Site-to-Site IPSEC VPN on GCP/AWS with Strongswan

Rono Derrick
The Andela Way
6 min read · Jul 3, 2018


Security is a critical and sensitive area for businesses in industries such as telecommunications, health and banking. Most of the critical infrastructure these entities run sits behind private networks and other complex networking rules, put in place to ensure the integrity and authenticity of the data being shared.

As a developer, one of the painful things you have to do before you begin the actual integration is to establish a connection to these entities’ infrastructure. There are several security measures and protocols that can be used to achieve this, but I want to focus on a site-to-site virtual private network. In this article we are going to explore how to connect a Google Cloud Debian instance in the US to an Ubuntu instance on Amazon in London. This is called a site-to-site VPN. The same setup could also be replicated with hardware VPN endpoints, for instance a Google/Amazon VM peered with a Cisco router.

There are two types of site-to-site VPNs: intranet-based and extranet-based. We’ll focus on the intranet-based one here.

Why a site-to-site VPN?

A site-to-site VPN lets us restrict access to a specific set of hosts (intranets) on each of the two sites. According to Cisco, a point-to-point VPN topology allows two devices to communicate directly with each other, without the option of IPsec failover. To create a point-to-point VPN topology, you specify two endpoints as peer devices so that either device can initiate the connection.

Enough of the theory, let’s get our hands dirty!!!

VPN Topology

Pre-requisites

To configure our site-to-site VPN we will need the following tools and services.

  1. Google Cloud and AWS accounts.
  2. An Ubuntu/Debian virtual machine on each side.
  3. strongSwan.
  4. tcpdump.
  5. Working knowledge of iptables.
  6. OpenSSH.
  7. Peer details (public IP, IKE version, encryption and integrity algorithms).

Setting up environment

To begin, we need to create a Debian instance on Google Cloud Platform (GCP). After registering an account, head over to the Compute Engine menu and you will be directed to this page.

Click on Create Instance and you will get a page with the VM details.

Pick a unique name for your VPN instance and select the smallest machine type available, since we will not need much processing power (it also saves on your credits). Then jump down to the Networking tab and click the Edit button to enable IP forwarding and set up a static IP for the instance (we need a static IP so that we don’t lose the connection when the VM reboots). In the External IP dropdown, pick Create IP address to reserve an IP for the machine.

Network setup tab

Also remember to add your public key in the SSH tab so that you can log in to the VM securely.

Now that we have our first host up and running, we need to finish configuring it so that we can replicate the same setup in our second host.

Setting up strongswan

Get the latest updates and install strongSwan from the Ubuntu repos by running the following commands.

sudo apt-get update
sudo apt-get install strongswan
sudo systemctl start strongswan

This installs strongSwan and all the dependencies required to set up an IPsec tunnel. The installation creates two important files: /etc/ipsec.conf and /etc/ipsec.secrets.

ipsec.conf stores the tunnel configuration, while ipsec.secrets stores the key we will use to authenticate the hosts.

Next, we’ll apply the following configuration on our hosts. First, we need an encryption domain. We will use our public VPN IP for this since we are using an extranet-based VPN. Second, we need a peer IP. Below is a sample config file for IKEv1 using a pre-shared key. Copy it into the ipsec.conf file. Note that you need admin privileges to edit these files.

Google host conf

AWS host config

Since we are using a pre-shared key, we need to add the secret to the ipsec.secrets file on both hosts.

Our first peer is now ready. We’ll move on to configure the second one by replicating the steps from the first peer, this time on the AWS EC2 instance.
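The two peer configurations mirror each other: what is "left" (local) on the GCP host is "right" (remote) on the AWS host. The shell script below is an added example, not the article's own configuration listings; it generates a strongSwan ipsec.conf conn block and the matching ipsec.secrets line for either side from one set of parameters. All IP addresses and subnets in it are constructed placeholders (RFC 5737 documentation ranges and private ranges), the cipher choices are my own assumptions, and the connection name aws-to-gcp is the one the article uses later. Unlike a config that allows any subnet, it pins each side to one private subnet, so only that traffic is ever carried over the tunnel.

```shell
#!/bin/sh
# Added example: generate mirrored strongSwan IKEv1/PSK configs for two peers.
# Not the article's configuration. Values below are constructed placeholders.

GCP_PUBLIC_IP="203.0.113.10"     # assumed: static IP reserved for the GCP VM
GCP_SUBNET="10.128.0.0/20"       # assumed: GCP VPC subnet behind the VM
AWS_PUBLIC_IP="198.51.100.20"    # assumed: elastic IP of the EC2 instance
AWS_SUBNET="172.31.0.0/16"       # assumed: AWS VPC subnet behind the instance
CONN_NAME="aws-to-gcp"           # connection name used by the article's commands
PSK="replace-me-with-a-long-random-secret"   # placeholder; generate a real one

# gen_conn LOCAL_PUBLIC_IP LOCAL_SUBNET REMOTE_PUBLIC_IP REMOTE_SUBNET
# Prints a complete ipsec.conf. strongSwan calls the local side "left" and the
# peer "right", so swapping the arguments yields the other host's file.
# left=%defaultroute is used because cloud VMs sit behind 1:1 NAT and do not
# carry their public IP on an interface; leftid carries the public IP instead.
gen_conn() {
    cat <<EOF
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn $CONN_NAME
    type=tunnel
    keyexchange=ikev1
    authby=secret
    auto=start
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    left=%defaultroute
    leftid=$1
    leftsubnet=$2
    right=$3
    rightid=$3
    rightsubnet=$4
    ikelifetime=28800s
    lifetime=3600s
    dpdaction=restart
EOF
}

# gen_secret LOCAL_PUBLIC_IP REMOTE_PUBLIC_IP PSK
# Prints the ipsec.secrets line: both identities, the keyword PSK, quoted key.
gen_secret() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Usage (run as root on each host; the secrets file must not be world-readable):
#   GCP: gen_conn "$GCP_PUBLIC_IP" "$GCP_SUBNET" "$AWS_PUBLIC_IP" "$AWS_SUBNET" > /etc/ipsec.conf
#        gen_secret "$GCP_PUBLIC_IP" "$AWS_PUBLIC_IP" "$PSK" > /etc/ipsec.secrets
#        chmod 600 /etc/ipsec.secrets && ipsec restart
#   AWS: same two calls with the GCP and AWS arguments swapped.
# Running the script with --show prints both sides for inspection.
if [ "${1:-}" = "--show" ]; then
    echo "### GCP host"
    gen_conn "$GCP_PUBLIC_IP" "$GCP_SUBNET" "$AWS_PUBLIC_IP" "$AWS_SUBNET"
    gen_secret "$GCP_PUBLIC_IP" "$AWS_PUBLIC_IP" "$PSK"
    echo "### AWS host"
    gen_conn "$AWS_PUBLIC_IP" "$AWS_SUBNET" "$GCP_PUBLIC_IP" "$GCP_SUBNET"
    gen_secret "$AWS_PUBLIC_IP" "$GCP_PUBLIC_IP" "$PSK"
fi
```

The trailing "!" on the ike and esp lines tells strongSwan to propose only those algorithms rather than also accepting its defaults, so a peer that has been downgraded to weaker suites cannot negotiate them. The same ipsec.secrets line works on both hosts as long as both identities appear on it.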

Setting up firewall rules

The tunnel created in the example above allows connections to any subnet on our instances. This is not secure, so to create a safer environment you will need to set up firewall rules, both with iptables on the hosts and in the cloud instance dashboards.

iptables is an administration tool for IPv4/IPv6 packet filtering and NAT.

Check out the iptables manual page for more information on iptables and a deeper understanding of NAT.

AWS

By default, an AWS instance has all inbound external traffic blocked. To let the tunnel come up, you will need to modify the instance’s security group to accept traffic from our GCP instance.

GCP

To allow AWS to reach other nodes in our GCP network, we add the following rule on the GCP host. The command rewrites the source IP of outgoing packets to the public IP of your machine (masquerading).

Alternatively, configure the GCP instance firewall rules to accept connections from the AWS internal IP and route all traffic from the AWS instance to GCP through the established tunnel.

sudo iptables -t nat -A POSTROUTING -j MASQUERADE

Earlier, we directed our AWS instance to accept traffic from our GCP instance. We now need to make sure that traffic originating from the GCP instance is routed over the tunnel towards the AWS instance. By default that traffic is NAT-ed, meaning it leaves with the public IP address as its source, and so it will be dropped.

sudo iptables -t nat -A POSTROUTING -d <aws instance internal ip> -o eth0 -j SNAT --to-source <gcp internal ip>
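To tighten the "any subnet" tunnel described at the start of this section, and to keep the masquerade rule from rewriting tunnel traffic (the drop problem just described), the host firewall should admit only IKE and ESP from the known peer, forward only packets that really travelled inside the IPsec policy, and exempt tunnel traffic from NAT before the MASQUERADE rule. The script below is an added example of such a rule set, not the article's own commands; the peer address, subnets and interface name are constructed placeholders. It prints the rules when DRY_RUN=1 (the default here) so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: iptables rule set that restricts a strongSwan tunnel to one
# peer and one subnet pair. Not the article's own commands. Placeholders only.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

# run CMD...: print or execute one iptables command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# tunnel_rules PEER_PUBLIC_IP PEER_SUBNET LOCAL_SUBNET IFACE
tunnel_rules() {
    peer_ip="$1"; peer_net="$2"; local_net="$3"; iface="$4"

    # Only IKE (UDP 500), NAT-T (UDP 4500) and ESP from the known peer reach the host.
    run iptables -A INPUT -s "$peer_ip" -p udp --dport 500 -j ACCEPT
    run iptables -A INPUT -s "$peer_ip" -p udp --dport 4500 -j ACCEPT
    run iptables -A INPUT -s "$peer_ip" -p esp -j ACCEPT

    # Forward between the two private subnets only when the packet was actually
    # protected by the IPsec policy; plain packets spoofing the peer subnet do not match.
    run iptables -A FORWARD -s "$peer_net" -d "$local_net" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    run iptables -A FORWARD -s "$local_net" -d "$peer_net" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    run iptables -P FORWARD DROP

    # Exempt tunnel-bound traffic from NAT so it keeps its private source address,
    # then masquerade everything else that leaves the public interface.
    run iptables -t nat -A POSTROUTING -s "$local_net" -d "$peer_net" \
        -m policy --dir out --pol ipsec -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$iface" -j MASQUERADE
}

# Constructed sample values for the GCP host (assumptions, not from the article):
PEER_PUBLIC_IP="198.51.100.20"   # AWS elastic IP
PEER_SUBNET="172.31.0.0/16"      # AWS VPC subnet
LOCAL_SUBNET="10.128.0.0/20"     # GCP VPC subnet
IFACE="eth0"

# Usage: DRY_RUN=0 sudo sh thisscript.sh   (or review the printed rules first)
tunnel_rules "$PEER_PUBLIC_IP" "$PEER_SUBNET" "$LOCAL_SUBNET" "$IFACE"
```

The order of the two POSTROUTING rules matters: a packet that hits the ACCEPT target in the nat table skips the rest of the chain, so tunnel traffic is never masqueraded, while ordinary internet-bound traffic from the private subnet still is. The -m policy match is what ties the firewall decision to the kernel's XFRM state rather than to addresses alone.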

Testing connections

Ping one of the peers and run tcpdump on the peer being pinged to monitor the result. The remaining commands bring the tunnel up or down and inspect the IKE/IPsec state and the kernel’s XFRM state and policy.

ping 172.xx.xx.4
sudo tcpdump icmp
sudo tcpdump esp
sudo ipsec statusall
sudo ipsec up aws-to-gcp
sudo ipsec down aws-to-gcp
sudo ip xfrm state
sudo ip xfrm policy
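Reading ipsec statusall by eye works once, but a common failure mode is an IKE SA that is ESTABLISHED while no CHILD SA is INSTALLED (typically a subnet/traffic-selector mismatch between the two ipsec.conf files), which a quick glance can miss. The script below is an added example of a small health check, not part of the article: it classifies a connection as up, ike-only or down from the text of ipsec statusall. The sample output embedded in it is constructed to resemble strongSwan's format and the addresses in it are placeholders.

```shell
#!/bin/sh
# Added example: classify a strongSwan connection from "ipsec statusall" text.
# Not the article's code; sample status text below is constructed.

# tunnel_state CONN STATUS_TEXT -> prints "up", "ike-only" or "down"
# "CONN[n]: ESTABLISHED" is the IKE SA; "CONN{n}: INSTALLED" is the CHILD SA
# (the actual ESP tunnel). Both must be present for traffic to flow.
tunnel_state() {
    conn="$1"; status="$2"
    if printf '%s\n' "$status" | grep -q "^ *$conn\[[0-9]*\]: *ESTABLISHED"; then
        if printf '%s\n' "$status" | grep -q "^ *$conn{[0-9]*}: *INSTALLED"; then
            echo up
        else
            echo ike-only
        fi
    else
        echo down
    fi
}

# check_live CONN: run the real command on this host (needs strongSwan and root).
check_live() {
    tunnel_state "$1" "$(sudo ipsec statusall 2>/dev/null)"
}

# Constructed sample: healthy tunnel (IKE SA established, CHILD SA installed).
SAMPLE_UP='Security Associations (1 up, 0 connecting):
  aws-to-gcp[1]: ESTABLISHED 5 minutes ago, 10.128.0.2[203.0.113.10]...198.51.100.20[198.51.100.20]
  aws-to-gcp[1]: IKEv1 SPIs: 0123456789abcdef_i* fedcba9876543210_r, pre-shared key reauthentication in 7 hours
  aws-to-gcp{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1234567_i 89abcdef_o
  aws-to-gcp{1}:   10.128.0.0/20 === 172.31.0.0/16'

# Constructed sample: IKE negotiated but no CHILD SA (selector mismatch symptom).
SAMPLE_IKE_ONLY='Security Associations (1 up, 0 connecting):
  aws-to-gcp[1]: ESTABLISHED 2 seconds ago, 10.128.0.2[203.0.113.10]...198.51.100.20[198.51.100.20]
  aws-to-gcp[1]: IKEv1 SPIs: 0123456789abcdef_i* fedcba9876543210_r, pre-shared key reauthentication in 7 hours'

# Constructed sample: nothing negotiated.
SAMPLE_DOWN='Security Associations (0 up, 0 connecting):
  none'

# Usage: run with --live to query this host, otherwise show the samples.
if [ "${1:-}" = "--live" ]; then
    check_live aws-to-gcp
else
    echo "sample up:       $(tunnel_state aws-to-gcp "$SAMPLE_UP")"
    echo "sample ike-only: $(tunnel_state aws-to-gcp "$SAMPLE_IKE_ONLY")"
    echo "sample down:     $(tunnel_state aws-to-gcp "$SAMPLE_DOWN")"
fi
```

When the result is ike-only, compare leftsubnet/rightsubnet on both hosts and look at the charon log for the proposal the peer rejected; when it is down, check that UDP 500/4500 and ESP from the peer are allowed by both the host firewall and the cloud security group before looking at the key.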

Conclusion

Over the past few years, adoption of remote work at technology companies has risen. This means employees can deliver their work from home without too many restrictions. But it also poses a risk to company information, since everything is being sent over the internet, and it forces the company to invest in several security measures to ensure a high level of security in its communications.
It is prudent for every technology company to put such an option in place to deter any surprises arising from external attacks.
