Azure strongSwan (Resource Manager mode) – AWS strongSwan VPN with PSK authentication

(14 Sep 2017)

In this sample configuration a site-to-site VPN was established between Azure and AWS, with a strongSwan VPN gateway running in an Ubuntu Linux virtual machine on each side. Authentication was done with a PSK (pre-shared key) by configuring the same secret on both gateways. On the Azure side the Resource Manager deployment model was used.

The following configuration settings and VPN versions were used:

Azure

  • Virtual network: 10.0.5.0/24 (protected network)
  • Public IP xxx.xxx.xxx.xxx, internal IP 10.0.5.4
  • Ubuntu 16.04 Linux
  • Linux strongSwan U5.3.5/K4.4.0-92-generic

AWS

  • Virtual network: 172.31.0.0/20 (protected network)
  • Public IP yyy.yyy.yyy.yyy, internal IP 172.31.9.41
  • Ubuntu 16.04 Linux
  • Linux strongSwan U5.3.5/K4.4.0-1022-aws


Setting up of strongSwan VPN gateway in Azure

  1. In Azure create an Ubuntu 16.04 virtual machine and add it to a Virtual Network with address space and subnet 10.0.5.0/24 (create the network first if it doesn't exist yet).
  2. When prompted by the wizard, create a public IP address. This will be used as the remote VPN server address (right=) on the AWS side.
  3. After the Ubuntu server has been created, open the Network section of the VM in the Azure portal and add the following Inbound Port Rules so that IKE (UDP 500) and NAT-T (UDP 4500) can reach the gateway (select the Advanced mode to see all the rule options):
    1. Source = Any: Destination = Any: Destination Port = 500: Protocol = UDP: Action = Allow
    2. Source = Any: Destination = Any: Destination Port = 4500: Protocol = UDP: Action = Allow
    Source = Any exposes IKE to the whole Internet; for anything beyond a test setup set Source to the AWS gateway's public address (yyy.yyy.yyy.yyy) instead.
  4. Next, connect to the Ubuntu server (e.g. with SSH) and install the strongSwan VPN gateway if it is not already installed: sudo apt-get install strongswan
  5. Edit the IPsec and address settings in the configuration file /etc/ipsec.conf (sample below).
  6. Add the PSK secret to /etc/ipsec.secrets. Keep this file readable by root only (mode 0600), as the package installs it.
  7. Restart the VPN service: sudo ipsec restart, then verify with sudo ipsec statusall that the connection shows ESTABLISHED (IKE SA) and INSTALLED (CHILD SA).

In addition to the above steps, the route settings in the Azure Virtual Network may need to be modified as discussed on the page Routing with Ubuntu Linux VPN Gateway (Resource Manager mode). This is needed whenever other devices in the virtual network (not just the gateway itself) are to use the VPN connection.

Sample IPSEC.CONF for Azure strongSwan

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.

conn awspsk
    authby=secret
    leftsubnet=10.0.5.0/24
    right=yyy.yyy.yyy.yyy
    rightsubnet=172.31.0.0/20
    rightid=172.31.9.41
    auto=start

NOTES:

  • rightid must match the IKE identity the AWS gateway presents. The AWS instance sits behind NAT, so it identifies itself with its own interface address 172.31.9.41 (the default leftid on that side), not with its public IP. A mismatch here shows up as an authentication failure even though the PSK is correct.
  • right = public IP address of the AWS VPN gateway (yyy.yyy.yyy.yyy). left and leftid are not set, so strongSwan uses the Azure VM's own interface address 10.0.5.4, which is why the AWS side has rightid=10.0.5.4.
  • Because both VMs are behind NAT, ESP is carried inside UDP 4500 (NAT traversal), which is why that port must be open in addition to UDP 500.

Sample IPSEC.SECRETS for Azure strongSwan

: PSK "abcd1234"

The quotes must be plain ASCII double quotes. "abcd1234" is a placeholder only: use a long random secret (e.g. 32 random bytes, base64-encoded) and the same value on both gateways. The empty selector before the colon means the key is offered to any peer.

Setting up of strongSwan VPN gateway in AWS

  1. Launch an Ubuntu 16.04 instance from the AMI in AWS.
  2. After the new instance has been launched, note its public address. It will be used as the remote address (right=) in the Azure VPN configuration.
  3. Select the instance and then Actions > Networking > Change Source/Dest Check and disable the Source/Destination Check (otherwise AWS drops packets the instance forwards on behalf of other hosts).
  4. Open the Security Group > Inbound menu and create custom inbound rules that allow UDP 500 and UDP 4500 for the VPN connection and all traffic from the local network devices:
    1. UDP 500: Protocol UDP, Port Range 500, Source 0.0.0.0/0
    2. UDP 4500: Protocol UDP, Port Range 4500, Source 0.0.0.0/0
    3. All local traffic: Protocol All, Port Range 1-65535, Source 172.31.0.0/20
    As on the Azure side, 0.0.0.0/0 is convenient for testing; in production restrict the two UDP rules to the Azure gateway's public address xxx.xxx.xxx.xxx/32.
  5. Connect to the Ubuntu server (e.g. with SSH) and install the strongSwan VPN gateway: sudo apt-get install strongswan
  6. Edit the IPsec and address settings in the configuration file /etc/ipsec.conf (sample below).
  7. Add the PSK secret to /etc/ipsec.secrets (same value as on the Azure side, file readable by root only).
  8. Restart the VPN service: sudo ipsec restart, then verify with sudo ipsec statusall.

Sample IPSEC.CONF in AWS strongSwan

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

# Add connections here.

conn awspsk
    authby=secret
    leftsubnet=172.31.0.0/20
    right=xxx.xxx.xxx.xxx
    rightsubnet=10.0.5.0/24
    rightid=10.0.5.4
    auto=start

NOTES:

  • rightid must match the IKE identity the Azure gateway presents. The Azure VM is behind NAT as well, so it identifies itself with its interface address 10.0.5.4, not with its public IP.
  • right = public IP address of the Azure VPN gateway (xxx.xxx.xxx.xxx). The AWS gateway's own identity defaults to its interface address 172.31.9.41, matching rightid on the Azure side.

Sample IPSEC.SECRETS in AWS strongSwan

: PSK "abcd1234"

Plain ASCII double quotes; the secret must be identical to the one configured on the Azure gateway, and "abcd1234" should be replaced by a long random value on both sides.
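Both gateways use the same two files with left and right swapped, which is where hand edits usually go wrong (a mismatched rightid is the most common cause of an authentication failure). The following POSIX shell script is an added example, not part of the original page: it generates a random PSK and renders ipsec.conf and ipsec.secrets for both sides from one parameter set, so the two configurations are guaranteed to mirror each other. The function names (gen_psk, render_ipsec_conf, render_ipsec_secrets, write_side) are hypothetical, the addresses are the page's own values with xxx/yyy as placeholders, and the script pins keyexchange=ikev2, which the page's samples leave at strongSwan's default.

```shell
#!/bin/sh
# Added example (not from the original page): render the strongSwan PSK
# site-to-site configuration for both gateways from one parameter set.
# Function names are hypothetical; the PSK placeholder from the page is
# replaced by a random 256-bit value shared by both sides.

# gen_psk: 32 random bytes, base64-encoded (44 characters), no newline.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# render_ipsec_conf NAME LEFTSUBNET RIGHT RIGHTSUBNET RIGHTID
# left/leftid are left at their defaults, i.e. the gateway's own interface
# address (10.0.5.4 or 172.31.9.41). That address is what the peer's rightid
# must name, because both VMs sit behind cloud NAT.
render_ipsec_conf() {
    cat <<EOF
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn $1
    authby=secret
    keyexchange=ikev2
    leftsubnet=$2
    right=$3
    rightsubnet=$4
    rightid=$5
    auto=start
EOF
}

# render_ipsec_secrets PSK: empty selector = key offered to any peer, as on
# the page. With IKEv2 it can be narrowed to "<leftid> <rightid> : PSK ...".
render_ipsec_secrets() {
    printf ': PSK "%s"\n' "$1"
}

# write_side DIR NAME LEFTSUBNET RIGHT RIGHTSUBNET RIGHTID PSK
# Writes DIR/ipsec.conf and DIR/ipsec.secrets (secrets file mode 0600).
write_side() {
    dir=$1; shift
    psk=$6
    mkdir -p "$dir"
    render_ipsec_conf "$1" "$2" "$3" "$4" "$5" > "$dir/ipsec.conf"
    # umask in a subshell so the secrets file is never world-readable, even briefly
    ( umask 077; render_ipsec_secrets "$psk" > "$dir/ipsec.secrets" )
    chmod 600 "$dir/ipsec.secrets"
}

# main OUTDIR: writes OUTDIR/azure/* and OUTDIR/aws/*. Copy each pair to /etc
# on the matching gateway, then run: sudo ipsec restart
main() {
    out=$1
    psk=$(gen_psk)
    # Azure side: local subnet 10.0.5.0/24, peer = AWS public IP, peer ID = AWS interface address
    write_side "$out/azure" awspsk 10.0.5.0/24 yyy.yyy.yyy.yyy 172.31.0.0/20 172.31.9.41 "$psk"
    # AWS side: mirror image, peer ID = Azure gateway's interface address
    write_side "$out/aws"   awspsk 172.31.0.0/20 xxx.xxx.xxx.xxx 10.0.5.0/24 10.0.5.4 "$psk"
    echo "Rendered both sides under $out (azure/, aws/); keep ipsec.secrets root-only"
}

# Usage: sh gen-vpn.sh OUTDIR
if [ $# -eq 1 ]; then
    main "$1"
fi
```

The rendered files follow the page's samples exactly apart from the explicit keyexchange=ikev2 and the random secret; replace the xxx/yyy placeholders with the real public addresses before copying the files into /etc.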

Add route and enable forwarding in AWS

For the other devices in the AWS virtual network to communicate through the VPN tunnel, a route for the Azure subnet needs to be added to the AWS route table and IP forwarding must be enabled on the Ubuntu server. The Source/Destination Check disabled in step 3 above is also required, otherwise AWS drops the packets the instance forwards.

Add route:

  • In AWS Console, select VPC > Route Tables and select the route table.
  • Select Routes > Edit > Add Another Route:
    • Destination = 10.0.5.0/24
    • Target = (Instance ID of the Ubuntu server)

Enable forwarding:

  • On the Ubuntu server open the configuration file /etc/sysctl.conf
  • Uncomment the line: net.ipv4.ip_forward=1
  • Reboot the server, or apply the setting immediately with sudo sysctl -p
  • Check the result with sysctl net.ipv4.ip_forward (it should print net.ipv4.ip_forward = 1)
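Once both gateways have been restarted and the route and forwarding settings are in place, the tunnel should be checked rather than assumed. The following shell helper is an added example, not from the original page: it parses ipsec statusall output and reports whether the IKE SA is ESTABLISHED and the CHILD SA INSTALLED, whether NAT traversal (ESP in UDP 4500) is in use, and whether kernel forwarding is on. The sample statusall output embedded below is constructed (modelled on the strongSwan 5.x format, with made-up SPIs), and the function names tunnel_state, nat_traversal and forwarding_enabled are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): check a strongSwan PSK tunnel
# after `sudo ipsec restart`. Helper names are hypothetical.

# tunnel_state CONN  (reads `ipsec statusall` output on stdin)
# Prints "up" when the IKE SA is ESTABLISHED and a CHILD SA is INSTALLED,
# "ike-only" when only the IKE SA is up (typically a subnet mismatch between
# leftsubnet/rightsubnet on the two sides), and "down" otherwise (typically
# wrong PSK, wrong rightid, or UDP 500/4500 blocked).
tunnel_state() {
    conn=$1
    out=$(cat)
    ike=$(printf '%s\n' "$out" | grep -c "^ *$conn\[[0-9]*\]: ESTABLISHED") || true
    child=$(printf '%s\n' "$out" | grep -c "^ *$conn{[0-9]*}: *INSTALLED") || true
    if [ "$ike" -gt 0 ] && [ "$child" -gt 0 ]; then
        echo up
    elif [ "$ike" -gt 0 ]; then
        echo ike-only
    else
        echo down
    fi
}

# nat_traversal CONN  (reads `ipsec statusall` output on stdin)
# Prints "yes" if the CHILD SA carries ESP in UDP (port 4500). That is the
# expected state here, since both VMs sit behind cloud NAT.
nat_traversal() {
    if grep -q "^ *$1{[0-9]*}:.*ESP in UDP"; then echo yes; else echo no; fi
}

# forwarding_enabled  (reads `sysctl net.ipv4.ip_forward` output on stdin)
forwarding_enabled() {
    grep -q '^net.ipv4.ip_forward *= *1$' && echo yes || echo no
}

# Constructed sample of `ipsec statusall` on the Azure gateway after the
# tunnel came up (format modelled on strongSwan 5.x; SPIs are made up).
SAMPLE_UP='Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-92-generic, x86_64):
  uptime: 2 minutes, since Sep 14 10:00:00 2017
Listening IP addresses:
  10.0.5.4
Connections:
      awspsk:  %any...yyy.yyy.yyy.yyy  IKEv2
      awspsk:   local:  [10.0.5.4] uses pre-shared key authentication
      awspsk:   remote: [172.31.9.41] uses pre-shared key authentication
      awspsk:   child:  10.0.5.0/24 === 172.31.0.0/20 TUNNEL
Security Associations (1 up, 0 connecting):
      awspsk[1]: ESTABLISHED 2 minutes ago, 10.0.5.4[10.0.5.4]...yyy.yyy.yyy.yyy[172.31.9.41]
      awspsk[1]: IKEv2 SPIs: 0011223344556677_i* 8899aabbccddeeff_r, pre-shared key reauthentication in 2 hours
      awspsk{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0a80001_i c0a80002_o
      awspsk{1}:   10.0.5.0/24 === 172.31.0.0/20'

# Constructed sample while the peer is not answering on UDP 500/4500.
SAMPLE_DOWN='Security Associations (0 up, 1 connecting):
      awspsk[1]: CONNECTING, 10.0.5.4[%any]...yyy.yyy.yyy.yyy[%any]'

# Usage on a gateway: sh check-vpn.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "tunnel:     $(ipsec statusall | tunnel_state awspsk)"
    echo "nat-t:      $(ipsec statusall | nat_traversal awspsk)"
    echo "forwarding: $(sysctl net.ipv4.ip_forward | forwarding_enabled)"
fi
```

Run it with --live on each gateway; "up" plus "yes" for NAT-T is the expected result on both sides. An "ike-only" result means authentication succeeded but no traffic selector matched, so compare leftsubnet/rightsubnet on the two configurations; a "down" result with the daemon stuck in CONNECTING usually means the inbound UDP rules or the PSK do not match. Finally confirm end-to-end reachability from a host in the other subnet, e.g. ping 172.31.9.41 from an Azure host, which also exercises the route table and forwarding settings above.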