
IPSec Tunneling

Requirement:

Establish connectivity between the on-premises data center and the AWS data center using IPSec tunneling.

Solution:

Since we don't have an on-premises data center, we create the IPSec tunnel between two VPCs in different accounts and different regions instead.


Steps to achieve this:
1. Create VPC A with CIDR range 10.100.0.0/16 in the first account.
2. Create Subnet A in VPC A with range 10.100.1.0/24.
3. Create an Internet Gateway and attach it to VPC A.
4. Add the route 0.0.0.0/0 in the default route table with the Internet Gateway as target.
5. Create VPC B with CIDR range 10.200.0.0/16 in the second account.
6. Create Subnet B in VPC B with range 10.200.1.0/24.
7. Create an Internet Gateway and attach it to VPC B.
8. Add the route 0.0.0.0/0 in the default route table with the Internet Gateway as target.
9. Steps to be executed in VPC B:
   a. Launch an EC2 instance in VPC B with a public IP enabled.
   b. Log in to the EC2 instance created for the OpenSwan software and install it as below:
      [root@ip-10-200-1-88 ~]# yum install openswan -y
10. Steps to be executed in VPC A:
   a. Create the Virtual Private Gateway and attach it to VPC A.
   b. Create the Customer Gateway: enter the name, select the Static Routing radio button, then enter the public IP address of the OpenSwan server created in VPC B.
   c. Create the Site-to-Site VPN Connection:
      i. Enter a Name tag.
      ii. Select the Virtual Private Gateway from the drop-down.
      iii. Select the Customer Gateway from the drop-down.
      iv. Select the routing option Static and enter the CIDR range of VPC B.
      v. Keep the rest of the values at their defaults and click the Create VPN Connection button.
      Note: This will take a few minutes to become active.
   d. Go to the route table and click the Route Propagation tab:
      i. Click the Edit route propagation button.
      ii. Select the checkbox under Propagate and click the Save button.
   e. Navigate to Site-to-Site VPN Connections and ensure the status of the VPN connection created above is "available".
   f. Select the VPN connection created and click the Download Configuration button:
      · Select Vendor as OpenSwan, then click the Download button. This downloads a text file to your desktop.
11. Follow the IPSec Tunnel 1 steps from the downloaded text file on the OpenSwan server in VPC B:
   a. Open the file /etc/sysctl.conf in edit mode, add the lines below, then save and close the file:
      net.ipv4.ip_forward = 1
      net.ipv4.conf.default.rp_filter = 0
      net.ipv4.conf.default.accept_source_route = 0
   b. Restart the network service as below:
      service network restart
   c. Edit the file /etc/ipsec.conf and ensure the line below is uncommented (uncomment it if it is not) so that the configuration files created in the following steps are read:
      include /etc/ipsec.d/*.conf
   d. Create a new file at /etc/ipsec.d/aws.conf if it doesn't already exist, open it, and append the following configuration to the end of the file:
      #leftsubnet= is the local network behind your openswan server, and you will need to replace the <LOCAL NETWORK> below with this value (don't include the brackets). If you have multiple subnets, you can use 0.0.0.0/0 instead.
      #rightsubnet= is the remote network on the other side of your VPN tunnel that you wish to have connectivity with, and you will need to replace <REMOTE NETWORK> with this value (don't include brackets).
      conn Tunnel1
          authby=secret
          auto=start
          left=%defaultroute
          leftid=13.233.105.163
          right=3.13.170.32
          type=tunnel
          ikelifetime=8h
          keylife=1h
          phase2alg=aes128-sha1;modp1024
          ike=aes128-sha1;modp1024
          auth=esp
          keyingtries=%forever
          keyexchange=ike
          leftsubnet=10.200.0.0/16
          rightsubnet=10.100.0.0/16
          dpddelay=10
          dpdtimeout=30
          dpdaction=restart_by_peer
      Note 1: Ensure you remove the auth=esp line.
      Note 2: leftid is the IP of the Customer Gateway created in VPC A. Do not edit it, as it is auto-populated in the downloaded text file.
   e. Create a new file at /etc/ipsec.d/aws.secrets if it doesn't already exist and append this line to the file (be mindful of the spacing!):
      13.233.105.163 3.13.170.32: PSK "qQ0Sws_uA4VVyCVbNi6MeNsNqrFrsNo9"
   f. Restart the ipsec service:
      service ipsec restart
12. Navigate to the Site-to-Site VPN Connection in VPC A and check the status under Tunnel Details.
13. Log in to the OpenSwan server and ping the private IP of the EC2 instance in VPC A.
14. Create a custom NACL in VPC A and navigate to the Subnet associations tab.
15. Click Edit subnet associations and select Subnet B.
16. Add the inbound rules to allow SSH and ping from the VPC B CIDR range.
17. Add the outbound rules to allow all IP ranges.
Note 1: A default or custom NACL can be associated with multiple subnets; however, a subnet can be associated with only one NACL. By default a subnet is associated with the default NACL, so you have to associate the required subnet with the custom NACL.
Note 2: By default, everything is blocked in a custom NACL. You must add rules explicitly, either Allow or Deny.
Note 3: The lower the rule number, the higher the precedence, i.e. rule #99 takes precedence over rule #100.
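As an added example (it is not part of the original post, nor tooling from AWS or the Openswan project), the shell script below runs pre-flight checks on the three files step 11 has you edit on the OpenSwan server, before `service ipsec restart`: it verifies that the auth=esp line is gone (Note 1), that every line of aws.secrets has exactly the spacing the post warns about and names the same leftid/right pair that aws.conf uses (Note 2, the usual cause of a PSK lookup failure), and that the three sysctl lines are present. It also flags modp1024, which the downloaded configuration negotiates: that is 1024-bit Diffie-Hellman (IKE group 2), below current key-size recommendations, and the AWS tunnel options let you pick a stronger group. The sample files, addresses and PSK are constructed placeholders; on the real server pass /etc/ipsec.d/aws.conf, /etc/ipsec.d/aws.secrets and /etc/sysctl.conf to the functions instead.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the files
# step 11 has you edit on the OpenSwan server, to run before "service ipsec
# restart". All sample files, addresses and the PSK below are constructed.

# Note 1 of the post: the downloaded config carries an auth=esp line that must
# be deleted. Returns 0 when the line is gone, 1 when it is still present.
check_no_auth_esp() {
    if grep -Eq '^[[:space:]]*auth=esp[[:space:]]*$' "$1"; then
        echo "FAIL: $1 still contains auth=esp; delete that line" >&2
        return 1
    fi
}

# The post's "be mindful of the spacing" warning: every non-comment line of
# aws.secrets must be exactly  <customer gw IP> <AWS tunnel IP>: PSK "<secret>"
# (one space between the addresses, colon attached to the second address).
check_secrets_format() {
    ip4='[0-9]{1,3}(\.[0-9]{1,3}){3}'
    pat="^${ip4} ${ip4}: PSK \"[^\"]+\"\$"
    # grep -c exits 1 when the count is 0, hence the "|| true"
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Evc "$pat" || true)
    if [ "$bad" -ne 0 ]; then
        echo "FAIL: $bad malformed line(s) in $1" >&2
        return 1
    fi
}

# Note 2 of the post: leftid= is the customer gateway (OpenSwan public IP) and
# right= the AWS tunnel IP; aws.secrets must name the same pair in the same
# order, otherwise the PSK lookup for the connection fails.
check_peer_ids_match() {
    leftid=$(sed -n 's/^[[:space:]]*leftid=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    right=$(sed -n 's/^[[:space:]]*right=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    pair=$(printf '%s %s' "$leftid" "$right" | sed 's/\./\\./g')   # escape dots for grep
    if ! grep -Eq "^${pair}: PSK " "$2"; then
        echo "FAIL: no PSK for peer pair '$leftid $right' in $2" >&2
        return 1
    fi
}

# The post's /etc/sysctl.conf additions: forwarding on, reverse-path filtering
# and source routing off. Returns 1 at the first missing line.
check_sysctl_lines() {
    for kv in 'net.ipv4.ip_forward = 1' \
              'net.ipv4.conf.default.rp_filter = 0' \
              'net.ipv4.conf.default.accept_source_route = 0'; do
        key=$(printf '%s' "${kv%% =*}" | sed 's/\./\\./g')
        val=${kv##*= }
        if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*${val}[[:space:]]*\$" "$1"; then
            echo "FAIL: $1 lacks '$kv'" >&2
            return 1
        fi
    done
}

# Caveat beyond the post: modp1024 is 1024-bit Diffie-Hellman (IKE group 2),
# below current key-size recommendations. Returns 1 while the conn still uses it.
warn_weak_dh() {
    if grep -Eq '^[[:space:]]*(ike|phase2alg)=.*modp1024' "$1"; then
        echo "WARN: $1 negotiates modp1024 (1024-bit DH); prefer a stronger group" >&2
        return 1
    fi
}

# Constructed sample files (RFC 5737 placeholder addresses, placeholder PSK).
make_samples() {
    d=$(mktemp -d)
    cat > "$d/aws.conf.downloaded" <<'EOF'
conn Tunnel1
    authby=secret
    left=%defaultroute
    leftid=198.51.100.10
    right=203.0.113.20
    auth=esp
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    leftsubnet=10.200.0.0/16
    rightsubnet=10.100.0.0/16
EOF
    grep -Ev '^[[:space:]]*auth=esp' "$d/aws.conf.downloaded" > "$d/aws.conf"  # Note 1 applied
    printf '%s\n' '198.51.100.10 203.0.113.20: PSK "PLACEHOLDER_PSK"' > "$d/aws.secrets"
    printf '%s\n' '198.51.100.10  203.0.113.20 : PSK "PLACEHOLDER_PSK"' > "$d/aws.secrets.bad"
    printf '%s\n' 'net.ipv4.ip_forward = 1' 'net.ipv4.conf.default.rp_filter = 0' \
        'net.ipv4.conf.default.accept_source_route = 0' > "$d/sysctl.conf"
    echo "$d"
}

# Demo against the constructed files; on the real server pass the /etc paths.
d=$(make_samples)
check_no_auth_esp "$d/aws.conf.downloaded" || echo "(as expected, the downloaded file fails Note 1)"
check_no_auth_esp "$d/aws.conf" && echo "aws.conf: auth=esp removed"
check_secrets_format "$d/aws.secrets" && echo "aws.secrets: spacing OK"
check_peer_ids_match "$d/aws.conf" "$d/aws.secrets" && echo "aws.conf/aws.secrets: peer pair matches"
check_sysctl_lines "$d/sysctl.conf" && echo "sysctl.conf: forwarding lines present"
warn_weak_dh "$d/aws.conf" || echo "(downloaded defaults still use modp1024)"
```

Each function returns 0 on success and 1 on a finding, so the checks chain with `&&` into a single go/no-go before the ipsec restart, and the failure messages go to stderr so they stay visible when the script's normal output is redirected.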
