As a new member of the team, I was tasked for establishing site-to-site VPN connectivity using a third-party tool. After exploring numerous blogs in search of the perfect solution, I stumbled upon StrongSwan. Excited to put it to the test, I followed the provided guides carefully. However, upon implementation, I encountered a frustrating roadblock: while the tunnel was successfully created, communication between the virtual networks remained elusive.
This blog aims to tackle that very challenge head-on. I’ll be sharing a comprehensive, step-by-step guide to achieve seamless site-to-site VPN connectivity between two cloud environments. Guess, what’s the best part? The same principles can be effortlessly applied to on-premise infrastructure setups as well.
But, what if your cloud provider doesn’t offer managed services for site-to-site VPN connectivity? Or if the process for establishing site-to-site VPN connectivity using managed services requires different configurations and setup steps? Don’t worry, we’ll address those scenarios too.
So, if you’ve ever had trouble with site-to-site VPN connections or making sure your networks connect properly, you’re in the right place. Let’s get started and understand site-to-site VPNs together!
Why Use StrongSwan?
Using StrongSwan for site-to-site VPN connectivity offers several advantages:
1.Flexibility: StrongSwan is highly configurable, allowing you to tailor the VPN setup to your specific requirements and network environments.
2. Open Source: Being an open-source solution, StrongSwan is cost-effective and offers transparency, enabling you to inspect and modify the code as needed.
3. Compatibility: StrongSwan supports various VPN protocols, including IKEv1 and IKEv2, ensuring compatibility with a wide range of devices and platforms.
4. Security: StrongSwan prioritizes security, offering robust encryption and authentication mechanisms to protect your data during transit.
5. Ease of use: The ease of use is another significant benefit of using StrongSwan for site-to-site VPN connectivity. Whether you’re a seasoned network administrator or a novice user, StrongSwan provides a user-friendly experience, ensuring that you can efficiently establish and maintain secure site-to-site VPN connections between various cloud platforms and on-premise infrastructure.
[Good Read: Migration Of MS SQL From Azure VM To Amazon RDS ]
Steps To Create Site to Site VPN Connection Using StrongSwan
I will demonstrate how to establish a site-to-site VPN connection between Azure and AWS. This method can be applied to any cloud platform or on-premise infrastructure.
Configuration on AWS side
Step 1: Configure VPC, Subnet and Internet Gateway
Create a Virtual Private Cloud (VPC) with a non-overlapping CIDR block compared to the Azure VNet. Within the VPC, establish a public subnet and attach an Internet Gateway to enable connectivity to the internet. Create a public route table and configure a route allowing internet traffic flow through it. Associate the public subnet with the route table to facilitate proper routing. Finally, launch an EC2 instance in the public subnet.
- VPC Name: VPC-s2s
- VPC Cidr: 172.0.0.0/16
- Subnet Name: subnet-01
- Subnet Cidr: 172.0.1.0/24
- Route Table Name: rt-s2s
- Internet Gateway Name: igw-s2s
Step 2: Connect Securely to the EC2 Instance and Perform the Configuration
A: Update the package repository and upgrade existing packages and install StrongSwan
sudo apt update && sudo apt upgrade -y
sudo apt install strongswan -yB. Generate a Pre-Shared Key (PSK) for authentication purposes on both endpoints of the VPN tunnel, execute the following command.
openssl rand -base64 64Copy the generated key and paste it into a secure location after removing any extra spaces.
C. Open the “ipsec.secrets” file and add text with below format:
sudo nano /etc/ipsec.secrets<public ip of aws VM (site a)> <public ip of azure VM (site b)>: <encryption method> <key>D. Access the “ipsec.conf” file and append the provided configuration to the end of the file. Save the changes and exit.
sudo nano /etc/ipsec.confconfig setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no# connection to siteA datacenter
conn siteA-to-siteB
authby=secret
left=%defaultroute
leftid=<public ip of site A>
leftsubnet=<vpc range of strongswan instance at site A>
right=<public ip of site B>
rightsubnet=<vpc range of strongswan instance at site B>
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
auto=startE. Enable ip forwarding
Enabling `net.ipv4.ip_forward=1` allows the instance to function as a router. With IP forwarding enabled on a Linux system, it gains the ability to forward packets between different network interfaces, similar to a router. StrongSwan relies on IP forwarding to efficiently route encrypted VPN traffic between the local and remote networks. Without IP forwarding enabled, the instance would not be able to effectively handle and route VPN traffic, leading to connectivity issues and potential VPN tunnel failures effectively.
To enable IP forwarding:
- Open the
/etc/sysctl.conffile for editing. - Locate the line
#net.ipv4.ip_forward=1and remove the#at the beginning. - Save the changes and exit the editor.
- Apply the changes immediately without rebooting by running
sudo sysctl -p.
F. Source and destination check off
By default, EC2 instances in AWS have a feature called “source/destination check” enabled. This feature ensures that an instance only accepts traffic that is either destined for or originates from itself. This behavior is suitable for most instances that function as servers. However, when an instance acts as a router, such as when running StrongSwan for VPN connectivity, it needs to be able to forward traffic between different network interfaces, even if the traffic is not specifically destined for the instance itself. Disabling source and destination checks allows the instance to process and forward packets intended for other destinations. This can be done through the AWS Management Console by selecting the instance, navigating to its networking settings and disabling the source/destination.
G. Configuring Route in the Public Route Table for Azure VNet:
The purpose of adding this route is to ensure proper routing of traffic between the EC2 instance where StrongSwan is installed and the Azure Virtual Network (VNet). This step is essential for establishing a VPN connection between the two networks and facilitating the exchange of data securely.
To add the route, follow these steps:
1. In the “Destination” field, enter the CIDR block for the Azure VNet. This CIDR block specifies the range of IP addresses assigned to the Azure VNet.
2. In the “Target” field, select “Instance” and then choose the EC2 instance ID of the server where StrongSwan is installed. This indicates that the specified destination CIDR block should be reachable via the selected EC2 instance.
Routing VPN Traffic:
Once the route is added, the EC2 instance hosting StrongSwan effectively handles the VPN connection and forwards the traffic through the VPN tunnel to the Azure VNet. This ensures seamless communication between the two networks and enables secure data exchange over the VPN connection.
You can check more info about: Simplifying Site-to-Site VPN Connectivity with StrongSwan.
Comments
Post a Comment