan -y
iii. In /etc/ipsec.conf, uncomment the following line (if not already uncommented)
include /etc/ipsec.d/*.conf
iv. Update /etc/sysctl.conf to contain the following
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
v. Restart the network service
$ service network restart
Testing and Troubleshooting
- Tips on how to test the VPN connection.
- Common troubleshooting steps if issues arise.
Best Practices for AWS Site-to-Site VPN
- Best practices in configuring, managing, and securing the AWS Site-to-Site VPN.
Conclusion
- Recap the importance of using AWS Site-to-Site VPN.
- Encourage readers to follow the steps carefully for successful deployment.