Connecting Cisco ASA to VPC EC2 Instance (IPSec)
- Configuration Walkthrough
- Appendix: High-Level HA Architecture for VPN Instances
Amazon Virtual Private Cloud (Amazon VPC) provides customers with tremendous network routing flexibility. This document describes how a customer can create a secure IPSec tunnel to connect a corporate network with VPC using an on-premise Cisco ASA with an Amazon Linux Elastic Compute Cloud (Amazon EC2) instance.
Please reference the Amazon Virtual Private Cloud Network Administrator Guide for complete VPC networking documentation; however, the following definitions, example configuration, and diagram may be helpful for understanding the content of this paper.
Internet Gateway (IGW)
The IGW is an egress point from a customer's VPC that allows public Elastic IP addresses to be mapped to VPC instances. The IGW provides the public address mapping that allows the VPN instances in each VPC to communicate with each other.
IPSec VPN Connection
An IPSec VPN connection provides encrypted traffic between the on-premise Cisco ASA firewall and the EC2 VPN instance, and is used to virtually connect the two networks.
This guide will use the following VPC configuration for illustrative purposes:
- The IPSec connections require each VPN instance to live in a public subnet and have an Elastic IP address.
- VPN instances are a potential single point of failure. Please see the Appendix for a high-level High Availability design for this component.
- This lab provides examples using Amazon Linux and standard Amazon Linux packages.
- This guide assumes you already have a VPC created and a Cisco ASA device. For instructions on creating VPCs, see the Amazon Virtual Private Cloud Getting Started Guide.
- In this scenario, AWS manages the IGW and the customer is responsible for managing their Cisco ASA, EC2 instance, and the IPSec connections.
In this walkthrough, we will perform the following steps:
- Launch an EC2 VPN instance
- Configure VPN server software on the EC2 instance
- Configure the Cisco ASA device
- Launch an Amazon Linux instance in a VPC public subnet and do the following:
- Assign the VPN instance a static private IP address. This is not required, but it makes setting up the config files easier. In this example, use 10.0.0.5.
- Allocate a VPC EIP and associate it with your VPN instance. In this example, EIP1 represents the public EIP address used to connect into your VPC.
- Disable Source/Dest checking on your EC2 instance.
- Right-click the instance and select Change Source/Dest. Check.
- Click Yes, Disable.
- Configure routing tables in your VPC to send traffic to your corporate network through the VPC EC2 instance.
- Connect to each EC2 VPN Instance and install the openswan package with the following command:
Prompt> sudo yum install openswan
- Edit the /etc/ipsec.conf file (as root) so that it includes the files in /etc/ipsec.d/*.conf: uncomment the last line by removing the '#' that is its first character, so the file looks like the following:
Prompt> sudo vi /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
- Create the following files in /etc/ipsec.d (as root), replacing the placeholders in angle brackets with your own values:
Prompt> sudo vi /etc/ipsec.d/vpc1-to-vpc2.conf
conn vpc-to-asa
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=<EIP1>
        leftnexthop=%defaultroute
        leftsubnet=<VPC CIDR>
        right=<ASA Public IP>
        rightsubnet=<Corporate Network CIDR>
        esp=aes192-sha1
        keyexchange=ike
        ike=aes192-sha1
        salifetime=43200s
        pfs=yes
        auto=start
        dpdaction=restart
Prompt> sudo vi /etc/ipsec.d/vpc1-to-vpc2.secrets
<EIP1> <ASA Public IP>: PSK "Put a Preshared Key here!!"
- Start IPSec/Openswan.
Prompt> sudo service ipsec start
- Configure IPSec/Openswan to always start on boot.
Prompt> sudo chkconfig ipsec on
- Configure the Linux instance to forward traffic by editing /etc/sysctl.conf and changing the net.ipv4.ip_forward variable from 0 to 1.
Prompt> sudo vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
- Restart the network service so that the forwarding setting takes effect.
Prompt> sudo service network restart
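The following Python script is an added example, not part of the original paper: it renders the connection and secrets files shown above from the placeholder values (EIP1, the VPC CIDR, the ASA public IP and the corporate CIDR) with the same algorithm and lifetime settings, validates each address and prefix before writing anything, creates the secrets file mode 0600, and generates a random pre-shared key in place of the literal placeholder. The function names and the sample addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
"""Render the Openswan connection and secrets files from the walkthrough.

Added example (not from the original paper): tunnel parameters are validated
with the standard library, the secrets file is created mode 0600, and the
pre-shared key is generated randomly rather than typed by hand.
"""
import ipaddress
import os
import secrets
import tempfile


def generate_psk(nbytes=32):
    """Return a random hex-encoded PSK; 32 bytes is 256 bits of entropy."""
    return secrets.token_hex(nbytes)


def render_conn(name, eip, vpc_cidr, asa_ip, corp_cidr):
    """Return the text of /etc/ipsec.d/<name>.conf for one tunnel.

    Addresses and prefixes are validated here so a typo fails loudly instead
    of producing a tunnel that never comes up.  strict=True rejects a prefix
    with host bits set (e.g. 10.0.0.5/16), a common copy-paste mistake.
    """
    ipaddress.IPv4Address(eip)
    ipaddress.IPv4Address(asa_ip)
    ipaddress.IPv4Network(vpc_cidr, strict=True)
    ipaddress.IPv4Network(corp_cidr, strict=True)
    params = [
        "type=tunnel",
        "authby=secret",
        "left=%defaultroute",
        f"leftid={eip}",
        "leftnexthop=%defaultroute",
        f"leftsubnet={vpc_cidr}",
        f"right={asa_ip}",
        f"rightsubnet={corp_cidr}",
        "esp=aes192-sha1",          # must match the ASA transform set
        "keyexchange=ike",
        "ike=aes192-sha1",          # must match the ASA IKE policy
        "salifetime=43200s",        # must match the ASA SA lifetime
        "pfs=yes",
        "auto=start",
        "dpdaction=restart",
    ]
    # Openswan requires conn parameters to be indented under the conn line.
    return f"conn {name}\n" + "".join(f"        {p}\n" for p in params)


def render_secrets(eip, asa_ip, psk):
    """Return the matching .secrets line: '<left id> <right ip>: PSK "<key>"'."""
    if '"' in psk or "\n" in psk:
        raise ValueError("PSK must not contain double quotes or newlines")
    return f'{eip} {asa_ip}: PSK "{psk}"\n'


def write_files(directory, name, eip, vpc_cidr, asa_ip, corp_cidr, psk):
    """Write <name>.conf and <name>.secrets into `directory` (normally
    /etc/ipsec.d).  The secrets file is created 0600 because it holds the key.
    Returns the two paths."""
    conf_path = os.path.join(directory, f"{name}.conf")
    secrets_path = os.path.join(directory, f"{name}.secrets")
    with open(conf_path, "w") as f:
        f.write(render_conn(name, eip, vpc_cidr, asa_ip, corp_cidr))
    fd = os.open(secrets_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(render_secrets(eip, asa_ip, psk))
    return conf_path, secrets_path


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation addresses); written to
    # a temporary directory so the demo does not touch /etc/ipsec.d.
    out = tempfile.mkdtemp()
    paths = write_files(out, "vpc-to-asa", "203.0.113.10", "10.0.0.0/16",
                        "198.51.100.1", "192.168.0.0/16", generate_psk())
    for p in paths:
        print(f"--- {p}")
        with open(p) as f:
            print(f.read(), end="")
```

The generated key must be entered identically on the ASA; the secrets file is only read if /etc/ipsec.secrets includes /etc/ipsec.d/*.secrets, which the stock Openswan package configuration on Amazon Linux does, so check that line is present before starting the service.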
Please follow the Cisco ASA documentation for configuring an IPSec connection between your Cisco ASA and the Elastic IP address (EIP1) of your EC2 VPN instance, using the algorithms (aes192-sha1) and lifetimes (43200s) configured in the IPsec configuration file above. Some customers have also found it necessary to disable IKE keepalives on the ASA, which turns dead peer detection off. The following example walks a user through using the Cisco ASA IPSec wizard to create this type of connection (in step #5 of the example, ensure you check the option to enable Perfect Forward Secrecy (PFS), as this is a more secure setting than the one recommended by the example):
Creating a fully redundant VPN connection requires the setup and configuration of two VPN instances and a monitoring instance to monitor the health of the VPN connections. The following diagram depicts an HA design for the VPC component of the network. Creating redundancy on the customer's Cisco ASA side of the network is out of scope for this document.
We recommend configuring your VPC route tables to leverage all VPN instances simultaneously by directing traffic from all of the subnets in one Availability Zone through its respective VPN instances in the same Availability Zone. Each VPN instance will then provide cross-VPC connectivity for instances that share the same Availability Zone.
The VPN Monitor is a custom instance that you will need to create and develop monitoring scripts to run on. This instance is intended to run and monitor the state of a VPN connection and VPN instances. If a VPN instance or connection goes down, the monitor will need to stop, terminate, or restart the VPN instance while also rerouting traffic from one subnet to the working VPN instance until both connections are functional. Amazon does not provide any guidance or scripts to use to set up this monitoring instance, so it is up to you to develop the necessary business logic to provide notification and/or attempt to automatically repair network connectivity in the event of a VPN connection failure.
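To make the monitor's job concrete, the following Python code is an added example, not Amazon's and not part of the paper: it parses the output of `ipsec auto --status` for an established IPsec SA on the named connection, requires several consecutive failed checks before declaring a VPN instance down (so a rekey in progress does not trigger a failover), and computes which route table entries for the corporate CIDR must move to a healthy VPN instance, preferring the instance in the same Availability Zone as the paper recommends and moving back once it recovers. The status text is a constructed sample in Openswan's output format, and the route table and instance IDs are placeholders; applying the changes and restarting the failed instance through the EC2 API is left to the operator.

```python
"""Health-check and failover decision logic for the HA design.

Added example (not from the paper, not provided by Amazon).  Status samples
are constructed in the format of `ipsec auto --status`; IDs are placeholders.
"""

CORP_CIDR = "192.168.0.0/16"   # placeholder for the corporate network CIDR

# Constructed sample: tunnel up (Phase 2 SA established for "vpc-to-asa").
SAMPLE_STATUS_UP = """\
000 "vpc-to-asa": 10.0.0.0/16===10.0.0.5<10.0.0.5>[203.0.113.10]---10.0.0.1...198.51.100.1<198.51.100.1>===192.168.0.0/16; erouted; eroute owner: #2
000 #2: "vpc-to-asa":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 41873s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #1: "vpc-to-asa":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2374s; newest ISAKMP; lastdpd=4s(seq in:0 out:0); idle; import:admin initiate
"""

# Constructed sample: tunnel down (stuck retransmitting the first IKE message).
SAMPLE_STATUS_DOWN = """\
000 "vpc-to-asa": 10.0.0.0/16===10.0.0.5<10.0.0.5>[203.0.113.10]---10.0.0.1...198.51.100.1<198.51.100.1>===192.168.0.0/16; unrouted; eroute owner: #0
000 #3: "vpc-to-asa":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 20s; nodpd; idle; import:admin initiate
"""


def tunnel_established(status_text, conn_name):
    """True if the status output shows an established IPsec SA for conn_name.

    An ISAKMP (Phase 1) SA alone is not enough: traffic only flows once the
    IPsec (Phase 2) SA for this connection exists.
    """
    needle = f'"{conn_name}":'
    return any(needle in line and "IPsec SA established" in line
               for line in status_text.splitlines())


class FailoverPolicy:
    """Track consecutive failed health checks per VPN instance.

    One missed check (a rekey in progress, a lost probe) must not move routes;
    only `threshold` failures in a row mark an instance down, and a single
    healthy check marks it up again.
    """

    def __init__(self, threshold=3):
        self.threshold = threshold
        self._failures = {}

    def observe(self, instance_id, healthy):
        """Record one check; returns True if the instance is still considered up."""
        self._failures[instance_id] = (
            0 if healthy else self._failures.get(instance_id, 0) + 1)
        return not self.is_down(instance_id)

    def is_down(self, instance_id):
        return self._failures.get(instance_id, 0) >= self.threshold


def plan_route_changes(route_tables, vpn_by_az, policy):
    """Return (route_table_id, cidr, instance_id) tuples the monitor should apply.

    route_tables: dicts with keys id, az, target (current target for CORP_CIDR).
    vpn_by_az: Availability Zone -> VPN instance id.  Each table prefers the
    instance in its own AZ and falls back to any healthy instance when that
    one is down.  If nothing is healthy the plan is empty: there is nowhere
    better to send the traffic, and the monitor should alert instead.
    """
    healthy = [i for i in vpn_by_az.values() if not policy.is_down(i)]
    changes = []
    for rt in route_tables:
        preferred = vpn_by_az.get(rt["az"])
        if preferred in healthy:
            desired = preferred
        elif healthy:
            desired = sorted(healthy)[0]   # deterministic choice among survivors
        else:
            continue
        if rt["target"] != desired:
            changes.append((rt["id"], CORP_CIDR, desired))
    return changes


if __name__ == "__main__":
    policy = FailoverPolicy(threshold=3)
    tables = [{"id": "rtb-a", "az": "az-a", "target": "i-vpn-a"},
              {"id": "rtb-b", "az": "az-b", "target": "i-vpn-b"}]
    vpn = {"az-a": "i-vpn-a", "az-b": "i-vpn-b"}
    for _ in range(3):
        policy.observe("i-vpn-a", tunnel_established(SAMPLE_STATUS_DOWN, "vpc-to-asa"))
        policy.observe("i-vpn-b", tunnel_established(SAMPLE_STATUS_UP, "vpc-to-asa"))
    print(plan_route_changes(tables, vpn, policy))
```

In practice the monitor would obtain the status text over SSH from each VPN instance (or have the instances report it), add a reachability probe across the tunnel as a second signal, and apply the returned tuples with the EC2 route replacement API before restarting the failed instance.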