Site-To-Site VPN connection between Amazon VPC and Google cloud

March 10, 2015 | Tags: AWS, Amazon VPC, VPN, Linux, Google Cloud


Recently I needed to set up a VPN between AWS and Google Cloud. As a note to myself, and to help others, I am publishing the steps here.

  1. If you don’t have Amazon VPC (Virtual Private Cloud) set up, follow these instructions to create one. The instructions are for a VPC with a single public subnet. You can choose a different type, or just add a private subnet later.
  2. Allocate a new static Elastic IP for EC2-VPC on the Amazon side. This EIP will later be assigned to the StrongSwan instance inside the Amazon VPC, but for now we just need it to set up the VPN on the Google Cloud side. Refer to this document if you need instructions on how to allocate a new EIP for your VPC.
  3. If you don’t have a “network” in Google Cloud (the equivalent of a VPC in Amazon) that you will use to connect to the Amazon VPC, create one, following the instructions here. Remember the IP range of that network, as it will be used later.
  4. Create a new VPN on the Google Cloud side, following these instructions. Use the following values:
    • network: choose from the dropdown the network you created in step 3;
    • region: choose the region where the VPN endpoint will be located;
    • IP address: select the “new static IP address” option. Once the VPN is created, remember this IP, as it will be used later;
    • peer IP address: the Elastic IP address you allocated in step 2;
    • IKE version: IKEv2;
    • shared secret: a random string;
    • remote network IP range: the IP range of the VPC you created in step 1.
  5. Create a new security group in the Amazon VPC just for this VPN server, with an inbound SSH rule (so that we can SSH into the instance later) and all outbound traffic allowed. We will change these settings later.
  6. Follow these instructions to launch a new Ubuntu 14.04 LTS instance into the Amazon VPC public subnet, using the previously created security group.
  7. SSH into the newly launched instance and install StrongSwan:
    sudo apt-get update
    sudo apt-get install strongswan
  8. Edit the ipsec.conf file on the StrongSwan VM:
    sudo nano /etc/ipsec.conf

    Replace the contents of the file with the following:

    config setup
      strictcrlpolicy=no
      # charondebug=all is very verbose; handy while bringing the tunnel up, lower it afterwards
      charondebug=all
    conn %default
      ikelifetime=60m
      keylife=20m
      rekeymargin=3m
      keyingtries=1
      # must match the "IKE version: IKEv2" chosen in step 4
      keyexchange=ikev2
    conn googlecloud
      authby=secret
      auto=start
      type=tunnel
      # left is the instance's private address (EC2 NATs the Elastic IP onto it);
      # leftid carries the Elastic IP, which is the peer IP entered in step 4
      left=<AWS Instance Local IP Address>
      leftid=<AWS Public Elastic IP Address (from Step 2)>
      leftsubnet=<the IP range of the VPC you created in step 1/netmask>
      leftauth=psk
      right=<Google VPN Public Static IP Address you created in step 4>
      rightsubnet=<Google network IP range/netmask>
      rightauth=psk
      # both proposals must match what the Google Cloud VPN accepts;
      # sha1 and modp1024 are weak by current standards, so prefer stronger
      # ciphers and DH groups if both sides support them
      ike=aes128-sha1-modp1024
      esp=aes128-sha1-modp1024
  9. Edit the ipsec.secrets file on the StrongSwan VM:
    sudo nano /etc/ipsec.secrets

    Add the following line to it:

    <AWS Instance Local IP> <Google VPN Public Static IP> : PSK "<Shared Secret you used in Step 4>"
  10. Enable IP forwarding on the StrongSwan VM:
    sudo nano /etc/sysctl.conf

    Uncomment this line:

    net.ipv4.ip_forward=1

    Apply changes:

    sudo sysctl -p /etc/sysctl.conf
  11. Disable the Source/Destination check on the StrongSwan VM using the Amazon management console.
  12. Modify the security group we created in step 5. Add two custom UDP inbound rules, one for port 500 (IKE) and one for port 4500 (NAT traversal), with the Google VPN public static IP as the source (use /32 as the netmask).
  13. Restart StrongSwan:
    sudo ipsec restart
  14. Configure the routing tables on the Amazon VPC side. In the Amazon console, switch to the VPC view and, for each routing table associated with the VPC, add a route with the Google network IP range/netmask as the destination and the StrongSwan VPN instance you created as the target.
  15. Configure the firewall on the Google side (in the console choose “networks”, click on the network, then add/modify the firewall rules). Make sure it is open to the desired traffic from all or selected internal IP addresses on the Amazon side.
  16. Configure the security groups on the Amazon side. For each security group associated with an instance that needs to send traffic to (or receive traffic from) the Google side, allow that traffic from/to the StrongSwan VM and also from/to the Google network IPs.
  17. Create VMs on both sides, SSH into them and try to ping each other (don’t forget to set up the security groups and firewalls before that!).
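Steps 8 and 9 above are filled in by hand, and the two mistakes that most often cost time are a VPC range that overlaps the Google network range (the tunnel comes up but nothing is routable across it) and a `leftid` that is the instance's private address instead of the Elastic IP. The script below is an added example, not part of the original post or of strongSwan: it validates the parameters with Python's `ipaddress` module and then renders `ipsec.conf` and `ipsec.secrets` from the same templates shown in steps 8 and 9. The function names are my own, and all addresses are constructed documentation placeholders rather than real endpoints.

```python
"""Render and sanity-check the strongSwan files from steps 8 and 9.

Added example, not the author's script. The helper names and every
address below are constructed placeholders, not real endpoints.
"""
import ipaddress

# Same structure as the ipsec.conf in step 8; the angle-bracket
# placeholders are replaced by the validated parameters.
IPSEC_CONF_TEMPLATE = """\
config setup
  strictcrlpolicy=no
  charondebug=all
conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev2
conn googlecloud
  authby=secret
  auto=start
  type=tunnel
  left={aws_local_ip}
  leftid={aws_eip}
  leftsubnet={aws_cidr}
  leftauth=psk
  right={gcp_vpn_ip}
  rightsubnet={gcp_cidr}
  rightauth=psk
  ike=aes128-sha1-modp1024
  esp=aes128-sha1-modp1024
"""


def validate(aws_local_ip, aws_eip, aws_cidr, gcp_vpn_ip, gcp_cidr, psk):
    """Return a list of problems with the parameters; an empty list means consistent."""
    problems = []
    try:
        local = ipaddress.ip_address(aws_local_ip)
        eip = ipaddress.ip_address(aws_eip)
        ipaddress.ip_address(gcp_vpn_ip)
        # strict=True rejects a prefix with host bits set, e.g. 10.0.0.1/16
        left_net = ipaddress.ip_network(aws_cidr, strict=True)
        right_net = ipaddress.ip_network(gcp_cidr, strict=True)
    except ValueError as exc:
        return [f"unparseable address or prefix: {exc}"]

    # 'left' is the instance's private address (EC2 NATs the EIP onto it),
    # so it must lie inside the VPC range, and it must differ from 'leftid'.
    if local not in left_net:
        problems.append(f"left={aws_local_ip} is not inside leftsubnet={aws_cidr}")
    if local == eip:
        problems.append("leftid must be the Elastic IP, not the instance's local address")

    # Overlapping ranges cannot be routed across the tunnel: each side would
    # prefer its own local route over the VPN route added in step 14.
    if left_net.overlaps(right_net):
        problems.append(f"leftsubnet {aws_cidr} overlaps rightsubnet {gcp_cidr}")

    # ipsec.secrets wraps the PSK in double quotes, so it must not contain one.
    if not psk:
        problems.append("shared secret is empty")
    elif '"' in psk:
        problems.append("shared secret must not contain a double quote")
    return problems


def render_ipsec_conf(aws_local_ip, aws_eip, aws_cidr, gcp_vpn_ip, gcp_cidr):
    """Fill the step 8 template."""
    return IPSEC_CONF_TEMPLATE.format(
        aws_local_ip=aws_local_ip, aws_eip=aws_eip, aws_cidr=aws_cidr,
        gcp_vpn_ip=gcp_vpn_ip, gcp_cidr=gcp_cidr)


def render_ipsec_secrets(aws_local_ip, gcp_vpn_ip, psk):
    """Produce the single ipsec.secrets line from step 9."""
    return f'{aws_local_ip} {gcp_vpn_ip} : PSK "{psk}"\n'


def build_files(aws_local_ip, aws_eip, aws_cidr, gcp_vpn_ip, gcp_cidr, psk):
    """Validate first, then return {path: contents} ready to be written as root."""
    problems = validate(aws_local_ip, aws_eip, aws_cidr, gcp_vpn_ip, gcp_cidr, psk)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "/etc/ipsec.conf": render_ipsec_conf(aws_local_ip, aws_eip, aws_cidr, gcp_vpn_ip, gcp_cidr),
        "/etc/ipsec.secrets": render_ipsec_secrets(aws_local_ip, gcp_vpn_ip, psk),
    }


if __name__ == "__main__":
    # Constructed placeholder values (documentation ranges), not a real deployment.
    files = build_files("10.0.0.5", "203.0.113.10", "10.0.0.0/16",
                        "198.51.100.7", "10.240.0.0/16", "example-psk-change-me")
    for path, body in files.items():
        print(f"# {path}\n{body}")
```

Run it on the workstation with the real values and copy the two outputs into place with `sudo`; `ipsec.secrets` should stay readable by root only, since it holds the shared secret in clear text.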
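Before the ping test in step 17, it helps to know whether the tunnel itself is up, because a failed ping can come from any of steps 10 to 16. The following added example (mine, not from the post or from the strongSwan project) reads the text printed by `sudo ipsec statusall` on the StrongSwan VM, picks out the IKE SA state, the CHILD SA state and the negotiated traffic selectors for the `googlecloud` connection, and maps the result back to the step most likely at fault. The sample output embedded below is constructed to resemble a healthy tunnel and is not a real capture; the addresses are documentation placeholders.

```python
"""Check the tunnel state from `sudo ipsec statusall` output (step 17).

Added example, not from the original post. SAMPLE_STATUS is constructed
to look like a healthy tunnel; it is not a real capture.
"""
import re

SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
 googlecloud[1]: ESTABLISHED 12 minutes ago, 10.0.0.5[203.0.113.10]...198.51.100.7[198.51.100.7]
 googlecloud[1]: IKEv2 SPIs: 0123456789abcdef_i* fedcba9876543210_r, rekeying in 39 minutes
 googlecloud{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3c4_i d5e6f7a8_o
 googlecloud{1}:   10.0.0.0/16 === 10.240.0.0/16
"""

# One regex per line type we care about: IKE SA state (conn[n]: STATE),
# CHILD SA state and mode (conn{n}: STATE, MODE), and the negotiated
# traffic selectors (conn{n}: local === remote).
IKE_SA_RE = re.compile(
    r"^\s*(?P<conn>[\w.-]+)\[\d+\]:\s+"
    r"(?P<state>CREATED|CONNECTING|ESTABLISHED|PASSIVE|REKEYING|DELETING)\b")
CHILD_SA_RE = re.compile(
    r"^\s*(?P<conn>[\w.-]+)\{\d+\}:\s+"
    r"(?P<state>CREATED|ROUTED|INSTALLING|INSTALLED|REKEYING|DELETING),\s+"
    r"(?P<mode>TUNNEL|TRANSPORT|BEET)\b")
SELECTOR_RE = re.compile(
    r"^\s*(?P<conn>[\w.-]+)\{\d+\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)")


def tunnel_state(status_text, conn="googlecloud"):
    """Summarise the named connection: IKE state, CHILD state and mode, selectors."""
    state = {"ike": None, "child": None, "mode": None, "selectors": []}
    for line in status_text.splitlines():
        m = IKE_SA_RE.match(line)
        if m and m.group("conn") == conn:
            state["ike"] = m.group("state")
            continue
        m = SELECTOR_RE.match(line)
        if m and m.group("conn") == conn:
            state["selectors"].append((m.group("local"), m.group("remote")))
            continue
        m = CHILD_SA_RE.match(line)
        if m and m.group("conn") == conn:
            state["child"] = m.group("state")
            state["mode"] = m.group("mode")  # TUNNEL is expected for type=tunnel
    return state


def tunnel_ok(status_text, aws_cidr, gcp_cidr, conn="googlecloud"):
    """True only if both SAs are up and the selectors are exactly the two ranges."""
    s = tunnel_state(status_text, conn)
    return (s["ike"] == "ESTABLISHED" and s["child"] == "INSTALLED"
            and s["mode"] == "TUNNEL" and (aws_cidr, gcp_cidr) in s["selectors"])


def diagnose(status_text, aws_cidr, gcp_cidr, conn="googlecloud"):
    """Point at the step in the post most likely to need attention."""
    s = tunnel_state(status_text, conn)
    if s["ike"] is None:
        return ("no IKE SA: check UDP 500/4500 in the security group (step 12) "
                "and the peer IPs (steps 2, 4, 8)")
    if s["ike"] != "ESTABLISHED":
        return (f"IKE SA is {s['ike']}: check the shared secret (steps 4, 9) "
                "and the proposals (step 8)")
    if s["child"] != "INSTALLED":
        return ("IKE up but no CHILD SA: check leftsubnet/rightsubnet against "
                "the Google VPN settings (steps 4, 8)")
    if (aws_cidr, gcp_cidr) not in s["selectors"]:
        return f"selectors {s['selectors']} do not match {aws_cidr} === {gcp_cidr}"
    return ("tunnel up: if pings still fail, check routing (step 14), ip_forward "
            "(step 10), the src/dst check (step 11) and the firewalls (steps 15, 16)")


if __name__ == "__main__":
    # On the VM: sudo ipsec statusall | python3 this_script.py, reading stdin
    # instead of the constructed sample.
    print(diagnose(SAMPLE_STATUS, "10.0.0.0/16", "10.240.0.0/16"))
```

The selector check matters more than it looks: a CHILD SA can be `INSTALLED` with narrower selectors than you configured if the Google side's remote network range (step 4) does not match `leftsubnet` in step 8, and traffic outside the narrowed selectors is silently dropped rather than tunnelled.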
