IPsec tunnel to AWS VPC with Certificates

last tested on: 5.2.1

AWS VPC configuration

Create Certificates

AWS supports multiple ways to create and manage certificates. This guide uses AWS Certificate Manager; read the AWS documentation on how Certificate Manager can be used to create a CA and the VPC certificates. For this example, the following items were created with AWS Certificate Manager:
  1. Private CA
  2. Private Subordinate CA which is used to sign the VPN certificates

  3. Private Certificate, issued by the Subordinate CA for each Nodegrid IPsec endpoint. In this example a single tunnel was used.
    NOTE: the domain name can be anything, but as a best practice it should include the host's hostname; in this example the domain name "fre-ipsec.se.zpesystems.com" was chosen.
  4. 2 Private Certificates, issued by the Subordinate CA, one for each VPC endpoint.
    These will automatically be created when the VPC is configured.

Configure AWS Virtual Private Network

The following setup follows the AWS VPN setup process. The guide highlights the most important settings which are required; all other settings use the AWS default values. For more details refer to the AWS documentation.

Create Customer Gateway

Create a Customer Gateway for each Nodegrid endpoint. Provide the following details:
- Name: provide a name for the gateway
- Routing: Select either static or dynamic based on your preference
- IP Address: Leave blank, this will allow the Nodegrid to connect with a dynamic IP address
- Certificate ARN: select the previously created certificate

Virtual Private Gateway

Create a Virtual Private Gateway if none exists yet

Site to Site VPN Connections

Create the VPN Connection by providing/selecting the following values:
- Name: provide a name for the VPN connection
- Target Gateway Type: Virtual Private Gateway
- Virtual Private Gateway: Select the previously created Gateway

- Customer Gateway: Select Existing
- Customer Gateway ID: Select the previously created Customer Gateway

Depending on whether a policy-based tunnel or a route-based tunnel should be created, define the remaining values as needed. Below are two examples:

Policy Based

- Routing Options: Static
- Static IP Prefixes: provide at least one network range from the Customer Gateway which will be announced to the VPC
Leave all other settings at their defaults

Routing Based

- Routing Options: Dynamic (Requires BGP)
Leave all other settings at their defaults

Extract Certificates and configuration details

Now that the tunnel has been created, the required information must be extracted from AWS.
Tunnel Details

Extract Certificates
- Navigate to the Certificate Manager
- Select the Customer Gateway certificate, click on Actions and export the certificate
- Provide a password with which the PEM files will be encrypted. Take a note of the password, as it will be required later.
- Save or download
       - Certificate Body
       - Certificate Chain
       - Certificate Private Key
- Repeat the process for both VPN endpoint certificates which were automatically created
- Save or download
       - Certificate Body


Nodegrid configuration

Base Configuration

  1. Log in to the Nodegrid
  2. Before configuring the IPsec tunnel on the Nodegrid, ensure the following items are configured; review the article on how to prepare a Nodegrid for an IPsec connection and the Nodegrid Security Guide:
    1. IPv4 forwarding, reverse path filtering
    2. Firewall
  3. Navigate to Network -> IPsec -> Global settings and disable "Enable Virtual Tunnel Interface" should it be enabled


Create IKE Profile

AWS VPCs support a wide range of IKE settings. The guide provides a working example which can be used with AWS VPC connections.

AWS_IKEv1

  1. Navigate to Network -> IPsec -> IKE Profile
  2. Click on Add and create a new profile
  3. Fill in the following settings:
    1. Profile Name: AWS_IKEv1
    2. IKE Version: IKEv1
    3. Phase 1:
      1. Encryption: AES-GCM256
      2. Authentication: SHA512
      3. Diffie-Hellman Group: Group 21
      4. Lifetime (sec): 28800
    4. Phase 2:
      1. Authentication Protocol: AES-GCM256
      2. Authentication: SHA512
      3. PFS Group: Group 21
      4. Lifetime (sec): 3600
    5. Dead Peer Detection
      1. Number of Retries: 5
      2. Interval (sec): 30
      3. Action: Restart



Import Certificates

  1. Copy all the exported certificate files to the Nodegrid's /tmp directory
  2. The following names were selected for the files:
    Customer Gateway certificate - certificate.crt
    Customer Gateway certificate private key - privateKey.key
    Customer Gateway certificate chain - ca.crt
    Endpoint 0 certificate - endpoint.0.crt
    Endpoint 1 certificate - endpoint.1.crt
  3. ssh to the Nodegrid and become the root user with
    1. shell sudo su -
  4. Run the following commands to import the certificates. openssl will prompt for the passphrase of the exported private key (the password chosen during the export) and then for a new export password protecting the .p12 file; ipsec import asks for that .p12 password.
    certutil -A -i /tmp/ca.crt -n "vpnca" -t "CT,," -d sql:/etc/ipsec/ipsec.d/
    openssl pkcs12 -export -out /tmp/certificate.p12 -inkey /tmp/privateKey.key -in /tmp/certificate.crt
    ipsec import --nssdir /etc/ipsec/ipsec.d/ /tmp/certificate.p12
    certutil -A -i /tmp/endpoint.0.crt -n "endpoint-0" -t "P,," -d sql:/etc/ipsec/ipsec.d/
    certutil -A -i /tmp/endpoint.1.crt -n "endpoint-1" -t "P,," -d sql:/etc/ipsec/ipsec.d/
  5. List the imported certificates and their aliases. NOTE: the full alias of the imported Customer Gateway certificate in this example, shown below, is "fre-ipsec.se.zpesystems.com - Sales Engineers ZPE Systems"
    root@fre-ipsec:~# certutil -L -d /etc/ipsec/ipsec.d/

    Certificate Nickname                                         Trust Attributes
                                                                 SSL,S/MIME,JAR/XPI

    endpoint-0                                                   P,,
    endpoint-1                                                   P,,
    vpnca                                                        CT,,
    fre-ipsec.se.zpesystems.com - Sales Engineers ZPE Systems    u,u,u
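The trust column is the quickest way to see whether the import went wrong: the CA must show CT, the two AWS endpoints P, and the Customer Gateway certificate u,u,u (the u flags only appear once the private key from the .p12 is in the database). The following script is an added example, not part of this article or of Nodegrid's tooling; it parses `certutil -L` output and reports anything the tunnel will refuse to work without. The nicknames are the ones chosen above and the embedded listing is the article's output, kept as a constructed sample so the script runs offline.

```python
"""Verify the NSS certificate database holds what an AWS certificate tunnel needs.

Added example, not part of the original article or of Nodegrid's tooling.
It parses the output of `certutil -L -d /etc/ipsec/ipsec.d/` and checks that
the CA, the two AWS endpoint certificates and the Customer Gateway certificate
are present with the trust attributes the tunnel relies on.
"""
import re
import subprocess

# Constructed sample: the `certutil -L` listing from the article.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

endpoint-0                                                   P,,
endpoint-1                                                   P,,
vpnca                                                        CT,,
fre-ipsec.se.zpesystems.com - Sales Engineers ZPE Systems    u,u,u
"""

# nickname, whitespace, then the three comma-separated trust fields (SSL, S/MIME, JAR/XPI)
LINE_RE = re.compile(r"^(?P<nick>.*?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_certutil_listing(text):
    """Map certificate nickname -> trust attribute string (e.g. 'CT,,')."""
    certs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("nick").strip():
            certs[m.group("nick").strip()] = m.group("trust")
    return certs


def check_tunnel_certs(certs, own_alias, ca_nick="vpnca",
                       peer_nicks=("endpoint-0", "endpoint-1")):
    """Return a list of problems; an empty list means the database is ready.

    Flags are read from the SSL column (the first of the three): C and T mark
    a trusted CA, P a trusted peer, u a certificate whose private key is present.
    """
    problems = []

    def ssl_flags(nick):
        return certs[nick].split(",")[0] if nick in certs else None

    ca = ssl_flags(ca_nick)
    if ca is None:
        problems.append(f"CA '{ca_nick}' is not imported")
    elif "C" not in ca or "T" not in ca:
        problems.append(f"CA '{ca_nick}' has trust '{certs[ca_nick]}', expected CT,,")

    for nick in peer_nicks:
        flags = ssl_flags(nick)
        if flags is None:
            problems.append(f"peer certificate '{nick}' is not imported")
        elif "P" not in flags:
            problems.append(f"peer certificate '{nick}' has trust '{certs[nick]}', expected P,,")

    own = ssl_flags(own_alias)
    if own is None:
        problems.append(f"Customer Gateway certificate '{own_alias}' is not imported")
    elif "u" not in own:
        problems.append(f"'{own_alias}' has no private key (trust '{certs[own_alias]}'); "
                        "re-run the PKCS#12 import")
    return problems


def list_nss_certs(nssdir="/etc/ipsec/ipsec.d/"):
    """Run certutil against the live database (needs root on the Nodegrid)."""
    out = subprocess.run(["certutil", "-L", "-d", f"sql:{nssdir}"],
                         capture_output=True, text=True, check=True).stdout
    return parse_certutil_listing(out)


if __name__ == "__main__":
    alias = "fre-ipsec.se.zpesystems.com - Sales Engineers ZPE Systems"
    problems = check_tunnel_certs(parse_certutil_listing(SAMPLE_LISTING), alias)
    print("ready" if not problems else "\n".join(problems))
```

Swap `parse_certutil_listing(SAMPLE_LISTING)` for `list_nss_certs()` to check the real database; a Customer Gateway certificate listed with ",," instead of "u,u,u" means only the public certificate landed in the database and the ipsec import step has to be repeated.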

Create Tunnel

  1. Create an IPsec configuration file in /etc/ipsec/ipsec.d/ with
    vi /etc/ipsec/ipsec.d/AWS.conf
  2. Copy the following template into the file and replace the variables (marked by {{ }}) with the required information. The example below is a policy-based tunnel
    # Managed by Nodegrid
    conn AWS
            auto=start
            type=tunnel
            leftid=%fromcert
            left=%defaultroute
            leftrsasigkey=%cert
            leftcert={{ AWS CUSTOMER GATEWAY CERTIFICATE ALIAS }}    #example "fre-ipsec.se.zpesystems.com - Sales Engineers ZPE Systems"
            rightid=%fromcert
            right={{ AWS VPC PUBLIC IP }}
            rightrsasigkey=%cert
            rightcert="endpoint-0"    #for the 2nd tunnel use the value endpoint-1
            also=AWS-IKEv1    #use a profile name which was created earlier, in this example either AWS-IKEv1 or AWS-IKEv2
            leftsourceip={{ Inside IP Addresses - Customer Gateway }}
            rightsourceip={{ Inside IP Addresses - Virtual Private Gateway }}
            leftsubnets={{ {Inside IP Address CIDR, Customer Gateway Network} }}    #example {169.254.109.12/30, 10.10.0.0/16}
            rightsubnets={{ {Inside IP Address CIDR, AWS Network} }}    #example {169.254.109.12/30, 10.0.0.0/16}
  3. Route-based configuration example. NOTE: This will only set the IPsec policies; no routes will be installed, this needs to be done manually.
    # Managed by Nodegrid
    conn AWS
            auto=start
            type=tunnel
            leftid=%fromcert
            left=%defaultroute
            leftrsasigkey=%cert
            leftcert={{ AWS CUSTOMER GATEWAY CERTIFICATE ALIAS }}    #example "fre-ipsec.se.zpesystems.com - Sales Engineers ZPE Systems"
            rightid=%fromcert
            right={{ AWS VPC PUBLIC IP }}
            rightrsasigkey=%cert
            rightcert="endpoint-0"    #for the 2nd tunnel use the value endpoint-1
            also=AWS-IKEv1    #use a profile name which was created earlier, in this example either AWS-IKEv1 or AWS-IKEv2
            leftsourceip=    #this should be blank
            rightsourceip=    #this should be blank
            leftsubnets=0.0.0.0/0
            rightsubnets=0.0.0.0/0
            mark=-1
            vti-interface=vtiaws01
            vti-routing=no
            vti-shared=yes
            leftvti=
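Most failed AWS tunnels come from the placeholders being filled inconsistently: the inside /30 in the subnet lists not matching the inside addresses, an RFC1918 address pasted as the VPC public IP, or overlapping networks on both sides so the policy selectors are ambiguous. As an added example (not part of this article or of Nodegrid's configuration tooling), the following Python script fills both templates above and validates the inputs before the file is written. The alias, nicknames and profile name are the ones used on this page; the public IP and inside addresses in its __main__ block are constructed sample values, and the check that both inside addresses are hosts of one /30 in 169.254.0.0/16 relies on how AWS allocates the inside tunnel addresses.

```python
"""Render and sanity-check one AWS `conn` block for /etc/ipsec/ipsec.d/.

Added example, not part of the original article or of Nodegrid's own
configuration tooling. It fills the {{ }} placeholders of the article's two
templates from Python values and validates the inputs first, so that a
mistyped inside address or overlapping networks are caught before the file
is written.
"""
import ipaddress

# AWS allocates the inside tunnel addresses as a /30 from this range.
AWS_INSIDE_RANGE = ipaddress.ip_network("169.254.0.0/16")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Lines shared by the policy-based and route-based templates of the article.
COMMON = """\
# Managed by Nodegrid
conn {name}
        auto=start
        type=tunnel
        leftid=%fromcert
        left=%defaultroute
        leftrsasigkey=%cert
        leftcert="{alias}"
        rightid=%fromcert
        right={peer}
        rightrsasigkey=%cert
        rightcert="{endpoint_nick}"
        also={profile}
"""


def check_peer(aws_public_ip):
    """The VPC tunnel endpoint must be a routable IPv4 unicast address."""
    peer = ipaddress.ip_address(aws_public_ip)
    if peer.version != 4 or peer.is_multicast or peer.is_loopback or peer.is_link_local \
            or any(peer in n for n in RFC1918):
        raise ValueError(f"right={peer} is not a usable AWS tunnel endpoint address")
    return peer


def inside_block(cg_inside_ip, vgw_inside_ip):
    """Both inside IPs must be distinct usable hosts of one /30 in 169.254.0.0/16."""
    left, right = ipaddress.ip_address(cg_inside_ip), ipaddress.ip_address(vgw_inside_ip)
    block = ipaddress.ip_network(f"{left}/30", strict=False)
    if left not in AWS_INSIDE_RANGE or right not in block or left == right:
        raise ValueError(f"inside IPs {left} and {right} are not two hosts of one AWS /30")
    edges = (block.network_address, block.broadcast_address)
    if left in edges or right in edges:
        raise ValueError(f"inside IPs must be the usable hosts of {block}")
    return block


def render_policy_based(name, alias, aws_public_ip, endpoint_nick, profile,
                        cg_inside_ip, vgw_inside_ip, cg_network, aws_network):
    """Policy-based tunnel: selectors carry the inside /30 plus each side's network."""
    peer = check_peer(aws_public_ip)
    block = inside_block(cg_inside_ip, vgw_inside_ip)
    cg_net, aws_net = ipaddress.ip_network(cg_network), ipaddress.ip_network(aws_network)
    if cg_net.overlaps(aws_net):
        raise ValueError(f"{cg_net} overlaps {aws_net}; the selectors would be ambiguous")
    conf = COMMON.format(name=name, alias=alias, peer=peer,
                         endpoint_nick=endpoint_nick, profile=profile)
    conf += (f"        leftsourceip={cg_inside_ip}\n"
             f"        rightsourceip={vgw_inside_ip}\n"
             f"        leftsubnets={{{block}, {cg_net}}}\n"
             f"        rightsubnets={{{block}, {aws_net}}}\n")
    return conf


def render_route_based(name, alias, aws_public_ip, endpoint_nick, profile, vti_interface):
    """Route-based tunnel: 0.0.0.0/0 selectors and a VTI; routes are added separately."""
    peer = check_peer(aws_public_ip)
    conf = COMMON.format(name=name, alias=alias, peer=peer,
                         endpoint_nick=endpoint_nick, profile=profile)
    conf += ("        leftsourceip=\n"
             "        rightsourceip=\n"
             "        leftsubnets=0.0.0.0/0\n"
             "        rightsubnets=0.0.0.0/0\n"
             "        mark=-1\n"
             f"        vti-interface={vti_interface}\n"
             "        vti-routing=no\n"
             "        vti-shared=yes\n"
             "        leftvti=\n")
    return conf


if __name__ == "__main__":
    ALIAS = "fre-ipsec.se.zpesystems.com - Sales Engineers ZPE Systems"
    # 203.0.113.10 and the 169.254.109.12/30 hosts are constructed sample values
    print(render_policy_based("AWS", ALIAS, "203.0.113.10", "endpoint-0", "AWS-IKEv1",
                              "169.254.109.14", "169.254.109.13", "10.10.0.0/16", "10.0.0.0/16"))
```

Write the returned string to /etc/ipsec/ipsec.d/AWS.conf only after the function returns without raising; for the second AWS tunnel call it again with "endpoint-1", the second inside /30 and, for the route-based form, a different VTI interface name.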

Appendix

import_settings commands

IPsec Global Settings

    /settings/ipsec/global enable_virtual_tunnel_interface=no
    /settings/ipsec/global enable_logging=no

AWS_IKEv1 Profile

    /settings/ipsec/ike_profile/AWS_IKEv1 profile_name=AWS_IKEv1
    /settings/ipsec/ike_profile/AWS_IKEv1 ike_version=ikev1
    /settings/ipsec/ike_profile/AWS_IKEv1 phase_1_mode=main
    /settings/ipsec/ike_profile/AWS_IKEv1 phase_1_encryption=aes
    /settings/ipsec/ike_profile/AWS_IKEv1 phase_1_authentication=sha256
    /settings/ipsec/ike_profile/AWS_IKEv1 phase_1_diffie-hellman_group=group_2
    /settings/ipsec/ike_profile/AWS_IKEv1 phase_1_lifetime=28800
    /settings/ipsec/ike_profile/AWS_IKEv1 phase_2_authentication_protocol=esp
    /settings/ipsec/ike_profile/AWS_IKEv1 phase_2_encryption=aes
    /settings/ipsec/ike_profile/AWS_IKEv1 phase_2_authentication=sha2_256
    /settings/ipsec/ike_profile/AWS_IKEv1 phase_2_pfs_group=group_2
    /settings/ipsec/ike_profile/AWS_IKEv1 phase_2_lifetime=3600
    /settings/ipsec/ike_profile/AWS_IKEv1 enable_dead_peer_detection=yes
    /settings/ipsec/ike_profile/AWS_IKEv1 dead_peer_detection_number_of_retries=5
    /settings/ipsec/ike_profile/AWS_IKEv1 dead_peer_detection_interval=30
    /settings/ipsec/ike_profile/AWS_IKEv1 dead_peer_detection_action=restart
