Site-to-Site VPN tunnel endpoint using AWS Private CA does not get correct domain name


Please help. In the AWS Management Console, I see the AWS Site-to-Site VPN tunnel endpoint gets the following domain name. How do I get the AWS Site-to-Site VPN tunnel endpoint to get a domain name using the CN of the Subordinate CA?

vpn-092ae95b347788983.endpoint-0

strongSwan doesn't allow for a CN mismatch. Log line from the strongSwan log:

IDir 'CN=vpn-092ae95b347788983.endpoint-0' does not match to '35.155.143.216'

My customer gateway has the following domain name (from the subordinate CA), the same as the AWS tunnel device used to retrieve the cert.

09[IKE] authentication of 'CN=**erlite3.tccavpn4.mydomain.com**' (myself) successful

  • Both the Customer Gateway and the AWS tunnel endpoint show the same CA for the certs.
  • The domain is hosted on Route53. All certs show "Issued" in AWS CM > Certificates. Screenshot of Certificates in use

Full strongSwan log showing the issue:

06[NET] received packet: from 35.155.143.216[500] to 104.X.X.X[500] (148 bytes)
06[ENC] parsed ID_PROT response 0 [ SA V V V ]
06[IKE] received DPD vendor ID
06[IKE] received FRAGMENTATION vendor ID
06[IKE] received NAT-T (RFC 3947) vendor ID
06[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
06[NET] sending packet: from 104.X.X.X[500] to 35.155.143.216[500] (244 bytes)
09[NET] received packet: from 35.155.143.216[500] to 104.X.X.X[500] (370 bytes)
09[ENC] parsed ID_PROT response 0 [ KE No CERTREQ CERTREQ NAT-D NAT-D ]
09[IKE] received cert request for 'O=TC, LLC, CN=tccavpn4.mydomain.com'
09[IKE] received cert request for 'O=TC, LLC, CN=tccavpn4.mydomain.com'
09[IKE] remote host is behind NAT
09[IKE] sending cert request for "O=TC, LLC, CN=tccavpn4.mydomain.com"
09[IKE] authentication of 'CN=erlite3.tccavpn4.mydomain.com' (myself) successful
09[IKE] sending end entity cert "CN=erlite3.tccavpn4.mydomain.com"
09[ENC] generating ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
09[ENC] splitting IKE message with length of 1372 bytes into 2 fragments
09[ENC] generating ID_PROT request 0 [ FRAG(1) ]
09[ENC] generating ID_PROT request 0 [ FRAG(2/2) ]
09[NET] sending packet: from 104.X.X.X[4500] to 35.155.143.216[4500] (1248 bytes)
09[NET] sending packet: from 104.X.X.X[4500] to 35.155.143.216[4500] (196 bytes)
12[NET] received packet: from 35.155.143.216[4500] to 104.X.X.X[4500] (1248 bytes)
12[ENC] parsed ID_PROT response 0 [ FRAG(1) ]
12[ENC] received fragment #1, waiting for complete IKE message
05[NET] received packet: from 35.155.143.216[4500] to 104.X.X.X[4500] (100 bytes)
05[ENC] parsed ID_PROT response 0 [ FRAG(2/2) ]
05[ENC] received fragment #2, reassembling fragmented IKE message
13[NET] received packet: from 35.155.143.216[4500] to 104.X.X.X[4500] (1276 bytes)
13[ENC] parsed ID_PROT response 0 [ ID CERT SIG ]
13[IKE] received end entity cert "CN=vpn-092ae95b347788983.endpoint-0"
13[IKE] IDir 'CN=vpn-092ae95b347788983.endpoint-0' does not match to '35.155.143.216'
13[IKE] deleting IKE_SA peer-35.155.143.216-tunnel-vti[3] between 104.X.X.X[CN=erlite3.tccavpn4.mydomain.com]...35.155.143.216[%any]
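
Why the match fails, as an added illustration that is not part of DanF's post or of any AWS sample: strongSwan authenticates the peer in two separate steps. The peer's certificate must chain to a trusted CA, and the identity the peer asserts in its ID payload (IDir, here `CN=vpn-092ae95b347788983.endpoint-0`) must equal the identity configured for the remote side of the connection. In the log above the expected identity is the endpoint address `35.155.143.216`, so the comparison fails even though the certificate itself was accepted. The swanctl.conf skeleton below sets the remote id to the DN the endpoint actually presents, so that the identity check and the certificate check agree. The addresses and DNs are taken from the log; the connection name, child name, and certificate file names are assumptions.

```conf
# Added example (swanctl.conf fragment), not from the thread or from AWS.
connections {
    aws-tunnel-0 {                      # connection name assumed
        version = 1                     # the log shows ID_PROT, i.e. IKEv1 main mode
        remote_addrs = 35.155.143.216   # AWS tunnel endpoint address from the log
        local {
            auth = pubkey
            certs = erlite3.pem         # end-entity cert issued by the subordinate CA (file name assumed)
            id = "CN=erlite3.tccavpn4.mydomain.com"
        }
        remote {
            auth = pubkey
            # The identity the peer asserts must be listed here. Leaving it at the
            # endpoint address is what produces "does not match to '35.155.143.216'".
            id = "CN=vpn-092ae95b347788983.endpoint-0"
            # Require the peer certificate to chain to the subordinate CA (file name assumed);
            # this keeps the identity match from being satisfied by a cert from any other trusted CA.
            cacerts = subordinate-ca.pem
        }
        children {
            vti {                       # child name assumed
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                esp_proposals = aes128-sha256
                start_action = start
            }
        }
    }
}
```

With this in place, strongSwan still verifies the endpoint's certificate against the CA in `cacerts`; the `remote.id` only tells it which subject or subjectAltName to expect inside that certificate, which is why the DN in the log, not the IP address, is the value to configure.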
2 Answers

Hello DanF,

I hope all is good.

Please consider the below points when you are using private domains.

  1. Create a private certificate from a subordinate CA using AWS Private Certificate Authority (AWS Private CA).
  2. Sign the ACM subordinate CA (you can use an ACM Root CA or an external CA).
  3. You must create a service-linked role to generate and use the certificate for the AWS side of the Site-to-Site VPN tunnel endpoint.
  4. Specify the certificate when you create the customer gateway. https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-tunnel-authentication-options.html#certificate
AWS Shmosa, answered 4 months ago
EXPERT reviewed 23 days ago

Thanks for the reply.

Steps 1, 2 & 4 I'm confident are done correctly.

For #3, I see here: "You don't need to manually create a service-linked role. When you create a customer gateway with an associated ACM private certificate in the AWS Management Console, the AWS CLI, or the AWS API, Site-to-Site VPN creates the service-linked role for you."

  1. This was done.
  2. See 1.
  3. Found (not clear in the initial documentation) that no steps are required. https://docs.aws.amazon.com/vpn/latest/s2svpn/using-service-linked-roles.html
  4. Yes, selected. I created a subordinate cert and applied it to the Customer Gateway in the AWS Console.

As a workaround, I exported the AWS endpoint.0 cert, put it in /etc/swanctl/x509/ on the customer gateway and ran `swanctl --load-creds`. This allowed the VPN to show UP in the AWS Console.

Assuming I didn't miss anything, please, I'm asking for help with: "How do I get the AWS Site-to-Site VPN tunnel endpoint to get a domain name using the CN of the Subordinate CA?"

DanF, answered 4 months ago
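
Before dropping an exported peer certificate into /etc/swanctl/x509/ and loading it, a practitioner would want two facts about that file: that it really chains to the subordinate CA both sides are supposed to share, and the exact subject DN strongSwan will compare against the configured remote id. The script below is an added example, not code from the thread or from AWS. It builds a throwaway subordinate CA and endpoint certificate with openssl (constructed names such as `vpn-EXAMPLEID.endpoint-0`) so that it runs offline; on a real gateway, `CA_PEM` and `EP_PEM` would point at the CA exported from AWS Private CA and the exported endpoint.0 certificate instead.

```shell
#!/bin/sh
# Added example, not from the thread. Creates a constructed sample PKI with
# openssl, then runs the two checks you would run on the real exported files:
# does the endpoint cert chain to the subordinate CA, and which subject DN
# strongSwan will see when it compares IDir against remote.id.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_PEM="$WORK/subordinate-ca.pem"   # stand-in for the CA exported from AWS Private CA
EP_PEM="$WORK/endpoint-0.pem"       # stand-in for the exported tunnel endpoint cert

# Constructed sample PKI: a self-signed CA with CA:TRUE, then an end-entity
# certificate it issues. A private config file keeps the extensions explicit
# regardless of the system openssl.cnf.
make_sample_certs() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example
CN = subordinate-ca.example.test
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$CA_PEM" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=vpn-EXAMPLEID.endpoint-0" \
        -keyout "$WORK/ep.key" -out "$WORK/ep.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/ep.csr" \
        -CA "$CA_PEM" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$EP_PEM" >/dev/null 2>&1
}

# check_chain CA_FILE CERT_FILE: exit status 0 only if CERT_FILE validates
# against CA_FILE (issuer found, signature good, validity period ok).
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# endpoint_subject CERT_FILE: subject DN in the "CN=..." form strongSwan logs
# and expects in remote.id (RFC 2253 ordering, "subject=" prefix stripped).
endpoint_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

make_sample_certs
if check_chain "$CA_PEM" "$EP_PEM"; then
    echo "endpoint cert chains to the subordinate CA"
else
    echo "endpoint cert does NOT chain to the subordinate CA" >&2
    exit 1
fi
echo "remote id to configure: $(endpoint_subject "$EP_PEM")"
```

A chain failure here means the exported file was issued by a different CA than the one on the customer gateway and should not be loaded as a shortcut; a passing chain plus the printed DN gives the value that belongs in the strongSwan remote id, which is the check the log line "does not match to '35.155.143.216'" is really complaining about.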
