Connecting VPCs With IPSec and StrongSwan

For many organizations on AWS it is important to deploy applications to multiple regions. Doing so insulates them from region-specific outages and allows traffic to be served closer to the consumer.

A problem emerges, however, when applications in a VPC must communicate with applications in a VPC in a different region. At the time of writing, there is no VPC peering between regions. This means that one or both of the applications must be reachable from the Internet, a condition some teams may not want to accept.

Although there is no inter-region VPC peering on AWS, it is possible to connect VPCs with an IPSec VPN. Traffic between VPCs may be routed over the VPN, and applications may communicate without exposing unencrypted traffic to the Internet.

This can be accomplished with StrongSwan, an open-source IPSec VPN solution.

StrongSwan is a good tool for this work for the following reasons.

  • It is actively maintained
  • It has a good amount of available documentation
  • There is a friendly, helpful IRC channel on Freenode: #strongswan

Assuming one end of the VPN tunnel is managed by AWS, it helps to know what AWS supports.

The following connection configuration is known to work at present:

# Authenticate the peers with a pre-shared key (AWS issues one per tunnel)
authby=secret
# Dead Peer Detection: probe every 10s, restart the tunnel after 30s without a reply
dpddelay=10
dpdtimeout=30
dpdaction=restart
# Proposals known to work against the AWS endpoint; the trailing "!" makes them strict
esp=aes128-sha1-modp1024!
ike=aes128-sha1-modp1024!
# IKE SA (phase 1) lifetime of 8 hours, IPsec SA (phase 2) lifetime of 1 hour
ikelifetime=28800s
lifetime=1h
keyexchange=ikev1
# Retry indefinitely and rekey before the SAs expire
keyingtries=%forever
rekey=yes
type=tunnel

If you are using Chef for configuration management, there are cookbooks that can help configure StrongSwan.

For instance, there is a good cookbook available from Jerry Jackson called strongSwan-base. It covers the use of several common scenarios.

However, if you are connecting to an AWS IPSec tunnel endpoint you may want something more specific.

For this reason I created a Chef cookbook, strongswanaws. It contains a custom resource for these types of connections. It may be useful to a number of people because strongswanaws tries to do the following:

  • Make this configuration easy
  • Hide StrongSwan complexity
  • Expose configuration that a person would need to customize with info from AWS.

For instance, using the VPC Creation Wizard a person can create two VPCs in different regions: one VPC using the selection marked “VPC with Public and Private Subnets and Hardware VPN Access”, and the other VPC using the selection marked “VPC with a Single Public Subnet”.

Once complete, find the following information:

  • VPN Tunnel Pre-shared Key
  • VPN Tunnel IP
  • Local network CIDR address
  • Remote network CIDR address

Add this information to your Chef environment and the strongswanaws data bag, as shown in the README.md.

When Chef next converges, StrongSwan should connect and bring up a tunnel to your other AWS VPC.

Note: In order to route traffic over the new StrongSwan node, you will need to add routes as shown in the AWS Hardware VPN docs.
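As an added example (not code from this post or from the strongswanaws cookbook), the script below takes the four values listed above and renders a StrongSwan conn block and the matching ipsec.secrets line using the connection settings shown earlier. The conn name, the left=%defaultroute/leftid layout for an EC2 instance behind an Elastic IP, and the sample addresses are assumptions; it also rejects overlapping CIDRs, which cannot be routed over the tunnel unambiguously.

```python
import ipaddress

# Connection settings the post reports as working against the AWS endpoint.
AWS_CONN_SETTINGS = [
    ("authby", "secret"), ("dpddelay", "10"), ("dpdtimeout", "30"),
    ("dpdaction", "restart"), ("esp", "aes128-sha1-modp1024!"),
    ("ike", "aes128-sha1-modp1024!"), ("ikelifetime", "28800s"),
    ("lifetime", "1h"), ("keyexchange", "ikev1"),
    ("keyingtries", "%forever"), ("rekey", "yes"), ("type", "tunnel"),
]


def validate_networks(local_cidr, remote_cidr):
    """Parse both CIDRs strictly and refuse a pair that overlaps."""
    local = ipaddress.ip_network(local_cidr, strict=True)
    remote = ipaddress.ip_network(remote_cidr, strict=True)
    if local.overlaps(remote):
        raise ValueError(f"local {local} overlaps remote {remote}")
    return local, remote


def render_ipsec_conf(conn_name, local_eip, local_cidr, tunnel_ip, remote_cidr):
    """Build the conn block: left* is this node, right* is the AWS tunnel endpoint."""
    local, remote = validate_networks(local_cidr, remote_cidr)
    ipaddress.ip_address(local_eip)  # raises ValueError on a malformed address
    ipaddress.ip_address(tunnel_ip)
    lines = [
        f"conn {conn_name}",
        "    left=%defaultroute",    # assumption: EC2 private address, EIP NATed to it
        f"    leftid={local_eip}",   # identify this node by its public Elastic IP
        f"    leftsubnet={local}",
        f"    right={tunnel_ip}",    # VPN Tunnel IP from the AWS console
        f"    rightsubnet={remote}",
        "    auto=start",
    ]
    lines += [f"    {key}={value}" for key, value in AWS_CONN_SETTINGS]
    return "\n".join(lines) + "\n"


def render_ipsec_secrets(local_eip, tunnel_ip, psk):
    """One PSK line naming both peers, so the key is only offered to the AWS endpoint."""
    if not psk or '"' in psk:
        raise ValueError("pre-shared key must be non-empty and contain no double quotes")
    return f'{local_eip} {tunnel_ip} : PSK "{psk}"\n'


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges), not real AWS data.
    print(render_ipsec_conf("aws-vpc", "203.0.113.10", "10.0.0.0/16",
                            "198.51.100.5", "10.1.0.0/16"))
    print(render_ipsec_secrets("203.0.113.10", "198.51.100.5", "constructed-psk"))
```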
