Policy-based VPN: GCP (Strongswan) to AWS


This article shows how to build a policy-based IPsec VPN between GCP and AWS: Strongswan on a GCP instance acts as the GCP-side gateway, and the AWS managed VPN service terminates the tunnel on the AWS side.

GitHub Repository for Terraform Script

The Terraform implementation on GitHub can be found here – Policy-based IPsec VPN – GCP (Strongswan) and AWS (VPN). The README file in the GitHub repository describes how to run the scripts and configure the tunnels.

Sample Strongswan configuration

The configuration below is what ends up on the GCP gateway. A few points worth knowing before copying it: the pre-shared key in /etc/ipsec.secrets is a placeholder in this sample; each AWS tunnel has its own PSK in the configuration AWS generates for the VPN connection, and that value belongs here. The file should be readable only by root (mode 0600), and the %any selector offers the key to any peer, so naming the AWS tunnel address instead of %any is the tighter choice. In ipsec.conf, left=%any lets charon bind the instance's private address while leftid carries the external IP that GCP maps 1:1 onto it, and forceencaps=yes forces UDP encapsulation on port 4500 through that NAT. keyexchange=ikev1 matches what AWS VPN required when this was written (AWS has since added IKEv2), and the trailing ! on the ike and esp lines makes the proposals strict: AES-128, HMAC-SHA1 and DH group 14 (modp2048, which on the esp line enables PFS) are the only options offered. An AWS VPN connection provides two tunnel endpoints; only the first is active here, and the second conn is left commented out with a placeholder for the second peer address.

user@strongswan-gateway:~$ sudo cat /etc/ipsec.secrets
%any : PSK "password123"
user@strongswan-gateway:~$
user@strongswan-gateway:~$ sudo cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup

include /var/lib/strongswan/ipsec.conf.inc

conn %default
    authby=psk
    auto=start
    dpdaction=hold
    esp=aes128-sha1-modp2048!
    forceencaps=yes
    ike=aes128-sha1-modp2048!
    keyexchange=ikev1
    mobike=no
    type=tunnel
    left=%any
    leftid=35.230.154.145
    leftsubnet=10.0.0.0/24
    leftauth=psk
    leftikeport=4500
    rightsubnet=10.0.1.0/24
    rightauth=psk
    rightikeport=4500

conn aws-tunnel1
    right=35.176.138.106

#conn aws-tunnel2
#    right=[ON_PREM_EXTERNAL_IP_ADDRESS2]
user@strongswan-gateway:~$
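As an added example (not code from the article or its Terraform repository), the following POSIX shell script renders the same configuration for both AWS tunnel endpoints from parameters and writes an ipsec.secrets that binds each key to its peer with mode 0600. The function names, the example peer addresses 198.51.100.10 and 198.51.100.11 and the generated key are placeholders; for a real AWS connection the PSKs come from the configuration AWS generates for the VPN connection.

```shell
#!/bin/sh
# Added example, not from the article's repository. Renders an ipsec.conf
# with one conn per AWS tunnel endpoint (an AWS VPN connection has two) and
# an ipsec.secrets that binds each PSK to its peer instead of "%any".
# Addresses, subnets and keys are whatever the caller passes in (placeholders).

# Print a random PSK (32 bytes, base64). Use this for lab peers you control;
# for AWS, use the PSK from the VPN connection's downloaded configuration.
gen_psk() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 32
    else
        head -c 32 /dev/urandom | base64 | tr -d '\n'
    fi
}

# render_ipsec_conf LOCAL_ID LEFT_SUBNET RIGHT_SUBNET PEER_IP...
# Mirrors the article's %default block (IKEv1, PSK, aes128-sha1-modp2048,
# NAT-T forced on 4500). Parameter lines are indented because the ipsec.conf
# parser treats an unindented line as the start of a new section.
render_ipsec_conf() {
    local_id=$1; left_subnet=$2; right_subnet=$3; shift 3
    cat <<EOF
config setup

conn %default
    authby=psk
    auto=start
    dpdaction=hold
    esp=aes128-sha1-modp2048!
    forceencaps=yes
    ike=aes128-sha1-modp2048!
    keyexchange=ikev1
    mobike=no
    type=tunnel
    left=%any
    leftid=$local_id
    leftsubnet=$left_subnet
    leftauth=psk
    leftikeport=4500
    rightsubnet=$right_subnet
    rightauth=psk
    rightikeport=4500
EOF
    n=1
    for peer in "$@"; do
        printf '\nconn aws-tunnel%d\n    right=%s\n' "$n" "$peer"
        n=$((n + 1))
    done
}

# write_secrets PATH LOCAL_ID PEER_IP PSK [PEER_IP PSK ...]
# Creates PATH with mode 0600 before any key is written, then one line per
# peer of the form  <local-id> <peer-ip> : PSK "<key>"  so each key is only
# offered to the peer it belongs to.
write_secrets() {
    path=$1; local_id=$2; shift 2
    ( umask 077 && : > "$path" ) || return 1
    chmod 600 "$path"
    while [ $# -ge 2 ]; do
        printf '%s %s : PSK "%s"\n' "$local_id" "$1" "$2" >> "$path"
        shift 2
    done
}

# secret_for PATH PEER_IP: print the PSK recorded for PEER_IP (a read-back
# helper for verifying the file; charon does not need it).
secret_for() {
    sed -n "s/^[^ ]* $2 : PSK \"\(.*\)\"$/\1/p" "$1"
}

# Example run (writes to a temporary directory, not /etc):
#   tmp=$(mktemp -d)
#   render_ipsec_conf 35.230.154.145 10.0.0.0/24 10.0.1.0/24 198.51.100.10 198.51.100.11 > "$tmp/ipsec.conf"
#   write_secrets "$tmp/ipsec.secrets" 35.230.154.145 198.51.100.10 "$(gen_psk)" 198.51.100.11 "$(gen_psk)"
```

On the gateway the two files would be copied to /etc/ipsec.conf and /etc/ipsec.secrets and the daemon told to reload them with ipsec reload and ipsec rereadsecrets; the point of the script is that both tunnels are configured from one set of inputs and that the secrets file never exists with permissive permissions, even briefly.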

Testing the Connectivity

With the tunnel configured, sudo ipsec statusall shows whether it came up. Under Security Associations the IKE SA line should read ESTABLISHED and the CHILD SA line INSTALLED, with the traffic selectors 10.0.0.0/24 === 10.0.1.0/24 matching leftsubnet and rightsubnet. "ESP in UDP" confirms the NAT-T encapsulation forced by forceencaps=yes: the gateway listens on its private address 10.0.0.3 but identifies itself as its external address 35.230.154.145. The byte counters stay at 0 bytes_i and 0 bytes_o until something sends traffic matching the policy, which the ping to a host in the AWS subnet below does; a counter that grows only in the outbound direction afterwards suggests a routing or security-group problem on the AWS side rather than a fault at the IPsec layer.

user@strongswan-gateway:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-6-amd64, x86_64):
  uptime: 5 minutes, since Jun 24 14:43:49 2018
  malloc: sbrk 1486848, mmap 0, used 405216, free 1081632
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
  10.0.0.3
Connections:
 aws-tunnel1:  %any...35.176.138.106  IKEv1, dpddelay=30s
 aws-tunnel1:   local:  [35.230.154.145] uses pre-shared key authentication
 aws-tunnel1:   remote: [35.176.138.106] uses pre-shared key authentication
 aws-tunnel1:   child:  10.0.0.0/24 === 10.0.1.0/24 TUNNEL, dpdaction=hold
Security Associations (1 up, 0 connecting):
 aws-tunnel1[1]: ESTABLISHED 5 minutes ago, 10.0.0.3[35.230.154.145]...35.176.138.106[35.176.138.106]
 aws-tunnel1[1]: IKEv1 SPIs: 15dc4b0dac8f597d_i* 49c6c79abaa83386_r, pre-shared key reauthentication in 2 hours
 aws-tunnel1[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
 aws-tunnel1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c54bc988_i 724cf525_o
 aws-tunnel1{1}:  AES_CBC_128/HMAC_SHA1_96/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
 aws-tunnel1{1}:   10.0.0.0/24 === 10.0.1.0/24
user@strongswan-gateway:~$ 
user@strongswan-gateway:~$ ping -c 5 10.0.1.122
PING 10.0.1.122 (10.0.1.122) 56(84) bytes of data.
64 bytes from 10.0.1.122: icmp_seq=1 ttl=254 time=3.79 ms
64 bytes from 10.0.1.122: icmp_seq=2 ttl=254 time=3.54 ms
64 bytes from 10.0.1.122: icmp_seq=3 ttl=254 time=3.46 ms
64 bytes from 10.0.1.122: icmp_seq=4 ttl=254 time=3.22 ms
64 bytes from 10.0.1.122: icmp_seq=5 ttl=254 time=3.42 ms

--- 10.0.1.122 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 3.227/3.492/3.795/0.191 ms
user@strongswan-gateway:~$ 
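As an added example, not part of the article, here is a small set of shell checks over the output of ipsec statusall that script what the eye does above: confirm that the conn's IKE SA is ESTABLISHED and its CHILD SA INSTALLED, and read the ESP byte counters so that a run before and after the ping shows traffic actually crossing the tunnel. The sample status text is constructed from the output shown above (the post-ping counter values are illustrative), and the function names are not strongSwan's.

```shell
#!/bin/sh
# Added example, not from the article. Health checks over `ipsec statusall`
# output: is the conn's IKE SA ESTABLISHED and its CHILD SA INSTALLED, and do
# the ESP byte counters move once traffic is sent through the tunnel?

# tunnel_up CONN  (reads statusall output on stdin)
# Returns 0 when CONN has an ESTABLISHED IKE SA and an INSTALLED CHILD SA,
# 1 if the IKE SA is missing or still CONNECTING, 2 if no CHILD SA is installed.
tunnel_up() {
    conn=$1
    status=$(cat)
    printf '%s\n' "$status" | grep -q "^ *${conn}\[[0-9]*\]: *ESTABLISHED" || return 1
    printf '%s\n' "$status" | grep -q "^ *${conn}[{][0-9]*[}]: *INSTALLED" || return 2
    return 0
}

# esp_bytes CONN  (reads statusall output on stdin)
# Prints "<bytes_in> <bytes_out>" for CONN's CHILD SA, or nothing if none.
esp_bytes() {
    grep "^ *${1}[{][0-9]*[}]:" |
        sed -n 's/.*, \([0-9]*\) bytes_i, \([0-9]*\) bytes_o.*/\1 \2/p'
}

# traffic_seen "IN OUT" "IN OUT": compare two esp_bytes readings and return 0
# only if both counters increased, i.e. packets left through the tunnel and
# replies came back (a one-way increase usually means routing or a security
# group on the far side is dropping the return traffic).
traffic_seen() {
    set -- $1 $2
    [ "$3" -gt "$1" ] && [ "$4" -gt "$2" ]
}

# Constructed from the statusall output above (only the SA lines matter here).
STATUS_UP='Security Associations (1 up, 0 connecting):
 aws-tunnel1[1]: ESTABLISHED 5 minutes ago, 10.0.0.3[35.230.154.145]...35.176.138.106[35.176.138.106]
 aws-tunnel1[1]: IKEv1 SPIs: 15dc4b0dac8f597d_i* 49c6c79abaa83386_r, pre-shared key reauthentication in 2 hours
 aws-tunnel1[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
 aws-tunnel1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c54bc988_i 724cf525_o
 aws-tunnel1{1}:  AES_CBC_128/HMAC_SHA1_96/MODP_2048, 0 bytes_i, 0 bytes_o, rekeying in 38 minutes
 aws-tunnel1{1}:   10.0.0.0/24 === 10.0.1.0/24'

# Constructed: the same conn shortly after the five pings (counter values illustrative).
STATUS_AFTER_PING='Security Associations (1 up, 0 connecting):
 aws-tunnel1[1]: ESTABLISHED 6 minutes ago, 10.0.0.3[35.230.154.145]...35.176.138.106[35.176.138.106]
 aws-tunnel1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c54bc988_i 724cf525_o
 aws-tunnel1{1}:  AES_CBC_128/HMAC_SHA1_96/MODP_2048, 420 bytes_i, 420 bytes_o, rekeying in 37 minutes
 aws-tunnel1{1}:   10.0.0.0/24 === 10.0.1.0/24'

# Constructed: what the check sees while IKE is still negotiating (wrong PSK,
# UDP 500/4500 blocked by a firewall rule, peer address wrong, ...).
STATUS_CONNECTING='Security Associations (0 up, 1 connecting):
 aws-tunnel1[1]: CONNECTING, 10.0.0.3[%any]...35.176.138.106[%any]
 aws-tunnel1[1]: IKEv1 SPIs: 15dc4b0dac8f597d_i* 0000000000000000_r'

# Live use on the gateway:
#   sudo ipsec statusall | tunnel_up aws-tunnel1 && echo "tunnel up"
#   before=$(sudo ipsec statusall | esp_bytes aws-tunnel1); ping -c 5 10.0.1.122 >/dev/null
#   after=$(sudo ipsec statusall | esp_bytes aws-tunnel1); traffic_seen "$before" "$after" && echo "traffic flows"
```

The exit status of tunnel_up is what a monitoring check wants, and the before/after comparison with esp_bytes is the distinction that matters in practice: an INSTALLED CHILD SA with counters stuck at zero is a tunnel that is up but that nothing is routed into.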
