There are a couple of ways you can build Site-to-Site VPN connections to AWS. You can use AWS managed VPN using a Virtual Private Gateway (VGW) or Transit Gateway (TGW); alternatively, you can use a third-party software VPN appliance from the Marketplace.
If you are looking to set up a certificate-based VPN, take a look at this Knowledge Center article:
How do I create a certificate-based VPN using AWS Site-to-Site VPN?
What specific error or issue are you facing?
Ok, that is indeed our architecture, and thank you for the response. Maybe you could provide a little detail into why the following is happening. I have spoken with our VPN software provider (strongSwan) and it seems our EC2 instance is modifying the end-identity certificate signature before sending it for authorization, with only zeros being available after a certain point. Keep in mind, we tested two EC2 instances with the same setup and end-identity certs. One is set up behind a TGW, the other is completely internet facing, connecting through an IGW. For some reason, when we try to connect to the IGW instance the connection fails because the signature packet is being modified to contain zeros halfway through. They show this via our logs in the following link:
https://github.com/strongswan/strongswan/discussions/1517
"So for some reason there are only zeros available after a certain point. You see the decryption of that message starting at line 68154 in the log (the plain text data ends with 544 bytes of zeroes instead of the actual certificate data etc.). And while the end-entity certificate is parsed, it definitely wouldn't be usable due to the defective signature value. And trying to parse an intermediate CA certificate afterwards from only zero bytes will obviously fail (and it does so repeatedly). Since the padding and its length is correctly decrypted (see line 68423), I don't think this is an issue on the strongSwan side during decryption. So it's probably a problem on the sender side. But what exactly could fail there in this way, no idea. It's also weird that the next IKE message that's received (its decryption starts at line 69096) and contains the rest of that 4256 byte TLS record does not contain zeros only."
- asked 2 years ago
Sorry, maybe I didn't phrase my question properly, and thank you for your response. I understand that I can build a site-to-site VPN connection the ways you mentioned. My question is: do I HAVE to build it this way? In other words, do I need to use some VGW or TGW to manage the connection? If so, why? Why can't I just set up a site-to-site using installed certificates on each endpoint and manage the connection via strongSwan? Why are EC2 instances forced to use VGWs or TGWs? The EC2 instance has an internet-facing IP address and installed certificates, so why must I use some sort of gateway?
You don't have to use a VGW or TGW; it's not a must. You would use those gateways if you want to use AWS Managed VPN. You can use an EC2 software VPN appliance, see this: https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/software-site-to-site-vpn.html
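As an added example (not from the thread or from the strongSwan project), this is a minimal swanctl.conf for the setup described above: a strongSwan peer on an EC2 instance directly behind an IGW, authenticating with an end-entity certificate issued under an intermediate CA. All addresses, file names and identities are constructed placeholders.

```conf
connections {
  ec2-to-onprem {
    version = 2
    # Constructed addresses. The EC2 NIC only holds the private VPC address;
    # the Elastic IP is mapped to it by the IGW, so the peer sees NAT and
    # the tunnel runs over UDP 4500 (NAT-T). Do not put the Elastic IP here.
    local_addrs  = 10.0.1.10
    remote_addrs = 203.0.113.20
    proposals = aes256gcm16-prfsha384-ecp384
    # IKE_AUTH messages that carry the end-entity plus intermediate CA
    # certificates are several KB; IKEv2 fragmentation keeps them from
    # depending on IP-layer fragmentation along the path.
    fragmentation = yes
    send_cert = always
    local {
      auth = pubkey
      # End-entity certificate in /etc/swanctl/x509/; its private key is
      # loaded from /etc/swanctl/private/. The intermediate CA certificate
      # belongs in /etc/swanctl/x509ca/ so it is sent with the chain.
      certs = ec2-ee.pem
      id = "CN=vpn-ec2.example.test"
    }
    remote {
      auth = pubkey
      # Pin the peer identity and the root it must chain to; a peer whose
      # certificate or signature does not verify is rejected here.
      id = "CN=vpn-onprem.example.test"
      cacerts = root-ca.pem
    }
    children {
      vpc-to-onprem {
        local_ts  = 10.0.0.0/16
        remote_ts = 192.168.0.0/16
        esp_proposals = aes256gcm16-ecp384
        start_action = trap
        dpd_action = restart
      }
    }
  }
}
```

The instance's security group must allow inbound UDP 500 and 4500 from the peer, and if the instance forwards traffic for other VPC hosts its source/destination check has to be disabled and the VPC route table must point 192.168.0.0/16 at its network interface.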