Skip to main content

Simplifying Site-to-Site VPN Connectivity with StrongSwan

 As a new member of the team, I was tasked for establishing site-to-site VPN connectivity using a third-party tool. After exploring numerous blogs in search of the perfect solution, I stumbled upon StrongSwan. Excited to put it to the test, I followed the provided guides carefully. However, upon implementation, I encountered a frustrating roadblock: while the tunnel was successfully created, communication between the virtual networks remained elusive.

This blog aims to tackle that very challenge head-on. I’ll be sharing a comprehensive, step-by-step guide to achieve seamless site-to-site VPN connectivity between two cloud environments. Guess, what’s the best part? The same principles can be effortlessly applied to on-premise infrastructure setups as well.

But, what if your cloud provider doesn’t offer managed services for site-to-site VPN connectivity? Or if the process for establishing site-to-site VPN connectivity using managed services requires different configurations and setup steps? Don’t worry, we’ll address those scenarios too.

So, if you’ve ever had trouble with site-to-site VPN connections or making sure your networks connect properly, you’re in the right place. Let’s get started and understand site-to-site VPNs together!

Why Use StrongSwan?

Using StrongSwan for site-to-site VPN connectivity offers several advantages:

1.Flexibility: StrongSwan is highly configurable, allowing you to tailor the VPN setup to your specific requirements and network environments.

2. Open Source: Being an open-source solution, StrongSwan is cost-effective and offers transparency, enabling you to inspect and modify the code as needed.

3. Compatibility: StrongSwan supports various VPN protocols, including IKEv1 and IKEv2, ensuring compatibility with a wide range of devices and platforms.

4. Security: StrongSwan prioritizes security, offering robust encryption and authentication mechanisms to protect your data during transit.

5. Ease of use: The ease of use is another significant benefit of using StrongSwan for site-to-site VPN connectivity. Whether you’re a seasoned network administrator or a novice user, StrongSwan provides a user-friendly experience, ensuring that you can efficiently establish and maintain secure site-to-site VPN connections between various cloud platforms and on-premise infrastructure.

[Good Read: Migration Of MS SQL From Azure VM To Amazon RDS ]

Steps To Create Site to Site VPN Connection Using StrongSwan

I will demonstrate how to establish a site-to-site VPN connection between Azure and AWS. This method can be applied to any cloud platform or on-premise infrastructure.

Configuration on AWS side

Step 1: Configure VPC, Subnet and Internet Gateway

Create a Virtual Private Cloud (VPC) with a non-overlapping CIDR block compared to the Azure VNet. Within the VPC, establish a public subnet and attach an Internet Gateway to enable connectivity to the internet. Create a public route table and configure a route allowing internet traffic flow through it. Associate the public subnet with the route table to facilitate proper routing. Finally, launch an EC2 instance in the public subnet.

  • VPC Name: VPC-s2s
  • VPC Cidr: 172.0.0.0/16
  • Subnet Name: subnet-01
  • Subnet Cidr: 172.0.1.0/24
  • Route Table Name: rt-s2s
  • Internet Gateway Name: igw-s2s

Step 2: Connect Securely to the EC2 Instance and Perform the Configuration

A: Update the package repository and upgrade existing packages and install StrongSwan

sudo apt update && sudo apt upgrade -y
sudo apt install strongswan -y

BGenerate a Pre-Shared Key (PSK) for authentication purposes on both endpoints of the VPN tunnel, execute the following command.

openssl rand -base64 64

Copy the generated key and paste it into a secure location after removing any extra spaces.

COpen the “ipsec.secrets” file and add text with below format:

sudo nano /etc/ipsec.secrets
<public ip of aws VM (site a)> <public ip of azure VM (site b)>: <encryption method> <key>

D. Access the “ipsec.conf” file and append the provided configuration to the end of the file. Save the changes and exit.

sudo nano /etc/ipsec.conf
config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no
# connection to siteA datacenter
conn siteA-to-siteB
authby=secret
left=%defaultroute
leftid=<public ip of site A>
leftsubnet=<vpc range of strongswan instance at site A>
right=<public ip of site B>
rightsubnet=<vpc range of strongswan instance at site B>
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=1h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
auto=start

E. Enable ip forwarding

Enabling `net.ipv4.ip_forward=1` allows the instance to function as a router. With IP forwarding enabled on a Linux system, it gains the ability to forward packets between different network interfaces, similar to a router. StrongSwan relies on IP forwarding to efficiently route encrypted VPN traffic between the local and remote networks. Without IP forwarding enabled, the instance would not be able to effectively handle and route VPN traffic, leading to connectivity issues and potential VPN tunnel failures effectively.

