With the invent of cloud computing, a much powerful addition to a corporate data centre was the ability to scale its infrastructure in a virtual private cloud. The setup thus becomes flexible enough to manage the resource demand and remains safe from the public eye.
Using AWS VPC with Corporate VPN is an excellent option to extend a corporate data centre.
- AWS offers multiple regions and extreme flexibility to tweak your infrastructure needs
- The data rides on a VPN Tunnel and is not publicly exposed, thus meeting information security & confidentiality needs of an organisation
In the following post, I will delve deeper into creating a prototype of how you can extend your business network and put it on the “cloud”.
What we will be doing:
- Setup VPC & VPN on AWS
- Configure an External Machine to act as Corporate IPsec VPN (using “racoon”)
- Connect our External Machine to AWS and test
Note: We will use “Static” routing, which is simpler, and not “Dynamic (BGP)” routing, which requires many more steps.
Interconnecting AWS VPC & VPN with Corporate VPN through IPSec (racoon)
Our Base Setup
- An External Machine to act as a Corporate VPN Appliance (referred as “CorpVPN”), running Ubuntu/Debian Linux variant with a public IP. I took a cloud server with Rackspace Cloud, but you can take it up on AWS in a different region too if you prefer.
- Opening of UDP 500 & UDP 4500 on the CorpVPN Firewall (or AWS Security Group Inbound Rule if you’re using AWS EC2 machine as CorpVPN Appliance).
- Since CorpVPN is an independent device, we don’t have a connecting internal network to it. So we will use the Link-local 169.254.x.x IP Addresses.
- An AWS Account where we can create an EC2 machine and configure VPN Services
Part 1 – AWS Setup
1a) VPC Configuration
Create a New VPC
Select “VPC” option under Services
Go to “Your VPCs”, and “Create New” VPC
We will use the network as 172.28.0.0/16 for the EC2 Machines which will work as our extended network.
Create a Subnet for your EC2 Machines. We will select it when we configure our EC2 Machine. In this example, we use 172.28.16.0/24 as the subnet.
Add an Internet Gateway
Create an Internet Gateway and attach it with the new VPC that you created so that your EC2 machines can reach Internet & you can connect to them remotely. You can let go of this option if you don’t want any external connectivity.
Setup a Security Group
Create a Security Group that allows ping and SSH to your EC2 machines. As per your preference, open ICMP and SSH for everyone or only to limited IP addresses.
1b) VPN Configuration
Customer Gateway (CGW)
The Customer Gateway is primarily our CorpVPN gateway. We need to provide the IP Address of our CorpVPN server. If you have it readily available, then provide it, else add a random IP and change later once your CorpVPN server is setup.
We will use as an example 100.101.102.103 as the IP of the CorpVPN Server. Please note that “Static” routing is selected.
Virtual Private Gateway (VGW)
We create a Virtual Private Gateway that enables network connectivity to our VPC. It is a two step process
- We create the VGW
- We attach it to our VPC that we created
It is a hardware VPN and is a paid service. Create a new VPN and select the following
- VGW that you created before
- CGW that you created before
Routing Option should be “Static”
Static IP Prefixes will be Link-local addresses 169.254.0.0/16. It means you will reach the AWS network through your Private IP Address in 169.254.x.x series.
Note: We are using the above configuration because we have an independent CorpVPN machine. If you do have a VPN appliance and a network behind it, please go ahead and use your internal IP range.
It takes a few minutes to get the VPN ready.
Once the VPN is available, you can download the “Generic” configuration. It is a text file with the VPN IP Addresses and other configuration details.
Example Tunnel #1 Configuration’s Text File
Enable Route Propagation
Open the “Route Table”, select the “Route Propagation” tab. For the CorpVPN VGW, enable “Propagate”.
It is a critical step. Without “Route Propagation”, you will not be able to reach the EC2 machines from the VPN.
1c) EC2 Machine Setup
In the same region where you have setup your VPN, create an EC2 machine. I used t2.nano with Ubuntu 16.04. This EC2 machine will act as our extended network hosted on AWS.
Please ensure that you select the VPC that we created when configuring the EC2 instance.
Also, ensure that you select the Security Group that we created for the Corporate VPC.
Part 2 – CorpVPN Setup (the CGW Setup)
Points to note:
- AWS VPN Setup by default provides 2 VPN Tunnels (for Failover). However, since we are just testing it out, we will only be using 1 Tunnel. It will help ease the setup.
- The CorpVPN setup is our Customer Gateway, and we had provided its IP address while configuring the VPN in AWS.
- Remember – we are using a separate server (hosted on Rackspace Cloud) to act as CorpVPN Appliance. You can use an AWS Setup also by setting up an Ubuntu based server in a different region. Don’t forget to open UDP 500 & UDP 4500 in the Security Group / Firewall.
2a) Base Installation for IPsec & Racoon VPN Server
Install ipsec-tools & racoon. On a Debian/Ubuntu machine, you can use
apt-get install ipsec-tools racoon
Racoon is the IPsec server that we will use to establish the VPN. We will also use ipsec-tools to setup the SPD (Security Policy Database) to allow connection to-and-from AWS.
2b) IPsec Tools Configuration
Modify the file /etc/ipsec-tools.conf and use the entries below. You will need to refer to the “Generic Configuration” that you downloaded in the steps above from AWS interface.
