Topics

• Overview
  • Amazon Virtual Private Network Components
  • Example VPC Setup
  • Additional Considerations
• Configuration Walkthrough
  • To launch an EC2 VPN instance
  • To configure VPN server software on an Amazon EC2 instance
  • To configure a Cisco ASA device
• Appendix: High-Level HA Architecture for VPN Instances
  • VPN Monitoring Instance(s)

Amazon Virtual Private Cloud (Amazon VPC) provides customers with tremendous network routing flexibility. This document describes how a customer can create a secure IPSec tunnel to connect a corporate network with VPC using an on-premise Cisco ASA with an Amazon Linux Elastic Compute Cloud (Amazon EC2) instance.

Please reference the Amazon Virtual Private Cloud Network Administrator Guide for complete VPC networking documentation; however, the following definitions, example configuration, and diagram may be helpful for understanding the content of this paper.

Internet Gateway (IGW)

The IGW is an egress point from a customer's VPC that allows public Elastic IP addresses to be mapped to VPC instances. IGW will provide public address mapping that will allow VPN instances in each VPC to communicate with each other.

IPSec Connection

An IPSec VPN connection providing encrypted traffic between the on-premise Cisco ASA firewall and the EC2 VPN instance that will be used to virtually connect the two networks.

This guide will use the following VPC configuration for illustrative purposes:

1. The IPSec connections require each VPN instance to live in a public subnet and have an Elastic IP address.
2. VPN instances are a potential single point of failure. Please see the Appendix for a high-level High Availability design for this component.
3. This lab provides examples using Amazon Linux and standard Amazon Linux packages.
4. This guide assumes you already have a VPC created and a Cisco ASA device. For instructions on creating VPCs, see the Amazon Virtual Private Cloud Getting Starting Guide.
5. In this scenario, AWS manages the IGW and the customer is responsible for managing their Cisco ASA, EC2 instance, and the IPSec connections.

In this walkthrough, we will perform the following steps:

1. Launch an EC2 VPN instance
2. Configure VPN server software on the EC2 instance
3. Configure the Cisco ASA device

1. Launch an Amazon Linux instance in a VPC public subnet and do the following:
1. Assign the VPN instance a static private IP address. This is not required, but it makes setting up the config files easier. In this example, use 10.0.0.5.
2. Allocate a VPC EIP and associate an EIP to your VPN instance. In this example, use EIP1 to represent the public EIP address used to connect into your VPC.
2. Disable Source/Dest checking on your EC2 instance.
1. Right-click the instance and selecting Change Source/Dest. Check.
2. Click Yes, Disable.

   

3. Configure routing tables in your VPC to send traffic to your corporate network through the VPC EC2 instance.

   

1. Connect to each EC2 VPN Instance and install the openswan package with the following command:
   

   Prompt> sudo yum install openswan

2. Edit the /etc/ipsec.conf file (as root) to include files in /etc/ipsec.d/*.conf (uncomment the last line by removing the '#' on the first character of the last line so it looks like the following):
   

   Prompt> sudo vi /etc/ipsec.conf

   # /etc/ipsec.conf - Openswan IPsec configuration file
   #
   # Manual: ipsec.conf.5
   #
   # Please place your own config files in /etc/ipsec.d/ ending in .conf
   
   version 2.0 # conforms to second version of ipsec.conf specification
   
   # basic configuration
   config setup
   	# Debug-logging controls: "none" for (almost) none, "all" for lots.
   	# klipsdebug=none
   	# plutodebug="control parsing"
   	# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
   	protostack=netkey
   	nat_traversal=yes
   	virtual_private=
   	oe=off
   	# Enable this if you see "failed to find any available worker"
   	# nhelpers=0
   
   #You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
   include /etc/ipsec.d/*.conf

3. Create the following files in /etc/ipsec.d (as root)
   

   Prompt> sudo vi /etc/ipsec.d/vpc1-to-vpc2.conf

   conn vpc-to-asa
   	type=tunnel
   	authby=secret
   	left=%defaultroute
   	leftid=
   	leftnexthop=%defaultroute
   	leftsubnet=
   	right=
   	rightsubnet=
   	esp=aes192-sha1
   	keyexchange=ike
   	ike=aes192-sha1
   	salifetime=43200s
   	pfs=yes
   	auto=start
   	dpdaction=restart

   Prompt> sudo vi /etc/ipsec.d/vpc1-to-vpc2.secrets

    : PSK "Put a Preshared Key here!!"

4. Start IPSec/Openswan.
   

   Prompt> sudo service ipsec start

5. Configure IPSec/Openswan to always start on boot.
   

   Prompt> sudo chkconfig ipsec on

6. Configure the Linux instance to route traffic by editing /etc/sysctl.conf and changing the net.ipv4.ip_forward variable from 0 to 1.
   

   Prompt> sudo vi /etc/sysctl.conf

   net.ipv4.ip_forward = 1

7. Restart your network settings for the network forwarding settings to take effect.
   

   Prompt> sudo service network restart

Please follow the Cisco ASA documentation for configuring an IPSec connection between your Cisco ASA and the Elastic IP address (EIP1) of your EC2 VPN Instance using the algorithms (aes192-sha1) and lifetimes (43200s) configured in the IPsec configuration file above. Also, some customers have found it necessary to disable the IKE keepalive to turn that dead peer detection off. The following example walks a user through using the Cisco ASA IPSec wizard for creating this type of connection (in step #5 of the example, ensure you check the option to enable Perfect Forwarding Secrecy (PFS) as this is a more secure section than the one recommended by the example):

https://houseoflinux.com/vpn/vpn-site-to-site-openswan-x-asa-cisco/page-2

Creating a fully redundant VPN connection requires the setup and configuration of two VPN instances and a monitoring instance to monitor the health of the VPN connections. The following diagram depicts an HA design for the VPC component of the network. Creating redundancy on the customer's Cisco ASA side of the network is out of scope for this document.

We recommend configuring your VPC route tables to leverage all VPN instances simultaneously by directing traffic from all of the subnets in one Availability Zone through its respective VPN instances in the same Availability Zone. Each VPN instance will then provide cross-VPC connectivity for instances that share the same Availability Zone.

The VPN Monitor is a custom instance that you will need to create and develop monitoring scripts to run on. This instance is intended to run and monitor the state of a VPN connection and VPN instances. If a VPN instance or connection goes down, the monitor will need to stop, terminate, or restart the VPN instance while also rerouting traffic from one subnet to the working VPN instance until both connections are functional. Amazon does not provide any guidance or scripts to use to set up this monitoring instance, so it is up to you to develop the necessary business logic to provide notification and/or attempt to automatically repair network connectivity in the event of a VPN connection failure.