Skip to main content

Simplifying Site-to-Site VPN Connectivity with StrongSwan

 As a new member of the team, I was tasked for establishing site-to-site VPN connectivity using a third-party tool. After exploring numerous blogs in search of the perfect solution, I stumbled upon StrongSwan. Excited to put it to the test, I followed the provided guides carefully. However, upon implementation, I encountered a frustrating roadblock: while the tunnel was successfully created, communication between the virtual networks remained elusive.

This blog aims to tackle that very challenge head-on. I’ll be sharing a comprehensive, step-by-step guide to achieve seamless site-to-site VPN connectivity between two cloud environments. Guess, what’s the best part? The same principles can be effortlessly applied to on-premise infrastructure setups as well.

But, what if your cloud provider doesn’t offer managed services for site-to-site VPN connectivity? Or if the process for establishing site-to-site VPN connectivity using managed services requires different configurations and setup steps? Don’t worry, we’ll address those scenarios too.

So, if you’ve ever had trouble with site-to-site VPN connections or making sure your networks connect properly, you’re in the right place. Let’s get started and understand site-to-site VPNs together!

Why Use StrongSwan?

Using StrongSwan for site-to-site VPN connectivity offers several advantages:

1.Flexibility: StrongSwan is highly configurable, allowing you to tailor the VPN setup to your specific requirements and network environments.

2. Open Source: Being an open-source solution, StrongSwan is cost-effective and offers transparency, enabling you to inspect and modify the code as needed.

3. Compatibility: StrongSwan supports various VPN protocols, including IKEv1 and IKEv2, ensuring compatibility with a wide range of devices and platforms.

4. Security: StrongSwan prioritizes security, offering robust encryption and authentication mechanisms to protect your data during transit.

5. Ease of use: The ease of use is another significant benefit of using StrongSwan for site-to-site VPN connectivity. Whether you’re a seasoned network administrator or a novice user, StrongSwan provides a user-friendly experience, ensuring that you can efficiently establish and maintain secure site-to-site VPN connections between various cloud platforms and on-premise infrastructure.

[Good Read: Migration Of MS SQL From Azure VM To Amazon RDS ]

Steps To Create Site to Site VPN Connection Using StrongSwan

I will demonstrate how to establish a site-to-site VPN connection between Azure and AWS. This method can be applied to any cloud platform or on-premise infrastructure.

Configuration on AWS side

Step 1: Configure VPC, Subnet and Internet Gateway

Create a Virtual Private Cloud (VPC) with a non-overlapping CIDR block compared to the Azure VNet. Within the VPC, establish a public subnet and attach an Internet Gateway to enable connectivity to the internet. Create a public route table and configure a route allowing internet traffic flow through it. Associate the public subnet with the route table to facilitate proper routing. Finally, launch an EC2 instance in the public subnet.

  • VPC Name: VPC-s2s
  • VPC Cidr: 172.0.0.0/16
  • Subnet Name: subnet-01
  • Subnet Cidr: 172.0.1.0/24
  • Route Table Name: rt-s2s
  • Internet Gateway Name: igw-s2s

Step 2: Connect Securely to the EC2 Instance and Perform the Configuration

A: Update the package repository and upgrade existing packages and install StrongSwan

sudo apt update && sudo apt upgrade -y
sudo apt install strongswan -y

BGenerate a Pre-Shared Key (PSK) for authentication purposes on both endpoints of the VPN tunnel, execute the following command.

openssl rand -base64 64

Copy the generated key and paste it into a secure location after removing any extra spaces.

COpen the “ipsec.secrets” file and add text with below format:

sudo nano /etc/ipsec.secrets
<public ip of aws VM (site a)> <public ip of azure VM (site b)>: <encryption method> <key>

D. Access the “ipsec.conf” file and append the provided configuration to the end of the file. Save the changes and exit.

sudo nano /etc/ipsec.conf
config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
# connection to siteA datacenter
conn siteA-to-siteB
authby=secret
left=%defaultroute
leftid=<public ip of site A>
leftsubnet=<vpc range of strongswan instance at site A>
right=<public ip of site B>
rightsubnet=<vpc range of strongswan instance at site B>
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
auto=start

E. Enable ip forwarding

Enabling `net.ipv4.ip_forward=1` allows the instance to function as a router. With IP forwarding enabled on a Linux system, it gains the ability to forward packets between different network interfaces, similar to a router. StrongSwan relies on IP forwarding to efficiently route encrypted VPN traffic between the local and remote networks. Without IP forwarding enabled, the instance would not be able to effectively handle and route VPN traffic, leading to connectivity issues and potential VPN tunnel failures effectively.

