Connecting Alibaba Cloud to AWS with High Availability VPN

Prerequisites

High Availability VPN Connection between Alibaba Cloud and AWS

Configure strongSwan Servers in Alibaba Cloud

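# Install strongSwan and keepalived on each Alibaba Cloud ECS node.
# The original spelled the option with a typographic dash (–y); yum reads
# that as a package name, so a plain hyphen is used here.
$ sudo yum install -y strongswan
$ sudo yum install -y keepalived
# Enable IP forwarding now and make it persistent. The original wrote to
# /proc/sys without sudo and then ran `sysctl -p`, which re-reads
# /etc/sysctl.conf — a file that had not been changed, so forwarding did
# not survive a reboot.
$ sudo sysctl -w net.ipv4.ip_forward=1
$ echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
# `sudo echo ... >> file` elevates only echo; the redirection runs as the
# invoking user and is refused on /etc/rc.d/rc.local. Pipe through sudo tee
# instead. On systemd-based CentOS/RHEL releases rc.local also has to be
# executable to run at boot; `systemctl enable keepalived.service` is the
# systemd-native alternative to this line.
$ echo 'systemctl start keepalived.service' | sudo tee -a /etc/rc.d/rc.local
$ sudo chmod +x /etc/rc.d/rc.local
# Directory for the VRRP notify script. The notify path in keepalived.conf
# must match this directory exactly.
$ sudo mkdir -p /etc/keepalived/script
$ cd /etc/keepalived/script
$ vi notify.sh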
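#!/bin/bash
# keepalived VRRP notify script for the strongSwan HA pair.
#
# keepalived invokes it as:  notify.sh <TYPE> <NAME> <STATE> [PRIORITY]
#   TYPE   - "INSTANCE" or "GROUP"
#   NAME   - the vrrp_instance / group name (VI_1 in keepalived.conf)
#   STATE  - MASTER, BACKUP or FAULT
#
# Only the MASTER holds the HAVIP, so only the MASTER runs strongSwan and
# carries the SNAT rules that rewrite local traffic to the HAVIP before it
# enters the tunnel. BACKUP and FAULT tear both down so the peer can take
# over without two nodes answering for the same tunnel.
#
# Exit status: 0 on a handled state, 1 on an unknown state.
set -u

TYPE=${1:-}
NAME=${2:-}
ENDSTATE=${3:-}

# Addressing. Defaults match keepalived.conf / ipsec.conf on this page;
# override through the environment if those change.
readonly HAVIP=${HAVIP:-10.1.0.1}                   # virtual_ipaddress in keepalived.conf
readonly SNAT_SRC=${SNAT_SRC:-10.0.0.0/8}           # local ranges rewritten to the HAVIP
readonly NO_SNAT_DST=${NO_SNAT_DST:-100.64.0.0/10}  # destinations exempt from SNAT (RETURN);
                                                    # presumably the provider's service range — confirm

# The original appended to /tmp/log. This script runs as root and /tmp is
# world-writable, so a fixed, predictable name there can be pre-created or
# symlinked by any local user. The default is kept for compatibility; point
# NOTIFY_LOG at a file under /var/log in production.
readonly LOG_FILE=${NOTIFY_LOG:-/tmp/log}

# Append "<state>; <timestamp>" to the log, same line format as before.
log_state() {
  printf '%s; %s\n' "$1" "$(date)" >> "$LOG_FILE"
}

# Drop every nat rule. The script treats the nat table as its own, exactly
# as the original did on BACKUP/FAULT; flushing on MASTER as well keeps the
# rule set idempotent when keepalived announces MASTER more than once.
flush_nat() {
  iptables -t nat -F
}

case "$ENDSTATE" in
  MASTER)
    log_state MASTER
    sysctl -w net.ipv4.ip_forward=1
    # Rebuild rather than append: the original used -A without a flush, so
    # every MASTER transition stacked another copy of both rules.
    flush_nat
    iptables -t nat -A POSTROUTING -d "$NO_SNAT_DST" -j RETURN
    # The "! -p vrrp" exclusion keeps VRRP advertisements out of the SNAT.
    iptables -t nat -A POSTROUTING -s "$SNAT_SRC" ! -p vrrp -j SNAT --to-source "$HAVIP"
    systemctl restart strongswan.service
    ;;
  BACKUP|FAULT)
    # Both states behave the same: log, drop the NAT rules, stop the VPN.
    log_state "$ENDSTATE"
    flush_nat
    systemctl stop strongswan.service
    ;;
  *)
    printf 'unknown state %s for VRRP %s %s\n' "$ENDSTATE" "$TYPE" "$NAME" >&2
    exit 1
    ;;
esac
exit 0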
$ chmod +x notify.sh
# keepalived.conf is one level up, i.e. /etc/keepalived/keepalived.conf.
# Its notify entry must point at the directory created above
# (/etc/keepalived/script/notify.sh); keepalived cannot run a script at
# any other path.
$ vi ../keepalived.conf
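! Configuration File for keepalived
global_defs {
    ! The mail settings below are the stock sample values; they only matter
    ! if SMTP notifications are wanted and can be removed otherwise.
    notification_email {
        acassen@firewall.loc
        failover@firewall.loc
        sysadmin@firewall.loc
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 192.168.200.1
    smtp_connect_timeout 30
    router_id LVS_DEVEL
}

vrrp_instance VI_1 {
    ! Initial role only; the higher priority wins the election. The peer's
    ! configuration is not shown here — it should use state BACKUP and a
    ! lower priority so both nodes do not start as master.
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    advert_int 1
    ! auth_type PASS is VRRP simple-text authentication: the password is sent
    ! in clear text, so it guards against misconfiguration, not spoofing.
    ! Use something other than 1111 and restrict VRRP (IP protocol 112) to
    ! the two nodes in the security group.
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    ! The HAVIP. It is also the SNAT source in notify.sh and must lie inside
    ! leftsubnet of ipsec.conf (10.1.0.0/24).
    virtual_ipaddress {
        10.1.0.1 dev eth0 label eth0:havip
    }
    ! Path fixed: the script was created in /etc/keepalived/script (no "s"),
    ! so the earlier /etc/keepalived/scripts/notify.sh did not exist.
    notify /etc/keepalived/script/notify.sh
    ! VRRP advertisements go unicast to the peer instead of multicast.
    unicast_src_ip 10.1.0.55
    unicast_peer {
        10.1.0.56
    }
}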
# The first start already runs notify.sh with the elected state, which
# restarts or stops strongSwan accordingly. The rc.local line earlier only
# covers boot; `systemctl enable keepalived.service` is the systemd-native
# way to get the same effect.
$ sudo systemctl start keepalived.service

Configure Routing

Configuring AWS

# ipsec.conf holds the connection definitions only. The two PSK lines shown
# after the conn sections below are ipsec.secrets syntax and belong in
# /etc/strongswan/ipsec.secrets, not in this file.
$ vi /etc/strongswan/ipsec.conf
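# Add connections here.
# Sample VPN connections
#
# ipsec.conf requires every parameter of a section to be indented; the
# un-indented listing this replaces would not parse.
conn %default
    ikelifetime=28800s
    keylife=3600s
    rekeymargin=3m
    keyingtries=3
    # Dead peer detection every 10 s; a peer silent for 30 s is declared
    # dead and handled per dpdaction in the conn sections.
    dpddelay=10s
    dpdtimeout=30s
    authby=secret
    mobike=no

# One conn per AWS tunnel endpoint. Both carry the same subnets, so whichever
# tunnel is up can take the traffic.
conn toawstunnel1
    # IKEv1 with AES-128 / SHA-1 / DH group 2 (modp1024) is what this
    # deployment negotiates; SHA-1 and modp1024 are below current
    # recommendations. If the AWS tunnel options allow it, prefer IKEv2,
    # sha256 and modp2048 or stronger — change both sides together or the
    # tunnel will not come up.
    keyexchange=ikev1
    # left is the private ECS address; leftid is the public address the
    # remote side sees (presumably the EIP registered with AWS — confirm).
    left=10.1.0.55
    leftsubnet=10.1.0.0/24
    leftid=47.89.241.197
    right=35.160.16.102
    rightsubnet=172.0.0.0/24
    rightid=35.160.16.102
    dpdaction=restart
    # auto=route installs the policy at start and negotiates the SA on demand,
    # so the tunnel comes up on the first matching packet.
    auto=route
    esp=aes128-sha1-modp1024
    # lifetime is an alias of keylife, and ikelifetime repeats %default;
    # both are kept as written.
    lifetime=3600
    ike=aes128-sha1-modp1024
    ikelifetime=28800s
    type=tunnel

conn toawstunnel2
    # Identical to toawstunnel1 apart from the second AWS endpoint.
    keyexchange=ikev1
    left=10.1.0.55
    leftsubnet=10.1.0.0/24
    leftid=47.89.241.197
    right=35.160.48.137
    rightsubnet=172.0.0.0/24
    rightid=35.160.48.137
    dpdaction=restart
    auto=route
    esp=aes128-sha1-modp1024
    lifetime=3600
    ike=aes128-sha1-modp1024
    ikelifetime=28800s
    type=tunnel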
# ipsec.secrets syntax (<local id> <remote id> : PSK "..."). Put these two
# lines in /etc/strongswan/ipsec.secrets, keep that file root-only
# (mode 0600), and use the pre-shared key AWS generated for each tunnel in
# place of the placeholders shown.
47.89.241.197 35.160.16.102 : PSK "put_your_PSK_here_xxxxxxxxxxxxxxxxxxxx"
47.89.241.197 35.160.48.137 : PSK "put_your_PSK_here_xxxxxxxxxxxxxxxxxxx"
# Reload ipsec.conf and ipsec.secrets. With auto=route the daemon shows as
# active here while the SAs are only established once traffic matches a
# tunnel. On the BACKUP node notify.sh stops strongSwan again, so only the
# MASTER is expected to keep it running.
$ systemctl restart strongswan.service
$ systemctl status strongswan.service

Testing the VPN Tunnel

[root@ali_ecs_test ~]# ping 172.0.0.80 
64 bytes from 172.0.0.80: icmp_seq=1 ttl=63 time=26.1 ms
64 bytes from 172.0.0.80: icmp_seq=2 ttl=63 time=26.2 ms
64 bytes from 172.0.0.80: icmp_seq=3 ttl=63 time=26.0 ms
64 bytes from 172.0.0.80: icmp_seq=4 ttl=63 time=26.0 ms

Update Security Groups

Conclusion

Further Reading
