Azure strongSwan (Classic mode) – AWS strongSwan cert authentication

(14 Sep 2017)

In this test a VPN connection was established between the Azure and AWS clouds, with a strongSwan VPN gateway running in an Ubuntu Linux virtual machine on each side. Authentication was done with certificates, which is more secure than PSK (Pre-Shared Key) authentication. The certificates were signed by an OpenSSL CA running on the Azure Ubuntu server.

The following configuration settings and VPN versions were used:

Azure

  • Virtual network: 10.7.1.0/24 (protected Network)
  • Public IP xxx.xxx.xxx.xxx, internal IP 10.7.1.4
  • Ubuntu 14.04 Linux
  • Linux strongSwan U5.1.2/K3.19.0-58-generic

AWS

  • Virtual network 172.31.0.0/20 (protected network)
  • Public IP yyy.yyy.yyy.yyy, internal IP 172.31.13.57
  • Ubuntu 14.04 Linux
  • Linux strongSwan U5.1.2/K3.13.0-74-generic

[Figure: AzureStrongswan-AWSStrongswan]

Setting up the strongSwan VPN gateway in Azure

  1. In Azure create Virtual Network with address space 10.7.1.0/24
  2. Add Ubuntu 14.04 Virtual Machine in the Virtual Network
  3. In Azure Endpoints menu of the Ubuntu server, enable the endpoints for UDP 500 and UDP 4500 packets:
    1. UDP 500: Private port 500, Public port 500
    2. UDP 4500: Private port 4500, Public port 4500
  4. In the Dashboard check the Public Virtual IP Address assigned to the Virtual Machine (this will be used as the remote gateway address in the AWS VPN configuration).
  5. Connect to the Ubuntu server e.g. with SSH.
  6. Install strongSwan VPN gateway with command: sudo apt-get install strongswan
  7. Edit IPSec and address settings in the configuration file: /etc/ipsec.conf
  8. Copy the CA certificate, strongSwan VPN gateway certificate and the Private Key file to the Ubuntu server (if not already there):
    • CA certificate to /etc/ipsec.d/cacerts
    • strongSwan VPN gateway certificate to /etc/ipsec.d/certs
    • strongSwan Private Key file to /etc/ipsec.d/private
  9. Add a reference to the Private Key file and the optional file password in /etc/ipsec.secrets
  10. Restart the VPN service: sudo ipsec restart

In addition to the above steps, the routing settings in Azure Virtual Network may need to be modified as discussed on the page Routing with Ubuntu Linux VPN Gateway.

Sample IPSEC.CONF for Azure strongSwan

config setup
    # nat_traversal is ignored since strongSwan 5.0 (NAT traversal is always enabled)
    nat_traversal=yes

conn aws
    leftsubnet=10.7.1.0/24
    leftcert=strongswanCert.pem
    right=yyy.yyy.yyy.yyy
    rightsubnet=172.31.0.0/20
    rightid="C=FI, ST=Some-State, O=MyOrg, OU=MyUnit, CN=MyAWSVPN, E=awsemail@myorg.com"
    auto=start


NOTES:
  • "strongswanCert.pem" is the certificate of the Azure strongSwan VPN gateway
  • rightid must match the Subject field of the AWS VPN gateway's certificate
  • right = public IP address of the AWS VPN gateway

Sample IPSEC.SECRETS for Azure strongSwan

: RSA strongswanKey.pem "password"


NOTES:
  • "strongswanKey.pem" is the private key file of the Azure VPN gateway; the file is protected by a password

Setting up the strongSwan VPN gateway in AWS

  1. Add Ubuntu 14.04 Virtual Machine in AWS
  2. Select the new instance and then Actions > Networking > Change Source/Dest Check and disable the check
  3. Open the Security Group > Inbound menu and create the custom inbound rules to allow UDP 500 and UDP 4500 packets and all the local traffic:
    1. UDP 500: Protocol UDP, Port Range 500, Source 0.0.0.0/0
    2. UDP 4500: Protocol UDP, Port Range 4500, Source 0.0.0.0/0
    3. All local traffic: Protocol All, Port Range 1-65535, Source 172.31.0.0/20
  4. In the Dashboard check the Public IP Address assigned to the Virtual Machine (this will be used as the remote gateway address in the Azure VPN configuration).
  5. Connect to the Ubuntu server e.g. with SSH
  6. Install strongSwan VPN gateway with command: sudo apt-get install strongswan
  7. Edit IPSec and address settings in the configuration file: /etc/ipsec.conf
  8. Create a certificate request on the AWS Ubuntu server and copy it to the CA server for signing (in this case to the Azure Ubuntu server where the CA resides)
  9. Sign the certificate on the CA server
  10. Copy the signed certificate and the CA certificate to the AWS Ubuntu server:
    1. CA certificate to /etc/ipsec.d/cacerts
    2. Signed gateway certificate to /etc/ipsec.d/certs
    3. Check that the private key file is in /etc/ipsec.d/private
  11. Add a reference to the Private Key file and the optional file password in /etc/ipsec.secrets
  12. Restart the VPN service: sudo ipsec restart
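The certificate steps above (request on the gateway, signing on the Azure CA) and the rightid notes, worked through with OpenSSL as an added example that is not part of the original post. It assumes the openssl command is installed; the CA name, the key password "password" and the file names are constructed to mirror the samples on this page.

```shell
#!/bin/sh
# Added example (not from the original post): issue a strongSwan gateway
# certificate from a private OpenSSL CA (steps 8-9 above) and derive the
# exact string the peer must use as rightid. Directory layout, the CA DN and
# the key password "password" are constructed to mirror this page's samples.
set -eu

# CA side: create the CA key and a self-signed CA certificate in $1.
make_ca() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -keyout "$dir/caKey.pem" -out "$dir/caCert.pem" \
    -subj "/C=FI/ST=Some-State/O=MyOrg/OU=MyUnit/CN=MyCA" >/dev/null 2>&1
}

# Gateway side: password-protected private key plus a CSR with subject $3.
# The key stays on the gateway (/etc/ipsec.d/private); only the CSR travels.
make_csr() {
  dir=$1; name=$2; subj=$3
  openssl req -new -newkey rsa:2048 -sha256 -passout pass:password \
    -keyout "$dir/${name}Key.pem" -out "$dir/${name}.csr" \
    -subj "$subj" >/dev/null 2>&1
}

# CA side: sign the CSR; the result goes to the gateway's /etc/ipsec.d/certs.
sign_csr() {
  dir=$1; name=$2
  openssl x509 -req -days 365 -sha256 -in "$dir/${name}.csr" \
    -CA "$dir/caCert.pem" -CAkey "$dir/caKey.pem" -CAcreateserial \
    -out "$dir/${name}Cert.pem" >/dev/null 2>&1
}

# Check the chain the way the peer will: the cert must validate against the
# CA certificate the peer holds in /etc/ipsec.d/cacerts.
verify_cert() {
  openssl verify -CAfile "$1/caCert.pem" "$1/$2Cert.pem" >/dev/null 2>&1
}

# Print the subject in the "C=.., ST=.., ..., E=.." form used in rightid
# (strongSwan writes the e-mail attribute as E=, OpenSSL as emailAddress=).
strongswan_id() {
  openssl x509 -noout -subject -nameopt sep_comma_plus_space,sname \
    -in "$1/$2Cert.pem" | sed -e 's/^subject= *//' -e 's/emailAddress=/E=/'
}
```

Run make_ca once on the CA host, make_csr on each gateway, sign_csr on the CA host, then paste the output of strongswan_id into the other side's rightid.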

Sample IPSEC.CONF in AWS strongSwan

config setup
    # nat_traversal is ignored since strongSwan 5.0 (NAT traversal is always enabled)
    nat_traversal=yes

conn azure
    leftsubnet=172.31.0.0/20
    leftcert=awsCert.pem
    right=xxx.xxx.xxx.xxx
    rightsubnet=10.7.1.0/24
    rightid="C=FI, ST=Some-State, O=MyOrg, OU=MyUnit, CN=MyVPN7, E=myemail7@myorg.com"
    auto=start


NOTES:
  • "awsCert.pem" is the certificate of the AWS strongSwan VPN gateway
  • rightid must match the Subject field of the Azure VPN gateway's certificate
  • right = public IP address of the Azure VPN gateway

Sample IPSEC.SECRETS in AWS strongSwan

: RSA awsKey.pem "password"


NOTES:
  • "awsKey.pem" is the private key file of the AWS VPN gateway; the file is protected by a password

Add route and enable forwarding in AWS

For the other devices in the AWS virtual network to be able to communicate through the VPN tunnel, a route needs to be added to the AWS route table and IP forwarding must be enabled on the Ubuntu server.

Add route:

  • In AWS Console, select VPC > Route Tables and select the route table.
  • Select Routes > Edit > Add Another Route:
    • Destination = 10.7.1.0/24
    • Target = (Instance ID of the Ubuntu server)

Enable forwarding:

  • On the Ubuntu server open the configuration file /etc/sysctl.conf
  • Uncomment the line: net.ipv4.ip_forward=1
  • Restart the server (or apply the setting without a reboot with: sudo sysctl -p)