Connecting Alibaba Cloud to AWS with High Availability VPN

Prerequisites

You should have:

  1. A certain familiarity with AWS and Alibaba Cloud
  2. A good understanding of networking principles, from setting IP addresses to firewalling with the iptables tool
  3. Knowledge of the basic concepts of authentication based on public-key cryptography and a public-key infrastructure (PKI)
  4. Non-overlapping networks in each VPC
  5. Public (and optionally private) subnets
  6. A routing table that routes internet traffic for your public subnets via an Internet gateway
  7. Appropriate security groups and attachments

High Availability VPN Connection between Alibaba Cloud and AWS

Because we are connecting a VPC in AWS to a VPC in Alibaba Cloud to build a multi-cloud infrastructure, the IPv4 CIDR blocks of the two VPCs must be planned in advance so that they do not overlap. The architecture is shown below:

Configure strongSwan Servers in Alibaba Cloud

Configure two strongSwan servers in the Alibaba Cloud VPC (vpc_ali):

$ sudo yum install -y strongswan
$ echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf && sudo sysctl -p
$ sudo yum install -y keepalived
$ echo 'systemctl start keepalived.service' | sudo tee -a /etc/rc.d/rc.local
$ sudo mkdir -p /etc/keepalived/script
$ cd /etc/keepalived/script
$ sudo vi notify.sh
#!/bin/bash
# keepalived runs this on every VRRP state change:
#   $1 = type (INSTANCE or GROUP), $2 = instance name, $3 = new state
TYPE=$1
NAME=$2
ENDSTATE=$3
case $ENDSTATE in
"MASTER")
    echo "MASTER; $(date)" >> /tmp/log
    # Only the node that holds the HAVIP forwards and SNATs the VPC traffic
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -d 100.64.0.0/10 -j RETURN
    iptables -t nat -A POSTROUTING -s 10.0.0.0/8 ! -p vrrp -j SNAT --to-source 10.1.0.1
    systemctl restart strongswan.service
    ;;
"BACKUP")
    echo "BACKUP; $(date)" >> /tmp/log
    # Standby node: flush the NAT rules and hold no IKE/IPsec SAs of its own
    iptables -t nat -F
    systemctl stop strongswan.service
    exit 0
    ;;
"FAULT")
    echo "FAULT; $(date)" >> /tmp/log
    iptables -t nat -F
    systemctl stop strongswan.service
    exit 0
    ;;
*)
    echo "unknown state ${ENDSTATE} for VRRP ${TYPE} ${NAME}"
    exit 1
    ;;
esac
$ sudo chmod +x notify.sh
$ sudo vi ../keepalived.conf
! Configuration File for keepalived
global_defs {
    notification_email {
        acassen@firewall.loc
        failover@firewall.loc
        sysadmin@firewall.loc
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 192.168.200.1
    smtp_connect_timeout 30
    router_id LVS_DEVEL
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.1.0.1 dev eth0 label eth0:havip
    }
    notify /etc/keepalived/script/notify.sh
    ! On the second node swap unicast_src_ip and unicast_peer and use a lower priority
    unicast_src_ip 10.1.0.55
    unicast_peer {
        10.1.0.56
    }
}
$ sudo systemctl start keepalived.service
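The failover above only works if keepalived.conf and notify.sh agree with each other: the notify path must point at a script that exists, and the SNAT source that script installs must be the HAVIP. The following checker is an added example, not part of the article; it runs offline on constructed copies of the two files (the paths and addresses mirror the article, the drifted values are constructed), and on a node you would pass it the real /etc/keepalived/keepalived.conf and the script it names.

```python
import re

# Constructed sample modelled on the article's keepalived.conf: the notify
# path says "scripts/" while the directory created earlier was "script/".
SAMPLE_CONF = """\
vrrp_instance VI_1 {
    virtual_ipaddress {
        10.1.0.1 dev eth0 label eth0:havip
    }
    notify /etc/keepalived/scripts/notify.sh
    unicast_src_ip 10.1.0.55
    unicast_peer {
        10.1.0.56
    }
}
"""
# Constructed: path -> contents of the scripts actually present on the node;
# this one's SNAT source has drifted from the HAVIP and never touches strongSwan.
SAMPLE_FILES = {
    "/etc/keepalived/script/notify.sh":
        "iptables -t nat -A POSTROUTING -s 10.0.0.0/8 ! -p vrrp "
        "-j SNAT --to-source 10.1.0.2\n",
}

def _grab(pattern, text):
    """First capture group of pattern in text, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def parse_keepalived(text):
    """Extract the fields the HAVIP failover design depends on."""
    return {
        "vip": _grab(r"virtual_ipaddress\s*\{\s*(\d+\.\d+\.\d+\.\d+)", text),
        "notify": _grab(r"^\s*notify\s+(\S+)", text),
    }

def check_keepalived(conf_text, files):
    """Return findings; an empty list means conf and notify script agree."""
    cfg, findings = parse_keepalived(conf_text), []
    script = files.get(cfg["notify"])
    if script is None:  # failover would happen with no SNAT/strongSwan switch
        findings.append(f"notify script not found: {cfg['notify']}")
        return findings
    snat = _grab(r"--to-source\s+(\S+)", script)
    if snat != cfg["vip"]:
        findings.append(f"SNAT --to-source {snat} does not match HAVIP {cfg['vip']}")
    if "strongswan" not in script:
        findings.append("notify script never starts or stops strongSwan")
    return findings
```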

Configure Routing

Navigate to your VPC console and bind the HAVIP to the two ECS instances:

Configuring AWS

Having created two strongSwan ECS instances with a known public HAVIP address, it’s time to create the other end of our tunnel in AWS VPC. For this discussion, we shall assume that vpc_aws is located in us-west-2 and has a network block of 172.0.0.0/16.

  1. Navigate to the VPC Dashboard in the AWS Console
  2. Make sure you are in the correct region (us-west-2)
  3. Select the ‘Virtual Private Gateways’ menu item
  4. Click ‘Create Virtual Private Gateway’
  5. Give your new VGW a name
  6. Select ‘Yes, Create’
  7. Once your VGW has been created, select it, and then click ‘Attach to VPC’
  8. Select the target VPC from the VPC drop-down list
  9. Select the ‘Customer Gateways’ menu item
  10. Click ‘Create Customer Gateway’
  11. Give your CGW a name
  12. Set routing to Static
  13. Set the public IP address of the remote end of the VPN connection, i.e. the public HAVIP address of the Alibaba Cloud strongSwan instances
  14. Click ‘Yes, Create’
  15. Select the ‘VPN Connections’ menu item
  16. Click ‘Create VPN Connection’
  17. Name: Give your VPN connection a name
  18. Virtual Private Gateway: Select the VGW you created in step 4
  19. Customer Gateway: Select ‘Existing’ and choose the CGW you created in step 10
  20. Routing Options: Static
  21. Static IP Prefixes: Set the CIDR block of your VPC you wish to make available over the VPN tunnel, e.g. 172.0.0.0/16 for the entire VPC network
  22. Click ‘Yes, Create’
$ sudo vi /etc/strongswan/ipsec.conf
# Add connections here.
# Sample VPN connections
conn %default
    ikelifetime=28800s
    keylife=3600s
    rekeymargin=3m
    keyingtries=3
    dpddelay=10s
    dpdtimeout=30s
    authby=secret
    mobike=no

# Tunnel 1 to the first AWS VPN endpoint
conn toawstunnel1
    keyexchange=ikev1
    left=10.1.0.55
    leftsubnet=10.1.0.0/24
    leftid=47.89.241.197
    right=35.160.16.102
    rightsubnet=172.0.0.0/24
    rightid=35.160.16.102
    dpdaction=restart
    auto=route
    esp=aes128-sha1-modp1024
    lifetime=3600
    ike=aes128-sha1-modp1024
    ikelifetime=28800s
    type=tunnel

# Tunnel 2 to the second AWS VPN endpoint
conn toawstunnel2
    keyexchange=ikev1
    left=10.1.0.55
    leftsubnet=10.1.0.0/24
    leftid=47.89.241.197
    right=35.160.48.137
    rightsubnet=172.0.0.0/24
    rightid=35.160.48.137
    dpdaction=restart
    auto=route
    esp=aes128-sha1-modp1024
    lifetime=3600
    ike=aes128-sha1-modp1024
    ikelifetime=28800s
    type=tunnel
$ sudo vi /etc/strongswan/ipsec.secrets
47.89.241.197 35.160.16.102 : PSK "put_your_PSK_here_xxxxxxxxxxxxxxxxxxxx"
47.89.241.197 35.160.48.137 : PSK "put_your_PSK_here_xxxxxxxxxxxxxxxxxxx"
$ sudo systemctl restart strongswan.service
$ sudo systemctl status strongswan.service
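Before restarting strongSwan it pays to check that every conn has a matching PSK line, that its rightsubnet really lies inside the AWS VPC block, and that the proposals are ones you still want to run (the aes128-sha1-modp1024 and IKEv1 settings above are the kind this check flags). The auditor below is an added example, not from the article or strongSwan; the peer addresses are the article's, the PSK strings and the second tunnel's stronger proposals are constructed, and the missing second PSK line is deliberate.

```python
import ipaddress
# Constructed sample mirroring the article's ipsec.conf; the second tunnel's
# PSK line is deliberately missing from the constructed ipsec.secrets below.
SAMPLE_CONF = """\
conn %default
    authby=secret
conn toawstunnel1
    keyexchange=ikev1
    leftid=47.89.241.197
    rightid=35.160.16.102
    rightsubnet=172.0.0.0/24
    esp=aes128-sha1-modp1024
    ike=aes128-sha1-modp1024
conn toawstunnel2
    keyexchange=ikev2
    leftid=47.89.241.197
    rightid=35.160.48.137
    rightsubnet=172.0.0.0/24
    esp=aes256gcm16-ecp256
    ike=aes256-sha256-ecp256
"""
SAMPLE_SECRETS = '47.89.241.197 35.160.16.102 : PSK "constructed-psk-1"\n'
WEAK = ("modp1024", "modp768", "sha1", "md5", "3des")  # algorithms to flag

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with %default merged into each conn."""
    conns, cur = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):          # unindented line opens a section
            cur = conns.setdefault(line.split()[1], {})
        elif cur is not None and "=" in line:  # indented key=value belongs to it
            key, val = line.strip().split("=", 1)
            cur[key] = val
    default = conns.pop("%default", {})
    return {name: {**default, **c} for name, c in conns.items()}

def psk_pairs(secrets_text):
    """Set of (local_id, remote_id) pairs that have a PSK line in ipsec.secrets."""
    return {tuple(l.split(":")[0].split()) for l in secrets_text.splitlines() if "PSK" in l}
def check_tunnels(conf_text, secrets_text, vpc_cidr):
    """Per-conn findings: missing PSK, IKEv1, weak proposal, subnet outside the VPC."""
    vpc, pairs, findings = ipaddress.ip_network(vpc_cidr), psk_pairs(secrets_text), []
    for name, c in parse_ipsec_conf(conf_text).items():
        if (c.get("leftid"), c.get("rightid")) not in pairs:
            findings.append(f"{name}: no PSK for {c.get('leftid')} <-> {c.get('rightid')}")
        if c.get("keyexchange") == "ikev1":
            findings.append(f"{name}: IKEv1 in use, prefer IKEv2")
        for prop in (c.get("ike", ""), c.get("esp", "")):
            if any(w in prop for w in WEAK):
                findings.append(f"{name}: weak proposal {prop}")
        if "rightsubnet" in c and not ipaddress.ip_network(c["rightsubnet"]).subnet_of(vpc):
            findings.append(f"{name}: rightsubnet {c['rightsubnet']} outside {vpc}")
    return findings
```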

Testing the VPN Tunnel

Now that we have both ends of the tunnel created, we need to ensure that they can talk to each other.

[root@ali_ecs_test ~]# ping 172.0.0.80 
64 bytes from 172.0.0.80: icmp_seq=1 ttl=63 time=26.1 ms
64 bytes from 172.0.0.80: icmp_seq=2 ttl=63 time=26.2 ms
64 bytes from 172.0.0.80: icmp_seq=3 ttl=63 time=26.0 ms
64 bytes from 172.0.0.80: icmp_seq=4 ttl=63 time=26.0 ms

Update Security Groups

Now, we’ll create a Security Group (or modify an existing one) to contain rules to permit the public traffic necessary to set up the IPSec tunnel. Configure your security group as per the table below.

Conclusion

Hopefully you have been able to follow the steps above to bring up your own IPSec tunnel between Alibaba Cloud VPC and AWS VPC. AWS VPNs provide two tunnels for redundancy as AWS may perform maintenance on one of the tunnels from time to time. Having two established tunnels allows you to keep communicating over the VPN during these maintenance windows.

Further Reading

  1. https://www.alibabacloud.com/product/vpn-gateway
  2. https://www.alibabacloud.com/help/doc-detail/65398.htm
  3. https://wiki.strongswan.org/projects/strongswan/wiki
  4. https://wiki.strongswan.org/projects/strongswan/wiki/AwsVpc
  5. https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
