Creating a Site-to-Site VPN between AWS VPC and a third-party network using Openswan

Most third-party applications have restricted access through the public Internet due to an organization’s security boundaries

If applications are hosted in AWS, creating a site-to-site VPN can provide access to these kind of networks. In this post, we explain the steps to create a site-to-site VPN tunnel connection between an AWS VPC and a third-party CISCO ASA router

There are a couple ways of achieving this:

Create a VPN tunnel using Openswan
Using AWS managed VPN - The main limitation of this option is that when AWS Managed VPNs are used, the VPN tunnel can only be initiated from the Third-party network

Of the two options, this blog explores how a VPN tunnel can be created using Openswan.

Setting up a VPN Tunnel on an AWS platform using Openswan

This can be explained using the following use case.

Let us assume we have a Java application deployed on multiple AWS EC2 instances inside a private subnet. There is a need to retrieve data from an external third-party API and this API is not accessible as a public API. Thus, a site-to-site VPN tunnel needs be created between the Java application instance(s) and the third-party external API.

There are four main steps in creating a VPN tunnel using Openswan;

Create an EC2 instance inside the public subnet and install Openswan (prerequisites listed below)
Add IP-SEC configuration for the two parties inside the Openswan instance
Route all the traffic from the private subnet to Openswan instance using a route table of the private subnet (your java applications are located inside the private subnet)
Test the VPN tunnel

The following prerequisites should be met to execute the first step

Create a VPC with 10.1.0.0/24 CIDR block
Create a Public Subnet inside the VPC with 10.1.0.0/25 CIDR block
Create a Private Subnet inside the VPC with 10.1.0.128/25 CIDR block
Create an EC2 instance inside the private subnet to install your java application. You will get a private IP address for each instance (in this scenario we have 10.1.0.160, 10.1.0.179 for private instances)
Create a Route Table and associate it with the Private Subnet
Create another Route Table and associate it with the Public Subnet
Create an Internet Gateway for your VPC and attach it to the Public Route Table

You are now ready to proceed with VPN tunnel creation.

Step 01: Create an EC2 instance to install Openswan

Log into the AWS management console, go to EC2 services. Create an EC2 instance by selecting the same VPC (10.1.0.0/24) and public subnet (10.1.0.0/25), which we created by following the steps above. This instance is responsible for establishing the VPN tunnel to the third-party
Select the EC2 instance and choose: “Actions -> Network -> Change Source/Dest Checking” and set it as disable
The instance in the public subnet should get a public IP address from AWS. However, I would recommend creating an Elastic IP and assigning it to the EC2 instance (54.32.58.45 in our scenario)
Go to the Security Group of the EC2 instance and add inbound rules to allow traffic from HTTP and HTTPS
Route traffic from the private subnet to Openswan instance and route traffic from Openswan instance to third-party network

Go to the Route Tables from the side bar and select your route table of the private subnet. Go to Routes tab and add inbound rule. Edit routes and add another route.

Destination > Private IP of third party/32 (172.25.75.98/32 in our scenario)

Target > Select Openswan instance from the list.

All the traffic received from the third-party IP address as the destination will route to the Openswan instance. Go to the Route Tables from the side bar and select your route table of public subnet. Next, Go to Routes tab and add inbound rule. Edit routes and add another route.

Destination > Private IP of third party/32 (172.25.75.98/32 in our scenario)

Target > Select Openswan instance from the list.

This will direct traffic between the Openswan instance and the Third-party network. Now you have a public EC2 instance to install Openswan and all the traffic routes are configured as needed.

Step 02: Install Openswan inside the EC2 instance and configure the tunnel

Log into the EC2 instance with SSH (ssh ec2-user@<Elastic IP of EC2> for Linux users or Putty for Windows users)
Install Openswan > sudo yum install openswan
We need to allow read configuration files from /etc/ipsec.d/ To do that you have to uncomment the following line from /etc/ipsec.conf file
include /etc/ipsec.d/*.conf
Go to sudo vi /etc/sysct1.conf and update net.ipv4.ip_forward record as follows
net.ipv4.ip_forward = 1
Create a new configuration file for IP-SEC VPN > sudo vi /etc/ipsec.d/cisco-vpn.conf

The next step is to add configurations for the VPN tunnel into the cisco-vpn.conf file. The configurations for this use case are as follows. Ensure you change the values based on your IP addresses;

   
                conn cisco-vpn
                type=tunnel
                authby=secret
                left=10.1.0.6 # private ip of openswan instance
                leftid= 54.32.58.45 #public ip of openswan instance
                leftsubnets={10.1.0.6/32,10.1.0.160/32,10.1.0.179/32} # private ip of   #openswan/32 and private ip of java application instances/32
                right=125.10.1.100 # public ip of the third party network
                rightsubnets=172.25.75.98/32 # private ip of the third party network
                esp=aes192-sha1
                keyexchange=ike
                ike=aes192-sha1
                salifetime=42200s
                pfs=yes
                auto=start
                dpdaction=restart

Before proceeding with the next step, carry out configurations on the CISCO end. Contact the system admin of the third-party network and complete the following task with him/her.

Cross check the values of esp, keyexchange, ike, salifetime, pfs, auto, dpdaction parameters. These configurations should match with what the third-party has set up on their end of the VPN connection. Make changes if necessary
Get the third-party firewall access for the public IP of Openswan instance and private IP addresses of the private instances
Ask the admin to create a Pre-Shared Key (PSK) and share with you

Next, create the following file.

vi /etc/ipsec.d/cisco-vpn.secrets

Add the following record.

<Public IP of Openswan instance> <Public IP of third-party network: PSK “<PSK>”

Eg: 54.32.58.45 125.10.1.100: PSK “CGhdgddgheehehs” (This is for our scenario)

Now all configurations are complete.

Note: You can call third party network using DNS or private IP address. If you are using DNS, you have to add a record to the /etc/hosts file as follows to resolve the DNS.

<private IP of Third party> <DNS name of the third party>

Step 3: Test the VPN tunnel

Check if the VPN tunnel is established or not.
Give the following commands.

                      sudo service ipsec start
                      sudo chkconfig ipsec on
                      sudo service netwaork restart

Give the following command to test whether the VPN tunnel is up or not.

                      sudo ipsec auto — status

You should receive the log “IPsec SA established.” If you do not get this log, try the following commands. They will explain the reasons for failure.

                      sudo ipsec auto — replace cisco-vpn
                      sudo ipsec auto — up cisco-vpn

Check whether the VPN tunnel can connect from the Openswan instance to Third-party network
```
                      telnet <-Private IP of third party> 443 or use cURL command
```

Check the connection between private application instances to third-party network

                      telnet <-Private IP of third party> 443 or use cURL command

If you are connected through telnet, you have successfully created the site-to-site VPN between the AWS platform and the third-party CISCO ASA network.

Congratulations!

References

Openswan - www.openswan.org

Ridma Gamage

Senior Software Engineer