EC2 VPC VPN Update – NAT Traversal, Additional Encryption Options, and More
You can use Amazon Virtual Private Cloud (Amazon VPC) to create a logically isolated section of the AWS Cloud. Within the VPC, you can define your desired IP address range, create subnets, configure route tables, and so forth. You can also use a network gateway to connect the VPC to your existing on-premises network using a hardware Virtual Private Network (VPN) connection. The VPN running in the AWS Cloud (also known as a VPN gateway or VGW) communicates with a customer gateway (CGW) on your network or in your data center (read about Your Customer Gateway to learn more).
Today we are adding several new features to the VPN. Here’s a summary:
- NAT Traversal
- Additional Encryption Options
- Reusable IP addresses for the CGW
In order to take advantage of any of these new features, you will need to create a new VGW and then create new VPN tunnels with the desired attributes.
Network Address Translation (NAT) maps one range of IP addresses to another. Let’s say that you have private IP space on your local LAN that all connects to the internet through a single router or firewall. You aren’t able to put your VPN device (CGW) on a public IP address of it’s own. You can now use Network Address Translation to map the CGW from a private IP to a public, and use NAT-Traversal, or NAT-T, to connect your CGW to your Virtual Private Gateway (VGW). NAT-T allows you to create IP connections that originate on-premises behind a NAT device and connect to a VPC using addresses that have been translated. This mapping process takes places when the VPN is established.
You don’t need to do anything to set this up in the AWS Management Console. You just need to configure your NAT device for NAT-Traversal. You will also need to open up UDP port 4500 in your firewall in order to make use of NAT-T.
Additional Encryption Options
You can now make use of several new encryption options.
When the VPC’s hardware VPN is in the process of establishing a connection with your on-premises VPN, it proposes several different encryption options, each with a different strength. You can now configure the VPN on the VPC to propose AES256 as an alternative to the older and weaker AES128. If you decide to make use of this new option, you should configure your device so that it no longer accepts a proposal to use AES128 encryption.
The two endpoints participate in a Diffie-Hellman key exchange in order to establish a shared secret. The Diffie-Hellman groups used in the exchange will determine the strength of the hash on the keys. You can now configure the use of a wider range of groups:
- Phase 1 can now use DH groups 2, 14-18, 22, 23, and 24.
- Phase 2 can now use DH groups 1, 2, 5, 14-18, 22, 23, and 24.
Packets that flow across the VPN connection are verified using a hash algorithm. A matching hash gives a very high-quality indicator that the packet has not been maliciously modified along the way. You can now configure the VPN on the VPC to use the SHA-2 hashing algorithm with a 256 bit digest (also known as SHA-256). Again, you should configure your device to disallow the use of the weaker hash algorithms.
Reusable CGW IP Addresses
You no longer need to specify a unique IP address for each customer gateway connection that you create. Instead, you can now reuse an existing IP address. Many VPC users have been asking for this feature and I expect it to be well-used.