To be specific, the IP Addresses as mentioned in our downloaded configuration are:
- CGW Inside IP – 169.254.54.122/30 (At Customer/CorpVPN’s end)
- VGW Inside IP – 169.254.54.121/30 (At AWS End)
- CGW Outside IP – 100.101.102.103 (CorpVPN’s publicly exposed IP)
- VGW Outside IP – 220.127.116.11 (For Tunnel #1, it is AWS VPN IP)
## Flush the SAD and SPD
# Tunnel 1
# -4 means use only IPv4. Can be omitted.
# a) Allow CGW Inside IP Address to VGW Inside IP Address "outbound" from CGW Outside IP Address to VGW Outside IP Address
spdadd -4 169.254.54.122/30 169.254.54.121/30 any -P out ipsec esp/tunnel/18.104.22.168-22.214.171.124/require;
# b) Allow VGW Inside IP Address to CGW Inside IP Address "inbound" from VGW Outside IP Address to CGW Outside IP Address
spdadd -4 169.254.54.121/30 169.254.54.122/30 any -P in ipsec esp/tunnel/126.96.36.199-188.8.131.52/require;
# c) Allow CGW Inside IP Address to VPC Network "outbound" from CGW Outside IP Address to VGW Outside IP Address
spdadd -4 169.254.54.122/30 172.28.0.0/16 any -P out ipsec esp/tunnel/184.108.40.206-220.127.116.11/require;
# d) Allow VPC Network to CGW Inside IP Address "inbound" from VGW Outside IP Address to CGW Outside IP Address
spdadd -4 172.28.0.0/16 169.254.54.122/30 any -P in ipsec esp/tunnel/18.104.22.168-22.214.171.124/require;
Now on the CorpVPN setup, we will add the CGW Inside IP
ip a a 169.254.54.122/30 dev eth0
Replace eth0 with the relevant network card, preferably the one on which you have configured the CorpVPN/CGW IP.
Later, if you need to delete it, you can use ip a d 169.254.54.122/30 dev eth0
To confirm if the IP is now available in the routing table.
Reset the ipsec-tools rules
2c) Racoon Configuration
We will now setup the IPsec Server – Racoon. The configuration is simple, and you can copy paste the following and replace the IPs with your relevant IP Address Ranges.
Modify the file /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
# Tunnel 1
# VGW Outside IP Address
# CGW Outside IP Address
my_identifier address 126.96.36.199;
# VGW Outside IP Address
peers_identifier address 188.8.131.52;
generate_policy = off;
initial_contact = on;
nat_traversal = on;
dpd_delay = 10;
dpd_maxfail = 3;
encryption_algorithm aes 128;
lifetime time 28800 secs;
# CGW Inside IP Address & VGW Inside IP Address
sainfo address 169.254.54.122/30 any address 169.254.54.121/30 any
encryption_algorithm aes 128;
lifetime time 3600 secs;
In /etc/racoon/psk.txt, enter the VGW Outside IP Address, and the Pre-Shared Key that is available in the configuration.
- To begin with, you can do a debug mode ON racoon initialisation. For example:
- Later on, you can just manage it through init script.
Part 3 – Testing the setup
Now you need to ping your VGW Inside IP Address from your CorpVPN/CGW machine
It should start pinging within a few seconds.
You should be able to see the status of the VPN Tunnel as up for your VGW Outside IP Address under VPN Connections on Amazon. It is important for this to happen.
If the above doesn’t work, please refer to the Troubleshooting section.
Now you need to add a route so that you can reach your 172.28.0.0/16 range of IP Addresses.
route add -net 172.28.0.0/16 gw 169.254.54.121 dev eth0
To check if your configuration is correct, and you have set the appropriate gateway.
Now ping your EC2 instance’s Private IP address.
It should work.
Similarly, from your AWS EC2 instance, you can ping the CGW Inside IP Address
If it works, then CONGRATULATIONS to you. You have successfully established the two way connection.
Part 4 – Maintenance & Troubleshooting
To make it permanent, you need to add the ip address addition (of CGW Inside IP Address), and routing rules (Using VGW Inside IP Address as Gateway for 172.28.0.0/16 range) in maybe /etc/rc.local or in your /etc/network/interfaces so that they apply automatically on a reboot.
Also, to keep the tunnel alive, traffic has to pass through it. You can setup a cron job with the following to ensure that the tunnel is always up
* * * * * (/bin/ping -c 10 169.254.54.121) > /dev/null 2>&1
You have to be able to ping the inside IP Address of VGW. If that is not happening, please make sure you have done ‘Route Propagation’ for that VGW under ‘Routing Tables’ -> ‘Route Propagation’ under AWS VPC Settings.
You should be able to ping your EC2 instance. If not, then
- Make sure you’ve allowed ICMP (ping packets) to pass through in the Firewall (Security Group for your EC2 Instance).
- You have added the route on your CGW, for reaching your EC2 Subnet (172.16.x.x series for example) through your VGW Inside IP Address (as mentioned in the tutorial above).
- Have you replaced the IP addresses with the ones provided in the Downloaded Configuration File as well as the ones of your Customer Gateway?
If the tunnel works but goes down intermittently, then to keep it active you need to ping the VGW Inside IP Address continuously. Use a cron job for that as explained in the tutorial above.
That’s all. There are instructions on AWS to setup through dedicated VPN Appliances. You can refer those to Extend Your Network and make it more scalable.