By using AWS re:Post, you agree to the AWS re:Post Terms of Use

EC2 Instance IPSec VPN question

0

Hello, thanks for reading, friend.

Is it possible to establish a direct IPSec tunnel via IKEv2 SA endpoints verified by identity certs with an EC2 instance or do you have to setup some sort of vpn gateway to handle the connection, as implied by the following link:

https://docs.aws.amazon.com/vpc/latest/userguide/vpn-connections.html

I ask this because we are having a very peculiar issue... Any of our internet facing DMZ EC2 instances encounter the same error when attempting the aforementioned VPN tunnel via strongswan, connecting with some other device out on the internet. Interestingly, all of our EC2 instances established behind a customer gateway we setup, work fine. This leads us to believe that AWS requires some sort of gateway handle VPN connections, is this true?

2 Answers
0

There are couple of ways you can build Site-to-site VPN connections to AWS. You can use AWS managed VPN using Virtual Private Gateway (VGW) or Transit Gateway (TGW); Alternatively you can use Third party software VPN appliance from Marketplace.

If you are looking to setup Certificate based VPN take a look at this Knowledge Center article:

How do I create a certificate-based VPN using AWS Site-to-Site VPN?

What specific error or issue you are facing?

profile pictureAWS
EXPERT
answered 2 years ago
  • Sorry, maybe I didn't phrase my question properly and thank you for your response. I understand that I can build a site-to-site vpn connection the ways you mentioned. My question is: do I HAVE to build it this way? In other words, do I need to use some VGW or TGW to manage the connection? If so, why? Why can't I just setup a site-to-site using installed certificates on each endpoint and manage the connection via strongswan? Why are EC2 instances force to use VGW's or TGW's? The EC2 instance has an internet facing IP address and installed certificates, why must I use some sort of gateway?

  • You don't have to use VGW or TGW, its not a must. You would use those gateways if you want to use AWS Managed VPN. You can use EC2 software VPN appliance, see this: https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/software-site-to-site-vpn.html

0

Ok, that is indeed our architecture and thank you for the response. Maybe you could provide a little detail into why the following is happening. I have spoken with our VPN software provider (strongswan) and it seems our EC2 instance is modifying the end-identity certificate signature before sending it for authorization, only zero's being available after a certain point. Keep in mind, we tested two EC2 instances with the same setup and end-identity certs. One is setup behind a TGW, the other is completely internet facing connecting through an IGW. For some reason, when we try to connect to the IGW instance the connection fails because the signature packet is being modified to contain zeros halfway through. They show this via our logs in the following link,

https://github.com/strongswan/strongswan/discussions/1517

"So for some reason there are only zeros available after a certain point. You see the decryption of that message starting at line 68154 in the log (the plain text data ends with 544 bytes of zeroes instead of the actual certificate data etc.). And while the end-entity certificate is parsed, it definitely wouldn't be usable due to the defective signature value. And trying to parse an intermediate CA certificate afterwards from only zero bytes will obviously fail (and it does so repeatedly). Since the padding and its length is correctly decrypted (see line 68423), I don't think this is an issue on the strongSwan side during decryption. So it's probably a problem on the sender side. But what exactly could fail there in this way, no idea. It's also weird that the next IKE message that's received (its decryption starts at line 69096) and contains the rest of that 4256 byte TLS record does not contain zeros only."

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions