IPsec tunnel to AWS VPC with Certificates
tested on: 5.2.1, 6.0.5
AWS VPC configuration
Create Certificates
AWS supports multiple ways to create and manage certificates. This guide uses AWS Certificate Manager; refer to the AWS documentation on how Certificate Manager can be used to create a CA and VPC certificates. For this example, the following items were created using AWS Certificate Manager:
- Private CA
- Private Subordinate CA, which is used to sign the VPN certificates
- Private Certificate, issued by the Subordinate CA, for each Nodegrid IPsec endpoint. In this case this was one tunnel.
NOTE: the domain name can be anything, but as a best practice the domain name should include the host's hostname; in this example the domain name "fre-ipsec.se.zpesystems.com" was chosen.
- 2 Private Certificates, issued by the Subordinate for each VPC endpoint.
These will automatically be created when the VPC is configured.
The following setup follows the AWS VPN setup process. The guide highlights the most important settings which are required; otherwise AWS default values are used. For more details, refer to the AWS documentation.
Create Customer Gateway
Create a Customer Gateway for each Nodegrid endpoint. Provide the following details:
- Name: provide a name for the gateway
- Routing: Select either static or dynamic based on your preference
- IP Address: Leave blank, this will allow the Nodegrid to connect with a dynamic IP address
- Certificate ARN: select the previously created Certificate
Virtual Private Gateway
Create a Virtual Private Gateway if none exists yet
Site to Site VPN Connections
Create the VPN Connection by providing/selecting the following values:
- Name: provide a name for the VPN connection
- Target Gateway Type: Virtual Private Gateway
- Virtual Private Gateway: Select the previously created Gateway
- Customer Gateway: Select Existing
- Customer Gateway ID: Select the previously created Customer Gateway
Depending on whether a policy based tunnel or a routing based tunnel should be created, define the other values as needed. Below are 2 examples:
Policy Based
- Routing Options: Static
- Static IP Prefixes: provide at least one network range from the Customer Gateway which will be announced to the VPC
Leave all other settings at their defaults
Routing Based
- Routing Options: Dynamic (Requires BGP)
Leave all other settings at their defaults
Extract Certificates and configuration details
Now that the tunnel has been created, it is necessary to extract the required information from AWS.
Tunnel Details
Extract Certificates
- Navigate to the Certificate Manager
- Select the Customer Gateway certificate, click on Action and export the certificate
- Provide a password with which the PEM files will be encrypted. Take a note of the password, as it will be required later.
- Save or download
- Certificate Body
- Certificate Chain
- Certificate Private Key
- Repeat the process for both VPN endpoint certificates which were automatically created
- Save or download
- Certificate Body
Nodegrid configuration
Base Configuration
- Login to the Nodegrid
- Before configuring the IPsec tunnel on the Nodegrid, ensure the following items are configured; review the article on how to prepare a Nodegrid for an IPsec connection and the Nodegrid Security Guide:
- IPv4 forwarding, reverse path filtering
- Firewall
- Navigate to Network -> IPsec -> Global settings and disable "Enable Virtual Tunnel Interface" should it be enabled
Create IKE Profile
AWS VPCs support a wide range of IKE settings. The guide provides a working example which can be utilised with AWS VPC connections.
AWS_IKEv1
- Navigate to Network -> IPsec -> IKE Profile
- Click on add and create a new Profile
- Fill in the following settings:
- Profile Name: AWS_IKEv1
- IKE Version: IKEv1
- Phase 1:
- Encryption: AES-GCM256
- Authentication: SHA512
- Diffie-Hellman Group: Group 21
- Lifetime (sec): 28800
- Phase 2:
- Authentication Protocol: AES-GCM256
- Authentication: SHA512
- PFS Group: Group 21
- Lifetime (sec): 3600
- Dead Peer Detection
- Number of Retries: 5
- Interval (sec): 30
- Action: Restart
Import Certificates
- Copy all the exported certificate files to the Nodegrid's /tmp directory
- The following names were selected for the files:
Customer Gateway certificate - certificate.crt
Customer Gateway certificate private key - privateKey.key
Customer Gateway Certificate Chain - ca.crt
Endpoint 0 certificate - endpoint.0.crt
Endpoint 1 certificate - endpoint.1.crt
- SSH to the Nodegrid and become the root user with
shell sudo su -
- Run the following commands to import the certificates
- certutil -A -i /tmp/ca.crt -n "vpnca" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
openssl pkcs12 -export -out /tmp/certificate.p12 -inkey /tmp/privateKey.key -in /tmp/certificate.crt
ipsec import --nssdir /etc/ipsec/ipsec.d/ /tmp/certificate.p12
certutil -A -i /tmp/endpoint.0.crt -n "endpoint-0" -t "P,," -d sql:/etc/ipsec/ipsec.d/
certutil -A -i /tmp/endpoint.1.crt -n "endpoint-1" -t "P,," -d sql:/etc/ipsec/ipsec.d/
List the imported certificates and their aliases. NOTE: the full alias of the imported Customer Gateway certificate in this example, shown below, is "fre-ipsec.se.zpesystems.com - Sales Engineers ZPE Systems"
- root@fre-ipsec:~# certutil -L -d /etc/ipsec/ipsec.d/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
endpoint-0 P,,
endpoint-1 P,,
vpnca CT,,
fre-ipsec.se.zpesystems.com - Sales Engineers ZPE Systems u,u,u
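Before running the import commands above, it is worth confirming that the exported files belong together, since a key that does not match the certificate or a chain that does not validate it only surfaces later as an IKE authentication failure. The following is an added shell example (not part of the original article); file names follow the article's convention and the IPSEC_KEY_PASS variable, used to pass the export password from the earlier step, is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the files
# exported from AWS Certificate Manager before importing them into the
# Nodegrid NSS database with certutil / ipsec import.
# File names follow the article's convention (certificate.crt,
# privateKey.key, ca.crt); IPSEC_KEY_PASS is an assumed variable that
# supplies the password chosen when the certificate was exported.

# check_ipsec_cert_bundle CERT KEY CHAIN
# Returns 0 when the key belongs to the certificate, the chain validates it
# and the certificate has not expired; returns 1 (with a reason) otherwise.
check_ipsec_cert_bundle() {
    cert=$1; key=$2; chain=$3
    passopt=""
    if [ -n "$IPSEC_KEY_PASS" ]; then
        passopt="-passin env:IPSEC_KEY_PASS"
    fi

    # 1. The public key inside the certificate must equal the one derived
    #    from the private key; a mismatch means the wrong key was exported.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: cannot read certificate $cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout $passopt 2>/dev/null) \
        || { echo "FAIL: cannot read key $key (wrong password?)" >&2; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2; return 1
    fi

    # 2. The exported chain (subordinate CA plus root) must validate the
    #    certificate; this is the trust the "vpnca" import will rely on.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $chain does not validate $cert" >&2; return 1
    fi

    # 3. -checkend 0 fails if the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired" >&2; return 1
    fi

    echo "OK: $cert, $key and $chain are consistent"
    return 0
}

# Usage on the Nodegrid after copying the files to /tmp:
#   IPSEC_KEY_PASS='export-password' check_ipsec_cert_bundle \
#       /tmp/certificate.crt /tmp/privateKey.key /tmp/ca.crt
```

The same check can be run for endpoint.0.crt and endpoint.1.crt against ca.crt, with the chain check alone being relevant since no private key is exported for them.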
Create Tunnel
- Create an IPsec configuration file in /etc/ipsec/ipsec.d/ with
vi /etc/ipsec/ipsec.d/AWS.conf
- Copy the following template into the file and replace the variables (marked by {{ }}) with the required information. The example below is a policy based tunnel.
- # Managed by Nodegrid
conn AWS
auto=start
type=tunnel
leftid=%fromcert
left=%defaultroute
leftrsasigkey=%cert
leftcert={{ AWS CUSTOMER GATEWAY CERTIFICATE ALIAS }} #example "fre-ipsec.se.zpesystems.com - Sales Engineers ZPE Systems"
rightid=%fromcert
right={{ AWS VPC PUBLIC IP }}
rightrsasigkey=%cert
rightcert="endpoint-0" #For the 2nd tunnel use the value endpoint-1
also=AWS-IKEv1 #Use a profile name which was created earlier, in this example either AWS-IKEv1, AWS-IKEv2
leftsourceip={{ Inside IP Addresses - Customer Gateway }}
rightsourceip={{ Inside IP Addresses - Virtual Private Gateway }}
leftsubnets={{ {Inside IP Address CIDR, Customer Gateway Network} }} #example {169.254.109.12/30, 10.10.0.0/16}
rightsubnets={{ {Inside IP Address CIDR, AWS Network} }} #example {169.254.109.12/30, 10.0.0.0/16}
- Route based configuration example. NOTE: this will only set the IPsec policies; no routes will be installed, so they need to be added manually.
- # Managed by Nodegrid
conn AWS
auto=start
type=tunnel
leftid=%fromcert
left=%defaultroute
leftrsasigkey=%cert
leftcert={{ AWS CUSTOMER GATEWAY CERTIFICATE ALIAS }}
#example "fre-ipsec.se.zpesystems.com - Sales Engineers ZPE Systems"
rightid=%fromcert
right={{ AWS VPC PUBLIC IP }}
rightrsasigkey=%cert
rightcert="endpoint-0"
#For the 2nd tunnel use the value endpoint-1
also=AWS-IKEv1
#Use a profile name which was created earlier, in this example either AWS-IKEv1, AWS-IKEv2
leftsourceip= #This should be blank
rightsourceip= #This should be blank
leftsubnets=0.0.0.0/0
rightsubnets=0.0.0.0/0
mark=-1
vti-interface=vtiaws01
vti-routing=no
vti-shared=yes
leftvti=
Appendix
import_settings commands
IPsec Global Settings
- /settings/ipsec/global enable_virtual_tunnel_interface=no
/settings/ipsec/global enable_logging=no
AWS_IKEv1 Profile
- /settings/ipsec/ike_profile/AWS_IKEv1 profile_name=AWS_IKEv1
/settings/ipsec/ike_profile/AWS_IKEv1 ike_version=ikev1
/settings/ipsec/ike_profile/AWS_IKEv1 phase_1_mode=main
/settings/ipsec/ike_profile/AWS_IKEv1 phase_1_encryption=aes
/settings/ipsec/ike_profile/AWS_IKEv1 phase_1_authentication=sha256
/settings/ipsec/ike_profile/AWS_IKEv1 phase_1_diffie-hellman_group=group_2
/settings/ipsec/ike_profile/AWS_IKEv1 phase_1_lifetime=28800
/settings/ipsec/ike_profile/AWS_IKEv1 phase_2_authentication_protocol=esp
/settings/ipsec/ike_profile/AWS_IKEv1 phase_2_encryption=aes
/settings/ipsec/ike_profile/AWS_IKEv1 phase_2_authentication=sha2_256
/settings/ipsec/ike_profile/AWS_IKEv1 phase_2_pfs_group=group_2
/settings/ipsec/ike_profile/AWS_IKEv1 phase_2_lifetime=3600
/settings/ipsec/ike_profile/AWS_IKEv1 enable_dead_peer_detection=yes
/settings/ipsec/ike_profile/AWS_IKEv1 dead_peer_detection_number_of_retries=5
/settings/ipsec/ike_profile/AWS_IKEv1 dead_peer_detection_interval=30
/settings/ipsec/ike_profile/AWS_IKEv1 dead_peer_detection_action=restart