Connecting Cisco ASA to VPC EC2 Instance (IPSec)


Details

Submitted By: Steve Morad
AWS Products Used: Amazon EC2, Amazon VPC
Created On: October 11, 2012 7:58 PM GMT
Last Updated: October 11, 2012 8:19 PM GMT

Overview

Amazon Virtual Private Cloud (Amazon VPC) provides customers with tremendous network routing flexibility. This document describes how a customer can create a secure IPSec tunnel to connect a corporate network with VPC using an on-premise Cisco ASA with an Amazon Linux Elastic Compute Cloud (Amazon EC2) instance.

Amazon Virtual Private Network Components

Please reference the Amazon Virtual Private Cloud Network Administrator Guide for complete VPC networking documentation; however, the following definitions, example configuration, and diagram may be helpful for understanding the content of this paper.

Internet Gateway (IGW)

The IGW is an egress point from a customer's VPC that allows public Elastic IP addresses to be mapped to VPC instances. IGW will provide public address mapping that will allow VPN instances in each VPC to communicate with each other.

IPSec Connection

An IPSec VPN connection carries encrypted traffic between the on-premise Cisco ASA firewall and the EC2 VPN instance, and is used to virtually connect the two networks.

Example VPC Setup

This guide will use the following VPC configuration for illustrative purposes:

Additional Considerations

  1. The IPSec connections require each VPN instance to live in a public subnet and have an Elastic IP address.
  2. VPN instances are a potential single point of failure. Please see the Appendix for a high-level High Availability design for this component.
  3. This lab provides examples using Amazon Linux and standard Amazon Linux packages.
  4. This guide assumes you already have a VPC created and a Cisco ASA device. For instructions on creating VPCs, see the Amazon Virtual Private Cloud Getting Started Guide.
  5. In this scenario, AWS manages the IGW and the customer is responsible for managing their Cisco ASA, EC2 instance, and the IPSec connections.

Configuration Walkthrough

In this walkthrough, we will perform the following steps:

  1. Launch an EC2 VPN instance
  2. Configure VPN server software on the EC2 instance
  3. Configure the Cisco ASA device

To launch an EC2 VPN instance

  1. Launch an Amazon Linux instance in a VPC public subnet and do the following:
    1. Assign the VPN instance a static private IP address. This is not required, but it makes setting up the config files easier. In this example, use 10.0.0.5.
    2. Allocate a VPC EIP and associate it with your VPN instance. In this example, use EIP1 to represent the public EIP address used to connect into your VPC.
  2. Disable Source/Dest checking on your EC2 instance.
    1. Right-click the instance and select Change Source/Dest. Check.
    2. Click Yes, Disable.

  3. Configure routing tables in your VPC to send traffic to your corporate network through the VPC EC2 instance.

To configure VPN server software on an Amazon EC2 instance

  1. Connect to each EC2 VPN Instance and install the openswan package with the following command:
    Prompt> sudo yum install openswan
  2. Edit the /etc/ipsec.conf file (as root) to include files in /etc/ipsec.d/*.conf (uncomment the last line by removing the '#' on the first character of the last line so it looks like the following):
    Prompt> sudo vi /etc/ipsec.conf
    # /etc/ipsec.conf - Openswan IPsec configuration file
    #
    # Manual: ipsec.conf.5
    #
    # Please place your own config files in /etc/ipsec.d/ ending in .conf
    
    version 2.0 # conforms to second version of ipsec.conf specification
    
    # basic configuration
    config setup
    	# Debug-logging controls: "none" for (almost) none, "all" for lots.
    	# klipsdebug=none
    	# plutodebug="control parsing"
    	# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    	protostack=netkey
    	nat_traversal=yes
    	virtual_private=
    	oe=off
    	# Enable this if you see "failed to find any available worker"
    	# nhelpers=0
    
    #You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
    include /etc/ipsec.d/*.conf
  3. Create the following files in /etc/ipsec.d (as root)
    Prompt> sudo vi /etc/ipsec.d/vpc1-to-vpc2.conf
    conn vpc-to-asa
    	type=tunnel
    	authby=secret
    	left=%defaultroute
    	leftid=<EIP1>
    	leftnexthop=%defaultroute
    	leftsubnet=<VPC CIDR>
    	right=<ASA Public IP>
    	rightsubnet=<Corporate Network CIDR>
    	esp=aes192-sha1
    	keyexchange=ike
    	ike=aes192-sha1
    	salifetime=43200s
    	pfs=yes
    	auto=start
    	dpdaction=restart
    Prompt> sudo vi /etc/ipsec.d/vpc1-to-vpc2.secrets
    <EIP1> <ASA Public IP>: PSK "Put a Preshared Key here!!"
  4. Start IPSec/Openswan.
    Prompt> sudo service ipsec start
  5. Configure IPSec/Openswan to always start on boot.
    Prompt> sudo chkconfig ipsec on
  6. Configure the Linux instance to route traffic by editing /etc/sysctl.conf and changing the net.ipv4.ip_forward variable from 0 to 1.
    Prompt> sudo vi /etc/sysctl.conf
    net.ipv4.ip_forward = 1
  7. Restart your network settings for the network forwarding settings to take effect.
    Prompt> sudo service network restart
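
A pre-start check for the files created in the steps above, added here as an example (it is not part of the original article or of Openswan). The function names and the sample addresses are constructed; the expected proposal and lifetime default to the values this guide configures, and the check also covers the secrets file mode, which `sudo vi` leaves world-readable under a default umask.

```shell
#!/bin/sh
# Added example: pre-start audit of the Openswan conn and secrets files from this guide.
# Expected proposal/lifetime default to the values this guide sets on both peers.

conn_get() {   # conn_get FILE CONN KEY -> value of KEY under "conn CONN" (empty if absent)
  awk -v conn="$2" -v key="$3" '
    $1 == "conn" || $1 == "config" { hit = ($1 == "conn" && $2 == conn); next }
    hit && NF && $1 !~ /^#/ {
      line = substr($0, index($0, $1)); eq = index(line, "=")
      if (eq && substr(line, 1, eq - 1) == key) { print substr(line, eq + 1); exit }
    }' "$1"
}

audit_conn() (   # audit_conn FILE CONN [PROPOSAL] [LIFETIME]; one FINDING line per problem
  f=$1; c=$2; want=${3:-aes192-sha1}; life=${4:-43200s}
  for k in leftid leftsubnet right rightsubnet; do
    case $(conn_get "$f" "$c" "$k") in
      ''|'<'*) echo "FINDING: $k is missing or still a <placeholder>" ;;
    esac
  done
  for k in ike esp; do
    v=$(conn_get "$f" "$c" "$k")
    [ "$v" = "$want" ] || echo "FINDING: $k=$v but the ASA side uses $want"
  done
  v=$(conn_get "$f" "$c" salifetime)
  [ "$v" = "$life" ] || echo "FINDING: salifetime=$v but the ASA side uses $life"
  [ "$(conn_get "$f" "$c" pfs)" = yes ] || echo "FINDING: pfs is not enabled"
)

audit_secrets() (   # audit_secrets FILE; the PSK file must be owner-only and not the template
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
    echo "FINDING: $1 is accessible to group/other; chmod 600 it"
  ! grep -q 'PSK "Put a Preshared Key here!!"' "$1" ||
    echo "FINDING: PSK is still the guide's placeholder text"
)

# Constructed sample: documentation-range addresses, one placeholder left unfilled,
# and a secrets file with the 0644 mode a default umask would give it.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
printf '%s\n' 'conn vpc-to-asa' '    authby=secret' '    leftid=203.0.113.10' \
  '    leftsubnet=10.0.0.0/16' '    right=198.51.100.20' \
  '    rightsubnet=<Corporate Network CIDR>' '    esp=aes192-sha1' \
  '    ike=aes192-sha1' '    salifetime=43200s' '    pfs=yes' > "$d/vpc-to-asa.conf"
printf '%s\n' '203.0.113.10 198.51.100.20: PSK "Put a Preshared Key here!!"' \
  > "$d/vpc-to-asa.secrets"
chmod 644 "$d/vpc-to-asa.secrets"
audit_conn "$d/vpc-to-asa.conf" vpc-to-asa
audit_secrets "$d/vpc-to-asa.secrets"
```

On the VPN instance, point both functions at the real files under /etc/ipsec.d and start IPSec only once they print nothing.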

To configure a Cisco ASA device

Please follow the Cisco ASA documentation for configuring an IPSec connection between your Cisco ASA and the Elastic IP address (EIP1) of your EC2 VPN Instance using the algorithms (aes192-sha1) and lifetimes (43200s) configured in the IPsec configuration file above. Also, some customers have found it necessary to disable IKE keepalives in order to turn dead peer detection off. The following example walks a user through using the Cisco ASA IPSec wizard to create this type of connection (in step #5 of the example, ensure you check the option to enable Perfect Forward Secrecy (PFS), as this is a more secure selection than the one recommended by the example):

http://houseoflinux.com/vpn/vpn-site-to-site-openswan-x-asa-cisco/page-2

Appendix: High-Level HA Architecture for VPN Instances

Creating a fully redundant VPN connection requires the setup and configuration of two VPN instances and a monitoring instance to monitor the health of the VPN connections. The following diagram depicts an HA design for the VPC component of the network. Creating redundancy on the customer's Cisco ASA side of the network is out of scope for this document.

We recommend configuring your VPC route tables to leverage all VPN instances simultaneously by directing traffic from all of the subnets in one Availability Zone through its respective VPN instances in the same Availability Zone. Each VPN instance will then provide cross-VPC connectivity for instances that share the same Availability Zone.

VPN Monitoring Instance(s)

The VPN Monitor is a custom instance that you will need to create, along with the monitoring scripts that run on it. This instance is intended to monitor the state of the VPN connections and VPN instances. If a VPN instance or connection goes down, the monitor will need to stop, terminate, or restart the VPN instance while also rerouting traffic from one subnet to the working VPN instance until both connections are functional. Amazon does not provide any guidance or scripts to use to set up this monitoring instance, so it is up to you to develop the necessary business logic to provide notification and/or attempt to automatically repair network connectivity in the event of a VPN connection failure.
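
One way to structure the rerouting decision described above, added here as an example that is not from the original article or from AWS. It assumes the monitor drives route changes with the AWS CLI `aws ec2 replace-route` command and has already determined which VPN instances are healthy; `plan_routes`, the instance and route-table ids, and the CIDR are constructed. It only prints the commands to run, and stopping or restarting a failed instance is left out.

```shell
#!/bin/sh
# Added example: route planning for the VPN monitor described in the appendix.
# Instance ids, route-table ids and the corporate CIDR below are constructed.

# plan_routes HEALTHY_IDS DEST_CIDR
#   stdin:  one line per Availability Zone route table:
#           "ROUTE_TABLE LOCAL_VPN PEER_VPN CURRENT_TARGET"
#   stdout: a replace-route command for each table whose target must change,
#           or an ALERT line when neither VPN instance can carry its traffic.
plan_routes() (
  healthy=" $1 "; cidr=$2
  while read -r rtb local_vpn peer_vpn current; do
    [ -n "$rtb" ] || continue
    case $healthy in
      *" $local_vpn "*) want=$local_vpn ;;   # normal state, or fail back once repaired
      *" $peer_vpn "*)  want=$peer_vpn ;;    # fail over to the other zone's instance
      *) echo "ALERT: $rtb has no healthy VPN instance for $cidr"; continue ;;
    esac
    # Emit nothing when the route already points at the right instance (idempotent).
    [ "$want" = "$current" ] ||
      echo "aws ec2 replace-route --route-table-id $rtb --destination-cidr-block $cidr --instance-id $want"
  done
)

# Constructed state: both tables point at their own zone's instance and i-vpn-b has failed,
# so only zone b's table needs to be repointed at i-vpn-a.
plan_routes "i-vpn-a" 192.168.0.0/24 <<'EOF'
rtb-az-a i-vpn-a i-vpn-b i-vpn-a
rtb-az-b i-vpn-b i-vpn-a i-vpn-b
EOF
```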
