Site-To-Site VPN connection between Amazon VPC and Google cloud
Recently I needed to set up a VPN between AWS and Google Cloud. For my own reference, and to help others, I publish the steps here.
- If you don’t have Amazon VPC (Virtual Private Cloud) set up, follow these instructions to create one. The instructions are for a VPC with a single public subnet. You can choose a different type, or just add a private subnet later.
- Allocate a new static Elastic IP for EC2-VPC on the Amazon side. This EIP will later be assigned to the StrongSwan instance inside the Amazon VPC, but for now we just need it to set up the VPN on the Google Cloud side. Refer to this document if you need instructions on how to allocate a new EIP for your VPC.
- If you don’t have a “network” inside Google Cloud (this is the equivalent of a VPC in Amazon) that you will use to connect to the Amazon VPC, create one, following the instructions here. Please remember the IP range of that network, as it will be used later.
- Create a new VPN on the Google Cloud side, following these instructions. Use the following values:
- network: choose from the dropdown the network you created in step 3;
- region: choose the region where the VPN endpoint will be located.
- IP address: select the new static IP address option. Once the VPN is created, please remember this IP, as it will be used later;
- peer IP address: Elastic IP address you created in step 2;
- IKE version: IKEv2;
- shared secret: some random string;
- remote network IP range: the IP range of the VPC you created in step 1.
- Create a new security group in the Amazon VPC just for this VPN server, with an SSH inbound rule allowed (so that we can SSH into the instance later) and ALL outbound traffic allowed. We will tighten these settings later.
- Follow these instructions to launch a new Ubuntu 14.04 LTS instance into the Amazon VPC public subnet, using the previously created security group.
- SSH into the newly launched instance and install strongswan:
sudo apt-get update
sudo apt-get install strongswan
- Edit the ipsec.conf file in StrongSwan VM:
sudo nano /etc/ipsec.conf
Replace the contents of the file with the following:
config setup
    strictcrlpolicy=no
    charondebug=all

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn googlecloud
    authby=secret
    auto=start
    type=tunnel
    left=<AWS Instance Local IP Address>
    leftid=<AWS Public Elastic IP Address (from Step 2)>
    leftsubnet=<the IP range of the VPC you created in step 1/netmask>
    leftauth=psk
    right=<Google VPN Public Static IP Address you created in step 4>
    rightsubnet=<Google network IP range/netmask>
    rightauth=psk
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024
- Edit the ipsec.secrets file in StrongSwan VM:
sudo nano /etc/ipsec.secrets
Add the following line to it:
<AWS Instance Local IP> <Google VPN Public Static IP> : PSK "<Shared Secret you used in Step 4>"
- Enable IP forwarding in the StrongSwan VM:
sudo nano /etc/sysctl.conf
Uncomment this line:
net.ipv4.ip_forward=1
Then apply the change:
sudo sysctl -p /etc/sysctl.conf
- Disable the Source/Destination check on the StrongSwan VM using the Amazon management console.
- Modify the security group we created in Step 5. Add two custom UDP inbound rules, one for port 500 and one for port 4500, allowed only from the Google VPN Public Static IP (use /32 as the netmask).
- Restart StrongSwan:
sudo ipsec restart
- Configure routing tables on the Amazon VPC side. In the Amazon console, switch to the VPC view, and for each routing table associated with the VPC, add a route to the Google network IP range/netmask (destination) via the StrongSwan VPN instance you created (target).
- Configure the firewall on the Google side (in the console choose “networks”, click on the network, then add/modify firewall rules). Make sure that it is open to the desired traffic for all or selected internal IP addresses from the Amazon side.
- Configure Security Groups on the Amazon side. For each security group associated with an instance that needs to send traffic to (or receive traffic from) the Google side, you will need to allow that traffic from/to the StrongSwan VM, and also from/to the Google network IPs.
- Create VMs on both sides, SSH to them and try to ping each other (don’t forget to set up security groups and firewalls prior to that!).
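As an added verification step (example script written for this write-up, not part of the original post or of strongSwan), the following checks, after the restart in step 12, whether the `googlecloud` connection is actually established with the expected identity and subnets and whether IP forwarding is on, using the `ipsec status` output layout of strongSwan 5 as shipped on Ubuntu 14.04. The IP addresses, ranges and status text are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: post-setup checks for the
# StrongSwan gateway. All values below are constructed placeholders.
AWS_EIP="54.0.2.10"           # hypothetical Elastic IP (step 2)
GCP_VPN_IP="35.0.2.20"        # hypothetical Google VPN static IP (step 4)
LEFT_SUBNET="10.0.0.0/16"     # hypothetical Amazon VPC range
RIGHT_SUBNET="10.128.0.0/20"  # hypothetical Google network range

# Constructed `ipsec status` output for a healthy tunnel (strongSwan 5 layout).
SAMPLE_UP="Security Associations (1 up, 0 connecting):
  googlecloud[1]: ESTABLISHED 3 minutes ago, 10.0.1.5[$AWS_EIP]...$GCP_VPN_IP[$GCP_VPN_IP]
  googlecloud{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0a80001_i c0a80002_o
  googlecloud{1}:   $LEFT_SUBNET === $RIGHT_SUBNET"

# Same gateway while the peer is unreachable (e.g. UDP 500/4500 still blocked
# by the security group): IKE_SA stuck connecting, no CHILD_SA installed.
SAMPLE_DOWN="Security Associations (0 up, 1 connecting):
  googlecloud[2]: CONNECTING, 10.0.1.5[%any]...$GCP_VPN_IP[%any]"

# 0 if STATUS shows the googlecloud IKE_SA established and its CHILD_SA installed.
tunnel_is_up() {
  printf '%s\n' "$1" | grep -q 'googlecloud\[[0-9]*\]: ESTABLISHED' || return 1
  printf '%s\n' "$1" | grep -q 'googlecloud{[0-9]*}: *INSTALLED'
}

# 0 if the installed CHILD_SA carries exactly LEFT === RIGHT as traffic selectors,
# i.e. leftsubnet/rightsubnet in ipsec.conf match what was negotiated.
tunnel_selectors_ok() {
  printf '%s\n' "$1" | grep -qF "$2 === $3"
}

# 0 if the IKE_SA identifies us by the Elastic IP (leftid) towards the Google
# peer, which is what the Google side was told to expect as peer IP address.
tunnel_identity_ok() {
  printf '%s\n' "$1" | grep -qF "[$2]...$3[$3]"
}

# 0 if kernel IP forwarding is on; FILE defaults to the live sysctl node.
ip_forward_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Demonstration on the constructed samples. On the real gateway run:
#   tunnel_is_up "$(sudo ipsec status)" && ip_forward_enabled && echo READY
if tunnel_is_up "$SAMPLE_UP" && tunnel_selectors_ok "$SAMPLE_UP" "$LEFT_SUBNET" "$RIGHT_SUBNET" \
   && tunnel_identity_ok "$SAMPLE_UP" "$AWS_EIP" "$GCP_VPN_IP"; then
  echo "sample tunnel: healthy"
fi
tunnel_is_up "$SAMPLE_DOWN" || echo "sample tunnel while connecting: not up"
```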