To enable IP forwarding:

  • Open the /etc/sysctl.conf file for editing.
  • Locate the line #net.ipv4.ip_forward=1 and remove the # at the beginning.
  • Save the changes and exit the editor.
  • Apply the changes immediately without rebooting by running sudo sysctl -p.

F. Source and destination check off

By default, EC2 instances in AWS have a feature called “source/destination check” enabled. This feature ensures that an instance only accepts traffic that is either destined for or originates from itself. This behavior is suitable for most instances that function as servers. However, when an instance acts as a router, such as when running StrongSwan for VPN connectivity, it needs to be able to forward traffic between different network interfaces, even if the traffic is not specifically destined for the instance itself. Disabling source and destination checks allows the instance to process and forward packets intended for other destinations. This can be done through the AWS Management Console by selecting the instance, navigating to its networking settings and disabling the source/destination.

G. Configuring Route in the Public Route Table for Azure VNet:

The purpose of adding this route is to ensure proper routing of traffic between the EC2 instance where StrongSwan is installed and the Azure Virtual Network (VNet). This step is essential for establishing a VPN connection between the two networks and facilitating the exchange of data securely.

To add the route, follow these steps:

1. In the “Destination” field, enter the CIDR block for the Azure VNet. This CIDR block specifies the range of IP addresses assigned to the Azure VNet.

2. In the “Target” field, select “Instance” and then choose the EC2 instance ID of the server where StrongSwan is installed. This indicates that the specified destination CIDR block should be reachable via the selected EC2 instance.

Routing VPN Traffic:

Once the route is added, the EC2 instance hosting StrongSwan effectively handles the VPN connection and forwards the traffic through the VPN tunnel to the Azure VNet. This ensures seamless communication between the two networks and enables secure data exchange over the VPN connection.

You can check more info about: Simplifying Site-to-Site VPN Connectivity with StrongSwan.

Comments

Popular posts from this blog

Cloud Data Warehouses vs. Data Lakes: Choosing the Right Solution for Your Data Strategy

In today’s data-driven world, companies rely on vast amounts of data to fuel business intelligence, predictive analytics, and decision-making processes. As businesses grow, so do their data storage needs. Two popular storage solutions are cloud data warehouses  and data lakes . While they may seem similar, these technologies serve distinct purposes, each with unique advantages and challenges. Here’s a closer look at the key differences, advantages, and considerations to help you decide which one aligns best with your data strategy. What Are Cloud Data Warehouses? Cloud data warehouses are designed for structured data and are optimized for analytics. They allow businesses to perform fast, complex queries on large volumes of data and produce meaningful insights. Popular cloud data warehouses include solutions like Amazon Redshift, Google BigQuery , and Snowflake. These tools enable companies to store, query, and analyze structured data, often in real-time, which can be incredibly use...

Comparison between Mydumper, mysqldump, xtrabackup

Backing up databases is crucial for ensuring data integrity, disaster recovery preparedness, and business continuity. In MySQL environments, several tools are available, each with its strengths and optimal use cases. Understanding the differences between these tools helps you choose the right one based on your specific needs. Use Cases for Database Backup : Disaster Recovery : In the event of data loss due to hardware failure, human error, or malicious attacks, having a backup allows you to restore your database to a previous state.  Database Migration : When moving data between servers or upgrading MySQL versions, backups ensure that data can be safely transferred or rolled back if necessary.  Testing and Development : Backups are essential for creating realistic testing environments or restoring development databases to a known state.  Compliance and Auditing : Many industries require regular backups as part of compliance regulations to ensure data retention and integri...

Cloud Security Posture Management – How to Stay Compliant

  Cloud computing has become the backbone of modern business operations. Organizations are increasingly migrating their workloads, applications, and data to the cloud to leverage its scalability, flexibility, and cost-efficiency. However, with this shift comes a new set of challenges, particularly in ensuring cloud data protection, security, and compliance of cloud environments. This is where Cloud Security Posture Management (CSPM) comes into play.   CSPM is a critical component of cloud security that helps organizations identify and remediate risks, enforce compliance, and maintain a strong security posture in their cloud infrastructure. In this blog, we’ll explore what CSPM is, why it’s essential, and how organizations can use it to stay compliant with industry regulations and standards.   What is Cloud Security Posture Management (CSPM)? Cloud Security Posture Management (CSPM) refers to a set of tools, processes, and practices designed to continuously monitor, assess...