Tutorial: Extend VPN Connectivity to Amazon AWS VPC Using the AWS VPC VPN Gateway Service
Successfully extend your on-premise Access Server VPN connectivity to your AWS VPC using IPsec. VPN users can access AWS resources securely.
Overview
If you're utilizing Amazon Web Services (AWS), you're likely aware that Amazon Virtual Private Cloud (VPC) offers built-in functionality to connect your on-premise network to your VPC instances. However, suppose you already have an Access Server set up on-premise and wish to extend your VPN connectivity to the Amazon cloud. In that case, you can achieve this without purchasing additional hardware or expensive equipment. This tutorial will guide you through connecting your on-premise Access Server to your Amazon VPC using IPsec. Upon completion, your on-premise VPN users will have seamless access to your AWS resources without complex configurations or installations.
Important
Always ensure your configurations comply with your organization's security policies and AWS best practices. Update your systems regularly and monitor the VPN connections for optimal performance and security.
Access Server installed on your local network.
An internet-facing IP address for your Access Server instance.
Strongswan installed.
AWS Management Console access with permissions to configure VPC settings.
Non-overlapping subnets between your on-premise and AWS VPC subnets.
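The non-overlapping-subnets prerequisite is easy to get wrong once several on-premise prefixes are involved, and a conflict only shows up later as traffic silently taking the wrong route. The following script is an added example, not part of the OpenVPN tutorial: it compares each on-premise CIDR (the same prefixes you will later enter under Static IP Prefixes) against the VPC CIDR and reports any overlap. All addresses are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the OpenVPN tutorial): check that the on-premise
# CIDRs and the AWS VPC CIDR do not overlap before creating the VPN connection.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the first and last address of a CIDR block as integers.
cidr_range() {
    addr=${1%/*}; bits=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    net=$(( $(ip2int "$addr") & mask ))
    echo "$net $(( net | (0xFFFFFFFF & ~mask) ))"
}

# Return 0 (true) when the two CIDR blocks share at least one address.
cidrs_overlap() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    # $1-$2 is the first range, $3-$4 the second; ranges overlap when
    # each starts no later than the other ends.
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_prefixes VPC_CIDR PREFIX... : report every on-premise prefix that
# overlaps the VPC CIDR; returns 1 if any conflict was found.
check_prefixes() {
    vpc=$1; shift; rc=0
    for prefix in "$@"; do
        if cidrs_overlap "$prefix" "$vpc"; then
            echo "CONFLICT: $prefix overlaps VPC CIDR $vpc"; rc=1
        else
            echo "ok: $prefix does not overlap $vpc"
        fi
    done
    return $rc
}

# Constructed sample values: the VPC CIDR and two on-premise prefixes.
check_prefixes 10.0.0.0/16 192.0.2.0/24 203.0.113.0/24
```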
For this first step, you need to enable Strongswan. The process differs if you have Access Server running on a virtual appliance or installed on-premise with a software package installation.
For Access Server virtual appliance users:
Connect to your console and get root privileges.
Strongswan is pre-installed but turned off by default on the Access Server virtual appliance. Run this command to enable it:
systemctl enable strongswan-starter.service
Start Strongswan:
systemctl start strongswan-starter.service
For software package installation users (Access Server installed using the install script):
If you're not using the virtual appliance, connect to your console and get root privileges.
Install Strongswan manually:
apt update
apt install strongswan
Download the following required configuration files and place them in the appropriate directories:
ipsec.conf: Save to /etc/.
wget -O /etc/ipsec.conf https://packages.openvpn.net/as/scripts/ipsec.conf
ipsec.secrets: Save to /etc/.
wget -O /etc/ipsec.secrets https://packages.openvpn.net/as/scripts/ipsec.secrets
aws-updown.sh: Save to /sbin and make it executable.
wget -O /sbin/aws-updown.sh https://packages.openvpn.net/as/scripts/aws-updown.sh
sudo chmod +x /sbin/aws-updown.sh
Note
Adjust the package manager commands according to your Linux distribution (e.g., yum for CentOS/RHEL).
Sign in to the AWS Management Console.
From the list of services, select VPC under the Networking & Content Delivery category.
In the VPC Dashboard, ensure you have at least one VPC listed.
If no VPC is present, you may need to create one or check if you're in the correct AWS region.
Tip
Check the top-right corner of the console to confirm your active region.
In the Virtual private network (VPN) section, select Customer Gateways.
Click Create Customer Gateway.
Name Tag: Enter a descriptive name (e.g., OnPremiseAccessServer).
IP Address: Enter the public IP address of your on-premise Access Server.
Important
This IP must be internet-facing and not behind NAT.
Click Create Customer Gateway to save settings.
In the Virtual private network (VPN) section, click Virtual Private Gateways.
Click Create Virtual Private Gateway.
Name Tag: Enter a descriptive name (e.g., MyVPCGateway).
Click Create Virtual Private Gateway.
Select the newly created virtual private gateway.
Click Actions > Attach to VPC.
Select your VPC from the dropdown.
Click Yes, Attach.
In the Virtual private cloud section, select Route Tables.
Choose the route table associated with your VPC subnets.
With the route table selected, click the Route Propagation tab.
Click Edit Route Propagation.
Click the box next to your virtual private gateway (vgw-xxxxxxxx).
Click Save.
In the Virtual private network (VPN) section, select Site-to-Site VPN connections.
Click Create VPN Connection.
Configure the VPN connection:
Name Tag: Enter a descriptive name (e.g., OnPremiseVPNConnection).
Target Gateway Type: Choose Virtual Private Gateway.
Virtual Private Gateway: Select the one previously created.
Customer Gateway: Select Existing and choose your customer gateway.
Routing Options: Choose Static.
Static IP Prefixes: Enter the CIDR blocks of your on-premise and Access Server VPN networks. Example: 192.0.2.0/24, 203.0.113.0/24.
Click Create VPN Connection.
Wait for the connection to be created.
Once the VPN connection is available, select it from the list.
Click Download Configuration.
In the dialog, select Strongswan for the vendor and click Download.
Save the configuration file for the next step.
Locate the downloaded configuration file:
Find the Strongswan configuration file you downloaded from the AWS console in Step 6. It's usually named something similar to vpn-xxxxxxx.conf.
Open the downloaded VPN configuration file.
Review the instructions contained within it:
Carefully read through the instructions provided in the configuration file. They contain the specific settings and keys required to establish the VPN connection using Strongswan.
Implement configuration steps:
Copying keys and secrets: Transfer the pre-shared keys and other secrets to the appropriate location on your Access Server, e.g., /etc/ipsec.secrets.
Modifying ipsec.conf: Update the ipsec.conf file with the details provided, such as the tunnel endpoints and other configuration parameters.
Executing commands: Run any specific commands provided in the file to load and apply the new configurations.
This step is necessary if a server-side host connected to Access Server needs to access resources within the AWS VPC. If you don't need this configuration, you can skip this step.
Configure routing
Configure the routing table on the router or host that needs access to set up routing to the AWS VPC through the Access Server host. This typically involves adding a static route:
Identify the AWS VPC CIDR: Determine the CIDR block(s) of your AWS VPC, e.g., 10.0.0.0/16.
Add static route: Add a static route on your server or host using the following command (adjust based on your Linux distribution and network configuration):
ip route add 10.0.0.0/16 via OpenVPN_AS_Host_IP
Example:
ip route add 10.0.0.0/16 via 192.0.2.100
Verify route: Verify the route has been added successfully:
ip route show
You should see the route to your AWS VPC CIDR via the Access Server host listed.
By configuring this route, hosts on your server-side network can reach resources within the AWS VPC through Access Server, extending the VPN connectivity to your entire server network.
Start the IPsec service:
ipsec start
Check the status of the IPsec tunnels to verify the connection:
ipsec status
You should see established Security Associations (SAs), indicating the tunnels are up.
If the IPsec tunnels don't establish, run this command:
ipsec restart
Enable the IPsec service at boot:
systemctl enable ipsec
(Optional) Add the command to rc.local:
Edit the rc.local file:
nano /etc/rc.local
Add the following line before the exit 0 line:
ipsec start
Save and exit.
From a machine in your on-premise network, ping an instance in your AWS VPC to test the connectivity from on-premise to AWS:
ping AWS_Instance_IP
From an AWS instance, ping a machine on your on-premise network to test connectivity from AWS to on-premise:
ping On_premise_Machine_IP
Connect to your Access Server using a VPN client.
Ensure that you can access AWS resources as intended.
If you need to troubleshoot, check firewall rules on both sides to ensure ICMP (ping) is allowed and review logs for any error messages:
grep ipsec /var/log/syslog
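The two checks above (established SAs in ipsec status, and the static route to the VPC via the Access Server host in ip route show) can be scripted so they are repeatable after reboots or configuration changes. The script below is an added example, not code from the OpenVPN tutorial; the status and route dumps it parses are constructed samples in the format strongSwan and iproute2 print, and the tunnel name, VPC CIDR and host IP are assumed values.

```shell
#!/bin/sh
# Added example (not from the OpenVPN tutorial): confirm an established IPsec
# SA and the static route to the VPC via the Access Server host by parsing
# 'ipsec status' and 'ip route show' output. Sample outputs are constructed.

# Count established IKE SAs in 'ipsec status' output read from stdin.
count_established() {
    grep -c ']: ESTABLISHED ' || true
}

# Succeed when 'ip route show' output on stdin contains "<dst> via <gw>".
route_present() {
    awk -v dst="$1" -v gw="$2" \
        '$1 == dst && $2 == "via" && $3 == gw { found = 1 } END { exit !found }'
}

# verify_vpn VPC_CIDR AS_HOST_IP STATUS_TEXT ROUTE_TEXT : 0 when both pass.
verify_vpn() {
    sas=$(printf '%s\n' "$3" | count_established)
    rc=0
    if [ "$sas" -ge 1 ]; then
        echo "ok: $sas established IPsec SA(s)"
    else
        echo "FAIL: no established IPsec SA; try 'ipsec restart' and check syslog"; rc=1
    fi
    if printf '%s\n' "$4" | route_present "$1" "$2"; then
        echo "ok: route to $1 via $2 present"
    else
        echo "FAIL: no route to $1 via $2; run: ip route add $1 via $2"; rc=1
    fi
    return $rc
}

# Constructed sample outputs (tunnel name as in the AWS strongSwan template).
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
     Tunnel1[1]: ESTABLISHED 5 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.10[198.51.100.10]
     Tunnel1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1234567_i c7654321_o
     Tunnel1{1}:   192.0.2.0/24 203.0.113.0/24 === 10.0.0.0/16'
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
10.0.0.0/16 via 192.0.2.100 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.50'

verify_vpn 10.0.0.0/16 192.0.2.100 "$SAMPLE_STATUS" "$SAMPLE_ROUTES"
```

On a live host, replace the two sample strings with "$(ipsec status)" and "$(ip route show)" and pass your own VPC CIDR and Access Server IP.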