To enable IP forwarding:

  • Open the /etc/sysctl.conf file for editing.
  • Locate the line #net.ipv4.ip_forward=1 and remove the # at the beginning.
  • Save the changes and exit the editor.
  • Apply the changes immediately without rebooting by running sudo sysctl -p.

F. Source and destination check off

By default, EC2 instances in AWS have a feature called “source/destination check” enabled. This feature ensures that an instance only accepts traffic that is either destined for or originates from itself. This behavior is suitable for most instances that function as servers. However, when an instance acts as a router, such as when running StrongSwan for VPN connectivity, it needs to be able to forward traffic between different network interfaces, even if the traffic is not specifically destined for the instance itself. Disabling source and destination checks allows the instance to process and forward packets intended for other destinations. This can be done through the AWS Management Console by selecting the instance, navigating to its networking settings and disabling the source/destination.

G. Configuring Route in the Public Route Table for Azure VNet:

The purpose of adding this route is to ensure proper routing of traffic between the EC2 instance where StrongSwan is installed and the Azure Virtual Network (VNet). This step is essential for establishing a VPN connection between the two networks and facilitating the exchange of data securely.

To add the route, follow these steps:

1. In the “Destination” field, enter the CIDR block for the Azure VNet. This CIDR block specifies the range of IP addresses assigned to the Azure VNet.

2. In the “Target” field, select “Instance” and then choose the EC2 instance ID of the server where StrongSwan is installed. This indicates that the specified destination CIDR block should be reachable via the selected EC2 instance.

Routing VPN Traffic:

Once the route is added, the EC2 instance hosting StrongSwan effectively handles the VPN connection and forwards the traffic through the VPN tunnel to the Azure VNet. This ensures seamless communication between the two networks and enables secure data exchange over the VPN connection.

You can check more info about: Simplifying Site-to-Site VPN Connectivity with StrongSwan.

Comments

Popular posts from this blog

How to Perform Penetration Testing on IoT Devices: Tools & Techniques for Business Security

The Internet of Things (IoT) has transformed our homes and workplaces but at what cost?   With billions of connected devices, hackers have more entry points than ever. IoT penetration testing is your best defense, uncovering vulnerabilities before cybercriminals do. But where do you start? Discover the top tools, techniques, and expert strategies to safeguard your IoT ecosystem. Don’t wait for a breach, stay one step ahead.   Read on to fortify your devices now!  Why IoT Penetration Testing is Critical  IoT devices often lack robust security by design. Many run on outdated firmware, use default credentials, or have unsecured communication channels. A single vulnerable device can expose an entire network.  Real-world examples of IoT vulnerabilities:   Mirai Botnet (2016) : Exploited default credentials in IP cameras and DVRs, launching massive DDoS attacks. Stuxnet (2010): Targeted industrial IoT systems, causing physical damage to nuclear centrifu...

Infrastructure-as-Prompt: How GenAI Is Revolutionizing Cloud Automation

Forget YAML sprawl and CLI incantations. The next frontier in cloud automation isn't about writing more code; it's about telling the cloud what you need. Welcome to the era of Infrastructure-as-Prompt (IaP), where Generative AI is transforming how we provision, manage, and optimize cloud resources. The Problem: IaC's Complexity Ceiling Infrastructure-as-Code (IaC) like Terraform, CloudFormation, or ARM templates revolutionized cloud ops. But it comes with baggage: Steep Learning Curve:  Mastering domain-specific languages and cloud provider nuances takes time. Boilerplate Bloat:  Simple tasks often require verbose, repetitive code. Error-Prone:  Manual coding leads to misconfigurations, security gaps, and drift. Maintenance Overhead:  Keeping templates updated across environments and providers is tedious. The Solution: GenAI as Your Cloud Co-Pilot GenAI models (like GPT-4, Claude, Gemini, or specialized cloud models) understand n...

How Security-First CI/CD Pipelines Help Mitigate Business Risk

Businesses today must adapt quickly, rolling out software updates and new features at an unprecedented pace. To accomplish this, many turn to Continuous Integration and Continuous Delivery (CI/CD) pipelines. However, this pursuit of speed can introduce significant security risks if it's not approached with caution. This is where the concept of DevSecOps comes into play. It’s an essential strategy for organizations aiming to strike the right balance between speed and security. Historically, security has often been an afterthought, resulting in delays and making systems more vulnerable to cyber threats. DevSecOps changes this narrative by embedding security practices within every stage of the software development lifecycle. In this blog, we will delve into the tangible ROI of adopting DevSecOps , highlighting how a security-first mindset in CI/CD not only minimizes business risks but also reduces downtime and leads to measurable cost savings. Additionally, we’ll examine how automatin...